Laws and Regulations

The US legal and regulatory landscape governing the metaverse is rapidly evolving. The laws and regulations that are implicated by the metaverse are numerous and potentially create a range of legal issues. There are currently no US laws that specifically apply only to the metaverse – however, in some situations existing laws apply; in other situations, new laws and regulation are likely to be developed over time.

Intellectual Property

Intellectual property laws are key to metaverse governance. The creation of new types of digital assets, such non-fungible tokens (NFTs), raises novel intellectual property issues including those summarised below.

Copyright

Copyright is a type of intellectual property that protects original works of creators. In the metaverse, this covers user-generated digital content such as avatars, virtual buildings, and digital artwork. The owner of a copyrighted item has the exclusive right to reproduce the work, display it, distribute copies and display it publicly. Copyright also provides the owner the right to authorise others to exercise these exclusive rights. If an artist creates content in the metaverse that is similar to copyrighted content in the physical world, then they may be liable for copyright infringement. For example, an avatar or an NFT in the metaverse that is similar to a copyrighted avatar or NFT outside the metaverse could trigger a copyright infringement claim.

Trade marks

A trade mark is a word, phrase, logo, design, or slogan that indicates the source of goods and services. Trade mark law protects against the unauthorised use of a trade mark by third parties that would cause a consumer to believe that the trade mark owner either was the source of the goods or services, or endorsed or sponsored such goods or services, in a manner that may dilute or disparage the trade mark.

Many companies register their brands with the US Patent and Trade Office (USPTO) for use in connection with virtual offerings as well as those in the physical world. These companies obtain registered trade mark protection for things like virtual goods, retail store services featuring virtual goods, NFTs, and digital tokens.

Patents

A patent for an invention is the grant of a property right to the inventor. Generally, a new patent is valid 20 years from the date on which the application for the patent is filed in the United States. US patent grants are effective only within the United States, its territories and possessions. A company developing metaverse-related technologies will need to consider whether to seek patent protection and whether its technology might infringe on the patents of other parties in the same way as technology providers outside of the metaverse.

User-Generated Content Litigation

The proliferation of user-generated content creates risks of unauthorised use of third-party trade marks and brand dilution. For example, some metaverse spaces operate as an online economy, allowing users to create their own virtual worlds, to develop intellectual property, to sell branded creations, and/or to build an online business presence sell their products in the real world. Using another party’s trade marks in these ways can trigger a trade mark infringement claim.

There have already been a number of challenges regarding intellectual property incorporated into user-generated content in the metaverse, including a case alleging trade mark infringement and dilution as a result of a company minting NFTs using trade marks belonging to other companies (Nike, Inc v StockX LLC and Hermès v Mason Rothschild).

Torts

Tort law governs civil wrongs such as property damages and personal injury, which can include activity caused by users in the metaverse to other participants. A defendant could be liable for financial compensation related to an act in the metaverse. For example, defamation is a false statement presented as a fact that causes injury or damage to the character of the person it is about. In the metaverse, user-generated content that is false and causes injury to another could trigger a defamation claim.

Tax and Financial Regulations

The purchase and sale of virtual goods trigger tax implications, including sales tax and income tax. NFTs may be subject to US commodities, banking, and securities laws, due to the manner in which these assets are created and exchanged.

Contracts

In the metaverse, contract law applies to agreements between users, such as selling virtual goods to renting virtual property. Businesses entering into agreements in the metaverse need to comply with laws and regulations applicable to contracts in the physical world, including meeting all consumer disclosure requirements.

Data Protection

Data practices relating to the metaverse are subject to generally applicable US privacy and data protection frameworks, primarily the California Consumer Privacy Act and other comprehensive state privacy laws that go into effect in 2023, Section 5 of the Federal Trade Commission Act, and state laws that prohibit unfair or deceptive acts and practices.

As with other platforms, it is important for companies that have a presence in the metaverse to understand the personal data flows involving the company, the platform, and exchanges between them. Key issues to examine include:

• whether a company collects personal data through its presence in the metaverse;
• whether the company shares any of this data with the metaverse platform; and
• whether such collection and sharing are adequately disclosed in privacy notices and covered under existing rights request processes.

Cybersecurity and Data Security

Companies face potential liability for disclosing personal data to vendors or third parties that do not maintain reasonable data security measures. Therefore, to the extent that personal data will be shared with a metaverse platform, it is important to assess the platform’s cybersecurity practices in advance. In addition, if the metaverse supports operational business activities, then the platform’s general cybersecurity measures, including availability guarantees and ability to resist and respond to various forms of cyberattacks, are important considerations.

