As Business Goes Digital: Balancing Risk, Competition, and Innovation Presentation to: Charlotte Chapter, Association of Corporate Counsel As Business Goes Digital: Balancing Risk, Competition, and Innovation December 11, 2018 Presented by: Erin Illman, Steven Snyder, and Corby Anderson

What is e-Commerce? A commercial transaction conducted over an electronic network By 2020, expect $4 trillion in global e-commerce

How e-Commerce Is Conducted Online storefronts Online marketplaces Social media

Advantages of e-Commerce The world is your market Open for business 24 / 7 Low cost of operation Manageable inventory Accessible to niche markets Quickly adaptable Can encourage impulse purchases

Advantages of e-Commerce Quickly scalable Easy to retarget, remarket to customers Responsive to consumer trends, market demands Feedback readily available Customers can sell for you Personalized shopping experience Insights through tracking, analytics

Disadvantages of e-Commerce Shipping times Every now and then, technology fails you This site can’t be reached Technology changes constantly Competition is fierce

Advantages Come with Risks How much sharing of data is too much? Concerns about Privacy Transparency Data security

Data Collection: Active and Passive Active: Voluntarily provided by customer Passive: Browser tracking, third-party applications Automatic software logs Cookie placements FTC: 57% of busiest e-Commerce sites allow third-party cookie placement, but only 22% disclose that

Data Collection: Active v. Passive

How Consumers View Privacy A fundamental right? or A tradable commodity?

What Do Consumers Want? Privacy versus personalization and convenience Introducing our company:

e-Commerce Law in the United States Currently no comprehensive federal e-commerce or privacy law, but many narrowly tailored laws Federal Trade Commission Act (FTC Act) Children’s Online Privacy Protection Act (COPPA) Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) Telemarketing and Consumer Fraud and Abuse Prevention Act (Telemarketing Act) Telephone Consumer Protection Act (TCPA) Communications Act of 1934 Computer Fraud and Abuse Act (CFAA)

e-Commerce Law in the United States Sector-specific laws, such as Fair Credit Reporting Act (FCRA) Title V of Gramm-Leach Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health Act (HITECH) Industry and regulatory guidance Contract and tort-based privacy rights State laws

California Online Privacy Protection Act Any business that collects personally identifiable information (PII) of a California resident online must have Privacy Policy that discloses: Types of PII collected Third parties PII may be shared with How consumer can review, seek changes to PII How consumer is notified of changes to Privacy Policy Effective date of Privacy Policy

California Online Privacy Protection Act “Do Not Track” provision requires business to: Disclose how it responds to “Do Not Track” signals from web browsers Disclose whether third parties may collect visitor’s PII Provide hyperlink in Privacy Policy to description of any protocol that offers consumer choice regarding any collection of PII about online activities

EU’s General Data Protection Regulation Concerns data protection and privacy for all individuals in European Union (EU) Regulates export of personal data from EU Gives control of personal data back to citizens and residents of EU Took effect May 25, 2018 Imposes fines of up to 4% of global revenue, or €20M

EU’s General Data Protection Regulation High-level requirements: Lawfulness, fairness, and transparency Individual rights Accountability and governance Information security Records management

Does GDPR Apply to Your Business?

Does GDPR Apply to Your Business? Additional guidance issued on November 23, 2018, added further nuance to determining whether GDPR applies, including: What processing the business does of data subjects in the EU Whether that processing relates to the offering of goods or services or the monitoring of data subjects’ behavior This guidance is available here: https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en

Takeaways: Privacy Policy Privacy policy must align with practices Requires knowledge and control of how data is used Requires coordination between business stakeholders and legal/privacy counsel Do not try to “cover yourself” with overly broad language Have procedures for monitoring changes in practices that warrant updates to policy

Takeaways: Emerging Technology Technology can outpace regulation Being too far in front creates legal risk Companies must balance this risk with the need to adopt emerging technology to remain competitive Requires careful consideration and assessment of technical and legal frameworks

Takeaways: Data Security Know your data First things first, what data do you Collect? Use? Share? Store? Match data with legitimate, legal business purpose

Takeaways: Data Security Establish corporate philosophy of data processing, storage, and overall management Work with business units to ensure that privacy obligations can be implemented with technology in place Make sure all employees understand expectations Make sure proper procedures are in place

Takeaways: Intellectual Property E-Commerce sites contain a wealth of IP: Product images and descriptions Videos, background music, and sound effects Photos and drawings Make sure you have the right to use what you post on your site, either because: You own it or have a license to use it It is in the public domain It meets the requirements for fair use

Takeaways: Intellectual Property Make sure any branded goods you sell are authentic and from authorized suppliers If you use celebrity images, be mindful of rights of publicity If your site posts user-generated content, be sure you can qualify for Digital Millennium Copyright Act’s safe harbor provision Coordinate social media strategy with IP strategy

Takeaways: Intellectual Property Protect all IP that you create, develop, or commission for your site: Word marks, slogans, logos Designs, artwork, photos Music, sound effects Unique processes or services Trade secrets Use web monitoring to detect brand infringements

Takeaways: Advertising Manage your brand’s online presence Work with marketing, communications, customer service teams Protect against fake third-party posts Make sure native ads include disclosure Guard against false online reviews (actionable as false advertising)

Takeaways: Advertising Never link positive reviews to special pricing For endorsements and testimonials Be transparent, conspicuously disclose material connections Make sure influencers have information they need to understand attributes of products and services Confirm that testimonials are accurate and do not overstate benefits of product or service

If you’d like more information on any of these issues, please let us know. dley.com eillman@Bradley.com ssnyder@Bradley.com canderson@Bradley.com Thank you!