Michelle Cohen: Internet Privacy Lawyer on Internet Marketing
Attorney Michelle Cohen: Increased Federal Enforcement of Mobile Commerce in 2013
What to do if you think your company has had a data breach
Michelle’s unfailing dedication to her clients is evidenced by the fact that her first client, whom she worked with as a first-year associate over 20 years ago, remains an active client. She establishes strong and lasting relationships by committing herself to client service. Michelle understands her clients’ business goals, guides them in their use of new technologies, and communicates with them as their business activities unfold.
Michelle’s practice is focused on helping her clients establish powerful and lasting relationships with their customers and prospects. Whether engaging audiences through sweepstakes/contests, social networks, telemarketing, text, or email marketing, Michelle ensures that her clients’ communications comply with current marketing and privacy laws and regulations. For clients who have embraced the popularity of online promotions and gamification, Michelle keeps programs running smoothly by providing guidance on the necessary rules, thresholds and disclosures in the midst of a constantly changing legal landscape. As clients rely more on social media to publicize promotions, Michelle provides up-to-the-minute legal counsel related to the rules on Twitter, Facebook and other social sites.
As Ifrah Law increasingly leads the way in iGaming, Michelle advises daily fantasy sports and e-Sports companies on privacy matters, including drafting online terms and conditions, and preparing legal opinions and analysis to support iGaming companies’ launching of their services, including working with payment processors.
When clients find themselves involved in an enforcement matter with the Federal Trade Commission, Federal Communications Commission or state agencies, Michelle’s deep knowledge in these areas and her strong footing in the privacy community help her to resolve issues in the most expedient manner possible. Michelle has extensive experience defending individual and class actions in the consumer protection context, including dozens of Telephone Consumer Protection Act cases. She obtained a rare rescission of an FCC citation in a TCPA enforcement matter.
Michelle also advises clients as to what policies and procedures can be put in place to show a company’s good faith efforts, should the government come knocking. When companies are involved in potential data or security breaches, Michelle knows which questions to ask to ensure they have a sound legal strategy. She works with the company step-by-step to resolve the situation from the government’s, her clients’ and their customers’ points of view.
Previously, Michelle was a partner at Thompson Hine where she was a member of their telecommunications, corporate transactions & securities and emerging technologies groups. She began her legal career in the litigation department at Paul Hastings, where she spent seven years honing her litigation skills, prior to moving into their corporate practice. Her litigation experience gives her a solid foundation for helping clients avoid litigation as well as for advising them when they are faced with litigation. This litigation experience, coupled with her regulatory and corporate experience, allows Michelle to offer her clients a full complement of services.
Awards + Recognition
- National Law Journal, 2016 Top Rated Litigator
- Certified Information Privacy Professional (CIPP) certification, International Association of Privacy Professionals
- ALM 2013 Washington DC's Women Leaders in the Law
- ALM 2012 Top Rated Lawyer - Technology Law
- Martindale-Hubbell AV Preeminent Peer Review Rating
- Editorial Board Member, E-finance & Payments Law & Policy
- Editorial Board Member, E-Commerce Law & Policy
Professional + Community
- Board Member, Sewall-Belmont House & Museum
- Past Board Member, Women in Cable and Telecommunications, Washington, D.C. - Baltimore Chapter
- Federal Communications Bar Association
- District of Columbia Bar
- New York State Bar Association
- Women's Bar Association of DC
- Volunteer, Special Olympics
- Brandeis University Alumni Admissions Council
- Pro Bono Volunteer through the District of Columbia Bar
- Former Board Member for the Law Firms Division of the United Way, National Capital Area
Winning Big with a Celebrity Sweepstakes Endorsement
After developing a solid online promotions program over several years with Michelle Cohen advising on sweepstakes and contests, Michelle’s long-standing client, a digital wellness company, decided to energize its online efforts with a celebrity endorsement sweepstakes. The celebrity, a known health advocate and popular entertainer, partnered with our client to give away VIP ticket packages to his sold-out shows in multiple cities.