Laws and Regulations

Numerous laws and regulations regulate the digital economy in the United States, including a variety of laws, regulations and codes of conduct particular to specific industries or to the type of data and users involved. Laws and regulations at the federal, state and local level – and in some instances even laws of foreign jurisdictions – may apply to a participant in the digital economy in the USA. As a general matter, laws and regulations applicable outside of the digital economy will also apply to the establishment and operation of a digital business, in addition to those laws and regulations focused primarily on digital operations and transactions.

Terms & Conditions

A business operating a website or mobile platform will need to carefully consider the terms and policies applicable to the platform and the manner in which the terms and policies are disclosed. Even if no goods or services are being sold on the platform, the operator will generally reference the terms of use for the platform and link to the applicable policies, including as a privacy policy describing the collection, storage, use, and disclosure of personal information and policies related to the provision and use of user-generated content. The legal requirements for these policies can vary significantly depending upon the nature of the platform.

In addition to the terms of use of the platform, the operator will need to require customers to enter into appropriate binding contracts if goods or services are being sold, licensed or otherwise made available on the platform in order to specify the terms associated with the transfer of the goods and services. Courts in the United States have sometimes refused to enforce certain provisions of contracts entered into online (or the entire contract) either because the elements for valid contract formation have not been met or because certain provisions were found to be against public policy. In order to increase the likelihood of a digital contract being enforced, the applicable terms should be prominently displayed. Operators of digital platforms generally should either:

• require potential customers to affirmatively accept the contract terms (such as by clicking on an “Accept” button clearly referencing the terms and conditions) before proceeding to use the platform; or
• provide that the contract becomes effective if the user continues to use the platform after the terms and conditions are prominently presented.

Requiring the customer to affirmatively accept the contract terms after the terms are presented to the customer will decrease the likelihood that a court in the United States will find the contract to be unenforceable as a result of the customer not having actual or implied notice of the contractual terms or the customer not having agreed to those terms. However, certain applicable statutes or common law principles may still lead a court to deny enforcement of certain provisions, such as relating to arbitration provisions or choice of law and forum selection provisions. 

Intellectual Property

The digital economy also implicates intellectual property laws. Companies that offer consumers innovative experiences have to navigate IP issues including branding and trade mark protection, copyright, licences for specific software or technology, patents, trade secrets and knowhow for their digital offerings.

Privacy/Data Security/Consumer Protection

Privacy, data security, and consumer protection laws play a key role in regulating commercial practices in the digital economy. The US Federal Trade Commission (FTC), which has jurisdiction over consumer protection and competition enforcement across broad areas of the US economy, based in part on Section 5 of the FTC Act, which prohibits unfair methods of competition and unfair or deceptive acts and practices. State attorneys general have similar consumer protection authority under their laws against unfair or deceptive acts and practices.

Over the past few decades, the FTC has used its Section 5 authority to establish standards for the processing of personal data through enforcement actions against specific companies, as well as non-binding guidance and policy documents. Until recently, the FTC limited its rulemaking activity to specific industries or practices for which Congress granted clear regulatory authority, such as children’s privacy or the security of personal information that financial institutions handle.

The FTC, however, has indicated that the growing digital economy, coupled with business models that are based on monetising personal data, may have given rise to unfair or deceptive data practices that are prevalent. As discussed in 4. Artificial Intelligence and Big Data, the FTC is now considering developing regulations to govern “commercial surveillance” and data security, which could apply far more broadly than the sector-specific rules mentioned above.

Industry-Specific Laws

Other federal and state regulators play an important role in the legal order surrounding the digital economy. For example, a number of federal laws applicable to entities operating in specific industries apply to the operation of a digital business in those industries, including financial institutions, health care providers and insurers (and their business associates), companies doing business with governmental entities, and educational institutions. See 3. Cloud and Edge Computing for a summary of some of these laws.

Laws and Regulations

Entrusting processes or data to a cloud or other distributed computing environment like edge computing may implicate a variety of laws and regulation in the US depending upon the industry, data, and users involved. Laws and regulations at the federal and state level – as well as laws of foreign jurisdictions – may apply directly to providers of these services operating in the US as well as their customers. In addition, these offerings often involve providers processing data on behalf of customers that is subject to additional regulation (such as controllers of personal data). The obligations of those customers are required to be passed through to the providers in the computing contracts.

Sector-Specific Laws and Regulations and Industry Standards

Laws and standards that govern entities operating in specific industries, including financial institutions, health care providers and insurers (and their business associates), companies doing business with governmental entities, educational institutions, and telecommunications common carriers, are applicable to cloud and edge computing providers and information received by the providers. The following laws and standards are frequently implicated when such entities move processes and data to the cloud.

