Posts which are about the intersection of law and technology.

How to Use Technology to Bridge the Justice Gap

Alex Shahrestani once again presented at EFF-Austin (in conjunction with the Texas Opportunity and Justice Incubator), this time addressing the use of technology to bridge the justice gap, alongside fellow panelists Arlo Gilbert (Osano) and Joseph Cooper (Justice For Me).

Privacy Policies Are Good For Customer Relations

Really, the title of this post should say that good privacy policies are good for customer relations. Many companies see the privacy policy as a necessary evil. They cannibalize market competitors’ privacy policies and call it a day, but the truth is they are missing out on a real opportunity to connect with their customers. If your privacy policy says that you can collect everything under the sun, yes, you might avoid some legal liability issues, but everyone will assume that your alarm clock app or shopping cart website is recording their phone calls. On the other hand, if your privacy policy doesn’t do enough, you could find yourself in a lawsuit for not following the terms of your own policy. 

That’s why I advocate for companies to take pride in their privacy policies.

Privacy policies are more than just a legal hoop to jump through. With fallout from privacy breaches like those at Facebook, Quora, and Newegg, privacy is moving to the front of customers’ minds. Privacy-forward companies are seeing surges in use (DuckDuckGo searches nearly doubled from 2017 to 2018), and, according to the Pew Research Center, 93% of Americans care who has their personal information, and 90% of Americans care what kind of information is held.

Privacy is now a feature of trusted consumer brands. That’s why it’s important to have thought through your privacy values. You need to understand your business model thoroughly to decide whether the collection, sale, sharing, or storage of user data is necessary to your business, because if not, you may be leaving some goodwill on the table with an overly broad privacy policy.

A broad privacy policy will help protect you during litigation, but it won’t let people know where you actually stand when consumers are deciding which brands to trust.

A good rule of thumb for a solid privacy policy is to follow the rule of the 5Ws – use your privacy policy to tell people:

  1. Who is collecting their data
  2. What data is being collected
  3. When the data will be collected
  4. Where the data goes
  5. Why the data is needed; and
  6. How the data is being collected

The above list is a bit of a simplification, but it gets the general idea across of what goes into a good privacy policy. As you’re sifting through the lives of various people with your data, remember that transparency on your end can go a long way towards building trust and lifelong customer relationships.

Five Things Your Startup Can Do to Improve GDPR Compliance Right Now

The General Data Protection Regulation (GDPR) is a robust piece of privacy legislation coming out of the European Union. You might think that being in Austin, Texas, or anywhere outside of the EU would protect you from the obligations, but you’d be wrong. If you collect data on anyone currently in, or a resident of, the EU, then you are subject to the law. The consequences for failing to comply can be huge – fines up to 4% of global revenue. That’s a huge hit. So what can you do about it?

1. Update Your Privacy Policy
The GDPR is all about transparency and consumer choice. When was the last time you read your privacy policy? When was the last time you read any privacy policy? If you collect data from users of your app or visitors to your website, then there’s a good chance that you need to have a privacy policy. What’s more, you actually need to do the things that are stated in your privacy policy. Being out of compliance with your privacy policy can open you up to administrative action and lawsuits from more than just the EU. Make sure your privacy policy is up to date with the latest requirements of the GDPR, California, and other jurisdictions – if you collect data on residents from those jurisdictions, you need to follow their laws.

2. Implement or Update Internal Privacy Policies 
The GDPR isn’t just about providing user choices; you also need to be able to demonstrate compliance when a regulator requests it. The logic of this makes sense when you think about what will happen when the EU moves to enforce – they’ll ask you to prove you’re complying, and they don’t have time to comb through your systems to find proof. Having internal policies that are protective of user information will provide a data point that the regulators can rely on to see that you’ve made an effort to comply – there’s failure to comply and then there’s failure to comply for lack of effort. There’s a chance the regulators would be willing to work with you if they see the failure as innocent and made despite a good faith effort.

3. Provide Users with Choices About How Their Data is Used
As mentioned above, one of the goals of the GDPR is to provide consumer choice when interacting with companies. Being able to offer consumers options with regard to data collection, use, distribution, decommissioning, and review will be necessary for GDPR compliance, so the more privacy is baked into the development process, the better.

4. Update Your Vendor Contracts to Be Privacy Conscious
Under the GDPR, you’re not just responsible for how you use and treat consumer data, but you’re also responsible for how consumer data is treated by those who you give the data to. If you, as a steward of consumer data, give that data to a payment processor, and that payment processor then uses that data in a way that’s out of compliance with your privacy policy or the GDPR, you can be held responsible for that. One defensive measure you can take is by including privacy and security provisions in each contract you enter with vendors.