Michelle crafted sweepstakes rules and reviewed promotional materials, including social media campaigns. The celebrity also used social media to organize in-person athletic meet-ups around the country, as part of his current touring schedule. This coast-to-coast campaign included sweepstakes at the on-site events. Michelle worked with our client on several aspects of its campaign, including social media messaging, drafting winner’s eligibility affidavits and ensuring compliance with state and federal sweepstakes laws, as well as social networks’ policies and requirements.
The result? Michelle’s client continues to develop exciting and clever online promotions that will engage their audience, while complying with applicable laws and regulations and maintaining positive relationships with key social networks.
Successfully Negotiating the Sale of Assets During a Government Investigation
When a company that is under investigation for money laundering decides to sell its assets, what was once a straightforward sales process becomes a complex negotiation. That is what happened with our client, a provider of diagnostic testing equipment.
Ifrah Law and Michelle Cohen represented the company in its sale of radiology and cardiology diagnostic services equipment, which involved numerous challenges. Understandably, the buyer was concerned about the ongoing criminal investigation, and Michelle worked closely with them to address their concerns about representations and warranties and possible post-sale seizure from the government. Additionally, since there were bank liens on some of the assets, Michelle worked with the bank’s outside counsel to arrange a prompt payoff, obtain a satisfactory pay-off letter and secure a release of the liens in order to close the deal. Michelle also worked with the buyer to create a creditor payment plan that would pay off unsecured creditors and obtain releases from them in order to address the buyer’s concerns about unsecured creditors seeking relief from the buyer. Finally, she created an employee fund (funded by the buyer) to pay for uncompensated leave time.
These complicated issues were resolved in less than two weeks, as a result of Michelle’s skilled negotiations with all parties. The buyer was represented by Delaware’s largest law firm.
Successful Resolution of a TCPA Class Action
Michelle Cohen’s client, a publicly-traded enhanced messaging provider, was involved in a large-scale class action alleging violations of the TCPA’s unsolicited facsimile advertising rules. In addition to having provided the client with TCPA advice for over 15 years, Michelle represented them in enforcement matters before the FCC, including obtaining the rescission of an FCC citation, a highly unusual ruling from the FCC, finding that the client had a valid defense to the citation.
This TCPA case involved the alleged sending of 125,000 unsolicited faxes. The class was suing for triple damages of $1500 per violation – up to $180 million. Michelle and her team handled discovery, including depositions and motions. When the other parties decided to enter mediation, Michelle represented her client through the mediation, to the settlement agreement and ultimate dismissal of the case. Given the damages at stake, this case was successfully resolved for Michelle’s client, whose settlement contribution fell below the limits of their insurance policy.
Ensuring TCPA Compliance for a Global Provider of Customer Management Services
On behalf of our client, a leading provider of customer management services with call centers around the world, Ifrah Law led a full-scale review of its customer communications to ensure that they comply with federal and state requirements, including those of the TCPA and the FTC’s Telemarketing Sales Rule (TSR). We addressed the many different types of calls that the company undertakes on behalf of its varied customer base – service calls, appointments, live sales calling and pre-recorded calls – to ensure that its call centers are using consistent protocols and controls in the United States, and that these protocols are in compliance with the TCPA and TSR. Our client trusted Ifrah Law with this extensive project due to our long history with managing TCPA matters – we have been involved with the TCPA since its inception in 1991 – and due to our prior work for the client, including successfully representing the client in two FCC inquiries.
We worked with the company’s Director of Privacy to develop a thorough understanding of the types of calls that the company makes for its customers, and the contractual protections that are in place and which could be revised to protect the company further. A critical aspect of this project was to educate leaders within the company that there are different TCPA requirements based on the type of call: technology used, person being called, whether the call is pre-recorded or live, and whether it is mobile or business. We also wrote the call center guidelines and controls to ensure that all employees – from those being trained to the marketing team – had the same information regarding how to handle different types of customer call projects.