Financial institutions

The Gramm-Leach-Bliley Act (GLBA) is a US federal law regulating the treatment of non-public personal information (NPI) by financial institutions, such as banks, financial advisors, and insurance companies.

The GLBA includes provisions on privacy applicable to the collection and disclosure of NPI (the “Privacy Rule”) and security provisions requiring the financial institutions to protect NPI (the “Safeguards Rule”). The GLBA applies not only to financial institutions, but may also apply to companies receiving non-public personal information from a financial institution or who perform activities that are financial in nature or incidental to financial activities. Entities subject to the GLBA generally require their providers to agree to contract terms that reflect the applicable obligations under the GLBA.

An entity subject to the GLBA utilising a third party service provider for processing will need to confirm the selection of a service provider that maintains appropriate policies and safeguards consistent with the GLBA and enter into an appropriate contract.

The Safeguards Rule (and more detailed guidelines for banks, which are not subject to the Safeguards Rule) requires financial institutions to develop and maintain a comprehensive information security programme and to exercise appropriate oversight over service providers, among other requirements. The Federal Trade Commission issued a major revision of the Safeguards Rule in December 2021.

Healthcare

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law addressing the treatment and use of individuals’ personal protected health information (PHI). HIPAA applies to healthcare providers, health insurance plans and healthcare clearinghouses (“Covered Entities”) and their business associates (and those business associates’ subcontractors) performing certain services invoking PHI (“Business Associates”). Under the authority granted by HIPAA, the US Department of Health and Human Services has issued Privacy, Security, and Breach Notification Rules, which together establish requirements for the use, disclosure, and protection of PHI. The use of cloud and edge computing services will need to comply with HIPPA to the extent applicable.

Entities participating in federal programmes

Requirements applicable to activities by federal agencies and their contractors include the Federal Information Security Modernization Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP). FISMA establishes federal agency roles and responsibilities for information technology security.

Educational institutions

The Family Educational Rights and Privacy Act (FERPA) provides certain privacy protections applicable to a student’s educational records. Schools covered by FERPA placing records subject to FERPA in the cloud will need to ensure that its cloud providers are contractually obligated to meet the requirements of FERPA. 

Auditing standards

Standards for Attestation Engagements No 18 (SSAE 18) sets forth standards used by auditors to review certain practices of service providers. Companies offering cloud-based services in the US frequently make available to their customers on an annual basis a type of report based on SSAE 18 known as a Service and Organization Control (SOC) 2 report focusing on the principles of security, privacy, availability, processing integrity, and confidentiality. A provider providing services materially impacting the financial statements of its customers will often be requested to also provide a SOC 1 report, which focuses on the service provider’s financial controls.

Payment card industry standard

The Payment Card Industry Data Security Standard (PCI DSS) has been created by the Payment Card Industry Data Security Council to address data security for any company that stores, processes or transmits “Cardholder Data” or “Sensitive Authentication Data” as defined by the PCI DSS. A service provider receiving Cardholder Data or Sensitive Authentication Data will be required to meet extensive requirements to demonstrate PCI DSS compliance.

Surveillance

Several federal laws authorise law enforcement and intelligence agencies to compel cloud and edge computing providers to produce personal data and other information in response to subpoenas, court orders, and other forms of legal process. Key statutes include the Foreign Intelligence Surveillance Act (FISA) and the Electronic Communications Privacy Act (ECPA), as amended by the Clarifying Lawful Overseas use of the Data (“CLOUD Act”). The CLOUD Act permits federal authorities in certain instances to compel technology providers based in the US to provide data stored on the provider’s servers located both inside and outside the US.

Given the potential multi-jurisdictional reach of cloud-based products and services, these US laws may conflict with laws of other countries claiming jurisdiction over data or computer assets. For instance, with regard to the European Union, the scope of the US legal authorities’ reach, the strength of judicial and other safeguards, and the rights and protections that Europeans may exercise against government agencies seeking data stored by US-based providers have become major issues following the Court of Justice for the European Union’s July 2020 Schrems II decision. In addition to requisite processes to evaluate and respond to government demands, US-based cloud providers increasingly face demands from their customers to assess the risk of government access to the customers’ data processed by the providers.

Specific Issues for Processing of Personal Data

In addition to the generally-applicable sector-specific laws and standards discussed above, several federal and state laws and regulations govern specific circumstances relating to the type of personal data collected or transmitted. These laws include broadly defined federal and state consumer protection laws, comprehensive state-level statutes, and laws designed to protect either certain categories of data collected or certain data collected on specific populations.