5. Build Your Systems to Demonstrate How You Protect Consumer Data
Gone are the days of simply seeking to protect your data; now you need to be able to prove that you’ve done it. If a European regulator comes knocking on your door asking whether you’re protecting consumer data, telling them you’ve done so is not enough. Instead, you’ll need to show them how the processes work. When a user opts out of marketing materials, can you show that choice has been memorialized somewhere? Can you show that you work to ensure that those choices are honored? Those are the types of things you should orient yourself towards.

As you might have gathered, the GDPR (and other privacy laws) is no joke. When the GDPR was first announced, they provided companies with three years of runway to get their systems compliant before enforcing the laws. At this point in time, the EU expects compliance. You really should talk to an attorney to make sure you’re in compliance, but hopefully taking these steps will get you part of the way there!

How Common are CyberAttacks?

Cybersecurity is entering mainstream consciousness more and more. Every attack that passes raises the question, a little bit closer to home – will I be next?

A recent study conducted by Sophos and Vanson Bourne of 3,100 IT managers globally had some surprising results.

68% of organizations surveyed fell victim to a cyberattack in the last year. That means that these organizations were unable to prevent attackers from entering their network and/or endpoints. Additionally, those organizations that were victims of at least one cyberattack suffered an average of two attacks within the one-year period.

The organizations reported that threats were in their systems for an average of 13 hours before being detected. The report is quick to point out that the 13 hour number represents the minimum amount of time a threat was within the organizations’ systems.

Additionally, the 2018 Verizon Data Breach Investigations Report states that (coincidentally) 68% of cyberattacks take “months or longer” to discover. The disparity between the two statistics is probably accounted for by the difference in capabilities. Companies who are breached are not in the business of cybersecurity; their teams do the best they can with the tools they have, but they are underequipped and unable to analyze and respond to threat horizons with the precision of cybersecurity providers.

These reports highlight the need to have a strong cybersecurity plan in place, not only technical measures but operational ones too.

Over a quarter of attacks come from inside threats, with about 17% of all breaches resulting from employee error and 4% coming from clicks on phishing campaigns.

Insider threats can be somewhat addressed through technical measures, but they also call for clear policies regarding data operations, regular auditing of compliance measures, and consistent employee training.

A well equipped, well prepared team can mean the difference between prevention, neutralization, and recovery, and a staggering blow to productivity and consumer trust.

Do You Care About Your Customers’ Rights Enough to Pay Them to Read a Contract?

An insurance policy buried a $10,000 prize deep in the contract, stating, “If you’ve read this far, then you are one of the very few Tin Leg customers to review all of their policy documentation.” The contract then provided instructions for the winner to redeem the prize.

$10,000 is a cheap price for all of the benefits the company will receive from this move:

  1. Great publicity. Who doesn’t want to get insurance from a company like that? And now their name is plastered across the internet.
  2. Great for court. Can you imagine going to court against this company about the language of their policies? “Your honor, I would like to point out that my client incentivized people to thoroughly read their contracts – always.”
  3. Goodwill from current customers. Even the customers who didn’t capitalize on the offer will have to feel good about their current insurance company. The company feels more honest, and people will be less inclined to shop around for options.
  4. Encourages transparency. Moves like this, and the benefits that flow from them, contribute to the honest practice of law and to the trust relationship between companies and their customers.

Given the costs of marketing, customer retention, and litigation, $10,000 seems a small price to pay for all that Tin Leg was able to accomplish.

If you’re looking to run your own contest or sweepstakes, make sure to follow good practices! See Social Media Contests and Sweepstakes.

Original story here.

A Google Cybersecurity Solution for Everyone

Alphabet-owned company Chronicle just announced a new product offering: Backstory.

The small Google affiliate promises affordable pricing based on the number of employees that a company has rather than the amount of data used. Depending on what those figures end up being, it could have a big impact on the state of cybersecurity regulation.

The FTC is the de facto enforcer of cybersecurity standards among businesses, and they have moving goalposts regarding the adequacy of a company’s cybersecurity practices:

“From the outset, the FTC has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses.  For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors.  Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data.”

Taken with the possibility of affordable cybersecurity solutions based on company size, smaller ventures no longer have the reasonableness standard to hide behind when they engage in poor cybersecurity hygiene. Even though the standard remains the same, this means “more” regulation.

Even if the potential lower costs mean adding an extra expense, it’s really a big win for consumers and businesses alike. Consumers can feel more confident in sharing their data with businesses (which is often part of a company’s business model), and companies can rest easier knowing that they no longer have to be the ones who let customer data leak for lack of trying.