This large-scale process took a year to complete. Once the documentation was finalized, our client was ready to begin a company-wide training program on the guidelines, well in advance of TCPA rule changes.
In the past few years, many organizations such as Capital One, Bass Pro Outdoor, and the Cosmopolitan Hotel have faced class actions alleging violations of California’s call recording law. This week, California’s Attorney General demonstrated that her office, working with state prosecutors, will also vigorously enforce the law under the state’s criminal statutes. Attorney General Harris announced an $8.5 million settlement with Wells Fargo Bank, N.A. over the alleged failure to provide call recording announcements to California consumers.
The complaint alleged violations of Sections 632 and 632.7 of California’s Penal Code, including the purported failure of Wells Fargo’s employees to “timely and adequately disclose the recording of communications with members of the public.” These laws form part of California’s Invasion of Privacy Act. Section 632 makes it illegal to eavesdrop (monitor) or record a “confidential communication” without the consent of all parties. The statute defines a “confidential communication” as including “any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto.” The law specifically excludes communications in circumstances “in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.” Section 632.7 bars the recording of cell phone conversations without the consent of all parties.
Wells Fargo Bank settled the case, agreeing in a stipulated judgment to the $8.5 million settlement and certain compliance requirements. Specifically, Wells Fargo must make a “clear, conspicuous, and accurate disclosure” to any consumer in California of the fact that Wells Fargo is recording the call. The settlement requires that this disclosure occur “immediately at the beginning” of the call, but allows Wells Fargo to precede the disclosure with an introductory greeting identifying the customer service representative and the entity on whose behalf the call is made (presumably, a Wells Fargo-affiliated entity). Wells Fargo also committed to a compliance program for one year and periodic internal testing of its employees’ and agents’ compliance with the call disclosure requirement. The bank agreed to appoint an officer or supervisor with specific oversight responsibility for compliance with the settlement obligations. Within a year following the stipulated judgment, Wells Fargo must provide the Attorney General with a report summarizing the testing.
Interestingly, the Attorney General previously pursued a similar action against home improvement platform Houzz Inc. for allegedly failing to notify all parties of its recording of incoming and outgoing telephone calls. In that case, Houzz agreed to appoint a Chief Privacy Officer to oversee Houzz’s compliance, a first for a California Department of Justice settlement.
As we have advised before, all organizations recording calls – whether inbound or outbound – should immediately disclose to called parties that the call is being recorded. The disclosure should occur at the outset of the call. One type of introduction could be, “This is Michelle, calling on behalf of XYZ Company. This call is being recorded and/or monitored.” Some companies may wish to announce the option of a non-recorded line, available via a key press. It is also important to time the recording to begin after the announcement, to avoid potential liability based on even a few seconds of a recorded call before an announcement is given.
A few important reminders are worth repeating:
- The announcement requirement applies to inbound and outbound calls, including requested return calls.
- Recording announcements apply to all types of calls – not just sales calls.
- Maintain proof of the announcement.
- Implement a short, written call recording policy.
- Train customer service representatives to understand the call recording policies.
- Periodically “test” call recording procedures.
- Promptly investigate any call recording complaints and take appropriate corrective action.
- Have customer service representatives sign an acknowledgment that they understand they are being monitored and/or recorded.
The recording of customer service and other calls is an important component to prevent fraud, fulfill legal requirements and augment customer service, among other reasons. Companies can implement call recording effectively, but must comply with announcement requirements and should take proactive measures, such as training and testing, to protect against civil and criminal liability and to safeguard consumer goodwill.