Federal laws

The FTC is the main consumer protection enforcement agency in the US and has long applied its authority to prevent “unfair or deceptive acts or practices” to the data protection arena. Although this authority, defined under Section 5 of the FTC Act, is not specific to data protection, the FTC has used it to bring more than 100 privacy and data security enforcement actions over approximately two decades.

State laws

Virtually every state has enacted narrow legislation to protect specific categories of sensitive personal data of its residents. However, the California Consumer Privacy Act (CCPA); Virginia Consumer Data Protection Act (VCDPA); and comprehensive privacy laws in Colorado, Connecticut, and Utah, go into effect by the end of 2023, and require contracts with service providers/processors such as cloud computing providers to limit the service provider’s data use, assist with consumer rights requests and data protection impact assessments, and ensure personal data security, among other requirements. Below is a high-level description of some of these state statutory requirements.

California

The CCPA was enacted in 2018 to give Californians more control over the personal information certain businesses collect and use about them. “Personal information” is defined under the CCPA as information that identifies, relates to, or could reasonably be linked with a California consumer or their household, including name, social security number, email address, product purchasing records, online browsing history, geolocation information, and biometric data. Personal information does not include information that is publicly available, de-identified, or aggregated, as defined under the CCPA.

In addition, in November 2020, California voters approved an amendment to the CCPA called the California Privacy Rights Act (CPRA). The CPRA fully went into effect on 1 January 2023. Key amendments under the CPRA include the following.

• Higher applicability threshold to organisations that buy, sell, or share the personal data from at least 50,000 residents or households annually to at least 100,000. This modification may exclude some entities from application of the CCPA.
• New category of “sensitive personal information”, which includes personal information that reveals a consumer’s:
1. social security, driver's license, state identification card, or passport number;
2. financial account and related data;
3. precise geolocation within a 1,850 foot radius;
4. practical or ethnic origin, religious or philosophical beliefs, or union membership;
5. mail, email, or text messages content, unless the business is intended recipient of such information;
6. genetic data and/or biometric information for the purpose of unique identification; and
7. health status or medical conditions and sexuality, including sexual orientation.

Consumers have the right to limit or opt out of certain uses of sensitive personal information.

• In addition to limiting the use of sensitive personal data, consumers can opt-out of:
1. the sale of personal information to a third party for monetary or other valuable consideration; and
2. sharing of personal information with a third party “for cross-context behavioural advertising, whether or not for monetary or other valuable consideration”.
• Consumers also have a new right to require businesses to correct inaccurate information “taking into account the nature of the personal information and the purposes of the processing of the personal information”.

Violations of the CCPA are enforced by both the California Attorney General and the California Privacy Protection Agency, both of which have the power to impose penalties/fines of up to USD2,500 per violation or USD7,500 per intentional violation/violation involving consumers under 16 years of age. The law also affords California consumers a private right of action for breaches of sensitive personal information.

Virginia

The Commonwealth of Virginia is the second state to enact a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The VCDPA was passed into law in 2021 and went into effect on 1 January 2023.

Virginians have comparable rights under the VCDPA as Californians do under the CCPA. However, Virginia affords additional, specific rights to opt out of targeting advertising and profiling.

Finally, there is no private right of action for Virginians to recover damages for a business’s breach of the VCDPA. The Virginia Attorney General is responsible for enforcing the VCDPA and may impose penalties of up to USD7,500 per violation.

Colorado

The Colorado Privacy Act (CPA) was signed into law on 7 July 2021 and went into effect on 1 July 2023. The CPA is generally more closely aligned with the VCDPA than the CCPA. Violations of CPA will be enforceable exclusively by the Colorado Attorney General and the 22 Colorado District Attorneys and are subject to penalties of up to USD20,000 per violation under the Colorado Consumer Protection Act. There is no private right of action for Colorado consumers under the law.

Other states

Other states may enact their own laws. Given the differences among current state laws, companies will need to devote careful thought to a compliance strategy that accounts for these differences and the laws’ incomplete coverage.

Entities that hold personal information about consumers and businesses should consider privacy, disclosure, equal opportunity/non-discriminatory uses, and transparency concerns. “Big data” is the collection of millions of data points of information about an individual consumer or business across a variety of sources, collected over time, and may be held or used by entities that interact directly with consumers and business (first-person data), or by data aggregators and data brokers (third-person data). “Artificial intelligence” enables machines to analyse information in big data using algorithmic processes.