The Problem of Algorithmic Bias

When thinking about what it is to be biased, people tend to think of someone living in the backwoods, brooding over how “They took our jobs,” and cherry-picking statistics to self-validate their own prejudices against people of other colors, creeds, and backgrounds. Well, that’s stereotyping and shame on you for doing it. 

Bias is overlaying one’s assumptions and simplifications on top of a complex and nuanced person, idea, system, or thing (1). Bias is part of the human condition; it’s how we function (2). Imagine trying to grasp every subtlety of any given situation at all times: it’s inefficient, impractical, and socially awkward. As functioning adults, and sometimes professionals, we are expected to just know things. Asking questions can feel imposing and embarrassing. That’s just how it is. We as humans are simply uncomfortable with acknowledging uncertainty. Bias is inherent and unending, and its minimization should always be pursued.

Bias is already a problem. There was already so much inherent bias in the way that individuals were living their lives that the law had to be changed (several times) in order to try to mitigate the effects of biases (3). However, as bad as it is, what’s the worst thing that can happen when an individual factors an implicit or even explicit bias into their decision? You think, “Wow, what an asshole.” What if that person is representative of, say, a particular restaurant in a community? You avoid that restaurant, and maybe you have a bad time the first and only visit you make to the restaurant. What if the person is representative of an entire town, state, or country? Suddenly the problem is no longer a negligible and easily avoided nuisance.

The problem with algorithmic bias is the difficulty in detecting it and its cold scalability (4). Even those who actively challenge their own biases can accidentally implement their own biases, and when you’re dealing with products that can be downloaded at the touch of a button and delivered to millions of people instantly, suddenly the scale of that minor problem becomes immeasurable. The problematic program scoops up data and spits it out like pulp from a mill. But despite all best intentions, we’re all subject to the law.

There are two main problems of law with bias. One problem is a priori and one is a posteriori. The experience of believing in the basic essence of a thing being universal to the plurality of instances of that sort of thing requires no applicable experience for the negative implications to be apparent — if one is operating on biases when approaching a person or situation, one is missing the richness of the entirety of the situation or person’s character. If one is experiencing a bias, one has already diminished the fullness of an experience. The a posteriori problem follows from the search for the a priori problem. The a posteriori problem is one of direct impact on the subject of the bias, as well as the indirect effects which are far more difficult to define. The indirect effect is the ripple effect, the thumb on the scale. The direct impact of bias is the imbalance created by the effect on the subject, the indirect impact is the affirmation of the initial bias.


  1. http://www.dictionary.com/browse/bias
  2. https://www.boston.com/news/science/2013/02/05/everyone-is-biased-harvard-professors-work-reveals-we-barely-know-our-own-minds
    1. https://www.psychologytoday.com/blog/the-media-psychology-effect/201604/mris-reveal-unconscious-bias-in-the-brain
    2. http://neuroscience.uth.tmc.edu/s4/chapter06.html
  3. https://www.law.cornell.edu/constitution/amendmentxiv
    1. https://www.law.cornell.edu/constitution/amendmentxix
  4. https://www.theatlantic.com/technology/archive/2016/04/the-underlying-bias-of-facial-recognition-systems/476991/

Blockchain Basics: Legal Implications and Business Viability

A panel discussion of the state of blockchain in the law and what the future holds. Featuring Alex Shahrestani, Brian Hall, Brian Konradi, and Mira Ganor.

Fake News and Social Media

The Journal of Law and Technology at Texas presented a roundtable discussion on fake news and social media. The speakers include Texas Tribune Co-Founder and Executive Editor Ross Ramsey, In-House Counsel to Dell and Professor of Law and Social Media at UT Law Ryan Garcia, and former Facebook employee on Operationalization of Legal Procedures Warren Hanes. Moderated by Journal of Law and Technology at Texas Founder Alex Shahrestani.

Social Media Contests and Sweepstakes

Here’s a quick disclaimer. This is not specific legal advice, this article serves as an educational resource only. You should always speak to an attorney about your specific situation to get the best advice for you. If you’re looking for representation you can contact me here.

Contests and sweepstakes on social media can feel like a goldmine: free or low-cost exposure to people through their friends and family? What better way to reach new customers is there?

Social media contests are so ubiquitous that it seems like there must be nothing to them: you have a contest, pick a prize, pick a winner, and you’re done! But they’re not really as simple as they seem. 

Plenty of internet contests have gone wrong due to a lack of preparation, foresight, or luck.

The UK’s Natural Environment Research Council launched an online poll to name a research vessel, and the public popularly voted for the name Boaty McBoatface. Funny, but not helpful to the NERC.

Taylor Swift set up a contest to perform at the U.S. school that earned the most votes, and the internet took over. If Taylor Swift had followed through on the results of the contest she would have been performing at a school for the deaf.