Just last month at the National Council of Legislators from Gaming States (“NCLGS”) winter meeting in Orlando, I discussed the strong interest in skill-based games by casino owners, regulators, legislators, and the public. In an effort to appeal to millennials, fill empty slot seats, and expand the demographic at Atlantic City casinos, New Jersey’s Division of Gaming Enforcement (“DGE”) just announced new temporary regulations for “skill-based gaming.” Although the DGE already has authority to permit skill-based games – and last year allowed a $10,000 free throw basketball tournament at the Borgata – the agency issued these regulations to provide additional guidance to industry. DGE hopes to encourage companies with skill-based games to bring their products to Atlantic City before other jurisdictions. The regulations can be found here.
Key Consumer Protection Disclosures
The temporary regulations define “skill based gaming” as “any Division approved casino game where game outcome is dependent in whole or in part upon the player’s physical dexterity and/or mental ability.” This definition is broad enough to cover a wide variety of skill-based games – from basketball and golf to “Trivia Crack” and various brain teasers. The DGE mandates certain consumer protections, including that skill-based games clearly display:
- Rules of play
- Amount required to wager on the game
- Amount to be paid on winning wagers
- Any rake or fee charged to play the game
- Total amount wagered by the player
- Statement that the outcome of the game is affected by player skill (applies to skill and “hybrid” games), and
- Other information sufficient for the player to reasonably understand the game
In addition, “unless otherwise disclosed to the player,” once a player begins a skill-based game, the gaming device cannot be altered during play based on a player’s skill.
Special Advantages/Identifiers Allowed with Conditions
DGE’s regulations allow player-purchased enhancements, randomly awarded enhancements, or other advantages, provided all players are advised of these features. The DGE put certain protections in place for these features. Specifically, players must be advised both that the feature is available and of the benefit it offers. A skill-based game offering these advantages is required to explain how to obtain the feature and to provide players “with sufficient information to make an informed decision, prior to game play, as to whether or not to compete against a patron” who has this advantage.
Skill-based games may use an “identifier” (such as the skill of the player) to determine which games are available to a player. The regulations also allow players to compete against a computerized or skilled house-sponsored opponent, provided the game discloses when the opponent is participating and allows a player to opt-in or opt-out of a computerized or house-sponsored opponent. To establish fairness, the computerized or house-sponsored opponent must be prevented from having access to information that is otherwise unavailable to a player (for instance, knowledge of upcoming events).
Peer-to-Peer Skill Gaming
All peer-to-peer skill-based games are to be monitored for collusion and money laundering activity using an automated feature (following the internal controls of the casino licensee).
The temporary regulations require that slot machines with a skill-based component have a payout of at least 83 percent for each wager available for play on the device. However, games that rely “entirely” on skill or do not use a random number generator (“RNG”) are not required to achieve a minimum hold percentage.
Skill-based games will continue to require DGE approval. A special “New Jersey First” process allows companies that bring their skill-based products to New Jersey before or simultaneously with submission to any other jurisdiction or testing lab, a 14-day approval process from testing to placement on the casino floor.
The temporary regulations mirror Nevada regulations on skill-based gaming adopted in September 2015. Therefore, any skill games approved in New Jersey would be permissible in Las Vegas and vice versa.
Massachusetts, Pennsylvania Close Behind/Trends
Other states are exploring permitting skill-based games at casinos. Just last week, Massachusetts issued draft regulations – comments are due by March 7. Pennsylvania is also reviewing allowing skill games at casinos.
Empty chairs at traditional slots mean zero revenues. Casinos are, understandably, looking to attract new patrons and recognize that millennials are used to interactive gaming experiences, having grown up with Xboxes, Wii games, and popular online games such as Candy Crush. Caesars Entertainment’s CEO reportedly advised slot makers recently to speed the development of new products, such as skill-based gaming machines. We expect to see the roll-out of a variety of skill-based games and other contests, including many that may appeal to millennial and Generation “X” and “Y” nostalgia, such as Guitar Hero, Pac Man, and other popular arcade games.