While there is no comprehensive current federal statutory and regulatory structure in the US dedicated to information used in big data and artificial intelligence, several federal statutes are potentially implicated depending on the type of information at-issue. Case-by-case enforcement of these statutes have formed in the structure of consumer protection relating to big data and artificial intelligence.

At the federal level, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) have indicated that they may use their authority to prevent unfair or deceptive acts and practices in the AI and big data arenas. For example, in 2022, the CFPB announced that its examinations of financial institutions for unfair, deceptive, or abusive practices would include assessments of whether examinees engaged in discriminatory practices. In late 2022, the FTC issued an Advanced Notice of Proposed Rulemaking (ANPR) seeking comments from the public on proposed rules to protect against consumer harm as a result of entities’ commercial surveillance and data security practices. Following receipt of comments from the public and industry, the FTC may issue rules relating to these topics.

In addition, various states have statutory restrictions on the collection, retention, and use of personal information, generally, or with respect to specific types of personal information.

Big Data

Despite the absence of a comprehensive federal statutory and regulatory structure for big data, the Federal Trade Commission (FTC) plays a significant role in shaping entities’ practices involving non-public personal information, generally, in the US using case-by-case enforcement and policy statements. The FTC has authority under Section 5 of the FTC Act to declare a business as having “unfair or deceptive acts or practices.” Analysis under Section 5 of the FTC Act is fact-specific to the particular circumstances of an entities’ practices. In its Report on Big Data, “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, FTC Report” (January 2016), the FTC described a number of specific practices as unfair or deceptive in its report on big data.

Several comprehensive state privacy laws set transparency and choice requirements in relation to profiling and automated decision-making. In 2021, Colorado and Virginia also passed generally-applicable privacy statutes relating to personal information. Those states, and Connecticut, give consumers the right to opt out of “profiling” (defined as automated personal data processing to evaluate certain individual characteristics) in furtherance of “decisions that produce legal or similarly significant effects concerning the consumer”. California’s privacy regulator, the California Privacy Protection Agency (CPPA), is expected to issue regulations that address similar issues by mid-2023. In addition, the California Consumer Privacy Act (CCPA) mandates disclosure about the collection and use of “a consumer’s personal information”, including disclosure about what personal information is collected, the right to delete personal information, and the right to prevent the sale of the collected personal information. The CCPA also contains a right of non-discrimination for consumers that exercise their rights to protect their personal information, with certain exceptions.

Other federal and state privacy statutes are more narrowly focused on specific types of personal information. For example, the US federal Fair Credit Reporting Act regulates information collected and used by consumer reporting agencies, and federal civil rights laws regulate the use of personal information where the intent or the effect of the use of the information results in a violation of the rights of the statute’s protected classes. Various states have similar and additional civil rights laws relating to this type of information. In addition, certain states provide even greater privacy protections to specific types of personal information. For example, the Illinois Biometric Information Privacy Act (BIPA) protects individuals’ rights over their biometric information, such as facial recognition scans, voice and finger prints, and hand or eye scans.

As a result, entities pursuing the collection, retention, or use of information about consumers and businesses in the US should ensure that they have clear disclosures and procedures to safeguard personal information, and that these procedures are fully enforced. In addition, entities should examine the type of personal information being collected, retained, and used, as well as the state jurisdictions applicable to the entity, to implement the appropriate federal and state privacy, disclosure, and transparency procedures and safeguards.

Artificial Intelligence

In addition to the privacy, disclosure, equal opportunity/non-discriminatory uses, and transparency considerations raised above, artificial intelligence raises an additional consideration relating to the scope of disclosure and consent. Artificial intelligence necessarily depends on algorithms that evolve or change over time. To the extent an entity provides disclosure that certain personal information is being collected, retained, and used, and the consumer provides consent for that purpose, any changes outside the scope of that disclosure and consumer’s consent may violate federal and state privacy and protection laws or be considered an “unfair or deceptive act or practice” under Section 5 of the FTC Act. Entities should ensure that disclosures and consents are sufficiently specific to inform consumers of the nature of the personal information being collected, retained, or used, and periodically update these disclosures and consent in parallel with changes to their machine learning and artificial intelligence algorithmic processes.

Regulatory authorities in the United States have also increasingly become focused on the potential discriminatory impact of the use of AI in decision-making, such as when algorithms are used in connection with employment decisions or the decision to offer credit to a consumer.

“Smart” or “connected” devices, also known as internet of things devices, follow the federal National Institute of Standards and Technology (NIST) guidelines published by the US Department of Commerce and the statutory requirements found in certain state laws. Further, pursuant to the federal Internet of Things Cybersecurity Improvement Act of 2020, compliance with the NIST guidelines is required for federal procurements.