A small regional paper company with a whimsical manager ended up paying out five winning tickets to a single client and took a hosing after failing to limit each contestant to one winning outcome.

Failing to take into account the mechanics of running a contest, the details of who the winner will be, how they will receive their winnings, and what the legal implications are can lead to embarrassment at best and lawsuits at worst. These notes should help get you thinking about how to run your upcoming contest or sweepstakes.

Big Picture Questions
Before getting into the nuts and bolts of how you should run a contest you should ask yourself why. Will this bring new customers? Will this educate consumers about how to use your product? Will a new product be developed from this contest? 

  • Will this contest fit into our mission and values?
  • Do we have a brand media strategy that is prepared for a contest?

If you’ve thought long and hard whether this is a must for your company, then you’re probably ready to hear about what running a contest will entail.

Hiring Experts
You might be considering hiring an outside company to help you with your contest, or maybe you’re hiring new team members. Here are some points to suss out with the potential hire.

  • Do they know what they’re doing?
  • Have they done it before?
  • What info are they collecting and how are they using it?
  • Are the right agreements in place, NDA, security?
  • Are they big enough to indemnify you?

Perhaps the most important question when shopping for consultants is, “Are they big enough to indemnify you?” If they fail to perform on their contract; if they can’t provide adequate security against attempts to manipulate the contest; if a consumer sues; if the FTC sues – your indemnity contract means nothing when they are unable to actually financially support the indemnification.

Contest Formats
How should your contest look? Is it a “share for an entry” post? A luck of the draw game? Customers will be quick to point out flaws in your contest if you fail to run a fair contest. Here are some considerations for various forms of contests and sweepstakes. 

  • Avoid voting
    • Voting fraud at worst, customer complaints at best
  • Contests of skill that require specific criteria are good options to limit your liability
    • Ex. Highest score in a game
    • Ex. First to get all questions correct
  • Vague criteria can be good to create wiggle room for the outcome, such as artistic contests where a panel of employees judges entries based on:
    • Visual appeal
    • Innovation
    • Feasibility
  • Don’t accidentally encourage fake accounts – you could end up violating a platform’s terms

You want to make sure that your customers and participants in the survey believe that you’re trying to hold a fair contest that engages them in the game.

Dealing with Winnings
You’ve determined who’s going to run the contest. You’ve determined how the contest will be run. Now, you need to make sure your contest doesn’t run afoul of the law.

  • If the winner gets over $600, you should issue a 1099
  • If the prizes are valued over $5,000 in the aggregate, then you will have to register in several states for the contest to be legal in those states
    • Registration requires paperwork and bonds for the protection of consumers
    • Failure to register can result in penalties or bans
  • Prizes must be described accurately
    • Approximate Retail Value must be accurate
    • Don’t be “cute” about it
      • A radio contest for “100 Grand” gave the winner a “100 Grand” candy bar
      • A “Toyota” prize for the waitress with the most up-sells turned out to be a Toy Yoda

Winners
How you pick the winner is just as important as determining the rules for the contest. Make sure you put some forethought into how the winner selection will play out.

  • When determining the winner, make sure to stick to the rules and process you set out at the beginning of the competition
  • When notifying the winner, give yourself time – let them know they won, but don’t say what level
  • Clear the winner
    • Ensure they meet qualifications
      • To that end, have entrants accept an affidavit of eligibility (usually very general)
    • Be wary of publicly seen winners, always investigate before publicly announcing a winner
      • Person with multiple warrants; person with face tattoos of swastika
  • What is your plan for the winning entry?
    • Did you give yourself the rights to a commercial?
    • Can you use the winner’s entries in future marketing materials? How about the losing entries?

Some Final Notes and Best Practices

  • Have a contingency plan
    • What will you do if a piece of the contest fails?
  • Formal rules are the terms of a contest
    • Can’t stop a lawsuit but solid rules can be a strong defense
    • Must include the rules at all relevant points
      • Ex. No purchase necessary, legal residents of the 50 states and DC, 18 or older, ends on xx/xx/xxxx. To enter and for official rules, including odds and prize description, visit URL. Void where prohibited.
  • Check platform rules
    • Twitter, Google+, Facebook, etc. (email is also a platform)
  • Be clear in your rules
  • Never change the rules once the contest begins
    • If someone gets upset over the change you could face a lawsuit
    • You could no longer have a contract because you have an entrant who is in a contest without having agreed to new terms
  • Be prepared to send takedown notices for creative entries that infringe on others’ intellectual property
  • If you design a contest to be ugly, it will get ugly
  • Be prepared to address concerns of winners
    • Ex. If there’s supposed to be one winner, but somehow multiple winners occur, you’re still responsible