Regulators and casino operators will likely continue to develop rules and procedures during the approval processes and following reviews on the initial roll-out. We see several issues that will need to be addressed depending on the type of game. For instance, when playing head to head, what happens if there is an unanticipated stop of play due to a player issue, a tech issue or some other act? Who ultimately decides the winner in the event of a dispute/tie? Can professionals (for instance e-Sport-sponsored players) play skill-based video games? What about college athletes playing “their” sport in a skill-based athletic game? How will wagers work? Who will host the games? Will there be exclusivity?
The key to answering many of the operational questions will be for the manufacturers and casino operators to develop clear “rules of the game” that address the varied situations – similar to current rules for skills contests run online or in brick and mortar locations. Detailed rules and disclosures can help the games run smoothly and prevent later disputes and litigation.
We applaud New Jersey’s DGE for encouraging innovation through these new regulations and the New Jersey First program. The DGE recognizes the need for games that appeal to expanded demographics. The DGE’s speedy implementation of skill-based gaming regulations, as well as its outreach and willingness to engage with industry, demonstrate the agency’s commitment to economic growth while ensuring consumer protections are in place.
Most of the attention involving the Telephone Consumer Protection Act (“TCPA”) has centered on the stream of class actions around the country. It is important to remember that the Federal Communications Commission (“FCC”) and state attorneys general can, and do, enforce the TCPA. In fact, the FCC recently issued citations to Lyft, the ride-sharing service, and First National Bank (“FNB”). Under the Communications Act, before the FCC may issue monetary penalties against a company or person that does not hold an FCC license or authorization, it must first issue a citation warning the company or person.
The TCPA requires prior express written consent for telemarketing calls/texts to mobile phones utilizing an autodialer or prerecorded call and for prerecorded telemarketing calls to residential lines. FCC rules mandate that the “prior written consent” contain certain key features. Among these requirements is the disclosure informing the consenting person that “the person is not required to sign the agreement – directly or indirectly – or agree to enter into an agreement as a condition of purchasing any property, goods, or services.”
For years, the FCC focused on actual consumer complaints of having received telemarketing calls/texts without the required prior express written consent. Interestingly, here, the FCC did not allege that either Lyft or FNB sent texts/robocalls without the required consent. The FCC’s accompanying press release indicates that its Enforcement Bureau initiated the two investigations after becoming aware of “violative provisions in those companies’ service agreements.” The citations issued to Lyft and FNB, along with recent correspondence by the FCC to PayPal concerning similar issues, represent new FCC attention on terms/conditions of service in the TCPA context, particularly on “blanket take it or leave it” agreements. The FCC Enforcement Bureau Chief, Travis LeBlanc, put all companies on notice, urging “any company that unlawfully conditions its service on consent to unwanted marketing calls and texts to act swiftly to change its policies.” The FCC directed Lyft and FNB to take “immediate steps” to comply with FCC rules and the TCPA – presumably meaning that the companies should immediately revise their terms and practices.
According to the FCC, Lyft’s terms require customers to expressly consent to receive communications from Lyft to customers’ mobile numbers, including text messages, calls, and push notifications. The messages could include Lyft-provided promotions and those of third-party partners. The terms advise customers that they can opt out by following the “unsubscribe” option, and that customers are not required to consent to receive promotional messages as a condition of using the Lyft platform or the services.
However, the FCC found that contrary to Lyft’s terms of service, Lyft does not actually provide “unsubscribe options” for consumers. If a consumer independently searches and gets to Lyft’s “help center,” the only option to opt-out subsequently prevents consumers from using Lyft’s service. Thus, per the FCC, “Lyft effectively requires all consumers to agree to receive marketing text messages and calls on their mobile phones in order to use services.”
The FCC concluded that while Lyft’s terms of service stated that consumers were not required to consent as a condition to using Lyft, in actuality, consumers could not refuse consent and remain Lyft users. Thus, the FCC cited Lyft, warning that it would be liable for any advertising text messages for which it did not collect proper, prior express written consent. The agency further stated that it would continue to monitor Lyft’s practices.