The NIST guidelines, NISTIR 8259, provides a summary of cybersecurity and privacy risk considerations, as well as assessment tools, and NISTIR 8259A provides a baseline for how a connected device will be defined as “securable”.

Connected devices raise considerations of privacy, disclosure, and cybersecurity concerns relating to information that the connected device uses, receives, stores, or transmits described elsewhere in this article, and in particular, Sections 2, 3, 4, and 8. Two additional frameworks are also significant in this arena: federal and state wiretapping laws and critical infrastructure.

Federal and State Wiretapping Laws

The federal Wiretap Act and similar state laws generally prohibit the interception of electronic communications. Although these laws contain exceptions for recipients of communications and that may allow analysis of communications for security purposes, the application of these exceptions requires fact-specific analysis. For example, some state wiretap laws require all parties to a communication to consent to interception. If this exception is the basis for intercepting machine-to-machine traffic, it is important to understand whether such multi-party consent is necessary.

Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security is developing cyber-incident and ransom payment reporting regulations pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Entities in the communications and healthcare sectors, among others, may be covered by these regulations. The reporting requirements, however, are not effective until the regulations are finalised.

In addition, certain states, such as California and Oregon, have statutes specifically focused on securing connected devices by requiring them to be equipped with cybersecurity safeguards which differ depending on the type of connected device. These state statutory requirements and NIST guidelines for securing a connected device should be considered in addition to privacy, disclosure, and transparency statutes, as well as general consumer protection statutes.

Radio and Broadcast Television

The Communications Act of 1934, as amended, with rules promulgated and enforced by the Federal Communications Commission (FCC), governs commercial AM, FM radio, and television broadcast authorisations. An authorisation from the FCC is required to operate a commercial AM, FM radio, and broadcast television station in the US, as described more fully on the FCC’s application guidance.

An application to the FCC for a commercial AM radio station (with frequencies of 540 kHz to 1700 kHz) requires a demonstration of non-interference on the same or on adjacent frequencies as existing US or foreign-based AM stations, as well as harmonic and intermediate frequency analyses. Application and fees are required during allotment application windows.

An application to the FCC for a commercial FM radio station (with frequencies of 92.1 MHz to 107.9 MHz) requires an application for a construction permit and a concurrent petition for rulemaking to the FCC which must, according to the FCC’s application guidance:

• include the proposed new channel, class, and the community to be served;
• the proposed new allotment site must meet the spacing requirements of (the FCC’s rules) to other stations, prior-filed applications, and vacant allotments; and
• the proposed new allotment site must provide at least a 70 dBu signal strength over the entire community of licence.

If the petition is accepted, the FCC would then issue a notice which would permit public comment on the application. If approved, the new allotment would then be placed in an auction bid which would require the original petitioner to bid on the allotment.

Full-powered television broadcast stations are allocated through the FCC’s Table of Allotment (47 CFR Section 73.622). Applicants seeking a new broadcast television station must petition the FCC and the FCC will then conduct an auction. However, at this time, the FCC states that it is not accepting new full-powered broadcast television station applications.

Video Programming by Cable and Open Video Services

Historically, video programming has been governed by state and local jurisdictions, called local franchise authorities. However, the Cable Communications Policy Act of 1984, as expanded by the Cable Television Consumer Protection and Competition Act of 1992, added cable television regulation to the FCC’s authority under the Communications Act of 1934 while maintaining the primary regulatory role of the local franchise authorities, with the notable exceptions of establishing a prohibition on regulating rates for cable operators that are “subject to effective competition,” as defined by the FCC, and a prohibition on exclusive cable franchises. In addition, Section 653 of the Telecommunications Act of 1996, as amended, established an “open video system” (OVS) distribution method for video programming in the absence of a local franchising authority regulatory requirement. The specific local franchise requirements vary widely across jurisdictions.

Online Video Services

The FCC’s video regulations generally do not apply to IP-delivered video programming that is not provided by a multichannel video programming distributor (MVPD). There are no prior regulatory authorisation requirements to post videos online. However, entities should ensure compliance with federal, state, and local rules when making video available online. For example, a distribution of online videos may implicate the 21st Century Communications and Video Accessibility Act (CVAA), 47 USC Section 613 and FCC rules where the video was previously published or shown on television. Further, interpretation of Title III of the federal Americans with Disabilities Act (ADA), 42 USC Section 12182, varies, and is subject to change through court interpretation, as to whether a website is “a place of public accommodation” requiring equal access for individuals with disabilities, such as through the provision of closed captioning.

The federal Video Privacy Protection Act (VPPA), 18 USC Section 2710, establishes notice and consent requirements for “video tape service providers”, a term that is defined with sufficient breadth to include many online streaming services as well as video-on-demand services. The VPPA generally requires a consumer’s opt-in consent to disclose personally identifiable viewing history information. The VPPA provides a private right of action and has led to a significant volume of class action information against video services providers and, in some instances, advertising platforms.

With regard to the content of video posted online, pursuant to Section 230 of the Communications Decency Act, providers of an interactive computer service generally are not treated as a publisher or speaker for information provided by another information content provider. As a result, companies with video-sharing platform services will generally not be liable for civil damages for the content of videos where the provider, in good faith, restricts access to, or the availability of, material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected, or where the provider takes action to enable or to makes available technical means to restrict access to the above-described material, along with undertaking other procedural requirements of the statute.

Title II of the federal Telecommunications Act of 1996, as amended (the “Telecommunications Act”), generally governs the offer to the public of interstate and international “telecommunications”, which are transmissions by the aid of wire, cable, radio, or other like connections, through regulations promulgated and enforced by the Federal Communications Commission (FCC) 47 USC §§153(50), (53). The FCC also asserts jurisdiction over certain aspects of interconnected Voice over Internet Protocol (VoIP) services. Whether a transmission is interstate and international, on the one hand, or intrastate, on the other hand, is generally determined by the origination and termination points of the transmission. Generally, providers of telecommunications must possess authorisation from the FCC under Section 214 of the Communications Act of 1934 for interstate and international transmissions, though certain wireless carriers are relieved of the requirement to obtain Section 214 authority and broadband internet access service (“broadband”) is currently subject to distinct regulatory frameworks. All Title II telecommunications service providers and interconnected VoIP providers must obtain an FCC Registration Number (FRN) through the FCC’s website, register with the FCC, and designate an agent for service of process by filing a form with the Universal Service Administrative Company (USAC). These obligations apply to both wholesale providers and resale providers.

Individual state commissions and state and local statutes regulate intrastate transmissions. Providers of intrastate telecommunications must register with or obtain authorisation from each individual state in which the intrastate transmission occurs except where the state legislature or commission has exempted the requirement. Providers of intrastate telecommunications services are also subject to state statutory requirements, such as state statutes on unfair or deceptive acts and practices and privacy.

In contrast to federal Title II “telecommunications services”, transmissions may be subject to reduced FCC regulation if provided on a “private carriage” basis, or if the interstate or international transmission consists of “information services”. Private carriage is the transmission of telecommunications that are not offered to the public. When interstate or international telecommunications are provided on a private carrier basis, the provider is not required to obtain a Section 214 authorisation from the FCC and fewer federal compliance obligations apply. State regulators, however, generally do not recognise the concept of private carriage as an exception to authorisation or compliance obligations.

In addition, there is no requirement to obtain Section 214 authority from the FCC to provide interstate and international information service transmission. Information services are statutorily defined as “the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilising, or making available information via telecommunications” 47 USC §153(24). The definition further states that information service “does not include any use of any such capability for the management, control, or operation of a telecommunications system or the management of a telecommunications service”. Generally, if there is a net change in the protocol of a transmission, the transmission may likely qualify as an information service 47 USC §153(50). Information services have been commonly identified as email, online gaming, web browsing, video conferencing, instant messaging, and other, similar non-voice IP-enabled services. The FCC has a long-standing policy against the economic regulation of “information services”, and there is a prohibition on states subjecting information services to any state economic regulation. However, the FCC’s policy does not prohibit the application of federal and state consumer protection laws to these services.

With respect to VoIP services and VoIP service providers, there is a continuing dispute as to whether federal communications law permits states to require applications for authority; however, one or more states currently assert that authority. For the most part, states either require registrations, typically for purposes of collecting state public fund contributions, or do not impose either a registration or application requirement, although even in such cases, contributions to state public purpose funds may still be required. State economic regulation, such tax obligations, generally apply to VoIP revenues. In general, state regulation of VoIP services and VoIP services providers is limited, but registration, where it exists, varies considerably across the states with state uniquely handling the question of VoIP jurisdiction. In a number of states, legislatures have expressly removed VoIP services and VoIP service providers from the jurisdiction of the state commissions or state commissions have declined to exercise jurisdiction over VoIP services and VoIP service providers, although many such states may permit a “carve out” of residual state commission jurisdiction for purposes of state universal service fund and other public fund assessments.