In FNB’s investigation, the FCC noted that consumers wishing to use FNB’s online banking services are required to agree to receive text messages and emails for marketing purposes at consumer-provided phone numbers. FNB customers wishing to enroll in the Apple Pay service are similarly required to consent to receive marketing-related text messages and emails. The FCC objected to FNB requiring consumers to agree to receive marketing text messages in order to use the online banking and Apple Pay services, and failing to inform consumers that they have the option to refuse consent. The agency reiterated that under FCC rules, prior express written consent to receive telemarketing messages requires that, among other things, consumers receive a clear and conspicuous disclosure informing the consumer of his or her right to refuse to provide consent.
When it comes to autodialed/prerecorded telemarketing calls and texts to mobile phones and prerecorded telemarketing calls to residential lines, companies need to be diligent in ensuring they have proper, defensible prior express written consent. The FCC’s citations to Lyft and FNB make clear that organizations may not rely on blanket mandatory opt-in agreements. While it may be acceptable to seek consent in terms of service, consumers must be informed of their opt-out abilities, and must be able to access the opt-out and still use the service or make the purchase.
Companies should review their service agreements and the operational mechanisms to make sure consumers have information on opting-out. Further, any opt-out mechanisms must work as promised. A user’s opt-out should not block services/purchases. Of course, the best way to obtain consent is to seek a separate, prior express written consent in an agreement that contains all the required elements, as follows:
- Is in writing (can be electronic);
- Has the signature (can be electronic) of the person who will receive the advertisement/telemarketing calls or texts;
- Authorizes the caller to deliver advertisements or telemarketing messages via autodialed calls, texts, or robocalls;
- Includes the telephone number to which the person signing authorizes advertisements or telemarketing messages to be delivered;
- Contains a clear and conspicuous disclosure informing the person signing that:
  - By executing the agreement, the person signing authorizes the caller to deliver ads or telemarketing messages via autodialed calls, texts or robocalls; and
  - The person signing the agreement is not required to sign the agreement (directly or indirectly) or agree to enter into such an agreement as a condition of purchasing any property, goods, or services.
As a reminder, the FCC repeatedly takes the position that the company claiming prior express written consent will bear the burden of proving that consent.
With a $143 million market in North America, eSports is big business in the U.S. And given its swift rise in popularity – 205 million people worldwide watched or played eSports in 2014 – it will only become bigger. At last week’s eSports Conference, held in San Francisco September 9-10, industry leaders met and mingled while discussing market trends, best practices and the future of eSports. But before eSports companies get swept away by the excitement surrounding the industry, it’s critical to take a step back and ensure that your company has a solid legal footing in place to avoid “game over.”
- What should eSports companies pay particular attention to in crafting their terms and conditions?
Players should be provided with straightforward terms and conditions that explain the rules of the game, the policies governing the use of the site, and any other important rules, such as an operator’s ability to terminate or suspend a player if the need arises. Clear and compliant terms and conditions may limit company liability, specify mandatory arbitration for most claims, and allow the operator to terminate or suspend services at its discretion. Operators may also consider setting certain minimum standards when allowing users to post content, such as forbidding content that is violent, harassing, pornographic, infringes on intellectual property rights, or defames others. Companies might also specify that player accounts may not be bought or sold, to avoid the sale of in-game currency and goods on the secondary market.
- What privacy laws impact eSports companies?
Security breaches in the financial services and healthcare sectors frequently make the news. But privacy laws and data breaches – whether from employee negligence or hackers – affect all companies. Start-ups could be particularly vulnerable because they have limited resources and may not be focused on data security and data privacy. There are two main aspects of data privacy to consider – how to protect data and what to do if data security is breached.
Step 1: Get serious about protecting the personal data you collect. This includes understanding the data your company is collecting and making sure operational controls are in place. Operational controls include secure systems and appropriate managerial controls. Access to personal information should be only as needed. Employees should be trained (and re-trained) on data protection, such as making sure data is encrypted and not stored on devices that can be easily lost or stolen such as flash drives.
Step 2: Develop an action plan should a breach occur. This includes understanding what agencies, organizations, and persons may need to be notified. Most states require that affected persons be promptly notified if their personal information has been exposed. Other important considerations include: understanding the extent of the breach and whether any actions such as changing passwords need to be implemented immediately; forming an internal team to include public relations, IT, human resources, and legal, and lining up appropriate outside resources such as counsel and credit monitoring services.
- How can I manage kids who try to register for my eSports website?
In the U.S., there are particular restrictions on collecting personal information from children under 13. The Children’s Online Privacy Protection Act (COPPA) limits the personal identifying information that companies can gather on children under 13 and requires certain disclosures and parental consent. Since many kids under the age of 13 engage in online gaming, it is critical that gaming companies are aware of the children’s privacy laws, which include:
- Notifying parents directly before collecting their children’s (under 13) personal information and getting the parents’ consent
- Honoring parents’ rights with respect to information collected about their children
- Implementing reasonable procedures to protect the security of children’s personal information
- Could eSports be subject to the laws governing other online activities, such as fantasy sports or online poker?
Unlike real-money online poker, the exchange of money is not an inherent feature of eSports. Athletes compete against each other for the fun and social aspects of the games rather than to win money from one another. This lack of wagering between players removes eSports from the reach of the laws which ultimately caused the shutdown of unregulated real-money online poker in the US. However, new real-money industries of fantasy eSports and eSports betting have arisen to engage eSports viewers even more actively in the games they watch. Fantasy eSports are nearly identical to traditional fantasy sports in that players exercise their skill to assemble a team whose performance is not determined by the outcome of a single athlete, team, or match. Fantasy sports—and by extension, eSports—are generally considered to be legal under most federal and state gambling laws. However, as the industry grows, fantasy sports are receiving increased attention from regulators and there has been an effort to restrict them in some states. Conversely, other states seek to assure their legality by passing specifically tailored laws to protect them. Organized eSports betting on single matchups, while popular overseas, has not taken off in the U.S. due to concerns about its legality. The element of chance or luck inherent in picking the outcome of a single game or the performance of a single athlete is generally considered high enough for the activity to be deemed illegal gambling in an unregulated setting. However, free-play eSports wagering sites may avoid this classification by providing virtual betting which does not involve the exchange of real money in order to wager.
- What are legal issues that free-play eSports betting sites should be aware of?
Free-play eSports betting platforms need to be cognizant of the three elements of gambling: consideration, chance, and prize. These three elements, when present in a single activity, add up to illegal gambling under many states’ laws.
Free eSports wagering sites may attempt to remove the element of consideration by creating their own virtual currency, which users may obtain for free and cannot cash out for real money. Customers might receive virtual currency just for creating an account, and earn additional currency completing certain in-game activities. However, omitting real money from the equation does not necessarily mean that consideration is absent under some states’ laws. Some states may consider other benefits conferred by a user to satisfy the element of consideration, such as if users have to provide substantial information or devote substantial time to earn the currency.
Every week, we learn about new data breaches affecting consumers across the country. Federal government workers and retirees recently received the unsettling news that a breach compromised their personal information, including social security numbers, job history, pay, race, and benefits. Amid a host of other public relations issues, the Trump organization recently discovered a potential data breach at its hotel chain. If you visited the Detroit Zoo recently, you may want to check your credit card statements, as the zoo’s third party vendor detected “malware” which allowed access to customers’ credit and debit card numbers. And, certainly, none of us can forget the enormous data breach at Target, and the associated data breach notifications and subsequent lawsuits.
For years, members of Congress have stressed the need for national data breach standards and data security requirements. Aside from mandates in particular laws, such as HIPAA, movement on data breach requirements had stalled in Congress. Years ago, however, the states picked up the slack, establishing data breach notification laws requiring notifications to consumers and, in many instances, to attorneys general and consumer protection offices when certain defined “personal information” was breached. California led the pack, passing its law in 2003. Today, 47 states have laws requiring organizations to notify consumers when a data breach has compromised consumers’ personal information. Several states’ laws also mandate particular data security practices, including Massachusetts, which took the lead on establishing “standards for protection of personal information.”