Key Challenges

Technology agreements may cover the deployment or sale of a number of different services, products, solutions and platforms, including on-premise software licences, software-as-a-service offerings, software development and maintenance, data-related product and services, artificial intelligence-enables solutions and many others. Each type of agreement will have its own challenges. However, key challenges often include performance commitments (eg, warranties and service levels), clear upfront pricing and addressing changes to prices over time, compliance with laws’ provisions, intellectual property ownership, data security and privacy, audit, indemnification and limitations and exclusions of liability.

Legal Framework

As a general matter, technology agreements will choose the laws of particular state to apply to the agreement and a court will enforce the parties’ choice of law in the contract as long as there is a reasonable relationship to the transaction or the parties, subject to certain exceptions. However, in the United States, federal law generally takes precedence over state laws. While there is no over-arching federal contract law, various federal laws will continue to apply to a technology agreement containing the choice of a specific state’s laws depending upon factors such as the subject matter of the agreement, the industry involved and the technology or data involved. For example, software and products that incorporate encryption may be subject to export restrictions under the Export Administration Regulations, a complex licensing and exemption scheme for encryption exports.

Federal, state and local governmental agencies and entities entering into technology agreements are often subject to laws and regulations applicable to the procurement process for technology agreements as well as specific requirements related to provisions contained within the agreements.

Data Protection and Cybersecurity

An increasingly important data protection and security issue concerning technology agreements is whether the parties are entering into a service provider/processor relationship, or whether personal data that is transferred pursuant to the agreement is between parties with independent rights to determine the means and purposes of processing. Comprehensive state privacy laws establish specific requirements for service provider processor contracts, similar to those under the GDPR. In addition, California requires agreements under which a party sells or shares personal data to include a subset of these provisions, including specifying the purposes of the data transfer, obligating the recipient to comply with applicable privacy laws, and providing the data source the rights to assess the recipient’s compliance and remedy instances of non-compliance.

US laws generally do not require data localisation or restrict storage location (other than in relation to countries that are under sanctions or export controls), nor do they require specific measures for cross-border data transfers. However, the location of personal data storage, including the ability to enforce confidentiality provisions against employees or contractors, is often a factor in assessing a contracting party’s ability to meet contractual obligations and to provide a reasonable level of data security.

Data Protection and Cybersecurity

Trust, digital identity, and similar services process personal data that may be highly sensitive because of its potential to be misused for fraud, identity theft, or account compromise. Personal data used in the course of providing such services may be subject to data breach notification laws, which have been enacted in all 50 states, the District of Columbia, and several US territories. These laws typically provide exemptions for encrypted data, provided that encryption keys are not compromised, but determining whether or not this exemption may require a forensic investigation of the relevant data security incident.

Other data protection and cybersecurity considerations that relate to trust and identity services include the following.

• Biometric privacy laws. At least three states have enacted laws that establish notice, consent, and retention requirements for biometric information that is used to establish individuals’ identity. One of these laws, the Illinois Biometric Information Privacy Act, provides a private right of action and has given rise to a significant amount of class action litigation.
• Comprehensive state privacy laws. In addition to requiring heightened consent and security measures for sensitive data (including biometric information and, in California, account credentials), state privacy laws require parties to determine whether the provider or trust or identity service is acting as a service provider/processor or as a third party with independent rights to use personal data under the relevant agreement.
• State data security and disposal laws. Most states have enacted data security legislation, including secure disposal requirements, that specifically govern sensitive data such as social security numbers and state identification numbers.

Electronic Signatures

The federal United States Electronic Signatures in Global and National Commerce Act (the “ESIGN Act”), as supplemented by Uniform Electronic Transactions Acts (the “UETA Act”) and similar laws adopted at the state level, establishes that electronic records are not invalid solely because of their electronic nature when the parties have chosen to use electronic documents and signatures. The ESIGN Act permits individual states to further address electronic signatures for transactions subject to the individual state’s laws, other than in certain areas where the ESIGN Act overrules (or pre-empts) state law. While most states have adopted an act very similar to the model UETA Act, some states have modified the model act or not enacted it. In addition, the model UETA contains certain exceptions to the use of electronic signatures, such as their use with wills, codicils and certain trusts.

Generally speaking, a party to an agreement seeking to establish the validity of an electronic signature will need to:

• show that the counterparty intended to sign the document and consented to conduct business electronically;
• establish the validity of the process by which the signature was created or indicated; and
• show that a record of the electronic signature was retained and can be reproduced by all parties to the agreement.

Additional requirements apply to transactions involving consumers in some cases.

In addition to meeting the requirements related to electronic signature, an electronic contract will still need to meet the requirements for an enforceable contract under applicable state law (ie, an offer, acceptance of the offer and consideration).