Many businesses and their lobbying organizations have urged Congress to preempt state laws and establish a national standard. Most companies have employees or customers in multiple states. Thus, under current laws, organizations have to address a multitude of state requirements, including triggering events, types of personal information covered, how quickly the notification must be made, who gets notified, what information should be included in the notification, among others. State Attorneys General, on the other hand, assert that, irrespective of these inconveniences, their oversight of data breaches through the supervision of notifications and enforcement has played a critical role in consumer protection.
This week, the Attorneys General from the 47 states wrote to Congressional leaders, urging Congress to maintain states’ authority in any federal law, by requiring data breach notifications, and preserving the states’ enforcement authority.
The AGs’ key points are:
- State AG offices have played critical roles in investigating and enforcing data security lapses for more than a decade.
- States have been able to respond to constant changes in data security by passing “significant, innovative laws related to data security, identity theft, and privacy.” This includes addressing new categories of information, such as biometric data and login credentials for online accounts.
- States are on the “front lines” of helping consumers deal with the fallout of data breaches and have the most experience in guiding consumers through the process of removing fraudulent charges and repairing their credit. By way of example, the Illinois AG helped nearly 40,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts.
- Forty states participate in the “Privacy Working” group, where state AGs coordinate to investigate data breaches affecting consumers across multiple states.
- Consumers keep asking for more protection. Any preemption of state law “would make consumers less protected than they are right now.”
- States are better equipped to “quickly adjust to the challenges presented by a data-driven economy.”
- Adding enforcement and regulatory authority at the federal level could hamper the effectiveness of the state law. Some breaches will be too small to have priority at the federal level; however, these breaches may have a large impact at the state or regional level.
Interestingly, just this week, Rep. David Cicilline (D-RI) introduced a House bill mandating that companies inform consumers within 30 days of a data breach. The bill also requires minimum security standards. Representative Cicilline’s bill would not preempt stricter state-level data breach security laws. The bill also contains a broad definition of “personal information” to include data that could lead to “dignity harm” – such as personal photos and videos, in addition to the traditional categories of banking information and social security numbers. The proposed legislation would also impose civil penalties upon organizations that failed to meet the standards.
Without a doubt, data breaches will continue – whether from bad actors, technical glitches, or common employee negligence. The states have certainly “picked up the slack” for over a decade while Congressional actions stalled. Understandably, the state AGs do not want Congress taking over the play in their large and established “privacy sandbox.” Preemption will continue to be a key issue for any federal data breach legislation before Congress. As someone who has guided companies through multi-state data breach notifications, I have seen firsthand that requiring businesses to deal with dozens of differing state requirements is costly and extremely burdensome. Small businesses, in particular, are faced with having to grapple with a data security incident while trying to understand and comply with a multitude of state requirements. Those businesses do not have the resources of a “Target,” and complying with a patchwork of laws significantly and adversely impacts those businesses. While consumer protection is paramount, a federal standard for data breach notification would provide a common and clear-cut standard for all organizations and reduce regulatory burdens. While the federal standard could preempt state notification laws, states could continue to play critical roles as enforcement authorities.
In the interim, companies must ensure that they comply with the information security requirements and data breach notifications of applicable states. An important and overlooked aspect is to remember that while an organization may think of itself as, say, a “Vermont” or “Virginia” company, it is likely that the company has personal information on residents of various states – for instance, employees who telecommute from neighboring states, or employees who left the company and moved to a different state. Even a “local” or “regional” company can face a host of state requirements. As part of an organization’s data security planning, companies should periodically survey the personal information they hold and the affected states. In addition to data breach requirements in the event of a breach, organizations need to address applicable state data security standards.