I am pleased to announce that I am a new ProVisors home group leader in the Silicon Valley Region. I will be leading a new Silicon Valley Virtual 1 Group, which will be an all-virtual home group for service providers engaged in Silicon Valley business. The group will meet the first Friday of the month at 11:30 a.m. PT, and we are currently seeking our first members. If you would like to learn more about ProVisors or Silicon Valley Virtual 1, please reach out to me for additional information, either through LinkedIn or by email at kp****@pr************.com. I am excited about this new opportunity and look forward to the challenge of leading a new ProVisors group in this dynamic region. For more information about ProVisors, view https://provisors.com.
The Silicon Valley Software Law Blog’s Kristie Prinz of The Prinz Law Office will be speaking at an upcoming one-day Practicing Law Institute Program to be held on October 9, 2024 at the PLI headquarters in San Francisco, California.
Kristie will be speaking on “Drafting Privacy Policies for Devices with No User Interface – What Do You Do?”, along with Peter McLaughlin of Rimon, P.C. The presentation will examine the challenges of managing legal and privacy terms for IoT devices.
The one-day program is titled “Advanced Internet of Things 2024: Deeper Dive, Practical Wisdom” and will also feature presentations by Leonard Naura of Flatiron Law Group, LLP, Ian Ballon of Greenberg Traurig, LLP, Kate Downing of the Law Office of Kate Downing, Megan Ma of Stanford University, and John Yates of Morris, Manning & Martin, LLP. For more information and to register to attend this event, visit the Practicing Law Institute website at this link.
Software Lawyer Kristie Prinz introduced The Prinz Law Office in this video recorded 8.20.24
Kristie Prinz explains why to review key customer contracts in a sluggish economy in this video recorded 8.16.24
SaaS Lawyer Kristie Prinz explains in this recording from 2022 why not to use the term “SaaS License.”
It has become increasingly clear over the past few months that businesses are in a cost-cutting mode, as the economy has become more and more sluggish. While your software company is likely focusing on its own cost-cutting strategy, have you stopped to consider whether your most significant customers might be doing the same? Is it possible those key customers may be focusing on how to cut the cost of their contract with your business? Could they be talking to one of your competitors? Could they be building their own proprietary product to replace the cost of your product?
A sluggish economy is the perfect occasion to audit and review your key customer contracts for weaknesses that might allow your customer to walk out the door as a cost-cutting move.
You might wonder why you should spend any resources on contracts when business is already sluggish: isn’t this exactly the time when you should be reducing legal expenses, along with all your other cost-cutting efforts?
Well, no, actually. It has been my experience that this is in fact what most software companies do. However, I have been practicing now for 26 years and have had occasion to see a lot of sluggish economies, and given that experience, I would argue that cutting legal spending is exactly the wrong move to make in a sluggish economy. Why would I say this?
Imagine this: it is two months in the future. Over the last 30 days, all of your key customers have stopped paying on their contracts with you and have advised you that they are suspending performance. You are confident that they are just cutting costs and have no grounds to terminate the relationship. You pull out the executed contracts and send them to your software attorney to review for the first time, confident that he or she will confirm your assessment. However, instead of confirming your position, your software attorney tells you that the signed contracts were poorly drafted and that the customers may have had valid grounds to terminate.
In this scenario, if you had known there was something you could do to interrupt this chain of events and shore up the customer relationships before they collapsed, would it have been worthwhile to do it? Presumably, yes. If those customers were truly your key customers, you probably had a lot riding on the continuation of those relationships.
If the fact pattern seems far-fetched, I have actually seen it play out many times during sluggish economies. The larger and more expensive the contract, the more at risk it is for termination in a sluggish economy. If you are confident it won’t happen to your company, consider what kind of representation you had for the drafting and negotiation of that contract. Did you work with experienced software counsel who had advised other software and SaaS companies through multiple bad economies, involve that counsel at every stage of the negotiation and drafting process, and then implement all of his or her recommendations? Or did you cut a few corners in getting your deal done, perhaps handling a lot of the negotiation and drafting without counsel, or relying on less experienced counsel that was more affordable? If you are like many software companies, you probably cut at least a few corners (perhaps even a lot of corners), and the contracts executed by you and your key customers are full of holes.
What would truly be the impact to your software company of a complete loss of your three largest customers? Your six largest customers? Your ten largest customers? How fast could you really recover in a sluggish economy?
If the prospect of this kind of business loss fills you with terror, then this is precisely why you should revisit your significant contracts now.
So, what is it that you can do to shore up your key client relationships now? Skilled software counsel can evaluate those contracts, identify the potential liabilities, and then work with you to develop a strategy to renegotiate them. By taking the opportunity to renegotiate a weak contract before the contract terminates, you can extend the term of the relationship, fix the legal problems in the contract, and keep the customer happy by giving the customer a concession it really wants in exchange for a longer relationship term that carries the relationship through the down economy.
Isn’t this a better outcome than losing a key customer altogether over a vulnerability in your contract that is exploited in a cost-cutting effort?
If your software company has not had its key software contracts evaluated recently by an experienced software lawyer, schedule a consultation with me today at https://calendly.com/kristieprinz. Let’s identify the vulnerabilities in your key contracts before a key customer exploits the vulnerabilities as a cost-cutting move and resolve potential problems in the relationships before they arise and become the reason you lose those relationships.
The Prinz Law Office is pleased to announce that Silicon Valley Software Law Blog’s Kristie Prinz has been selected to the 2024 Super Lawyers Northern California list. Each year, no more than five percent of the lawyers in the state are selected by the research team at Super Lawyers to receive this honor. Super Lawyers, part of Thomson Reuters, is a rating service of outstanding lawyers from more than 70 practice areas who have attained a high degree of peer recognition and professional achievement. The annual selections are made using a patented multiphase process that includes a statewide survey of lawyers, an independent research evaluation of candidates, and peer reviews by practice area. For more information about Super Lawyers, visit Superlawyers.com.
The Prinz Law Office has recently announced the launch of three new service offerings to our clients, which were effective August 1, 2024. First, we have made available a new fractional counsel services plan for those of our clients seeking a recurring monthly arrangement with the firm based on an anticipated volume of work at a discounted rate. To view our new fractional services plan, please click here. Second, we have made available a new subscription services plan for those of our clients seeking a recurring monthly arrangement with the firm based on an uncertain volume of work at a discounted rate. To view our new subscription services plan, please click here. Third and finally, we have just entered into a relationship with several senior paralegals to make available paralegal services through the firm, which our clients may utilize on an optional basis at rates that will be significantly reduced from our standard lawyer rates.
The firm is excited to be able to make these new offerings available to our valued clients. If you have any questions about the new offerings, please schedule a consultation here. For more information about The Prinz Law Office, visit PrinzLawOffice.com.
The Prinz Law Office will host a 30 minute webinar on Thursday August 29, 2024 at 10:00 a.m. PT on “Negotiating SaaS Contracts in an Uncertain Economy.” Silicon Valley Software Law Blog’s Kristie Prinz will be the presenter, and will address best practices in negotiating SaaS contracts when the economy is unpredictable. To attend, please register for the webinar here.
This video was recorded by Kristie Prinz on 7.19.24 about the lessons to be learned from the CrowdStrike technology disruption.
This introduction was recorded by Kristie Prinz on 7.9.24 to introduce viewers to her background and experience.
Patrick Reilly’s interview of Kristie Prinz on technology licensing filmed in 2009.
Silicon Valley Software Lawyer Kristie Prinz addresses in this video the FTC’s recent action against a software company over its “Annual Paid Monthly” software subscription.
The FTC recently proposed that its “Negative Option Rule” be updated to reflect a new “Click to Cancel” provision, which would protect consumers from being forced to pay for unwanted subscriptions and memberships. A copy of the FTC notice of proposal is linked here.
What is the FTC’s Negative Option Rule?
The Negative Option Rule was adopted by the FTC in 1973, to address “negative option offers,” which the FTC defines as offers containing “a term or condition that allows a seller to interpret a customer’s silence, or failure to take an affirmative action, as acceptance of an offer.”
According to the FTC, negative option marketing utilizes four types of offers: prenotification plans, continuity plans, automatic renewals, and free trial conversion offers.
However, the FTC’s original Negative Option Rule only pertained to prenotification plans, excluding the continuity plans, automatic renewals and free trial conversion offers that have become commonplace in 2024. Also, under the original Negative Option Rule, prenotification plans were limited to the sale of goods, where sellers provided periodic notices to participating customers and then sent and charged for those goods only if the consumers took no action to cancel and decline the offer (e.g., a wine club).
Also, the Negative Option Rule required clear and conspicuous disclosure of certain terms before a subscription agreement was reached. According to the FTC, those terms were as follows:
- how subscribers must notify the seller if they do not wish to purchase the selection;
- any minimum purchase obligations;
- the subscribers’ right to cancel;
- whether billing charges include postage and handling;
- that subscribers have at least ten days to reject a selection;
- that if any subscriber is not given ten days to reject a selection, the seller will credit the return of the selection and postage to return the selection, along with shipping and handling; and
- the frequency with which announcements and forms will be sent.
Finally, under the existing Negative Option Rule, sellers were required to define particular periods for sending merchandise, to give consumers a defined period to respond, to provide instructions for rejecting merchandise, and to promptly honor written cancellation requests.
What is “Click to Cancel,” and what would change with the FTC’s newly proposed update?
Under the FTC’s proposed “Click to Cancel” rule change, the scope of the Negative Option Rule would be increased to make it pertain to not only prenotification plans but also to continuity plans, automatic renewals, and free trial conversion offers. Also, the proposed “Click to Cancel” rule provisions would mandate the following:
- Businesses would be required to make cancelling a subscription or membership at least as easy as it was to start it;
- Businesses would have to ask consumers if they want to hear new offers when they ask to cancel before they would be able to pitch new offers;
- Businesses would be required to provide consumers enrolled in a negative option program involving anything other than physical goods with an annual reminder before the program is automatically renewed.
Another “Click to Cancel” change is that, under the new provisions, any misrepresentation of a material fact related to any of the four negative option offers, whether express or implied, would constitute a violation of not only the Negative Option Rule but also an unfair or deceptive act or practice in violation of Section 5 of the Federal Trade Commission Act.
What is the Potential Significance of “Click to Cancel” to the Software/SaaS Industry?
The potential significance of the “Click to Cancel” change to the average software or SaaS company is that, if this proposed rule is adopted, software and SaaS companies who sell to consumers will need to update consumer contracts and terms of service to confirm that they are compliant with the requirements of the Negative Option Rule, as amended.
The Silicon Valley Software Law Blog will keep you posted as to the status of the FTC’s proposed rule. If your software or SaaS company is concerned about its compliance with “Click to Cancel” please schedule a consultation with me to discuss today.
Consumer-facing SaaS and software companies are on notice from the FTC that their subscription billing practices are under scrutiny. The FTC has just filed a lawsuit against Adobe over its “Annual Paid Monthly” subscription model, which the FTC says in its consumer alert “put subscribers on the hook for a whole year of payments, paid in monthly increments” without proper explanation or disclosure. A copy of the FTC complaint is attached here.
What subscription practices with the “Annual Paid Monthly” subscription plan did the FTC find particularly objectionable?
According to the FTC, Adobe enrolled consumers by default in its most expensive plan without clearly disclosing the key terms of the plan, namely that they were agreeing to a year-long commitment with a large early termination fee, and consumers only discovered the nature of what they had agreed to when they tried to terminate and realized they could not do so without incurring a significant fee. The FTC stated:
Adobe hides material terms of its [Annual Paid Monthly] plan in fine print and behind optional textboxes and hyperlinks, providing disclosures that are designed to go unnoticed and that most consumers never see. Adobe then deters cancellations by employing an onerous and complicated cancellation process. As part of this convoluted process, Adobe ambushes subscribers with the previously obscured ETF when they attempt to cancel.
What is particularly significant about the FTC’s action is that the FTC not only filed suit against Adobe as a corporation but also filed suit individually against two of its executives. The FTC is demanding monetary civil penalties against the defendants and a permanent injunction, as well as other relief.
What is the basis of the FTC’s legal case against Adobe? The FTC’s case focuses on the Restore Online Shoppers’ Confidence Act, 15 U.S.C. §§ 8401-8405 (“ROSCA”). The text of ROSCA is published here. ROSCA prohibits unfair and deceptive Internet sales practices, and generally prohibits charging consumers for goods and services sold in transactions through a negative option feature unless the seller:
- clearly and conspicuously discloses all material terms of the transactions before obtaining billing information from the consumer
- obtains the consumer’s express informed consent before making the charge
- provides simple mechanisms to stop recurring charges.
The FTC alleges Adobe had significantly increased its revenue by engaging in practices that violated ROSCA.
What are the SaaS and software contracting best practices to be learned from this FTC action?
First and foremost, you should rethink the use of “Annual Paid Monthly” Subscription Plans. They may seem clever from a marketing perspective, but they are likely to draw heavy regulatory scrutiny going forward.
Second, if you are offering “Annual Paid Monthly” subscription plans, you should go out of your way to clearly and conspicuously disclose the key terms of the plan, in particular the facts that the plan has an annual subscription term and that it carries an early termination fee. You should also be exceedingly clear about the amount of the early termination fee.
Third, if you are offering “Annual Paid Monthly” subscription plans, you should refrain from taking steps in the customer enrollment process to push your customers toward the “Annual Paid Monthly” plan.
Fourth, if you are offering “Annual Paid Monthly” subscription plans, you should make it easy for your customers to cancel. If customers are posting online complaints about the problems they have had in trying to cancel your subscription, you should take prompt action to address those problems. It seems clear that the FTC was troubled by the complaints filed with the Better Business Bureau against Adobe on this issue.
Finally, if you are a SaaS or software company, you need to become familiar with ROSCA and the government’s ROSCA enforcement practices, if they were not already on your company’s radar.
The Silicon Valley Software Law Blog will continue to advise you of the developments with this FTC action as it moves forward. If you have questions or concerns about FTC compliance generally or this action in particular, please reach out and schedule a consultation with me at this link.
California is on the verge of adopting a controversial bill that would impose unprecedented new regulations on the development of AI: SB 1047: Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. A full copy of the bill has been linked here. If adopted, the proposed bill would establish unprecedented new compliance obligations for AI software start-ups in Silicon Valley.
What is SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act?
The Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (the “AI Models Act”) would create a new Frontier Model Division within California’s Department of Technology which would have oversight powers over the training of many new AI models. Under the AI Models Act, developers of these AI models would be required to build a so-called kill switch into the AI model and to potentially shut down the model until the Frontier Model Division deems that the AI model is subject to a “limited duty exemption,” which would be defined as:
a determination. . . . that a developer can provide reasonable assurance that the covered model does not have a hazardous capability, as defined, and will not come close to possessing a hazardous capability when accounting for a reasonable margin for safety and the possibility of posttraining modifications.
A “covered model” under the AI Models Act would be defined to mean an “artificial intelligence model that was trained using a quantity of computing power greater than 10^26 integer or floating-point operations, and the cost of that quantity of computing power would exceed one hundred million dollars ($100,000,000) if calculating using average market prices of cloud compute as reasonably assessed by the developer at the time of training.”
As currently proposed, “derivative” AI models would be exempt from the new compliance obligations: only “non-derivative” AI models would be subject to the obligations.
A “derivative model” would be defined to be an artificial intelligence model that is derivative of another AI model, including either “a modified or unmodified copy of an artificial intelligence model” or “a combination of an artificial intelligence model with another software.” The term “derivative model” would be specifically defined not to include “an entirely independently trained artificial intelligence model” or an “artificial intelligence model, including one combined with other software, that is fine-tuned using a quantity of computing power greater than 25 percent of the quantity of computing power, measured in integer or floating-point operations, used to train the original model.”
What constitutes a “hazardous capability” under the proposed legislation?
The AI Models Act would define “hazardous capability” as the capability of a covered model to be used to cause one of the following harms:
- the creation or use of a chemical, biological, radiological, or nuclear weapon in a manner that results in mass casualties
- at least $500 million of damage through cyberattacks on critical infrastructure via a single incident or multiple related incidents
- at least $500 million of damage by an AI that autonomously engages in conduct that would violate the Penal Code if taken by a human
- bodily harm to another human
- the theft of or harm to property
- other grave threats to public safety and security that are of comparable severity to the harms described above.
Penalties for noncompliance with this legislation would include punitive damages and a civil penalty for a first violation not to exceed ten percent of “the cost of the quantity of computing power used to train the covered model to be calculated using average market prices of cloud compute at the time of training,” and 30 percent of the same in the case of a second violation. The legislation authorizes joint and several liability against the developers directly where:
(1) steps were taken in the development of the corporate structure among affiliated entities to purposely and unreasonably limit or avoid liability; or
(2) the corporate structure of the developer or affiliated entities would frustrate recovery of penalties or injunctive relief under this section.
What has been the reaction to SB 1047 from the Silicon Valley start-up community?
Bloomberg reported that a key point of contention in the startup community is the idea that AI developers are responsible for people who misuse their systems, pointing to Section 230 of the Communications Decency Act of 1996, which has shielded social media companies from liability over content users create on their platforms.
Author Jess Miers of the Chamber of Progress criticized the legislation on the basis that it would “introduce a high degree of legal uncertainty for developers of new models, making the risks associated with launching new AI technologies prohibitively high.”
The Silicon Valley Software Law Blog will continue following legislative developments relating to SB 1047 as this bill advances.
If you have questions regarding your software company’s potential compliance obligations under SB1047, please schedule a consultation with me at this link.
The Prinz Law Office is pleased to announce the launch of a new subscription plan, which is intended to simplify the process of working with a lawyer for companies as well as individuals. The firm’s subscription plans have been designed to enable clients to hire and communicate with counsel without the fear or worry of an accruing billable hour.
Subscriber clients will pay a flat monthly rate each month with the option of purchasing add-on services at an additional flat fee rate that they can easily estimate in advance of making a work request. Subscription prices will start at just $150 at the lowest bronze level.
To view the currently available subscription plans, please click here: Prinz Law Office Subscription Plans.
The new subscriptions are available to clients immediately.
Updated 6.21.24
Governor Newsom has just signed SB 54, which will require venture capital firms in the state of California to annually report the diversity of the founders they are backing. According to TechCrunch’s reporting, SB 54 will amend the Business and Professions Code and also part of the Government Code pertaining to venture capital.
What is California SB 54?
SB 54 goes into effect as of March 1, 2025, and requires the following aggregated information to be reported on all VC investments:
- The gender identity of each member of the founding team, including nonbinary and gender-fluid identities.
- The race of each member of the founding team.
- The ethnicity of each member of the founding team.
- The disability status of each member of the founding team.
- Whether any member of the founding team identifies as LGBTQ+.
- Whether any member of the founding team is a veteran or a disabled veteran.
- Whether any member of the founding team is a resident of California.
- Whether any member of the founding team declined to provide any of the information described above.
Failure to timely comply with the reporting requirement may result in the assessment of a penalty of One Hundred Thousand Dollars ($100,000.00) to be assessed against a “covered person.” SB 54 defines “covered person” as any person who does both of the following:
- Acts as an investment adviser to a venture capital company.
- Meets any of the following criteria: (i) Has a certificate from the Commissioner of Financial Protection and Innovation pursuant to Section 25231 of the Corporations Code. (ii) Has filed an annual notice with the Commissioner of Financial Protection and Innovation pursuant to subdivision (b) of Section 25230.1 of the Corporations Code. (iii) Is exempt from registration under the Investment Advisers Act of 1940 pursuant to subsection (l) of Section 80b-3 of Title 15 of the United States Code and has filed a report with the Commissioner of Financial Protection and Innovation pursuant to paragraph (2) of subdivision (b) of Section 260.204.9 of Title 10 of the California Code of Regulations.
SB 54 provides that reports will be due by March 1st of each year.
What is the Argument in Favor of SB 54?
TechCrunch reports that supporters of SB 54 have argued that this law will make venture capital more “transparent.” According to TechCrunch, less than 3% of all venture capital investments go to women or Black founders.
TechCrunch reported that SB 54 was opposed by the National Venture Capital Association and TechNet, though both organizations professed to generally support the concept of diversity in venture capital.
What is the Anticipated Impact of SB54?
Although the impact of SB 54 will go beyond just the software industry, this new law is likely to have a significant impact on software and SaaS companies, particularly those with diverse founders, as mandated reporting will likely incentivize venture capital firms to focus further on diversity in their investment decisions. If your software company has diverse founders, you will definitely want to keep this law on your radar screen going forward.
The Silicon Valley Arbitration and Mediation Center has published for public comment a first draft of “Guidelines on the Use of Artificial Intelligence in Arbitration.” The proposed guidelines were drafted by the Center’s AI Task Force Guidelines Drafting Subcommittee and are intended to provide a framework for how to use artificial intelligence in domestic and international arbitrations.
The guidelines contain three key chapters: a chapter that applies to all participants in international arbitrations, a chapter that applies to parties and party representatives, and a chapter that applies to arbitrators. The topics addressed by the guidelines include safeguarding confidentiality, duty of competence or diligence in the use of AI, and non-delegation of decision-making responsibilities.
To view and comment on the guidelines, check out the following link: SVAMC AI GUIDELINES PORTAL (typeform.com) The deadline for submitting comments is September 30, 2023.
Date &amp; Time: November 21, 2019, 10:00 to 11:15 a.m. PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
Register on Eventbrite
On-Demand
The Prinz Law Office is sponsoring a webinar on “Legal Developments Impacting the Software Industry in 2019” which will provide an overview of what software companies need to know about key legal developments in 2019 and practice steps they should be taking in response to those developments. At this webinar you will learn about:
- Key state law developments impacting the industry, including but not limited to the California Consumer Privacy Act (the “CCPA”), which goes into effect January 1, 2020;
- Federal regulatory activity impacting the software industry, particularly with respect to the Federal Trade Commission (“FTC”); and
- Cases and trends in litigation impacting the software industry.
Silicon Valley SaaS Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as founders, executives, and service providers working with software companies.
Silicon Valley Software Law Blog’s Kristie Prinz recently sat down for an interview with Beau Fernald, Fractional COO and Principal of Aware Insights LLC, to discuss the topic of software implementation. As we have discussed in prior blog posts, one of the most common drafting mistakes in software contracts is failing to sufficiently define the parties’ mutual expectations for a software implementation. Most contracts, in fact, are completely silent on the issue, regardless of the time, financial or other requirements of the implementation, which may be extensive. While Beau is not a software lawyer and brings a different, operational perspective to the issue of software implementation, he offers additional insight on the software implementation mistakes that SaaS and software companies make, the consequences of those mistakes, and best practices on how to avoid them altogether. Beau strongly agrees with the contention that software implementation understandings need to be articulated and memorialized in a writing to avoid subsequent misunderstandings that may result in a legal dispute.
For more information on Beau Fernald, you can view his professional profile at: https://www.linkedin.com/in/beaufernald/. The Aware Insights LLC website is at: https://awareinsights.com.
I am excited to announce that my firm is adopting a number of new options for working with our clients. We received feedback asking for new fixed rate and subscription packages for specific business scenarios, and in response to that feedback we have designed a variety of new packages designed around those requests. These options are available for viewing upon request. Existing clients who are working with us already under another billing arrangement will be able to switch to a new plan at any time upon request. I am confident that these new options will address new business needs of the technology and life sciences communities we serve. If you have an idea for a billing arrangement that the firm has not yet developed, we invite you to submit your ideas for consideration at kp****@pr************.com .
The Federal Trade Commission (“FTC”) announced today a settlement with Twitter, Inc. (“Twitter”) in which Twitter agreed to pay $150 million for its alleged misuse of user account security data, specifically email addresses and phone numbers, for advertising purposes. The government alleged that the misuse of account data violated a 2011 FTC Order against Twitter, which prohibited the company from misrepresenting the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information. The government also alleged that the misuse of consumer data violated the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield.
The FTC press release is attached here. The complaint is attached here, and the stipulated order is attached here.
In addition to paying the $150 million fine, the government announced that Twitter has agreed to the following:
- Twitter will not profit from deceptively collected data;
- Users will have multi-factor authentication options, such as authenticator apps or security keys, that do not require providing a phone number;
- Twitter will notify all users that it misused the phone numbers and email addresses collected for targeted advertising, and will provide users with information about Twitter’s privacy and security controls;
- Twitter will implement and maintain a comprehensive privacy and information security program that requires an assessment of the potential privacy and security requirements of new products;
- Twitter will limit employee access to users’ personal data; and
- Twitter will notify the FTC if it experiences a data breach.
With this enforcement action against Twitter, the FTC is clearly making a statement to companies in the business of collecting consumer data: they need to truthfully disclose the purposes for which consumer data is collected, including any use for advertising, and failure to disclose this information may have federal regulatory consequences. SaaS and software companies should take note of this enforcement action and ensure that they avoid the practices that were its subject.
Updated June 12, 2024
I was recently asked by a client whether arbitration or litigation in a SaaS contract was better. The issue had been raised by an attorney on the other side of the SaaS contract negotiation, who had not only tried to persuade my client to revise the specific clause in that case, but had also provided my client the unsolicited advice that “he should prefer litigation over arbitration” in all cases.
My client, who had elected to include an arbitration clause in his standard SaaS contract terms, was unsure what to do and how to respond, and so he reached out to me for guidance.
While the debate over whether arbitration or litigation is better for a particular organization is not a dilemma specific to the software industry, it is one that clients often raise with me in frustration, hoping that I can advise them that one option is definitively “better” than the other. The answer, like many things in the law, is not so black and white, and it should not be decided without considering the pros and cons of each option.
What happens when a SaaS contract includes an arbitration clause?
First, assume you have no arbitration clause in your SaaS contract and a dispute arises. The only contractually available forum to hear the dispute will then be a courtroom. If your company does not have an in-house legal department with litigators on staff, you will need to hire outside litigation counsel to handle the litigation process, whether on the plaintiff side or the defense side. You will incur costs every time a motion is filed or defended, and you will incur costs for discovery, depositions, mediation, and trial preparation, until the case is either settled or a judgment is reached. This process could take years.
On the other hand, assume you have an arbitration clause in your contract and a dispute arises. The contractually available forum to hear the dispute will then be arbitration. However, your opponent may not want to arbitrate the case and may file in court first, in which case you will have to file a motion to compel arbitration. Alternatively, your opponent may be unwilling to participate in the arbitration, so you may have to file a motion to compel your opponent to participate. Once you win any such motion in court, you will then have to initiate the arbitration with the private organization that will administer it, which in the US will generally be AAA or JAMS, although other organizations handle commercial arbitration internationally. This will require you to pay the filing fees, which are often far higher than those required to initiate a case in court. Once the case is initiated, an arbitrator will be appointed to hear it, the parties will decide on the format for the case, and the case will proceed outside of court within the private dispute resolution process of the organization selected.
What are the advantages of arbitration in a SaaS contract?
What are the advantages? Arbitration is intended to be a commercial process rather than a legal process, so it is much less formal. It can also be faster, as there is no judicial backlog to slow the process down. There are fewer rules governing the process, so it is often viewed as less predictable, but fewer rules also means that the process is more easily managed by businesspeople who are not litigators. The goal of arbitration is generally to get to a rendered decision as quickly as possible, which may be advantageous.
How is arbitration different than the standard court path to dispute resolution?
In contrast, the court option is very formal. It can be slow, which may be a negative in some situations and a positive in others. And it is governed by rules and precedent, which require knowledge of and familiarity with both to proceed. Most litigated cases settle, so the goal of litigation may not be to get to a judgment; the goal may actually be to get to a settlement.
Is arbitration cheaper than going to court to resolve the dispute?
Is one option necessarily cheaper than the other? Arbitration is generally perceived in the business world to be cheaper, due to the faster process and the relaxed rules, but because it is a private commercial process, the fees for administering the case can be higher in some situations, and it is still possible to incur legal fees during the process. In contrast, discovery, depositions, and motion hearings can drive up the cost of litigation, both in legal hours billed and in other costs.
Is an arbitration award a faster path to enforcement?
It is important to recognize that getting an arbitration award may not actually be better than a mediated settlement to the party owed an award, since a voluntary settlement may be easier to enforce than a decision. On the other hand, the process is private and stays completely confidential and outside of court records, which may be preferred by both parties, and the informality may be less stressful on both sides of the dispute.
How Do You Decide Between Arbitration and Litigation When Drafting a Dispute Resolution Clause?
In the end, the choice between arbitration vs. litigation is one of personal or commercial preference. You have to expect that a commercial litigator who spends his career in the courtroom is going to prefer to stay as far away from arbitration as possible. In contrast, transactional lawyers are generally going to prefer to stay as far away from litigation as possible.
I generally recommend to clients that they should contemplate the type of dispute that would arise from a particular set of contract terms before deciding how they prefer to resolve that dispute. For example, if a dispute arises, would an informal private solution to resolving the dispute be better than the formality of litigation? Will the other side have significantly more resources to apply towards the dispute? Would the other side benefit from delaying the resolution of the dispute and causing you to invest significant resources in the process? What will be the anticipated filing fees for each side in the dispute?
All in all, arbitration vs. litigation is not a decision that should be made without some careful consideration of the underlying issues and the consequences of each choice. There are valid reasons why parties gravitate to one option or the other. It is up to your business to decide what your organization’s preferred standard should be with respect to a particular type of contract, and whether or not you will be willing to concede your position upon request by a particular client. You may realize that your preferred position is going to be the same in every case, or alternatively, that your position may require review on a scenario-by-scenario basis.
If you have questions regarding whether to accept or reject arbitration in a dispute resolution clause in a SaaS contract, you can schedule a consultation with me today to discuss at this link.
Date: June 6, 2022
Time: 9:00 a.m.
Price: $699
Are you a lawyer who would like to expand your practice niche into the digital health area? Would you like to know the basics about negotiating and drafting these types of agreements?
Join Digital Health Lawyer Kristie Prinz in an introductory digital health contracts workshop intended for lawyers looking to expand into this practice niche. The virtual workshop will be interactive and students will be invited to participate in shaping the course content. Participation will be limited to a maximum of 20 people.
The course will be taught by Silicon Valley Digital Health Lawyer Kristie Prinz. Kristie Prinz is a Digital Health, SaaS and Technology Transactions Attorney based in Silicon Valley, who has been representing life sciences companies in technical transactions for 22 years. Prior to arriving in Silicon Valley, Kristie practiced law in Atlanta, Georgia. Kristie is a frequent speaker and media contributor, and is also the author of the Silicon Valley Digital Health Law Blog. Kristie is a graduate of Vanderbilt Law School and licensed to practice law in the states of California and Georgia. For more information on Kristie, check out her website.
To sign up, please register here.
Date: May 21, 2022
Time: 9:00 a.m. PST
Price: $699
Are you a lawyer who would like to expand your practice niche into the software transactions area? Would you like to know the basics about negotiating and drafting these types of agreements?
Join Silicon Valley Lawyer Kristie Prinz in an introductory software transactions workshop intended for lawyers looking to expand into this practice niche. The virtual workshop will be interactive and students will be invited to participate in shaping the course content. Participation will be limited to a maximum of 20 people.
Kristie Prinz is a Software, SaaS and Technology Transactions Attorney based in Silicon Valley, who has been representing software & SaaS companies in technical transactions for 22 years. Prior to arriving in Silicon Valley, Kristie practiced law in Atlanta, Georgia. Kristie is a frequent speaker and media contributor, and is also the author of the Silicon Valley Software Law Blog. Kristie is a graduate of Vanderbilt Law School and licensed to practice law in the states of California and Georgia. For more information on Kristie, check out her website.
To register for this workshop, please click here.
Date: June 18, 2022
Time: 9:00 a.m. PST
Price: $699
How are digital health contracts unique from other business contracts? What do you need to know to negotiate them?
Silicon Valley Digital Health Lawyer Kristie Prinz will be teaching an introductory workshop on digital health contracts negotiation for nonlawyers on June 18, 2022 at 9 a.m. PST. The virtual workshop will be interactive and participants will be invited to help direct the focus of the workshop.
In this workshop, she will address:
• What is digital health?
• What constitutes a digital health agreement?
• What are the key considerations you need to have in negotiating digital health contracts?
• What is unique about digital health contracts?
This workshop is intended for entrepreneurs and other non-lawyers who are negotiating digital health contracts and need a practical, interactive overview on how to negotiate these contracts.
Kristie Prinz is a Digital Health, SaaS and Technology Transactions Attorney based in Silicon Valley, who has been representing life sciences companies in technical transactions for 22 years. Prior to arriving in Silicon Valley, Kristie practiced law in Atlanta, Georgia. Kristie is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Digital Health Law Blog. Kristie runs the Life Sciences Advisors and Silicon Valley Software Services Advisors Group. Kristie is a graduate of Vanderbilt Law School and licensed to practice law in the states of California and Georgia.
This program is intended for physicians, entrepreneurs, IT professionals, CFOs, and general business lawyers who are negotiating digital health contracts.
To register for this event, please click here.
Date: May 23, 2022
Time: 9 a.m. PST
Price: $699
How are software contracts unique from other business contracts? What do you need to know to negotiate them?
Silicon Valley Lawyer Kristie Prinz will be teaching an introductory workshop on software contracts negotiation for nonlawyers. The virtual workshop will be interactive and participants will be invited to help direct the focus of the workshop.
In this workshop, she will address:
- What are the key considerations you need to have in negotiating software contracts?
- What are the key terms that need to be addressed in a software contract?
- What are the primary causes of disputes in software contracts and how do you avoid them?
This workshop is intended for entrepreneurs and other non-lawyers who are negotiating software contracts and need a practical, interactive overview on how to negotiate these contracts.
Kristie Prinz is a Software, SaaS, and Technology Transactions Attorney based in Silicon Valley, who has been representing software and SaaS companies in technical transactions for 22 years. Prior to arriving in Silicon Valley, Kristie practiced law in Atlanta, Georgia. Kristie is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Kristie is the founder of The Prinz Law Office and the Silicon Valley Software Services Advisors Group. Kristie is also a graduate of Vanderbilt Law School and licensed to practice law in the states of California and Georgia.
Time: 10 a.m. PST
Price: $175.00
How are SaaS agreements unique from other technology contracts? What do you need to know to negotiate and draft them? Silicon Valley SaaS lawyer Kristie Prinz will present an introductory webinar on “Introduction to Negotiating & Drafting SaaS Contracts,” on June 17th at 10 a.m. PST, which will provide an overview of the basic concepts that you need to know before attempting to negotiate and draft a SaaS contract. In the webinar she will address:
- Key differences between SaaS contracts and other technology contracts
- Essential SaaS contract terms
- Where SaaS relationships can go wrong
Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 22 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This event is intended for developers, entrepreneurs, and software company executives who do not have a law degree but are actively negotiating and drafting SaaS agreements for their companies.
To register to attend, please sign up here.
Date & Time: March 24, 2017, 10-11:30 PST
General Admission Price: $199
Are your SaaS customers really signing an agreement that is effective for your business? How do you know if your SaaS contract is not just ineffective but is actually negatively impacting your business?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Drafting SaaS Contracts that Reduce the Customer Sales Cycle & Avoid Disputes” which will explore these topics of concern for SaaS companies. At this webinar, you will learn the following:
- What makes an effective SaaS customer contract?
- What terms should SaaS customers expect?
- Common challenges with customer negotiations.
- What drafting problems frequently result in stalled contract negotiations? Customer disputes?
- How can better drafting close deals faster? Avoid subsequent customer disputes?
The speaker for this webinar will be Prinz Law Office founder and SaaS lawyer Kristie Prinz. Ms. Prinz’s practice focuses on advising early stage and small to mid-sized businesses on the negotiation and drafting of complex commercial transactions in the software, hardware, Internet, and health technology fields, as well as other related high tech and life sciences fields. Ms. Prinz is a regular speaker, media contributor, and author on technology law, intellectual property, and entrepreneurship issues. Ms. Prinz has developed particular expertise in advising SaaS companies in negotiating and drafting their customer agreements. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for anyone working at or launching a SaaS company. Having a law degree is not a pre-requisite for attendance.
Date & Time: October 26, 2017, 10-11:30 PST
General Admission Price: $199; On-Demand Price: $199
Register on Eventbrite
On-Demand
Are your SaaS customers really signing an agreement that is effective for your business? How do you know if your SaaS contract is not just ineffective but is actually negatively impacting your business?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Drafting SaaS Contracts that Reduce the Customer Sales Cycle & Avoid Disputes” which will explore these topics of concern for SaaS companies. At this webinar, you will learn the following:
- What makes an effective SaaS customer contract?
- What terms should SaaS customers expect?
- Common challenges with customer negotiations.
- What drafting problems frequently result in stalled contract negotiations? Customer disputes?
- How can better drafting close deals faster? Avoid subsequent customer disputes?
The speaker for this webinar will be Prinz Law Office founder and SaaS lawyer Kristie Prinz. Ms. Prinz’s practice focuses on advising early stage and small to mid-sized businesses on the negotiation and drafting of complex commercial transactions in the software, hardware, Internet, and health technology fields, as well as other related high tech and life sciences fields. Ms. Prinz is a regular speaker, media contributor, and author on technology law, intellectual property, and entrepreneurship issues. Ms. Prinz has developed particular expertise in advising SaaS companies in negotiating and drafting their customer agreements. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
Date & Time: February 19, 2019, 10-11:00 PST
Price: $125 Early Bird, $150 General Admission, $175 On-Demand
Register on Eventbrite
On-Demand
What terms should be included in a well-written SaaS contract? How do you know if your SaaS contract is really protecting your business? What should you be doing after the SaaS contract is signed to manage the SaaS customer relationship?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships” which will provide an overview of how SaaS companies should be drafting customer agreements and what steps they should be taking to manage the SaaS customer relationship after the agreement is signed. At this webinar, you will learn the following:
- What terms should be in a well-drafted SaaS customer contract?
- How do SaaS companies overcome common negotiating hurdles over terms?
- What are the common drafting problems with SaaS customer contracts?
- What do SaaS companies need to know about managing the customer relationship after the contract is signed?
Silicon Valley Software Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a technology transactions attorney in Silicon Valley who has been representing early stage and mid-market technology companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author on software, technology, and intellectual property-related issues. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as IT professionals and other businesspeople working in the technology industry.
Time: Friday, March 8, 2019, 10-11 a.m. PST
Early Bird Price: $125, General Admission Price: $150, On-Demand Price: $175
Register on Eventbrite
On-Demand
Are your customers signing a master services agreement which is actually protecting your business? What should you be doing after the agreement is signed to manage the customer relationship?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Drafting Master Services Agreements & Managing the Service Relationship” which will provide an overview on how companies should be drafting master service agreements (“MSAs”) and what steps they should be taking to manage the relationship after the agreement is signed. At this webinar, you will learn the following:
- What terms should be in a well-drafted MSA?
- What drafting problems do you typically find in an MSA?
- What do companies need to know about managing the service relationship after the contract is signed?
Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a technology transactions attorney in Silicon Valley who has been representing early stage and mid-market technology companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author on software, technology, and intellectual property-related issues. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as IT professionals and other businesspeople working in the technology industry.
Date & Time: October 8, 2019, 10-11:15 PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
Register on Eventbrite
On-Demand
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships” which will provide an overview of how SaaS companies should be drafting customer agreements and what steps they should be taking to manage the SaaS customer relationship after the agreement is signed. At this webinar, you will learn the following:
• What makes an effective SaaS customer contract?
• What are the essential terms in a well-drafted SaaS contract?
• What are the common issues that arise in SaaS negotiations? What are the best strategies to resolve them?
• What are the best practices to manage the customer relationship?
Silicon Valley SaaS Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as salespeople, founders, and other executives working with SaaS companies.
Date & Time: March 31, 2020, 10-11:15 PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
Register on Eventbrite
On-Demand
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships” which will provide an overview of how SaaS companies should be drafting customer agreements and what steps they should be taking to manage the SaaS customer relationship after the agreement is signed. At this webinar, you will learn the following:
• What makes an effective SaaS customer contract?
• What are the essential terms in a well-drafted SaaS contract?
• What are the common issues that arise in SaaS negotiations? What are the best strategies to resolve them?
• What are the best practices to manage the customer relationship?
Silicon Valley SaaS Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as salespeople, founders, and other executives working with SaaS companies.
Date & Time: April 17, 2020, 10-11:15 PST
Price: $99 Early Bird, $125 General Admission, $150 Last Minute & On-Demand
Silicon Valley Technology Lawyer Kristie Prinz will present a webinar on April 17, 2020 at 10 a.m. PST/1 p.m. EST on “The Intersection of Technology and Legal Practice: Addressing Current Technology Issues without Allowing Them to Overwhelm Your Practice,” which will provide an overview for lawyers and law firms who are not technology law practitioners on best practices to manage the use of technology in their legal practice.
At this webinar, you will learn the following:
- What you need to know before starting a website or software development project;
- Best practices for managing hosting and maintenance relationships;
- Best practices for retaining and managing technology vendors; and
- Recent legal developments impacting law practices.
Silicon Valley Technology Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 21 years. Ms. Prinz is a nationally-recognized legal speaker, media contributor, and author of the Silicon Valley Software Law Blog and the soon-to-be-launched Silicon Valley Privacy Law Blog.
In addition to her legal practice, Ms. Prinz serves as a consultant to law firms on technology, Internet, marketing and advertising, professional development, and public speaking-related issues.
Ms. Prinz graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for small to mid-sized law firms and lawyers who are trying to manage the use of technology in their law practices without getting completely overwhelmed by it.
Date & Time: April 6, 2020, 10-11:30 a.m. PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
With the rapidly developing changes affecting businesses due to the worldwide spread of the coronavirus infection, and the widespread fear of the potential economic fallout, what are some of the best practices your business should be implementing immediately in negotiating master service agreements with customers and service providers?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating Master Services Agreements in an Uncertain Economy” which will provide an overview on how companies should approach the negotiation of master service agreements (“MSAs”) in the current economic climate, and steps you can be taking to protect your business in uncertain times. At this webinar, you will learn the following:
- What terms should be in a well-drafted MSA?
- What special concerns do you need to address in uncertain times?
- What steps can you take to protect your company against the risks of doing business in uncertain times?
Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a technology transactions attorney in Silicon Valley who has been representing early stage and mid-market technology companies for more than 21 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author on software, technology, and intellectual property-related issues. She publishes the Silicon Valley Software Law Blog and the new Silicon Valley Privacy Law Blog. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as IT professionals, consultants, and other businesspeople working in the technology industry.
Date & Time: April 13, 2020, 10-11:30 a.m. PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
With the rapidly developing changes affecting businesses due to the worldwide spread of the coronavirus infection, and the widespread fear of the potential economic fallout, what are some of the best practices your business should be implementing immediately in negotiating software, website, and technology development agreements?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating Development Agreements in an Uncertain Economy” which will provide an overview on how companies should approach the negotiation of development agreements in the current economic climate, and steps you can be taking to protect your business in uncertain times. At this webinar, you will learn the following:
- What terms should be in a well-drafted development agreement?
- What special concerns do you need to address in uncertain times?
- What steps can you take to protect your company against the risks of entering into development transactions in uncertain times?
Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a technology transactions attorney in Silicon Valley who has been representing early stage and mid-market technology companies for more than 21 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author on software, technology, and intellectual property-related issues. She publishes the Silicon Valley Software Law Blog and the new Silicon Valley Privacy Law Blog. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as developers, consultants, and other businesspeople purchasing or performing development services.
Date & Time: April 20, 2020, 10-11:30 a.m. PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
With the rapidly developing changes affecting businesses due to the worldwide spread of the coronavirus infection, and the widespread fear of the potential economic fallout, what are some of the best practices your business should be implementing immediately in negotiating SaaS agreements with customers?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” which will provide an overview on how companies should approach the negotiation of SaaS agreements in the current economic climate, and steps you can be taking to protect your business in uncertain times. At this webinar you will learn the following:
- What terms should be in a well-drafted SaaS contract?
- What special concerns do you need to address in uncertain times?
- What steps can you take to better protect your company against the risks of doing business with customers in uncertain times?
Silicon Valley SaaS Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog and the new Silicon Valley Privacy Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as salespeople, founders, and other executives working with SaaS companies.
Date & Time: December 30, 2020, 10-11:30 a.m. PST
Price: $150 General Admission, $175 Last Minute & On-Demand
Silicon Valley Software Lawyer Kristie Prinz will present a webinar on December 30, 2020 on “Negotiating Consulting Services Agreements In an Uncertain Economy.”
What are the key risks in a consulting services relationship during an uncertain economy? How do you negotiate terms to minimize these risks?
Silicon Valley Lawyer Kristie Prinz will address in this webinar:
- Key Terms in a Consulting Agreement
- Common Risks in an Uncertain Economy
- Where Relationships Can Go Wrong
- How to Negotiate Terms that Minimize the Risks
Silicon Valley Lawyer Kristie Prinz has been advising technology and life science consultants on negotiating consulting services agreements for more than 20 years. Ms. Prinz is a frequent speaker on negotiating and drafting technology-related agreements, and she is the author of the Silicon Valley Software Law Blog. Ms. Prinz started her Silicon Valley career at the Palo Alto office of the New York-based IP law firm of Pennie & Edmonds LLP, where she worked in the biotech and IP licensing groups. Following the sudden closing of Pennie & Edmonds LLP, she launched The Prinz Law Office, where she represents life sciences and technology companies and consultants on their technical negotiations and agreements. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice law in the states of California and Georgia.
To register, please click here.
Date & Time: December 8, 2020, 10-11:30 a.m. PST
Price: $150 General Admission, $175 Last Minute & On-Demand
With the continued economic uncertainty resulting from COVID-19 and ongoing disruptions to large sectors of the worldwide economy, what are the current best practices to adopt in the negotiation of SaaS agreements?
Silicon Valley SaaS lawyer Kristie Prinz will present a webinar on December 8, 2020 at 10 a.m. PST on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy.” The program will provide an overview on how companies should approach the negotiation of SaaS agreements in the current economic climate, and steps you can take to better protect your business in the negotiation process.
At this webinar you will learn the following:
- What are some of the key considerations you should be addressing in your SaaS negotiations in an uncertain economy?
- What are the best practices for successfully addressing those concerns?
- What steps can you take to better protect your company in SaaS negotiations?
Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
To register, please click here.
Date & Time: December 14, 2020, 10-11:30 a.m. PST
Price: $150 General Admission, $175 Last Minute & On-Demand
How are SaaS agreements unique from other technology contracts? What do you need to know to negotiate and draft them?
Silicon Valley SaaS lawyer Kristie Prinz will present an introductory webinar on December 14, 2020 at 10 a.m. PST on “Introduction to Negotiating & Drafting SaaS Agreements,” which will provide an overview of the basic concepts that you need to know before attempting to negotiate and draft a SaaS contract. In the webinar she will address:
- Key differences between SaaS contracts and other technology contracts
- Essential SaaS contract terms
- Where SaaS relationships can go wrong
Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
To register for the webinar, please sign up here.
Date & Time: May 16, 2022, 10 a.m. PST
How are digital health contracts unique from other business contracts? What do you need to know to negotiate them?
Silicon Valley SaaS Lawyer Kristie Prinz will present an introductory webinar on May 16th at 10 a.m. PST on “Introduction to Negotiating Digital Health Contracts” which will provide an overview of the basic concepts you need to know before entering into a digital health contract negotiation. In the webinar, she will address:
• What is digital health?
• What constitutes a digital health agreement?
• What are the key considerations you need to have in negotiating digital health contracts?
• What is unique about digital health contracts?
Kristie Prinz is a Digital Health, SaaS and Technology Transactions Attorney based in Silicon Valley, who has been representing life sciences companies in technical transactions for 22 years. Prior to arriving in Silicon Valley, Kristie practiced law in Atlanta, Georgia. Kristie is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Digital Health Law Blog. Kristie runs the Life Sciences Advisors and Silicon Valley Software Services Advisors Group. Kristie is a graduate of Vanderbilt Law School and licensed to practice law in the states of California and Georgia.
This program is intended for physicians, entrepreneurs, IT professionals, CFOs, and general business lawyers who are negotiating digital health contracts.
To register for the program, please sign up here. A recording of the program will also be available.
If you work in the software industry, you may be surprised to discover that digital health software products may be subject to regulation by the Food and Drug Administration (“FDA”). Some software is considered a software as a medical device (“SaMD”) product or software in a medical device (“SiMD”) product.
FDA Policy on Software Subject to Regulation
So, how do you know whether or not a software product you are building is going to be considered a SaMD or SiMD product?
The FDA issued a “Policy for Low Risk Devices” on September 27, 2019, which provides general nonbinding recommendations to clarify its policy on health software that has been deemed not to be a device under Section 201(h) of the FD&C Act. In this policy, the FDA specifically stated that software intended “for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition” does not constitute a “device” under section 201(h) of the FD&C Act. According to the FDA policy, the agency does not intend to examine general wellness products to determine whether they are devices or whether they comply with the regulatory requirements for devices. The FDA further defines general wellness products as products meeting both of the following requirements: (1) they are intended for only general wellness use as defined in the guidance, and (2) they present a low risk to the safety of users and other persons.
In the Policy for Low Risk Devices, the FDA states that a “general wellness product” has the following:
(1) an intended use that relates to maintaining or encouraging a general state of health or healthy activity, or
(2) an intended use that relates the role of a healthy lifestyle to helping reduce the risk or impact of certain chronic diseases or conditions, where it is well understood and accepted that healthy lifestyle choices may play an important role in health outcomes for the disease or condition.
The FDA then provides examples of the specific types of uses that would fall under each category.
The FDA also states the test for assessing the degree of risk for general wellness products:
(1) Is the product invasive?
(2) Is the product implanted?
(3) Does the product involve an intervention or technology that may pose a risk to the safety of users and other persons if specific regulatory controls are not applied, such as risks from lasers or radiation exposure?
If all of the above answers are “no,” then the product is deemed to be low risk and not subject to FDA regulation.
The FDA also issued a “Policy for Device Software Functions and Mobile Medical Applications” on September 27, 2019, which provided nonbinding recommendations for the regulation of software applications intended for use on mobile platforms or on general purpose computing platforms.
Categories of Software Functions Subject to FDA Regulation
In the “Policy for Device Software Functions and Mobile Medical Applications” the FDA clarified that it intended to focus its regulatory oversight to “only those software functions that are medical devices and whose functionality could pose a risk to a patient’s safety if the device were to not function as intended.” The FDA listed three categories of software functions that would be subject to this regulatory oversight focus:
(1) Software functions that are an extension of one or more medical devices by connecting to such device(s) for purposes of controlling the device(s) or analyzing medical device data.
(2) Software functions (typically, mobile apps) that transform the mobile platform into a regulated medical device by using attachments, display screens, or sensors, or by including functionalities similar to those of currently regulated medical devices.
(3) Software functions that become a regulated medical device by performing patient-specific analysis and providing patient-specific diagnosis, or treatment recommendations.
Categories of Software Functions Subject to FDA Discretion
The FDA also clarified that it intended to exercise enforcement discretion for software functions that “help patients . . . self-manage their disease or conditions without providing specific treatment or treatment suggestions” or “automate simple tasks for health care providers.” The FDA listed four categories of software functions that would be subject to this regulatory enforcement discretion:
(1) Software functions that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment.
(2) Software functions that provide easy access to information related to patient’s health conditions or treatments.
(3) Software functions that are specifically marketed to help patients communicate with healthcare providers by supplementing or augmenting the data or information by capturing an image for patients to convey to their healthcare providers about potential medical conditions.
(4) Software functions that perform simple calculations routinely used in clinical practice.
Categories of Software Functions Not Deemed Medical Devices
The FDA also provided a list of categories of software functions that are not medical devices:
(1) Software functions that are intended to provide access to electronic “copies” of medical textbooks or other reference books with generic text search capabilities.
(2) Software functions that are intended for health care providers to use as educational tools for medical training or to reinforce training previously received.
(3) Software functions that are intended for general patient education and facilitate patient access to commonly used reference information.
(4) Software functions that automate general office operations in a health care setting and are not intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.
(5) Software functions that are generic aids or general-purpose products.
(6) Software functions that are intended for individuals to log, record, track, evaluate, or make decisions or behavioral suggestions related to developing or maintaining general fitness, health, or wellness.
(7) Software functions that enable individuals to interact with EHR software certified under the ONC Health IT Certification Program.
(8) Software functions that provide patients with simple tools to organize and track their health information.
(9) Software functions that provide easy access to information related to patients’ health conditions or treatments.
(10) Software functions that provide patients with simple tools to organize and record their health information.
(11) Software functions that are specifically marketed to help patients document, show, or communicate to providers regarding potential medical conditions.
(12) Software functions that enable, during an encounter, a health care provider to access their patient’s personal health record (health information) that is hosted on a web-based or other platform.
(13) Software functions for health care providers certified under the ONC Health IT Certification Program, such as those that help track or manage patient immunizations by documenting the need for immunization, consent form, and immunization lot number.
(14) Software functions that help asthmatics record (i.e. collect and log) inhaler usage, asthma episodes experienced, location of user at the time of an attack, or environmental triggers of asthma attacks.
(15) Software functions certified under the ONC Health IT Certification Program that prompt the health care provider to manually enter symptomatic, behavioral, or environmental information, the specifics of which are pre-defined by a health care provider, and store the information for later review.
(16) Software functions that record the clinical conversation a clinician has with a patient and send it (or a link) to the patient to access after the visit.
(17) Software functions that allow a user to record (i.e. collect and log) data, such as blood glucose, blood pressure, heart rate, weight, or other data from a device to eventually share with a health care provider, or upload it into an online (cloud) database, or personal or electronic health record (PHR or EHR, respectively) that is certified under the ONC Health IT Certification Program.
(18) Software functions that enable patients or health care providers to interact with PHR systems or EHR systems that are certified under the ONC Health IT Certification Program.
(19) Software functions that meet the definition of Non-Device-MDDS, which are functions solely intended to transfer, store, convert formats, and display medical device data or results, without controlling or altering the functions or parameters of any connected medical device.
(20) Software functions that display patient-specific medical device data.
(21) Software functions that are intended for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional with respect to such data and results, general information about such findings, and general background information about such laboratory test or other device, unless such function is intended to interpret that data, results, and findings.
The policies provide much more detail about the scope of the regulatory authority to be exercised over software than can be captured in a blog post, but this overview at least summarizes the key points of the guidance.
If you have a question about FDA regulation of software, you can schedule a consultation with me at this link.
Updated 6.29.24
If you missed the recent webinar by Silicon Valley SaaS Lawyer Kristie Prinz on “Best Practices for Negotiating and Drafting SaaS Contracts,” a recording of the program is now available on demand for viewing. To view the program, please visit this link.
Silicon Valley Software Law Blog Author and SaaS Lawyer Kristie Prinz will be presenting a webinar on “Best Practices for Drafting & Negotiating SaaS Contracts” on Friday, November 19, 2021 at 10 a.m. PST. To attend, please register at the attached link.
Updated 6.11.24
Have you ever heard the term “SaaS license” or “SaaS Licensing” being used among lawyers and businesspeople?
There is a misconception that there is such a concept as a “SaaS license.” However, in fact, two principles are actually being confused: the “software license” and the “SaaS agreement.” Why does this matter? Well, if you do not know the type of agreement that you are drafting, you are going to confuse the important terms in the agreement, and this is going to have a huge impact on what you draft or negotiate. In addition, if you do not know what you are drafting, this is going to impact other terms beyond the agreement such as taxes and revenue recognition. So, the bottom line is that it does matter what you draft.
What is different about the concepts of “SaaS agreement” and “software license”?
The concepts of “SaaS agreement” and “software license” are completely different. In the case of a software license, the licensor grants to the licensee the rights to use a specific piece of intellectual property, the software, under certain conditions and limitations, and if you exceed the parameters of the grant, you will be infringing on the intellectual property. The license grants the licensee the right to use the software for the length of the copyright or another specified period of time and will specify who can use the software, how the software can be used, and under what conditions the software can be used. In contrast, in the case of the SaaS agreement, no intellectual property rights will be granted in the software. Instead, the grantee receives access rights to the software in the cloud and to a bundle of services. The rights that the grantee receives are more along the lines of what someone might receive to intellectual property in content posted on a website on the Internet. The internet user might have the right to view the posted content, but that right does not extend to doing anything to the content beyond just viewing it.
What rights are provided in a “SaaS agreement”?
In the case of the SaaS agreement, you may have rights to certain services in addition to access rights, such as hosting, maintenance, and technical support by way of the SaaS agreement, but your rights are to services and not to intellectual property in the software.
What rights are provided in a “software license”?
In the case of the software license, the rights to hosting, maintenance and technical support are generally going to be obtained through other agreements.
Another difference between the two concepts is that in the case of the software license, you have more control and the ability to change service providers if a service is not being provided at the level you require. In the case of the SaaS agreement, you are “stuck” if you are unhappy with the quality of any service. So, the quality of the service delivered is far more important in the case of SaaS agreements than in the case of the software license. You cannot just easily move your content if you are unhappy with a particular service, as you have no direct control over the content in the case of the SaaS agreement. In essence, you delegate that control to a third party, the SaaS provider.
So, the “SaaS agreement” and the “software license” are two fundamentally different concepts, and the term “SaaS license” or “SaaS licensing” is just a confusion of those two concepts.
Silicon Valley Software Law Blog’s Kristie Prinz will present a webinar on “Introduction to Negotiating & Drafting SaaS Agreements” on December 14, 2020 at 10 a.m. PST. To learn more about the program or to register, please click here.
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on December 8, 2020 at 10 a.m. PST. For more information on the program or to register, please click here.
If your software company is like most U.S. businesses, it has been severely impacted by the ongoing coronavirus crisis and the stay-at-home orders that have been mandated across the country. Legislation was recently passed by Congress and signed into law that may make available disaster relief to your software company: the Coronavirus Aid, Relief, and Economic Security Act (the “CARES” Act).
The CARES Act established a new business loan program, the Paycheck Protection Loan Program (“PPP”), which will enable a U.S. software company qualifying as a small business to receive a loan in the amount of 2.5 times the company’s monthly payroll costs. As part of the PPP, software companies (and other small businesses) may be eligible for loan forgiveness on any loan proceeds applied during the eight week period immediately following receipt of the loan towards payroll, rent, utilities, and interest on mortgage and debt obligations incurred prior to February 15, 2020, provided that all employees are kept on the payroll for the eight week period and the documentation verifying the use is submitted to the lender. Any loan proceeds that are not forgiven will have a maturity of 2 years and an interest rate of 1%. The program is described in more detail on this weblink. The interim regulations describing how the program will work are linked here and the FAQ addressing questions and answers is linked here.
To participate in this loan program, your company should submit an application through your primary bank. Alternatively, many online and non-bank business lenders are also participating in the loan program, so working through such a lender may be an available option.
In addition, your software company may be eligible for an economic injury disaster loan advance of up to $10,000. Originally these advances were supposed to be available within 3 days of submitting an application; however, this has now been revised to remove the previously defined deadline. Advances should be requested directly through the SBA website at this link: https://covid19relief.sba.gov/#/. The loan advance will not have to be repaid, but the amount may be deducted from a subsequently obtained PPP loan.
It is anticipated that the funds allocated to this program are going to run out before all the applications are processed, so companies are being encouraged to submit applications as soon as possible. It is unfortunately not clear how long businesses will have to wait to receive the aid. To date, the Silicon Valley Software Law Blog is only aware of one approved business via a third party report, and has heard of no business actually receiving any aid through these programs.
If you are on a law firm mailing list, it is likely that you have seen emails or alerts in the last few weeks that discuss the concept of “force majeure.”
Why has the concept of force majeure suddenly become a favorite topic of law firms around the country? Well, over the month of March, many state and local governments have imposed stay-at-home orders on businesses and their employees. In addition, there have been mass cancellations and closings, all as a result of the coronavirus pandemic. The economic damage arising from these events is already affecting many contractual relationships, rendering parties unable to perform. For this reason, the boilerplate force majeure clause included in many contracts is now anticipated to take on new significance.
If you are unclear on what exactly a force majeure clause is, this is the clause routinely included in many contracts that specifically addresses what happens if one party cannot perform a contractual obligation due to the occurrence of an event beyond that party’s control. Such clauses generally provide that the force majeure event will not constitute a material breach provided that certain requirements are met.
So, do the events of the last month automatically permit the nonperformance of an obligation by a party to a contract if a force majeure clause exists? As is the case with most contract interpretation issues, the answer is not so black and white.
Since this particular set of circumstances has not happened in the lifetime of most practicing lawyers, it is unlikely that the average force majeure clause specifically contemplated the possibility of a pandemic or a widespread stay-at-home order over an extended period affecting most businesses and workers across an entire city, county, or state. So, the first question will be: is the force majeure clause in the relevant contract drafted broadly enough to apply to the specific circumstances causing the failure to perform? A force majeure clause that specifically addressed “acts of government” may be broad enough to apply. However, a force majeure clause that only contemplated “acts of God” or “acts of nature” may not. So, the specific wording of the force majeure clause will be critical. Also, the application may be subject to interpretation if the applicability depends on words like “beyond the reasonable control of either party” or “epidemic.”
Assuming that the definition of force majeure is defined broadly enough to apply to the particular circumstances many businesses and workers have faced over the last month, then the next question to determine will be whether the conditions were met for the force majeure clause to apply. Many force majeure clauses impose requirements on the affected party that must be met for the force majeure clause to apply. Have these requirements been strictly followed? Is that answer subject to interpretation?
Then, assuming that the force majeure definition applies and the conditions were met, the next question is whether there were any carve-outs for the particular obligation that has not been performed which render the clause inapplicable. One carve-out that I see from time to time is failure to make a payment.
Finally, assuming that the force majeure definition applies, the conditions were met, and there were no carve-outs that apply, the question will be whether the continuation of the event for an extended period then enables the other party to terminate. It is not uncommon for a force majeure clause to specify that if the event continues for more than thirty or sixty days, then the performing party will be able to terminate.
Of course, there may be other clauses in a particular contract beyond just the force majeure clause that may apply to excuse or simply address a failure or delay in performance. Additionally, if a party is facing the likelihood of not being able to perform, that party always has the option of simply approaching the other party directly and attempting to renegotiate the contract to specifically address the changed circumstances and contemplate a particular resolution. In many cases, this may actually be the preferred way to tackle an unforeseen situation along the lines of what many businesses are facing as a result of the coronavirus pandemic. However, if the other party is not open to renegotiation or other options are just not available, a force majeure clause may provide the contractual answer to dealing with the current circumstances of your business.
If your software company is like many, you are probably already contemplating the renegotiation of certain contracts due to the uncertainty and changed business conditions arising from the coronavirus pandemic.
However, the renegotiation of contracts will inevitably open your software company up to the possibility of having to agree to terms and conditions far less favorable than what you previously agreed to. Furthermore, if not carefully drafted, any modification to an existing agreement could create legal issues that did not previously exist, leaving your software company in a vulnerable position should your company end up in a legal dispute with the other party down the road.
So, what are some practice tips for the successful renegotiation of contracts in a period of economic and business uncertainty?
First and foremost, approach contract renegotiations as an opportunity to clarify any vague or uncertain terms in the previously executed contract. It is critical in periods of economic and business uncertainty for the contract to fully reflect the parties’ intentions. So, a renegotiation is the perfect time to address any such issues that have come to light with the contract since execution. You definitely do not want to spend the time and money on renegotiating only to leave in the contract all the problems that have previously come to light with it, any one of which could result in a contract dispute down the road. Also, you want to think through all the possible scenarios that could arise and make certain the contract fully addresses those possibilities. For example, right now, many cities around the world are in lockdown for a period that has been assigned an expected end date. What happens if the date gets pushed back by three months? How does this impact the relationship? What happens if the date gets pushed back by six months? How does this impact the relationship? Thinking through the implications of potential scenarios on the contract and ensuring they are appropriately addressed in the contract is key.
Second, approach contract renegotiation with the intention of ensuring that the terms will be a “win” for both parties. In other words, both sides of the contract should obtain a benefit from the renegotiation, so that one side is not making all of the concessions on the mere promise of a future relationship. For example, if one side is seeking new payment terms, consider whether the other party would benefit from a longer contractual commitment. Good relationships require mutuality for both sides to remain satisfied with that relationship. If one side feels forced to agree to terms against its interest, then the relationship is likely to be negatively impacted on an ongoing basis.
Third, anticipate the possibility that the contract renegotiation does not truly resolve the issue prompting the renegotiation and develop a fallback solution that will enable the parties to easily go their separate ways without the necessity of further negotiations or proceedings. Contemplate what terms would need to be included that would allow for a clean and painless parting of ways if the issues do not end up being resolved by the modification.
Fourth, make sure you are really contemplating the full impact of the proposed modification(s) on every single clause of the contract, and not just on a single clause or set of clauses. Perhaps the single most common mistake I see with contract modifications is that parties fail to contemplate how a modification affects the entire agreement and draft documents that add a lot of uncertainty into the terms. Even a minor modification has the potential to impact all or nearly all of the clauses in a previously executed document. Thus, make sure you have taken the time to fully contemplate the impact of a proposed modification before agreeing to it.
Fifth, make sure you identify the specific contract you are modifying, and the specific clauses you are modifying, as well as what specific modifications you are making. Also, clearly state what happens specifically to the clauses you are not modifying. The worst contract modifications are unclear as to the contract version being modified and/or the specific clauses being modified, and are not clear as to the effect on other clauses. An effective contract modification is one that does not create new uncertainty.
The bottom line is that even a seemingly simple modification proposal requires careful contemplation beyond merely the request proposed. While it might be tempting to cut corners with a contract renegotiation in order to save on legal fees or expedite the signing of a contract modification in an uncertain economic climate, such decisions often lead to disputes with previously good relationships that would never have arisen otherwise. It generally pays to take the time to do a contract modification the right way.
Although many businesses are concerned about the potential economic fallout of recent shelter-in-place orders in Silicon Valley as well as more limited office and business closings across the United States, the coronavirus crisis is presenting a unique sales opportunity to savvy SaaS companies, given the fact that much of the United States workforce has suddenly been forced to work remotely.
How can your company capitalize on the sales opportunities now presented by the increased demand for software-as-service solutions while avoiding the legal pitfalls that can arise from economic uncertainty?
First and foremost, increased customer demand presents an opportunity to improve poorly drafted contracts, which can be more easily renegotiated in conjunction with a customer-initiated request. If your customer is looking to add user access or other services as a result of the new focus on a remote workforce, then you may want to update your customer contract at the same time, particularly given all the predictions of a post-coronavirus recession. It would be in your company’s best interests to have a strong contract in place with your customers in the event of any recession, since poor economic conditions tend to result in contract cancellations by customers. If you have never had your customer contract reviewed by a lawyer with SaaS contracts expertise, now might be a perfect time to do so in conjunction with meeting any new customer demand, so that your business is better prepared to weather an economic downturn and customers looking for loopholes to walk away from your agreement.
Second, if your customer is looking to add authorized users at new locations, ensure that you are addressing the new sales by properly amending your existing contract as contemplated by the SaaS lawyer who originally drafted the contract. More often than not, I see companies making huge mistakes with subsequent SaaS sales, where they execute amendments that incorrectly override key terms in their original contracts or add significant legal loopholes into the original contracts. Obviously a poorly drafted amendment can completely undo any investment you made in a well written original agreement, and can create legal disputes where you previously had none. So, you definitely want to exercise a high degree of care to ensure that any new sales are appropriately addressed by a correctly drafted amendment.
Additionally, you need to consider whether any implementation services will be required to make these additions, whether the possibility of future implementations was contemplated by the original contract, and how the delivery of implementation services might be impacted as a result of the coronavirus pandemic or any economic conditions that might arise as a result of the pandemic. In the prior recession, implementation was one of the most commonly disputed issues between software companies and customers.
Third, if your customer has gone entirely remote, you need to anticipate a greater demand for various types of support services, which also creates new customer sales opportunities. For example, perhaps instead of one-size-fits-all free standard support, there may now be a customer demand for multiple levels of paid, enhanced support services. However, if your company suddenly decides to completely revamp support services in response to new customer demand, you definitely need to make sure such changes have been contemplated in your original contract, and to the extent they have not, make sure the contract again is appropriately amended to address a complete revamp of your support offering.
Fourth, you may find that your customer now has new custom functionality or feature development needs in response to changing service demands by the customer’s own client base, which is similarly responding and trying to adapt to the same crisis. If you are fortunate enough to have this type of opportunity arise, then you need to ensure that ownership of custom functionality features was sufficiently contemplated by the original contract with your customer, not only with respect to whether or not those features can subsequently be made available to your entire customer base but also with respect to the specific terms for costs, timetable, and specifications for development. To the extent these issues are not fully addressed by your original contract, you will want to make sure they are properly addressed by separate agreement. In light of the current crisis, you will want to ensure that any potential delays that might arise due to the coronavirus crisis have been properly addressed in the terms.
Fifth, the new circumstances may present new customer demands for live and recorded remote training that did not exist previously, which may be able to be sold at different price-points. However, again, if such an opportunity for sales presents itself, you should ensure that your original contract contemplated the possibility of different levels of training for a fee being purchased by the customer. If not, then you will want to ensure that your agreement is properly amended to reflect the new training service offerings. And of course, if your customer is seeking training to be provided by a particular instructor, you will want to ensure that the possibility of that instructor falling seriously ill to coronavirus has been contemplated and any risks properly addressed.
Sixth, the new remote circumstances may present customer demands for enhanced levels of service in terms of available bandwidth and other service enhancements, which you also may be able to make available to customers at different price-points. Should this arise, you will again need to ensure that the possibility of different levels of service was contemplated by the original agreement, and if not, appropriately amend the agreement to address this possibility.
Finally, the new remote circumstances may present opportunities to sell new professional services to your customers that you had not previously considered. Should an opportunity of this nature arise, then you will need to ensure that the possibility of future professional services was contemplated by the original agreement, and if not appropriately amend the agreement to address this possibility and then potentially draft a separate professional service agreement that addresses the contemplated services required by the customer.
All in all, the coronavirus crisis is presenting a unique business opportunity for cloud-based SaaS providers to deliver more services to a workforce suddenly forced to work remotely. However, to capitalize on the opportunity to meet the demands of a newly remote workforce, SaaS companies will need to apply a high level of care to the technical drafting of their contracts. Otherwise, to the extent they cut corners, they are likely to pay the price by attracting customer disputes in a subsequent weak economy.
The Silicon Valley Software Law Blog’s Kristie Prinz will be presenting a series of webinars on negotiating in a very uncertain economy, sharing practice tips developed and lessons learned from the last recession. I will be kicking off the series with a webinar on “Best Practices for Negotiating Master Services Agreements in an Uncertain Economy” on April 6th, followed by a webinar on “Best Practices for Negotiating Development Agreements in an Uncertain Economy” on April 13th, and a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on April 20th. I will be announcing the next webinars in the series soon. To register for any of these programs, please check out the webinar notices at The Prinz Law Store Website.
Silicon Valley Software Law Blog’s Kristie Prinz will present a webinar on “The Intersection of Law & Technology: Addressing Current Technology Issues without Allowing them to Overwhelm your Practice” on April 17, 2020 at 10 a.m. PST/1 p.m. EST. For more information on the program, please check out this link: https://prinzlawstore.com/2020/02/silicon-valley-technology-lawyer-kristie-prinz-to-present-webinar-on-the-intersection-of-technology-and-legal-practice-addressing-current-technology-issues-without-allowing-them-to-overwhelm-your-p/
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting on “Negotiating SaaS Contracts & Managing Customer Relationships” on March 31st, 2020 at 10 a.m. PST/ 1 p.m. EST in a webinar sponsored by The Prinz Law Office. To attend, please register at: https://prinzlawstore.com/2020/02/best-practices-for-negotiating-saas-contracts-managing-saas-customer-relationships/
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for Clear Law Institute on March 23, 2020 at 10 a.m. PT/1 p.m. ET.
The Prinz Law Office is pleased to announce its new alternative billing options for 2020. As of the New Year, the firm has dramatically increased its alternative billing options so that clients will have a lot more choices for standard fixed fee packages: clients will now be able to choose from as many as five different levels of standard fixed fee services for many regularly requested services. This will be in addition to all the subscription options and fixed hour options, which were announced previously in 2019. For more information about all the new alternative options now available, please contact Kristie Prinz at kp****@pr************.com.
If your company is like many, you have known about the upcoming effective date of the California Consumer Privacy Act (“CCPA”), but are still making last minute preparations in advance of it going into effect.
If you are one of many procrastinators out there just starting to think about the law, the Silicon Valley Software Law Blog wanted to recap some highlights for you.
- Your business is subject to the law, regardless of its location, if any one of the following is true:
- Your company has gross annual revenues in excess of $25 million.
- Your company buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Your company derives 50 percent or more of its revenues from selling consumers’ personal information.
- The CCPA creates new rights for California consumers: (a) the right to know; (b) the right to delete; (c) the right to opt out; and (d) the right to non-discrimination.
- You must provide notice to consumers at or before the point of data collection of the personal information to be collected and the purposes it will be used.
- You must provide clear and conspicuous notice to consumers of the right to opt out of the sale of personal information, which includes providing a “Do Not Sell My Personal Information” link on the website or mobile application.
- You must respond to requests for consumers to know, delete, and opt-out within specified timeframes (generally 45 days). Privacy settings to opt out must be treated as a validly submitted opt out request.
- You must verify the identity of consumers who make requests to know or to delete, regardless of any password-protected account settings with the business.
- You must disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how the value of the personal information is calculated, and explain how the incentive is permitted under the CCPA.
- You must make available to consumers at least two or more designated methods for submitting requests, including at a minimum a toll-free phone number, and if you maintain a website, a website address by which to submit requests. However, a business that operates exclusively online and has a direct relationship with the consumer from whom it collects personal information is only required to provide an email address.
- You must make your privacy policy accessible to consumers with disabilities, or provide consumers with disabilities information on how they can access the policy in an alternative format.
- You must make your privacy policy available in a format where consumers can print it out in a separate document.
- You must ensure that the privacy policy explains how a consumer can designate an authorized agent to make a request on the consumer’s behalf.
- You must retain records of all requests and responses to requests for at least 24 months; provided that businesses that buy or sell personal information of more than 4 million consumers annually have additional reporting obligations.
Also, if your business qualifies as a “data broker” you are required to register with the Attorney General by January 1, 2020. How do you know if your business is a “data broker”? Your business knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Three categories of businesses are excluded from these obligations: (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.
The CCPA, its amendments, and regulations define more compliance obligations that businesses should be familiar with, but this list is a good starting point in advance of the effective date.
Obviously, even if your business is not subject to these laws, these privacy requirements will now constitute the best practices for doing business in California, so all businesses should seriously consider incorporating these privacy practices into their standard privacy practices and procedures. The Silicon Valley Software Law Blog will continue to keep you updated as these new laws begin to be implemented.
Updated 6.21.24
Software companies in the business of brokering data are on notice: the state of California intends to keep you on a tight leash.
In anticipation of the January 1, 2020 effective date of the California Consumer Privacy Act (“CCPA”), California took yet another bold step toward protecting the personal information of Californians when it passed a new data broker law on October 11, 2019, which applies to anyone in the business of collecting and selling the personal information of consumers: AB-1202 establishes a new compliance framework for data brokers.
What is California’s New Data Broker Law?
Under the new law, data brokers will be required to register with the Attorney General, pay a registration fee, and provide their name, physical address, email, and website address, which will be publicly displayed online. Any data broker who fails to register will be (a) subject to injunction and liable for civil penalties, fees, and costs at a rate of $100 for each day that the data broker fails to register; (b) liable for an amount equal to the fees due during the period it failed to register; and (c) liable for the expenses incurred by the Attorney General in the investigation and prosecution of the action.
What is a Data Broker under the California Law?
What businesses are defined as “data brokers” under the law? The law defines “data broker” to mean a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law specifically excludes three categories of businesses from the definition of “data broker”: (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act. “Personal information” is defined to have the meaning provided in subdivision (o) of Section 1798.140, so publicly available information may be excluded to the extent the data is used for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.
California’s New Data Broker Law Applies to Companies Selling Data
So, if your company is in the business of selling data in any capacity, not only do you need to prepare for the January 1, 2020 launch of the CCPA, you also need to prepare to register with the state of California as a data broker. Businesses will be required to register on or before January 31st following each year when your business meets the definition of a “data broker.”
Silicon Valley Software Law Blog Author Kristie Prinz will present an upcoming webinar on November 21, 2019 on “Legal Developments Impacting the Software Industry.” The event will be hosted by The Prinz Law Office and will explore what software companies need to know about the key legal developments affecting the software industry in 2019. To learn more about the event or to register, please check the event page: https://prinzlawstore.com/2019/10/legal-developments-impacting-the-software-industry-2019/.
Updated 6.26.24
In anticipation of the California Consumer Privacy Act (“CCPA”) going into effect on January 1, 2020, California Governor Gavin Newsom has just signed into law seven amendments to the statute, and the California Department of Justice published the text of its new regulations to be adopted in furtherance of the CCPA.
The signed bills are as follows: AB 25, AB 874, AB 1146, AB 1355, AB 1564, and AB 1130. The text of the published regulations is made available here. The deadline to submit written comments is 5 p.m. on December 6, 2019. California is accepting comments submitted in accordance with the instructions posted on this Office of the Attorney General website: https://www.oag.ca.gov/privacy/ccpa.
So now that there is a little more statutory and regulatory clarity on what exactly will be going into effect on January 1st, 2020, software companies are in a better position to start preparing for the law to take effect.
CCPA Compliance Requirements
So, what does your software company need to know about complying with the California law as of January 1, 2020, as the California privacy laws collectively stand today?
First of all, your business will be subject to the law if at least one of the following is true:
- Your company has gross annual revenues in excess of $25 million;
- Your company buys, receives, or sells the personal information of 50,000 or more consumers, households or devices;
- Your company derives 50 percent or more of its revenues from selling consumers’ personal information.
“Consumer” is currently defined as a natural person who is a California resident. “Personal information” is currently defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes not only name, address, and social security number, but also purchasing history or tendencies, biometric information, internet activity, geolocation data, employment information, and education information. However, publicly available information and de-identified or aggregate consumer information is now specifically excluded from the definition. “Business” is currently defined to include for-profit businesses as well as other legal entities.
CCPA Consumer Rights
Second of all, California consumers are going to have certain new rights that your business will be responsible for ensuring:
- A Right to Know (a) the specific pieces of personal information the business has collected about the consumer; (b) the categories of personal information it has collected or sold about that consumer; (c) the purpose for which it collected or sold the categories of personal information; and (d) the categories of third parties to whom it sold the personal information.
- A Right to Delete personal information held by your business or by a service provider of your business; provided, however, that there will be some exceptions, where it is necessary for your business or service provider to do any of the following: (a) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer; (b) detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity; (c) debug to identify and repair errors that impair existing functionality; (d) exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law; (e) comply with the California Electronic Communications Privacy Act; (f) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent; (g) enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (h) comply with a legal obligation; or (i) otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
If you or your service provider does not delete a consumer’s information upon request, you must inform the consumer as to why and notify the consumer of any rights he or she has to appeal the decision, and you must do it within the timeframe you would have had to delete the information.
- A Right to Opt Out of the Sale of personal information. “Sale” is defined to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other consideration. The proposed regulations provide more clarification on the practices businesses should follow to ensure this right to opt out of the sale. In the case of children under the age of 16, your business cannot sell their personal information unless they have opted-in to the sale. In the case of children under 13, a parent or guardian must opt-in on behalf of the child. The proposed regulations further define the rules related to the protection of children.
- A Right of Non-Discrimination. Your business will be prohibited from discriminating against a consumer for exercising his or her rights under the CCPA. Discrimination will be defined to include denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer, or suggesting that the consumer will receive a different price or quality of goods or services; provided that you will be able to charge a different price or rate, provide a different level or quality of goods or services, or offer financial incentives if the difference is reasonably related to the value provided to the business by the consumer’s personal data, so long as the business practice is not unjust, unreasonable, coercive, or usurious in nature. The proposed regulations further define how the right of non-discrimination will be implemented.
CCPA Business Obligations
Third, businesses will now have other new business obligations to consumers, including the following:
- Provide notice to consumers at or before the point of collection of the categories of personal information to be collected from them and the purposes they will be used.
- Provide clear and conspicuous notice to consumers of the right to opt-out of the sale of personal information in the form of a “Do Not Sell My Personal Information” link on their website or mobile application.
- Respond to requests from consumers to know, delete, and opt-out within the specified timeframe (generally 45 days). The proposed regulations require businesses to treat privacy settings to opt out selected by a consumer as a validly submitted opt out request.
- Make available to consumers at least two or more designated methods for submitting requests for information, including at a minimum, a toll-free phone number, and also specify other business practices for handling requests by consumers.
- Verify the identity of any consumer making a request to know or delete. Password protected account settings are not considered sufficient verification. The proposed regulations require a business unable to verify a request to comply to the greatest extent it can even if it denies a request.
- Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information (as specified by the proposed regulations), including a short summary of the incentive, a description of the summary and the categories of personal information impacted, an explanation of how a consumer can opt-in to the incentive, a notice to the consumer that he or she has the right to withdraw at any time and how he or she can exercise this right, and an explanation of why the incentive is permitted under California privacy law.
- Retain records of all requests and responses to those requests for at least 24 months; provided that businesses (alone or in combination) collecting, buying or selling the personal information of more than 4 million consumers annually are subject to extra recordkeeping obligations.
- Disclose a privacy policy which describes consumers’ rights under California privacy law, how to submit requests to exercise rights under California privacy law, and information regarding your data collection and sharing practices. The proposed regulations define additional requirements for the privacy policy, including that it must be accessible to consumers with disabilities or provide consumers with disabilities information on how they can access the policy in an alternative format; that it must be in a format where consumers can print it out as a separate document; that it must explain the right of a consumer not to receive discriminatory treatment; and that it must explain how a consumer can designate an authorized agent to make a request on the consumer’s behalf under California privacy law.
- Train employees or contractors handling consumer requests on compliance with California privacy law and on directing consumers to exercise their rights under California privacy law; provided that businesses collecting, buying or selling the personal information of more than 4 million consumers are subject to higher training obligations.
CCPA Conflicts with GDPR
Fourth, businesses are now going to have to reconcile the requirements of the European Union’s General Data Protection Regulation (“GDPR”) with California’s privacy laws. In particular, California’s Department of Justice has advised businesses to be wary of the following:
- Data inventory and mapping of data flows to demonstrate compliance with the GDPR may have to be re-worked to reflect the different requirements of California.
- Processes and/or systems set up to respond to individual requests for access to or erasure of personal information will need to be reviewed in order to apply different definitions of what constitutes personal information and different rules on verification of consumer requests.
- Contracts with service providers or data processors adopted to comply with the GDPR may need to be rewritten to reflect the requirements under California law.
Regardless of whether your software company is going to meet the threshold to be subject to the new California law when it goes into effect, it would be prudent to start incorporating these new requirements into your company’s privacy practices and procedures, since they will at the very least become the new best practices for businesses serving California consumers effective January 1, 2020. It goes without saying that software companies who will be subject to the law when it goes into effect need to take steps to become compliant immediately, as the law is set to go into effect in less than 75 days.
The Silicon Valley Software Law Blog will continue to follow any further rulemaking and privacy law amendments as they are proposed and/or adopted by the State of California. If you have questions regarding the CCPA and your company’s compliance obligations, schedule a consultation with me today at this link.
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting a webinar on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships” on October 8, 2019 at 10:00 a.m. PST/ 1 p.m. EST. The webinar will address the following issues:
- What makes an effective SaaS customer contract?
- What are the essential terms in a well-drafted SaaS contract?
- What are the common issues that arise in SaaS negotiations? What are the best strategies to resolve them?
- What are the best practices to manage the customer relationship?
The Prinz Law Office is sponsoring the event, which will be intended for lawyers as well as business people.
To register, please sign up at the Prinz Law Store website.
If you are in the software business, you likely recognize that you can be sued for materially breaching contracts, infringing third party IP, and data breaches but you may not realize the extent of your liability just for making the sale of a software product deemed to contain a security flaw in the first place, even if the security flaw was never exploited and only identified.
Increasingly, however, just the act of selling software later deemed to be “defective” due to security flaws has resulted in liability to companies.
As The Silicon Valley Software Law Blog has been reporting, the Federal Trade Commission (the “FTC”) has recently imposed fines and put in place ongoing oversight on companies for this type of issue.
But as Cisco just discovered, if the sales were made to a federal or state agency, the mere act of making the sale can also result in significant liability. Cisco has agreed to pay $8.5 million to settle a case originally filed in New York Western District Court in 2011 involving the sale of video surveillance technology to a variety of government organizations, including but not limited to Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and the Federal Emergency Management Agency.
According to The New York Times, the Cisco case was initiated by the Justice Department in the Federal District Court for the Western District of New York, and the allegations were based on violations of the False Claims Act, which addresses fraud and misconduct in federal government contracts. Fifteen states and the District of Columbia joined in the suit. As The New York Times reported, the argument made by the government was that the software had no value because it failed to serve its primary purpose of security enhancement. According to The New York Times, the flaw was identified back in 2008 by a Cisco subcontractor, who brought it to the company’s attention at that time. However, as The New York Times reported, the subcontractor was subsequently terminated, and when he realized two years later that the vulnerability was still not fixed, he contacted the FBI. The New York Times reported that Cisco continued to sell the software with the flaw until July 2013, when it finally notified customers and fixed the flaw.
While the Cisco case applies only to sales made to government, a class action suit is pending right now on similar facts, where the sales were made to non-government consumers.
As was announced in this press release and discussed in this firm blog post, a class action lawsuit was initiated late last year against Symantec for critical defects in its security products sold under the Norton brand. The current status of that litigation is not clear.
The bottom line: if you are selling software that provides security functionality, you need internal systems in place to identify security flaws and fix them quickly, particularly if the software is sold to a government organization. Even if you are selling to the general public, you may still be liable for selling software containing security flaws, whether liability is assessed through the FTC or through class action litigation, regardless of the terms of your sales contracts.
When your company releases its next software update, you may want to consider the potential legal implications of the release. There seems to be a new trend in class action litigation: suits over software updates.
As Reuters first reported, an owner of a Tesla vehicle has filed a lawsuit against Tesla, Inc. claiming that a software update fraudulently limited the battery range of older vehicles, which reduced the distance that they can travel without recharging the vehicles. Reuters reported that the lawsuit was filed in a Northern California federal court and seeks class action status for owners of Model S and X vehicles around the world.
According to Reuters, the lawsuit claims that the software update was released with the intention of avoiding liability for defective batteries.
CNET reports that the affected owners claim to have lost some eight kilowatt hours of capacity after the software update, which occurred back in May, 2019, and that the affected cars are older model S and X vehicles, which have batteries that should still be covered under the eight (8) year warranty on the batteries. InsideEvs explained the argument as Tesla “enter[ing] [owners’] garages and replac[ing] a 40-gallon tank for a 20-gallon tank.”
Tesla is not the first company to be sued for a software update and how the update affected the performance of a device. Apple has also been the subject of numerous suits in the past few years on a similar issue. This Business Insider article reports on the legal controversy involving Apple regarding an update affecting battery performance. Class action suits were also filed against Microsoft over its Windows 10 upgrade strategy. See this Consumeraffairs.com article.
While these cases all pertain to software that controlled performance of a device, whether batteries or computers, it seems clear that with the increasing reliance on software functionality across so many industries, lawsuits over software updates are likely to continue.
So, the next time your company contemplates a software update or upgrade, it may be prudent to consider the legal implications of the release and whether it is likely to result in litigation. You also may want to reconsider the sufficiency of the legal agreements in place with the parties to whom you are providing the updates or upgrades before making the new software available. Software companies are clearly on notice that they may be sued over updates or upgrades that are alleged to have a negative impact on customers or users after release.
The CARIN Alliance, which is a coalition of companies from the health and tech industries, has just announced the release of a new standard for sharing health claims data in conjunction with the Blue Button Developers Conference. The announcement is linked here.
The newly released standard is linked here: CARIN Blue Button Implementation Guide CI Build.
According to FierceHealthcare, the standard was developed by a working group made up of alliance members and includes more than 240 claim data elements. FierceHealthcare reports that 20 organizations, including Apple, Anthem, Blue Cross Blue Shield, Cambia Health Solutions, Google, and Humana, have agreed to test an application programming interface (“API”) employing the standard in anticipation of a product launch of the standard next year.
CNBC reports that the significance of the news is that this is the first time that industry has agreed to standards for sharing claims data to third party developers, and the Alliance aspires not only to make the data available to consumers but also to provide fraud detection functionality and functionality to help consumers avoid paying bills with errors in them.
FierceHealthcare reports that the new standard “builds” on Blue Button 2.0, which was released by the Centers for Medicare and Medicaid Services (“CMS”) last year and is an API enabling Medicare beneficiaries to access their Medicare claims data. A web page dedicated to Blue Button 2.0 is linked here. FierceHealthcare reported on the Blue Button 2.0 initiative by CMS here.
Obviously the development of new digital health standards is a victory for the digital health industry, which has arguably been slow to develop industry standards along the lines of what exist in the tech industry generally.
For more information on how to join The Carin Alliance, click here. For a list of alliance members, please click here.
The software industry is closely following legislation in California that, if passed, could have a huge impact on gig workers and the software companies that rely on them.
The legislation at issue is AB 5, which would codify and expand the California Supreme Court’s recent decision in Dynamex Operations v. Superior Court (2018) 4 Cal. 5th 903. The text of the proposed legislation is available here.
According to The Intercept, the bill was sponsored by Lorena Gonzalez, a Democratic assemblywoman from San Diego. The Intercept reports that California is losing an estimated $7 billion in payroll tax annually due to the misclassification of employees as independent contractors, so the state is eager to close the loophole.
Obviously, Uber and Lyft directly oppose the legislation, since it would directly affect their current gig worker business model. In fact, The Los Angeles Times has reported that Uber and Lyft have actually paid drivers to organize protests against the legislation.
For Uber and Lyft, the obvious concern is that the passage of AB 5 in California could prompt other states to pass their own versions of the legislation, or even that similar legislation could be passed at the federal level, which could expand the impact of the legislation far beyond the borders of California.
Both The Intercept and The Los Angeles Times are reporting that Uber and Lyft have each warned investors of this potential risk in recent regulatory filings. Indeed, an investment publication, Investorplace, warns that the passage of the bill will have a very detrimental impact on both companies.
The bottom line is that software companies that have built business models around gig workers may soon be forced either to cease operations in California or to change their models for the state if AB 5 is passed and signed into law. If your company has been developed around this model, or you are building a company that relies on it, you will want to follow this legislation closely as it moves through the California legislature. The Silicon Valley Software Law Blog will continue to track the developments on this legislation.
Multiple media outlets are reporting today that the Federal Trade Commission has agreed to settle its case against Facebook on its privacy practices for $5 Billion.
The Wall Street Journal reports that the vote by FTC commissioners was 3-2 in favor of accepting the agreement and split along party lines, with the Republican majority favoring the settlement. According to The Wall Street Journal, the matter next goes to the Justice Department’s civil division for final review.
According to the Mercury News, assuming reports are correct, this will be the largest fine imposed to date by the U.S. government on a tech company. The Washington Post reports that the fine is more than 200 times higher than any previous fine.
Interestingly enough, The Wall Street Journal is reporting that the fine obtained by the FTC exceeds what the European Union could have obtained under its privacy laws.
The Washington Post predicts that the settlement will impose serious consequences on Facebook that go far beyond just a $5 billion fine. However, The Washington Post acknowledges that the dissenting commissioners opposed the settlement because they wanted some assessment of personal liability against CEO Mark Zuckerberg; the majority reportedly decided to accept a settlement without any such assessment in order to ensure that the matter did not end up in litigation.
While controversial, the FTC’s enforcement action in this matter still sets a significant precedent for the software industry with respect to the consequences of not protecting data uploaded to or generated by software. Software companies are on notice: the FTC is closely following your privacy practices and may assess fines in the billions of dollars against you if you fail to take sufficient steps to protect user data.
As The New York Times and The Washington Post recently reported, facial recognition software is being heavily utilized by government agencies, who are using the software to search state driver’s license databases, despite the fact that most of the photos in the databases are of citizens who have never committed a crime and have never given any sort of consent to the searches. The reports have raised concerns about the lack of regulation and oversight currently with respect to the use of facial recognition software by law enforcement.
According to a report by The New York Times, since 2011 the FBI has run nearly 400,000 facial recognition searches of federal and local databases, including DMV records. The Washington Post reports that the FBI is currently running about 4,000 searches per month.
Moreover, The New York Times and The Washington Post are reporting that in states offering driver licenses to undocumented immigrants, Immigration and Customs Enforcement (“ICE”) is using the software to conduct searches on undocumented immigrants.
The Washington Post reports that twenty-one (21) states and the District of Columbia allow federal investigators to scan driver’s license photos, and that those searches generally require no more than an email request to conduct the search.
A number of lawmakers in Washington are raising concerns about the recent revelations, and two cities, San Francisco and Somerville, MA, have now imposed a ban preventing police and public agencies from using the software. The Washington Post reports that a privacy coalition has petitioned the Homeland Security Committee for the Department of Homeland Security (“DHS”) to stop using the technology.
What are the arguments being raised in favor of greater regulation of law enforcement’s use of the technology?
First and foremost, proponents of greater regulation argue that running facial recognition searches against photos of law-abiding citizens is a huge privacy violation. Second, they argue that the scope of its use by law enforcement is too broad, since it has been used not only to identify criminal suspects but also to find witnesses, victims, and bystanders. Third, they argue that its use often constitutes a breach of trust, since states encourage undocumented immigrants to submit their information to the databases and then proceed to turn it over to ICE. Fourth, they argue that use of the software heightens the risk of misidentification and false arrest because of inaccuracies in how certain facial features are detected.
All in all, it is clear that law enforcement considers facial recognition software to be a valuable investigative tool. However, there are clearly some valid concerns with how the software is being used that warrant further consideration. Should law enforcement really be able to conduct these types of searches without a warrant? Should ICE be able to conduct searches of undocumented immigrants who have been encouraged to submit information for inclusion in a database? What kind of checks should be in place on law enforcement’s use of software that has inherent inaccuracies?
The Silicon Valley Software Law Blog will continue to follow these issues as Congress and privacy advocates debate them.
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting an upcoming webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on August 9, 2019 at 10:00 a.m. PST/1:00 p.m. EST for Virginia-based Clear Law Institute. The sponsor is offering a 35% discount off the registration fee with the discount code KPrinz200577.
The Prinz Law Office has issued a press release on the event, which can be viewed here.
To register for the event, please see the Clear Law Institute website here.
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting a webinar on July 25, 2019 for CLE provider Strafford a webinar titled “Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, Other Key Provisions.” Ms. Prinz’s co-presenter will be FieldFisher partner Laura Berton.
The Prinz Law Office has issued a press release announcing the upcoming engagement, which can be viewed here.
To register, please visit the Strafford Publications website link here.
The Federal Trade Commission (“FTC”) has put software companies and software service providers on notice it intends to interpret the Gramm-Leach-Bliley Act’s Safeguards Rule broadly to apply to businesses which make available software or services that serve financial, payroll, and accounting purposes and collect sensitive data on consumers and their employees.
The FTC recently announced its settlement of a complaint filed against LightYear Dealer Technologies, LLC, which does business as Dealerbuilt. As a condition of the settlement, Dealerbuilt must develop, implement, and maintain an information security program that incorporates the minimum requirements specified by the FTC and must submit to third-party compliance assessments and annual certifications over the next 20 years.
The FTC’s specified minimum requirements for Dealerbuilt’s information security program included the following:
- Develop, implement, maintain, and record in writing an information security program;
- Make the written program, evaluations of the program, and updates to the program available to the company’s board of directors or governing body (or, if none exists, to the senior officer responsible for the program) at least once per annual period and after any data breach;
- Identify an employee or employees responsible for coordinating the program;
- Provide a written assessment, annually and after any data breach, of potential data breach risks;
- Develop written safeguards to ensure data security, including the following:
  - training all employees at least once every annual period on how to protect personal information;
  - technical measures for monitoring networks and systems to identify attempted data breaches;
  - access controls on databases containing personal information which (a) restrict connections to approved IP addresses only, (b) require authentication to access the databases, and (c) limit each employee’s access to only those databases necessary to perform his or her duties;
  - encryption of all social security numbers and financial account information; and
  - policies and procedures for secure installation and an annual inventory;
- Assess, annually and after any data breach, the sufficiency of the safeguards and modify the program as necessary;
- Test the effectiveness of the safeguards annually and after any data breach, including vulnerability testing every four months and after any data breach, and penetration testing annually and after any data breach;
- Ensure that contracts with any service providers require compliance with the safeguards; and
- Evaluate and adjust the program upon any change to operations or business, in the event of any data breach, or on an annual basis.
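The three database access-control conditions in the order (approved source addresses only, authentication required, and access limited to what each role needs) are concrete enough to be checked mechanically. The following is an added illustration, not code from the FTC order or from Dealerbuilt: it evaluates a handful of constructed connection attempts against those three conditions, including the failure mode behind the Dealerbuilt breach, an unauthenticated reach to a backup copy of the database from the open Internet. The approved networks, roles, and attempts are assumed values chosen for the example.

```python
"""
Evaluate database connection attempts against the three access-control
conditions in the FTC's Dealerbuilt order: (a) only approved source IP
addresses may connect, (b) every connection must be authenticated, and
(c) each employee may reach only the databases their duties require.
Policy values and attempts below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (a) Approved networks allowed to reach the database tier (assumed values).
APPROVED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.10/32")]

# (c) Least privilege: role -> databases that role needs for its duties (assumed).
ROLE_DATABASES = {
    "dealer_support": {"crm"},
    "payroll": {"payroll"},
    "dba": {"crm", "payroll", "backup"},
}


@dataclass(frozen=True)
class Attempt:
    source_ip: str
    authenticated: bool
    role: Optional[str]
    database: str


def evaluate(attempt: Attempt) -> Tuple[bool, str]:
    """Return (allowed, reason); checks run in order so the first failed control is reported."""
    try:
        ip = ipaddress.ip_address(attempt.source_ip)
    except ValueError:
        return False, "malformed source address"
    # (a) source must fall inside an approved network
    if not any(ip in net for net in APPROVED_NETWORKS):
        return False, "source address not on the approved list"
    # (b) the connection must carry an authenticated identity
    if not attempt.authenticated or attempt.role is None:
        return False, "connection not authenticated"
    # (c) the identity's role must actually need this database
    if attempt.database not in ROLE_DATABASES.get(attempt.role, set()):
        return False, f"role {attempt.role!r} has no need for database {attempt.database!r}"
    return True, "allowed"


# Constructed attempts: an Internet host with no credentials reaching the
# backup database, a support user straying into payroll, and two proper uses.
SAMPLE_ATTEMPTS = [
    Attempt("203.0.113.7", False, None, "backup"),
    Attempt("10.20.5.44", True, "dealer_support", "payroll"),
    Attempt("10.20.5.44", True, "dealer_support", "crm"),
    Attempt("192.0.2.10", True, "dba", "backup"),
]


def evaluate_all(attempts=SAMPLE_ATTEMPTS) -> List[Tuple[Attempt, bool, str]]:
    """Run every attempt through the policy and return the decisions."""
    return [(a, *evaluate(a)) for a in attempts]


if __name__ == "__main__":
    for a, ok, why in evaluate_all():
        verdict = "ALLOW" if ok else "DENY"
        print(f"{verdict:5} {a.source_ip:>14} {a.role or '-':15} {a.database:8} {why}")
```

Each denial names the control that failed, which is the kind of record a later assessor or breach report would need. The order's encryption and testing requirements are separate controls and are not modeled here.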
The FTC Order also mandates that an information security assessment be conducted initially and then biennially by a third-party professional approved by the Associate Director for Enforcement of the FTC’s Bureau of Consumer Protection, and that the assessor provide the documents relevant to the assessment to the FTC for review within 10 days following completion of the initial review and thereafter on demand. Furthermore, the Order requires a senior corporate manager or senior officer of Dealerbuilt to submit annual written certifications to the FTC, and requires Dealerbuilt to send the FTC a report of any data breach, meeting certain specified requirements, within a reasonable time following discovery of the breach and no later than 10 days following its first notice of the breach. The Order also permanently enjoins all individuals affiliated with Dealerbuilt from violating any provision of the Safeguards Rule, and applies to all businesses connected to Dealerbuilt, a category that is to be broadly interpreted and that Dealerbuilt is required to identify in detail via compliance reports accompanied by sworn affidavits.
The FTC also imposes broad recordkeeping requirements on Dealerbuilt through the Order, requiring Dealerbuilt to create and retain for the next 20 years accounting records of all revenues collected, personnel records, consumer complaint records and responses to those complaints, and any documents relied upon to prepare the mandated assessments and to demonstrate full compliance with the Order.
Finally, within 10 days of any request by the FTC, Dealerbuilt is required to furnish compliance reports to the FTC or other requested information accompanied by sworn affidavits.
The FTC announcement is linked here and the Order is linked here.
What prompted this broad enforcement action by the FTC against Dealerbuilt? According to the FTC Complaint, a series of security failures resulted in the breach of a backup database through a storage device beginning in late October 2016, exposing the personal information of nearly 70,000 consumers, including full names and addresses, telephone numbers, social security numbers, driver’s license numbers, and birthdates, as well as wage and financial account information of dealership employees. The FTC Complaint further alleges that Dealerbuilt failed to detect the breach and only learned of it after a customer called its chief technology officer demanding to know why customer data was publicly available on the Internet.
The FTC Complaint alleged that Dealerbuilt was a financial institution as defined by Section 509(3)(A) of the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6809(3)(A), as a result of being “significantly engaged in data processing for its customers, auto dealerships that extend credit to customers.” The Complaint alleged that the “failure to employ measures to protect personal information” constituted an “unfair act or practice,” and that the failures to (a) “develop, implement, and maintain a written information security program”; (b) “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information” and “assess the sufficiency of any safeguards in place to control those risks”; and (c) “design and implement basic safeguards and to regularly test or otherwise monitor the effectiveness of such safeguards” constituted a violation of the Safeguards Rule and an unfair or deceptive act or practice in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
What should software companies and service providers take away from this FTC enforcement action? First and foremost, the FTC is making a definitive statement that if you are in the business of providing software or software services that have any sort of financial or accounting function, you are a financial institution for purposes of Gramm-Leach-Bliley and the Safeguards Rule will be deemed to apply to your business. Second, the FTC holds service providers accountable for the protection of any personal data they collect or store. Third, the FTC expects businesses using third-party software or providers to have contracts in place with those software companies or service providers that impose security requirements and monitoring requirements and explicitly require them to monitor websites that report known vulnerabilities. Fourth, the FTC expects businesses to train and supervise employees on how to ensure the security of the company. In its announcement, the FTC specifically points businesses to its publication, Start with Security: Lessons Learned from FTC Cases.
Internet of Things (“IoT”) companies are on notice: the FTC is concerned about the security of software installed on IoT and smart home products and is prepared to take enforcement action against companies to ensure that consumers are protected.
The FTC has just announced the proposed settlement of its case against D-Link filed in January, 2017, which mandates that D-Link put in place and maintain a comprehensive software security program for the next 20 years that incorporates certain specified requirements, including a “secure software development process” that incorporates specified software development safeguards to ensure the security of its devices.
These FTC imposed requirements include the following:
- Specifying in writing how functionality and features secure the devices;
- Engaging in threat modeling to identify potential security risks;
- Reviewing every planned release of code with automated static analysis tools;
- Performing pre-release vulnerability testing on each planned release of code;
- Performing ongoing code maintenance to address vulnerabilities as they are identified;
- Adopting remediation processes to address identified security flaws at any stage of the development process;
- Monitoring research on possible vulnerabilities to devices;
- Setting up a process for receiving and validating vulnerability reports from security researchers;
- Making automatic firmware updates to devices;
- Notifying customers at least 60 days in advance of any decision to stop making security updates to a device; and
- Providing biennial security training for personnel and any vendors involved with the device software.
In addition to imposing the above requirements on D-Link, the order gives the FTC the power of oversight to ensure ongoing compliance, and requires D-Link to obtain routine third-party assessments, by a professional with credentials specified by the FTC, consisting of in-depth reviews of D-Link’s security practices. The FTC specifically mandates that the assessment meet an approved standard as defined by the FTC: the International Electrotechnical Commission (“IEC”) standard for the secure product development life cycle. The FTC announcement is linked here and its order is linked here.
What prompted the FTC case against D-Link? The FTC complaint filed against D-Link alleged a failure by D-Link to take “reasonable” steps to secure its software, constituting “unfair acts or practices in or affecting commerce, in violation of Section 5 of the FTC Act, 15 U.S.C. Sections 45(a) and 45(n),” and misrepresentations regarding D-Link’s security practices constituting a “deceptive act or practice, in or affecting commerce in violation of Section 5(a) of the FTC Act, 15 U.S.C. Section 45(a).” The FTC Complaint against D-Link is linked here.
What do companies engaged in IoT software development need to take away from this enforcement action? First, companies need to be aware that the FTC is applying its regulatory powers to ensure that companies secure their software in accordance with any representations made to consumers. Second, companies need to be aware that the FTC is looking to certain published IEC standards to supply the industry standard for software in this space, so IEC compliance certification may become the measure of a company’s compliance with its security obligations. Third, the FTC has provided suggested guidelines for companies to follow in the following publications: Careful Connections: Building Security in the Internet of Things and Start With Security: Lessons Learned from FTC Cases.
Two app developers have filed suit against Apple, Inc. over its App Store practices, following the recent decision by the U.S. Supreme Court in favor of consumers allowing a class action suit on similar issues to proceed. The case was filed in the U.S. District Court for the Northern District of California (San Jose).
According to Bloomberg, the developers’ suit is also a class action suit, on behalf of developers nationwide whose products are sold through the App Store. Bloomberg reports that the developers’ claims are on antitrust grounds and also allege violations of California’s Unfair Competition Law, and that they are represented by a Seattle-based law firm, Hagens Berman, which previously won a $650 million settlement against Apple and other e-book publishing companies on similar claims in 2016.
As the Silicon Valley Software Law Blog previously reported, the U.S. Supreme Court case just decided in favor of consumers presented a legal question as to whether consumers had standing to sue Apple, since developers, rather than consumers, have the direct contractual relationship with Apple. However, the U.S. Supreme Court decision did not reach the merits of the case and decided only whether the class action suit could proceed. The developers would presumably have standing to bring a class action suit, so the same legal question would not arise.
The timing of these suits coincides with increasing calls in Washington for greater regulation at the federal level of Apple as well as its fellow tech giants Amazon, Facebook, and Google, particularly with respect to federal antitrust law and the handling of consumer data. The New York Times is reporting that the four companies are in the process of assembling an “army of lobbyists” to defend them in Washington, spending a combined total of $55 million in lobbying last year.
Needless to say, the tech industry is under fire for many of its business practices, and it seems likely that some changes are on the horizon, regardless of its best efforts to maintain the status quo. The Silicon Valley Software Law Blog will continue to update you on any developments.
The Supreme Court has ruled against Apple in an antitrust case claiming that the App Store has created a monopoly over the sale of apps and has used that monopoly to charge consumers higher-than-competitive prices. Justice Kavanaugh delivered the opinion of the Court that the plaintiffs are not barred from suing Apple under the antitrust laws by the direct purchaser rule set forth in Illinois Brick Co. v. Illinois, 431 U.S. 720, 745-746 (1977). To view the Supreme Court’s decision, click here.
In this case, Apple had argued that the rule set by the Court in Illinois Brick allows consumers to sue only the party who sets the retail price, which in this case was the app developers rather than Apple. However, the Court found that Apple had misconstrued the rule and found compelling instead that consumers had to purchase the apps directly from Apple and that “there is no intermediary in the distribution chain between Apple and the consumer.” In contrast, in Illinois Brick, the company manufactured and distributed a product that was sold to masonry contractors, who sold it to general contractors, who in turn sold it to consumers, so there was a multi-level distribution structure. The Court found that the bright-line test stated by Illinois Brick was to allow direct purchasers to sue but to bar indirect purchasers from filing suit, in order to ensure an “effective and efficient litigation scheme in antitrust cases.”
The decision was 5-4 with Justice Kavanaugh having the deciding vote. Justice Gorsuch wrote the dissent, arguing that the majority has replaced “a rule of proximate cause and economic reality with an easily manipulated and formalistic rule of contractual privity.” According to the dissent, “[unless] Congress provides otherwise, this Court generally reads statutory causes of action as “limited to plaintiffs whose injuries are proximately caused by violations of the statute.” In this case, the dissent contends that the developers–and not the plaintiffs– are the parties who would be directly injured by any “monopolistic overcharge.”
The Supreme Court’s decision allows the antitrust case against Apple to progress and increases the likelihood of future App Store business changes on the horizon such as cutting the commission rate charged to developers, allowing developers to collect the fees, or other fundamental model changes.
However, the decision may have other implications that go beyond just the App Store. According to The Washington Post, Silicon Valley tech giants and an industry group called The App Association are raising concerns that this lawsuit may put other platform services at risk. Wired speculates that “a ruling in the plaintiff’s favor could have serious implications for other tech companies with similar business models,” citing Amazon in particular. In the end, The Verge predicts that perhaps the most significant impact that this case will have is to “affect how much power consumers have over digital platforms,” ultimately forcing online stores to be “more accountable toward their users.”
The Silicon Valley Software Law Blog will continue following this case as it moves forward.
The Prinz Law Office, which publishes the Silicon Valley Software Law Blog, has announced the opening of its new San Francisco Bay Area location in San Francisco. The new location will enable the firm to better serve clients in the northern Peninsula, the North Bay, and San Francisco. For more information on the announcement, please click here.
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting a webinar on “Best Practices for Drafting Master Service Agreements & Managing the Service Relationship” on Friday, March 8th at 10 a.m. PST/1 p.m. EST. The Prinz Law Office will be sponsoring the event, which is intended for lawyers as well as businesspeople. To register for the event, please sign up at http://prinzlawstore.com/2019/01/best-practices-for-drafting-master-service-agreements-managing-the-service-relationship/
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting a webinar on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships” on February 19, 2019 at 10:00 a.m. PST/ 1 p.m. EST. The Prinz Law Office is sponsoring the event, which will be intended for lawyers as well as business people. To register, please sign up at http://prinzlawstore.com/2019/01/drafting-saas-contracts-managing-saas-customer-relationships/
The Prinz Law Office, which publishes the Silicon Valley Software Law Blog, has announced the opening of its new Silicon Valley location in Palo Alto. The new location will enable the firm to better serve clients throughout the San Francisco Bay. For more information on the announcement, please click here.
Legal commentators have been raising alarms about the significant potential impact of The Foreign Investment Risk Modernization Act of 2018 (“FIRRMA”), since the legislation was signed into law in August, 2018. In case you are unfamiliar with FIRRMA, the legislation dramatically expanded the powers of the Committee on Foreign Investment in the United States (“CFIUS”) to conduct national security reviews of business deals, which obviously could have significant implications on the business community’s ability to close business transactions. The U.S. Treasury has developed a website that highlights for the public key points about FIRRMA and this review process.
In particular, FIRRMA now expands CFIUS review powers to include the following types of business deals:
- A purchase, lease, or concession by or to a foreign person of real estate located in proximity to sensitive government facilities.
- “Other Investments” by a foreign person in any unaffiliated U.S. business that owns, operates, manufactures, supplies, or services critical infrastructure; produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Other investments” is defined to mean an investment that affords a foreign person access to material, nonpublic technical information in possession of the U.S. business, membership or observer rights on the board of directors or equivalent governing body of the U.S. business, or the right to nominate an individual to a position on the board of directors or equivalent voting body, or any involvement other than the voting of shares in the substantive decisionmaking of the U.S. business; the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the U.S. business; the use, development, acquisition or release of critical technologies; and the management, operation, manufacture, or supply of critical infrastructure.
- Any change in rights that results in foreign control of a U.S. business or an “other investment” as defined above.
- Any transaction, transfer, agreement, or arrangement, the structure of which is intended to evade the review of the Committee.
FIRRMA further defines “critical technologies” to include “specially designed and prepared nuclear equipment, parts and components, materials, software and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities)” as well as “emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018.” While the list of what constitutes an “emerging and foundational” technology has yet to be defined, most legal commentators are expecting the list to include software that does not relate to nuclear technology, particularly in the areas of artificial intelligence, autonomous mobility, augmented virtual reality, cybersecurity, and financial technology. So, while the legislation is new and the full scope of its application and subsequent interpretation has yet to be determined, most commentators anticipate that many software transactions involving foreign investment in a U.S. business will ultimately be deemed subject to the new CFIUS review powers.
What does this mean for the software industry? Well, the full impact of the law is yet to be determined and is at the moment more the subject of extensive speculation in the legal industry, but it does mean that software companies could be subject to more federal compliance obligations when they do deals that involve foreign investment, that these compliance obligations could slow down or even derail the closing of some deals, and that software companies could potentially be subject to significant fines, up to the amount of the deal, if they fail to comply with their new obligations. So, it certainly means that U.S.-based software companies need to be aware of FIRRMA and need to closely follow any future developments related to the law, in order to comply with it on future deals.
The Silicon Valley Software Law Blog will continue to follow the developments regarding this law and how it is applied and interpreted with respect to the software industry. For more information on how the expansion of CFIUS powers may impact Silicon Valley industries other than software, please check out the blog posting on our affiliated blog, the Silicon Valley IP Licensing Law Blog.
The software industry is raising concerns about the potential consequences of Australia’s recent passage of legislation to provide law enforcement with expansive new powers to compel the disclosure of encrypted data.
According to ITPro, the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” was approved by a 46-11 majority in the Australian parliament last month. As The Verge reports, the newly passed legislation grants to law enforcement new notice powers of mandatory technical assistance and technical capability, which “require companies to give access to encrypted data if available, or to build the capacity to provide such access if they are unavailable.” Additionally, as reported by The Verge, the legislation grants a voluntary technical assistance request power “that does not have to be publicly reported.” According to The Verge, the fine for noncompliance can be up to $10 million AUD (approximately $7.2 million USD).
The Verge reports that the new law also uniquely enables the Australian government to approach individuals such as key employees in order to compel their cooperation rather than limiting the enforcement powers to merely compelling cooperation by institutions. The penalty for any individual’s failure to cooperate could result in a prison sentence.
As Wired has reported, the legislation has been strongly opposed by the tech industry on the grounds that “if Australia compels a company to weaken its product security for law enforcement, that backdoor will exist universally, vulnerable to exploitation by criminals and governments far beyond Australia.” Also, as Wired has noted, any company that complies with Australia’s law is likely to then be required to provide the same access to another country. Fortune suggests that the legislation is particularly intended to target WhatsApp and Signal.
According to The Verge, Apple’s position on the legislation has been that “encryption is actually a defense against cyberattacks and terrorism” and that “more of it is needed to make citizens safe, not less.” Apple took its concerns directly to the Australian parliament, according to Threatpost, which has posted a letter reportedly submitted by Apple to parliament. Threatpost also reports that Cisco and Mozilla have been vocal in their opposition to the legislation. Commentator and human rights lawyer Lizzie O’Shea also observes to The Verge that “once these [backdoor] tools exist, then it would be easy for Australian authorities to share them with their counterparts in allied nations,” particularly since Australia is part of the Five Eyes intelligence sharing agreement in which Great Britain, Canada, New Zealand and the United States also participate.
The Australian government’s position, according to The Verge, is that the powers are necessary to defend citizens against terrorism and crime and that the powers will not introduce a “systemic weakness” into the technology. However, a prevailing criticism has been that “systemic weakness” is not actually defined by the legislation. Fortune reports that the Australian Labor Party is already seeking to amend the legislation, particularly to define “systemic weakness.”
Clearly, Australia’s new legislation has the potential to have a far-reaching impact on software companies and individuals working in the software industry. The Silicon Valley Software Law Blog will continue to follow this issue as it develops.
Silicon Valley Software Law Blog’s Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for Virginia-based Clear Law Institute on February 8, 2019 at 10:00 a.m. PST/ 1:00 p.m. EST. The sponsor has made available a 35% discount off the registration fee with the discount code KPrinz148075. To register, please sign up here: https://clearlawinstitute.com/shop/webinars/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-020819/.
If your company has either pursued Privacy Shield certification, or publicly claimed to be in pursuit of Privacy Shield certification, recent enforcement action by the Federal Trade Commission (“FTC”) should put your company on notice that failure to maintain your certification may render you subject to FTC enforcement activity if you continue to make representations on the Internet or in advertising materials related to Privacy Shield.
The FTC has just announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. on allegations related to EU-U.S. Privacy Shield compliance.
The FTC’s complaint against IDmission, LLC, which is a cloud-based technology platform, focuses on the company’s website representations of compliance with the EU-U.S. Privacy Shield framework despite the company’s failure to actually complete the certification process. In contrast, FTC’s complaints against mResource, SmartStart, and VenPath, which are companies providing talent management and recruiting services, employment and background screening services, and data analytics services respectively, all focus on the companies’ website representations of Privacy Shield certification despite failing to maintain the certification.
The settlements now render these four companies subject to direct FTC oversight and monitoring with respect to their advertising and compliance activities going forward.
From this enforcement action, it is clear that the FTC is on the lookout for companies that are making claims about the EU-U.S. Privacy Shield that they are not actually meeting, and that the FTC is prepared to exercise its enforcement authority against any company that fails to meet its representations as they pertain to Privacy Shield.
So, software companies, the FTC is putting you on notice: you need to self-monitor your Privacy Shield certification and ensure that you maintain the certification at all times, and to ensure that you are compliant with certification requirements, particularly if you are making advertising-related representations related to Privacy Shield. The FTC is watching.
Tech Crunch and Forbes recently reported on a problem plaguing the App Store: unethical subscription practices.
According to Tech Crunch, the most commonly used unethical practices are as follows:
- the apps are too aggressive in obtaining subscriptions;
- the apps offer little functionality without upgrading;
- the apps provide no transparency around how free trials work; and
- the apps make it difficult to stop subscription payments.
Both Tech Crunch and Forbes note that the App Store has established published Guidelines for App Store Review, which specifically includes a Developer Code of Conduct that states:
Customer trust is the cornerstone of the App Store’s success. Apps should never prey on users or attempt to rip-off customers, trick them into making unwanted purchases, force them to share unnecessary data, raise prices in a tricky manner, charge for features or content that are not delivered, or engage in any other manipulative practices within or outside of the app.
So, if Apple requires adherence to a code of conduct, why is it alleged that unethical subscription practices are still so rampant on the App Store? And why hasn’t the Federal Trade Commission (“FTC”) stepped in, or more state attorney general offices intervened? It is unclear, since as Forbes argues, the more these practices are allowed to continue, the more the practices are likely to detrimentally affect the entire App Store market. As both Tech Crunch and Forbes have pointed out, the App Store is full of reviewer complaints about the specific practices of various apps, so at least Apple has definitely been on notice that there was a problem. Presumably the FTC and at least one or two state attorney general’s offices have been made aware of these issues as well.
As a Silicon Valley SaaS and software licensing attorney, however, I would encourage App developers profiting off practices that seem questionable or that are the targets of a significant number of annual complaints to consider modifying those practices as quickly as possible, as you and your business run the risk not only of attracting a lawsuit by the FTC or an attorney general’s office but also of attracting a class action suit on behalf of subscribers who were allegedly harmed by your App. This type of suit is not without precedent, and could come with a significant damage award. Your subscription terms do matter, and they need to be viewed as fair and reasonable to your subscribers. You are on notice: these practices are being brought under scrutiny by the press, and scrutiny by regulators, states, and class action attorneys is likely to soon follow.
The State of California has just agreed to delay the enforcement of S. B. 822, also known as the California Internet Consumer Protection and Net Neutrality Act of 2018, until the litigation over whether the FCC can preempt state net neutrality laws is decided by the US Court of Appeals for the District of Columbia Circuit. Attached is a copy of the stipulation and agreement filed in the US District Court for the Eastern District of California. As Ars Technica reported, California has agreed to refrain from enforcement of the law until after the US Court of Appeals case has been decided and any appeals have been exhausted.
As the Washington Post reports, the outcome of the case before the D.C. Circuit could result in the rejection of the FCC’s 2017 rule change, which would then mean that S.B. 822 would become redundant. However, both the Washington Post and Fortune are reporting that the D.C. Circuit could rule on the issue of preemption as well, which could potentially impact S. B. 822 and other similar state laws.
If your company is like most, you postpone the procurement of insurance policies until you absolutely have to obtain them, expecting to be able to obtain whatever you need on demand.
However, if your company is in the software space and you anticipate a significant deal is on the horizon, you should be anticipating your needs in advance of actually starting those negotiations, or you may find yourself in a situation where you have to commit to maintaining insurance during the relationship that you may not actually be able to buy on the open market. Why is this a problem? Well, this puts you in the position of potentially breaching the terms of the “significant” deal before you ever start performing those terms, which can obviously have serious consequences for your company’s business if your breach is ever discovered. Since the usual insurance terms in these types of deals require the submission of certificates of insurance as proof of coverage, any failure to procure the insurance required is not likely to stay undiscovered for an extended period.
Notwithstanding the foregoing, even if you do not breach the terms of the negotiated deal, it is far better to negotiate the scope of indemnification risks you will be incurring with advance knowledge of the terms of the insurance policies you already have in place, as you can then negotiate limits of liability within the coverage of the insurance coverage previously obtained.
So, what types of insurance requirements should a software company anticipate when it goes to negotiate a significant deal?
First and foremost, companies should anticipate the requirement of a general commercial liability policy. This is a standard commercial insurance policy that every business, regardless of whether or not in the software industry, should keep.
Second of all, companies should anticipate the requirement of a commercial auto insurance policy to cover the risk that employees or contractors may have an accident while traveling back and forth to a customer or business partner’s work site.
Third of all, companies should anticipate the requirement of an errors & omissions policy to cover the risk that company workers will intentionally or negligently act in a way that harms the customer or business partner.
Fourth, companies should anticipate the requirement of a cyberinsurance policy to cover the risks of hack attacks, data breaches, and third party cybercrimes, as well as notification costs and other costs to remedy a breach after it occurs.
Fifth, companies should anticipate the requirement of an umbrella policy to cover losses in excess of the insurance limits available.
What types of limits of coverage should a software company anticipate? In my experience, larger deals will come with larger expectations, so the more significant the deal, the more insurance your company should be lining up in advance.
The bottom line is that doing some advance planning with respect to insurance before your software company commences negotiations on a significant deal will save your company the worry down the road of being discovered to be in breach of the deal you just closed if you find that meeting the insurance requirements you agreed to is not quite as easy as you anticipated. Furthermore, it will enable you to go into negotiations better prepared to be able to negotiate terms that actually protect your company.
Governor Jerry Brown has signed into law S.B. 822, also known as the California Internet Consumer Protection and Net Neutrality Act of 2018. The law is intended to go into effect on January 1, 2019 and, according to CNN, will establish the “strictest net neutrality protections in the country.”
However, the U.S. government has responded to the California action by seeking a preliminary injunction to block the law from going into effect. A DOJ press release announcing the suit is attached here, in which the DOJ asserts that “Once again the California legislature has enacted an extreme and illegal state law attempt to frustrate federal policy.”
However, according to the Electronic Frontier Foundation, the core argument by the DOJ and FCC articulated in the court filings is not that states cannot pass net neutrality laws but that a pending lawsuit in the D.C. Circuit filed by the California Attorney General challenging the FCC’s repeal of net neutrality should be decided before the legality of the passage of the California Internet Consumer Protection and Net Neutrality Act of 2018 can be decided.
Wired reports that the dispute between California and the federal government “raises novel questions about the relationship between the federal government and the states.” At the heart of the dispute is whether California has the legal right to pass a law on net neutrality, and whether the FCC has the legal right to prevent states from adopting net neutrality laws. While in general pre-emption only occurs when there are incompatible state and federal rules, Wired reports that “[i]t’s not unheard of for the federal government to preempt state or local regulations when those regulations conflict with federal policy, even when the federal policy is not to regulate.” In contrast to the current facts, however, Wired reports that the past example of this type of pre-emption involved a decision by Congress as opposed to a federal agency.
Clearly, California and the federal government are now headed for a legal show-down in federal court. The Silicon Valley Software Law Blog will keep you posted as the legal battle further develops.
If your company has just landed a big development project for a third party, do not underestimate the importance of the agreement in protecting the revenue stream you are being offered in exchange for your development services.
The typical development agreement requires lump sum payments in installments throughout the term of the relationship. Also, the typical development agreement will have at most a statement of work connected with the project and will rarely be accompanied by technical specifications or milestones, with respect to which approval can be sought at the various phases of the development.
Why can this be a problem? Well, if your company agrees to take on a large development project and has not defined contractually in detail the technical specifications and standards required to be performed, or developed detailed milestones that can be tied to satisfaction of particular phases of the project, how exactly can you prove that you earned the money paid in installments if the customer pulls the plug on the project at any stage? How exactly do you prove that you fulfilled your responsibilities with respect to the development project if you never actually reached agreement as to the technical terms of the development project?
The reality is that it can be very hard to enforce an agreement when the key terms of the relationship were never actually memorialized in writing. While the risk of not being able to enforce your agreement may be low in low dollar value development projects, that risk escalates dramatically as the dollar value of the project also increases into the hundreds of thousands of dollars or even millions.
In general, when I see disputes involving development projects, the dispute can almost always be attributed to a poorly drafted agreement between the parties.
So, what can you do to minimize your risks of taking on a development project?
First and foremost, obtain help from experienced technology transactions counsel when your company is first approached with a potential development project. An experienced attorney in this space can guide you through the negotiation process at the early stages, so that you don’t have to renegotiate terms that have already been agreed to by the potential development partner. It can be very hard to get partner buy-in on developing and memorializing good technical terms when the parties are already weeks or months into negotiating the deal.
Second of all, ensure that the technical specifications and requirements for the project have been defined in detail, and develop milestones throughout the development process, which can be approved. Also, develop a process that is very well-defined within the contract to obtain that approval. If a specific timeline is required at any part of the process, develop terms that reflect the agreed upon timeline as well.
Third, instead of merely requiring payment by installments through the development work, develop payments that are tied to the accomplishment of specific, well-defined milestones, in order to ensure that your company can prove that any payment received was earned as a result of the successful accomplishment of the applicable milestone(s).
The bottom line is that a big development project should be accompanied by a very detailed, technically-specific development agreement if a company prefers to avoid big legal headaches down the road. It is in your company’s best interest to ensure that any development agreement that the parties execute is drafted to protect the anticipated revenue stream from the development project.
Silicon Valley Software Law Blog Sponsor, The Prinz Law Office, has announced today the launch of a new billing option for clients: the “subscription model.” The firm will initially be offering daily and half-daily subscription models. The model is anticipated to be a good fit for companies with ongoing legal review or advice needs in the transactional space that can be easily anticipated and scheduled in a pre-set block of time.
For information about how the new subscription model will work, please contact the firm for additional information.
Updated 6.21.24
I was recently asked for a list of the top mistakes the average company will make when they enter into a software deal without getting an experienced software lawyer involved early in the negotiations. I thought it was an excellent question, so I wanted to share my thoughts on the issue with this audience.
Companies Negotiate with the Wrong Technology Contract
First and foremost, the most common mistake I run into with all types of technology negotiations, but especially with negotiations in the software space, is that companies handling their own software negotiations often end up negotiating with the wrong contract as the starting point. For example, the parties may negotiate from a software license template when they need a SaaS agreement template instead, or they may negotiate from a master services agreement or a hosting agreement when the deal they were doing actually involved SaaS terms. A knowledgeable software attorney will know and understand that the terms of a well-drafted template will be completely different based on the technology model under negotiation and will be able to ask the right questions in order to identify the right technology model and therefore the necessary baseline terms that need to be addressed in a well-drafted agreement.
Companies Negotiate with the Right Technology Contract But One that was Written for a Different Product or Relationship
Another common issue I run into is that even if the parties choose the right initial type of contract to begin the negotiations with, they begin the negotiation with a template that was designed for an entirely different product or relationship than what is currently being contemplated. Obviously, it is going to require less negotiation to reach a good deal when the starting point for the negotiation is a set of proposed terms that applies to the right type of technology transaction and the particular product or relationship under negotiation. Also, the terms of the signed contract are far more likely to be meaningful when they were developed around the right product and services. Otherwise, they are likely not to include the key deal terms or contemplate any of the issues that could come up between the parties. I see many signed contracts that are little better than a handshake because the terms agreed to are almost completely irrelevant to the transaction. An experienced software attorney is going to be able to ask the right questions to determine whether the contract terms were written for the appropriate product or services.
The Contracts Do Not Sufficiently Contemplate how the Relationship will Evolve
A third issue I run into is that the contracts do not sufficiently contemplate how the relationship will evolve over time. A standard practice in the industry is to rely exclusively on a list of prices to determine the fee-related issues in the agreement. What is typically missing is all the terms that explain how the pricelist will be implemented. While this might not be fatal to the relationship if there is some sort of initial agreement on the price to be paid overall, few software business relationships in 2018 are up-front, fixed price relationships. Most relationships now are intended to generate recurring revenue streams and anticipate new fees as new seats, services, and functionality are added. So, a mere pricelist is almost never adequate to support an ongoing relationship. Thus, if an experienced software attorney is not involved with the deal, there is a high likelihood that the contract signed will not have all the necessary terms to explain precisely how all the fees will be assessed going forward.
They Overlook the Technical Concerns About the Transaction
A fourth issue typically overlooked in a contract negotiated without the assistance of experienced software counsel is the set of technical concerns about the transaction. In many software deals, the service level is absolutely critical to the transaction. However, more often than not, the service level agreement being relied on by the parties was copied off the Internet and has absolutely no significance or relevance to the service being offered or provided. Also, even where the service level agreement was obtained in a more thoughtful way, it is very common to find the agreement full of terms that are so poorly written or that have so many carve-outs that it is completely unenforceable. In addition, many relationships contemplate the performance of a variety of services which are never addressed in the contract at the technical level required to reach any sort of understanding regarding those services. An experienced software counsel will be able to ask the right questions to understand all the technical aspects of the deal between the parties and will be able to determine all the terms that have been omitted from the contract before it is executed.
They Fail to Contemplate the Possibility of Suspension of Services
A fifth issue typically missed when a contract is negotiated without the assistance of experienced counsel is the contemplation of all the issues that could arise with regard to the suspension of services. In 2018, the service provider frequently has the ability to “suspend” a company’s access to the software and the data stored therein at any time and could just as easily erase all of that data. However, few contracts that I see really address the issue of suspension at the level required to address all possible issues that could arise between the parties. An experienced software counsel will ask the right questions to identify these issues and address them in the contract.
They are Overly Focused on the Negotiation of the Indemnification Clause
A sixth mistake that I often encounter is contracts that contain elaborately negotiated indemnification clauses but never really contemplated all the related issues such as whether the indemnification could ever be enforced and whether the focus of the indemnification clause negotiated was on the liabilities most relevant to the transaction. An experienced software counsel will be knowledgeable about software indemnification clauses and all the issues relevant to the clauses in order to ensure that the maximum amount of protection is in place.
The bottom line is that an experienced technology transactions counsel understands technology sufficiently to ask enough questions about the relationship envisioned to determine all the key terms that were never contemplated in the agreement, and can add that additional level of skill and expertise to the negotiation of the deal that a general business lawyer or business person simply cannot. Technology deals are fundamentally technical and only someone that understands technology and technical deals sufficiently is going to be able to evaluate proposed terms sufficiently to negotiate them appropriately in order to look after the party’s best interests.
USA Today is reporting that multiple technology and telecommunication companies are lobbying Congress to pass federal privacy legislation that would pre-empt the new privacy law recently passed in California which grants sweeping protections to consumers. In particular, USA Today reports that Amazon, AT&T, Apple, Google, Twitter and Charter Communications are leading the lobbying effort and argue that inconsistent state laws will “make it tough for companies to operate” and would “threaten innovation.”
Of course, as USA Today reports, the lobbying companies are seeking weaker regulations than exist in the European Union or that were just passed in California, with the sole exception of Apple, which relies on a different business model and was reportedly the only company “at the hearing to argue that the bar for federal legislation should be set ‘high enough’ to protect consumers.” As The New York Times reported, the goal of the tech industry is to institute federal rules that would give technology companies wide leeway over how personal information is handled. The Electronic Frontier Foundation describes the tech industry’s goal as “neuter[ing]” California for a weaker law at the federal level.
According to The New York Times, however, the tech industry’s efforts are not limited to just federal lobbying efforts. In fact, The New York Times reported that lobbying efforts are underway in California as well, and that the California Chamber of Commerce and other business and tech groups have just submitted nineteen pages of bill edits to State Senator Bill Dodd, one of its authors. In addition, The New York Times reports that the groups are also asking California to delay enactment for a year.
The bottom line is that the tech and telecommunication industries are actively lobbying at both the federal and state levels to ensure that California’s new privacy law never goes into effect in its current form. Convincing Congress to pass a federal law that they hope to be able to influence and shape has now become the top priority for both industries.
Silicon Valley Software Law Blog Author Kristie Prinz will be presenting a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for Clear Law Institute on 10/26/18 at 10:00 a.m. PST. Clear Law Institute is providing a registration discount for attendees who register with the discount code: KP119433. To register, sign up at the following link:
https://clearlawinstitute.com/shop/webinars/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-102618/
Updated on 6.21.24
If your company is a SaaS business, you may come across a customer or prospective business partner who insists on the inclusion of a source code escrow agreement as part of the deal terms. If this scenario arises, you may be inclined to immediately agree to the prospective customer or business partner’s terms in order to close the deal you are negotiating. However, what are the five things your SaaS company needs to know about source code escrow before you agree to include source code escrow in the terms of a transaction?
Choose a Source Code Escrow Product Intended for SaaS Companies
First of all, you should know that the standard source code escrow product was not designed for SaaS and is probably not going to be very effective for a customer or business partner if they ever need to rely on it. The traditional source code escrow offering was intended for a traditional software product, which is downloaded to hardware and is updated or upgraded on a periodic basis. In the traditional source code escrow agreement, the deposit materials are generally only updated a few times a year. However, in the SaaS product scenario, the product is often updated on a continuous basis, so updating the deposit materials only a few times a year is unlikely to be sufficient. Similarly, in a traditional source code escrow agreement, the backup and storage of the data is unlikely to be addressed. However, in the SaaS agreement scenario, the customer or business partner is unlikely to have access to the data in the cloud, so the party receiving access to the deposit materials is more likely to expect the backup and storage of SaaS data to be a key component of the escrow relationship.
For this reason, many technology escrow companies are offering special escrow products intended for SaaS only, which provide for the continuous update of deposit materials and include data as part of the deposit materials. The SaaS version of the escrow product is more likely to provide uninterrupted access to the full set of materials that the customer or business partner previously had access to in the cloud, so it is likely to be the better fit for the customer or partner seeking source code escrow as part of the deal terms.
Anticipate that SaaS Source Code Escrow Products Will be More Expensive
Secondly, you should know that the SaaS version of the source code escrow product will likely be more expensive than the traditional product since it is going to be a more labor-intensive solution. A source code escrow company can expect in a SaaS product scenario to perform significantly more services to ensure that the escrow works if needed than it would have had to perform in a traditional software scenario, given the ongoing nature of the updates and upgrades. As a result, the costs of SaaS escrow are likely to be significantly higher than traditional software escrow, which should certainly be contemplated in the allocation of escrow costs between the parties.
Obtain License Rights to Use the Escrowed Source Code in a Release Scenario
Third, you should know that you may not be able to obtain the rights you are seeking to use the escrowed code in a release scenario. In SaaS, users typically receive access rights rather than license rights to the use of the intellectual property. As a result, a SaaS provider can build products that incorporate open source code and offer access rights to the end product, even though the provider is prohibited from distributing the software otherwise. The SaaS provider can also incorporate third party code into the product that cannot be sublicensed to third parties, even in an escrow scenario. So, it is certainly possible that the SaaS provider will not have the necessary rights in the SaaS product to be able to authorize the license grant to the escrowed materials, which could potentially result in the customer or business partner receiving physical copies of the source code and data but not having the rights necessary to use the copies procured.
Address Transitioning Services and Know-How Transfer in Source Code Escrow Agreement
Fourth, you should consider that mere possession of a functional copy of the source code and data may not be sufficient for a customer or business partner to continue using the software and applicable data in the event of a release condition. In fact, the customer or business partner may require transitioning services or access to the SaaS provider’s know-how before it is able to resume use of the software. Consequently, transitioning services and know-how transfer may be important considerations that need to be addressed in any escrow terms.
Contemplate the Responsibilities and Liabilities of the Respective Parties Regarding Data and Potential for Data Breach as Well as the Availability of Cybersecurity Insurance
Fifth, you should consider that the very nature of SaaS escrow may result in the escrow provider having control over any collected data uploaded to the SaaS product and that the escrow provider could be vulnerable to a data breach arising from the acts or omissions of an employee or third party. Thus, the deal terms should contemplate the responsibilities and liabilities of the respective parties regarding the data and the potential for a data breach, as well as any available insurance coverage to protect against this risk.
Will SaaS Source Code Escrow Meet Your Needs?
All in all, while escrow products are now available on the market which may meet the needs of a prospective customer or business partner seeking source code escrow for a SaaS product, a SaaS provider will have a variety of considerations to contemplate before acquiescing to such demands in a negotiation. In the end, the decision of whether or not to agree to escrow terms should be based on a careful evaluation of all of the above considerations.
After spending months preparing to comply with the European Union’s General Data Protection Regulation (“GDPR”), software companies now have a new U.S. data privacy law to be concerned with. California has just passed a landmark data privacy law of its own: the Consumer Privacy Act of 2018. To view the text of the law, click here.
As USA Today reports on the new law: “[it] is similar to Europe’s General Data Protection Regulation rules, which took effect last month, but goes further, allowing consumers to opt out of their data being shared instead of forcing them to opt in to continue using online services.”
For its part, The New York Times characterizes California’s new law as less “expansive” than the GDPR but “one of the most comprehensive in the United States.” However, Wired describes the new law as “adding to [the GDPR] in crucial ways.” In particular, Wired points to the fact that the GDPR requires opt-ins to collect and store data, but in practice the opt-ins actually used do not give consumers a choice other than to opt in in order to use the service; California’s law, by contrast, will prevent companies from denying service to consumers who opt out.
According to Tech Crunch, the key protections of California’s new law are requiring companies to comply with consumer requests to delete data, providing a new consumer right to opt out of data being sold without any sort of penalty being assessed, preserving for companies the right to provide “financial incentives” to collect data, and granting state authorities the right to fine companies for violations.
As you might expect, it is being reported that there were extensive corporate lobbying efforts employed by some prominent companies against the proposed legislation. The New York Times and USA Today are reporting that Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the ballot measure and that lobbyists are expecting businesses to pour between ten and a hundred million dollars into campaigns against the law over the next few months.
All in all, there seems to be a consensus that this legislation is going to have a tremendous impact on data privacy nationwide, despite its limited application to California and the fact that it may still be amended before it goes into effect in 2020.
As for the software industry, the worries about data privacy compliance now shift from Europe to California and potentially the other 49 states. Fortunately, the industry has two full years to prepare for the new California regulation.
If your software company is relying on so-called “Gig workers” to provide a service managed by your app and software platform, then you need to know about a California Supreme Court ruling just issued this week, which is likely to severely limit your ability to rely on the “Gig worker” model going forward in the state of California.
The California Supreme Court held that the following three part test is the standard in California for classifying a worker as an independent contractor: (a) the worker is free from the control and direction of the hiring entity in connection with the performance of the work; (b) the worker performs work that is outside the usual course of the hiring entity’s business; and (c) the worker is customarily engaged in an independently established trade, occupation, or business. The Court emphasized that with respect to the last part of the test, the worker will have made an affirmative decision to go into business, taking such steps as “incorporation, licensure, advertisements” and “routine offerings to provide the services of the independent business to the public or to a number of potential customers, and the like” and will not just be “designated an independent contractor by the unilateral action of the hiring entity.” A copy of the decision is linked here.
According to CNN, California’s test for classifying workers as independent contractors will now be the toughest test in the United States, and the Supreme Court’s ruling will significantly limit the ability of online platforms to treat workers as contractors, except perhaps in cases where the workers are in the same line of business off the platform and also work with other similar platforms.
As the LA Times reported, “[the] decision has implications for the growing gig economy, such as Uber, Lyft, and other app-driven services” but suggested that the implications would go beyond the gig economy to virtually every industry and would prompt California businesses to “immediately question whether they should reclassify independent contractors.”
As a Silicon Valley technology lawyer who has been closely following the litigation testing the Gig worker model, I have anticipated a legal decision that would limit the increasing reliance within the industry on Gig workers to build new business models and have been surprised that we did not already have such a decision. The California Supreme Court’s ruling does put an online business platform’s decision to rely on independent contractors to perform services offered under the platform under significantly more scrutiny than had existed in the past. But I would argue that the implications go far beyond state employment laws. I would argue that perhaps an even more important consequence of this ruling is that it imposes very clear liability on the online business company for the acts of the workers arranged through the online business platform. I have long been concerned about the safety implications of procuring services from relatively unscreened independent contractor workers and have expected that this would become a problem for the online business platform model down the road precisely because of the reliance on Gig workers. Indeed, there now seem to be reports on almost a weekly basis of crimes being committed by Gig workers against customers. CNN published a report just this week on sexual assault and abuse cases against Uber drivers. This article tracked only reported sexual assault and abuse cases, but there are certainly many more unreported cases that could not be included in the CNN report, since sexual crimes tend to be very under-reported due to the very nature of the crimes. If this report had included other types of crimes, who knows what the number of reported crimes would have been just for Uber? For Uber as well as all of its competitors?
I would argue that this case not only has the potential to change the relationship that many online platforms have with workers but also it has the potential to impose greater responsibility on online platforms with respect to worker conduct and keeping their customers safe. It is an open question, however, what imposing the responsibilities of an employer in terms of liability for workers will do to business models that have taken off largely due to the lower cost to operate a model which provides services without taking on all the traditional liabilities associated with providing that service.
The bottom line is that if you are a software company operating under the Gig worker model or building a business where you plan to rely on the Gig worker model, you need to be aware of this decision and to start following how it is applied going forward, as it is a significant legal development, and it is certain to have an ongoing impact on your business.
The California legislature is considering a bill that would restore net neutrality on a state-wide level when the FCC repeal of net neutrality takes effect next week.
The California net neutrality bill, SB 822, was written by State Senator Scott D. Wiener, D-San Francisco. The text of SB 822 is attached here.
According to the Mercury News, SB 822 would be “stronger” than the net neutrality rules adopted in President Obama’s administration, which “required equal treatment of all Internet traffic,” and “prohibited the establishment of Internet slow and fast lanes.” SB 822 also prohibits “zero rating”, which as Mercury News reports, is when “Internet providers exempt certain content, sites, and services from data caps.” SB 822 further prohibits public agencies from entering into contracts in violation of the bill.
SB 822 is opposed by the broadband industry, which opposes state-level net neutrality rules generally, but is supported by the Electronic Frontier Foundation, the ACLU, and the mayors of many of the largest cities in the state, including San Francisco, Oakland, San Jose, Sacramento, and Los Angeles.
If SB 822 is adopted, California would not be the first state to enact a net neutrality law. The New York Times reported that Washington State signed the first net neutrality bill. The governors of Montana and New York have signed executive orders making net neutrality effective at the state-level, according to reports by The New York Times and The Verge.
If your software company has pursued Privacy Shield certification or is contemplating pursuit of certification, then you should know that an Irish Court has referred a case to the Court of Justice of the European Union, which could potentially invalidate the EU-U.S. Privacy Shield as it previously did with the Privacy Shield predecessor, Safe Harbor, according to a Tech Crunch report.
As Tech Crunch explains, the current case against Facebook was initiated by the lawyer and privacy campaigner Max Schrems, who also initiated the prior complaint which resulted in the judgment by the Court of Justice of the European Union overturning Safe Harbor.
The High Court of Ireland referred eleven questions for consideration to the Court of Justice of the European Union, including several questions (nos. 9 and 10) that specifically deal with the adequacy of the EU-U.S. Privacy Shield. Tech Crunch suggests that this referral could lead to a complete collapse of the EU-U.S. Privacy Shield framework.
Given the evident uncertainty over the future of Privacy Shield, does it still make sense to pursue and/or maintain certification if your company has European customers? In light of the fact that the new data privacy rules in Europe (the “GDPR”), which increase the fines for violations, go into effect May 25th, and that the Privacy Shield framework remains the best guidance currently available for American companies intending to do business in Europe, pursuit of certification remains a sound business and legal strategy. However, companies need to follow what happens with this challenge and remain cognizant of the fact that Privacy Shield has not yet been tested by this European high court, and it is uncertain whether it will withstand the current challenge.
I recently presented for myLawCLE on the topic of drafting software hosting agreements. I am pleased to now be able to share a recording of the full, two-hour presentation with interested Software Law Blog readers:
Silicon Valley Software Law Blog Author Kristie Prinz will be presenting a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on June 11, 2018 at 10:00 a.m. The program will be sponsored by Virginia-based Clear Law Institute. To register for the event, sign up at the Clear Law Institute website.
If your business is in the software industry and you are doing any business in Europe, you should be aware of the EU General Data Protection Regulation (“GDPR”), as it will apply to your business when it goes into effect on May 25, 2018. You also may want to consider pursuing Privacy Shield certification before the GDPR goes into effect.
What exactly is the GDPR? This is the law passed by the European Parliament in 2016 which changes the laws relating to data privacy regarding EU citizens. Attached is a copy of the full text of the GDPR.
The GDPR will apply to any business processing the personal data of anyone residing in the European Union, regardless of the location of the business. Article 3 of the GDPR provides:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Article 4 of the GDPR defines “personal data” to constitute:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 4 of the GDPR defines “processing” to constitute:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Some highlights from the legislation include as follows:
Article 5 of the GDPR provides guidelines on how data should be processed, which includes keeping it in a form “which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Article 7 of the GDPR establishes the requirements for procuring consent to data processing, which include that “the request for consent shall be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language” and that the “data subject shall have the right to withdraw his or her consent at any time.” Article 8 of the GDPR sets forth the conditions for procuring consent from children, including “where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.”
Article 9 of the GDPR prohibits the processing of certain kinds of data: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Article 10 of the GDPR adds to this list the processing of data about criminal convictions unless processed by an official authority.
Article 17 of the GDPR codifies the so-called “right to be forgotten.”
Article 27 of the GDPR requires companies processing data of EU residents outside the European Union to designate a representative of the controller or processor in the European Union, except in the following circumstances:
- processing. . . .is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- [where processing is by] a public authority or body.
Article 33 of the GDPR requires a data breach notification to be provided to the appropriate supervisory authority within 72 hours of becoming aware of a data breach.
Article 46 of the GDPR permits the transfer of personal data to a third country or international organization only if “appropriate” safeguards are in place and effective legal remedies are available, which may include “contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation.”
If your software company is doing business in Europe and has not already pursued Privacy Shield certification, you may want to consider doing this as soon as possible. The Privacy Shield Frameworks were recently designed by the U.S. Department of Commerce in conjunction with the European Commission and Swiss Administration in order to provide companies with a “mechanism” to comply with European Union and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Some of the key requirements of the Privacy Shield Framework are listed on this linked web page. As part of the process, your software company will need to update its existing privacy policy to include language required by the Privacy Shield Framework, which is set forth at the https://www.privacyshield.gov website. The U.S. Department of Commerce has provided a webpage listing the benefits of participation to U.S. companies. Your company may find going forward that Privacy Shield certification is required by prospective European customers, so simply being prepared to do business with them may be an additional benefit of the Privacy Shield certification process.
The bottom line is that software companies need to spend some time familiarizing themselves with the GDPR and consider how their business may be impacted by the legislation before it goes into effect in May 2018. If your company does business in Europe or hopes to do business in Europe in the foreseeable future, this privacy legislation will impact future deals with potential European customers and will certainly affect what you can do with personal data obtained through such relationships going forward.
I was recently asked how to recognize that a software contract is poorly written. Upon consideration, I’ve come up with six signs to watch for in order to identify a poorly written software contract.
In my experience, the first sign of a poorly drafted contract is that the contract completely confuses the software licensing and SaaS technology models, so that it’s extremely unclear what kind of product the software provider is actually selling. If the product is a software license, the contract should contain a clear license grant confirming the licensee’s rights in the intellectual property and defining the scope of the license. Any hosting, maintenance, technical support, or other services should be made available by separate written agreement (i.e. hosting contract, maintenance contract, technical support contract, professional service contract) and should not be included in the face of the license agreement. On the other hand, if the product is SaaS, no license grant should be included in the contract, and the contract should instead contain a clear grant of access and use rights. The terms “licensor” and “licensee” should be absent from the contract. Services like hosting and maintenance will generally be included in the contract as the bundle of services provided to the subscriber via subscription, as will other services such as back-up, disaster recovery, technical support, and transitioning services. In addition, a SaaS agreement will generally include a service level agreement and an acceptable use policy, and it will address the policies and procedures taken to ensure the security of the platform. These technology models are very clear and defined technology frameworks. If the contract merges and mixes up the models, then this is a good indication that the contract is poorly drafted.
A second sign of a poorly drafted software contract is that the contract fails to discuss the concept of “users” and how they are granted, and just refers to an invoice or schedule that lists a number of “users” and assigns a price to that number. Both software licenses and SaaS agreements can provide rights to “users” but the license grant or the access rights grant needs to contemplate “users” in terms of who is authorized to be a “user” and what rights are provided to a “user”. In addition, the contract should explain how users are made available (i.e. individually or in increments), how they can be increased or decreased during the term or a renewal period, and the costs of each user or the user increments. Where users are not addressed in the contract and are only referenced in a schedule, they don’t actually have any rights in either the software or the services and so it’s unclear what is actually being sold by a software provider.
A third sign of a poorly drafted software contract is that the contract provides for periodic rather than up-front billing but fails to address what happens when those periodic payments are late. Is suspension employed at some point after the payment is late? If so, what kind of notice is provided and how is that notice delivered? Is the data still accessible after suspension? If so, what kind of fee is assessed for removing the data after suspension and in what format is it removed? If the data is in the cloud, how fast is it purged? A well-drafted software contract contemplates the potential relationship problems that might arise and defines how those scenarios will be handled rather than leaving them to be dealt with in the future.
A fourth sign of a poorly drafted software contract is that the contract fails to set customer expectations about either the functionality and features of the software, in the case of a software license, or, alternatively, in the case of a SaaS contract or other software services contract, the quality and nature of the services that will be provided. In software services contracts, the value of the relationship is entirely tied to what is being delivered. Hosting contracts and SaaS agreements should generally have service level agreements which carefully define the service level being provided, provide a guaranty as to uptime and define any exceptions to that uptime, and provide a service credit that can be easily applied in a service failure. They should also address in detail the backup services being provided, the security services employed to keep the host or SaaS platform secure, and the disaster recovery services, as well as any transitioning services made available and how those work. Technical support is generally going to be available in software licenses, hosting contracts, and SaaS agreements, so in all of these cases how those services will work needs to be carefully defined. The bottom line is that these service relationships should be defined in detail and not left for future interpretation. A poorly drafted contract is going to be very unclear about what the software provider is providing under the relationship, which creates enormous opportunities for disputes to arise, since there may not really be anything agreed upon in the contract.
A fifth sign of a poorly drafted software contract is that the contract fails to define specifically what version or module of the product the contract even applies to. Few software vendors sell a single product without at some point making available optional features and services that can be “added on” for an additional charge. Many, if not most, contracts fail to fully describe the functionality, features or services that the contract applies to, which creates the potential for disputes as new functions, features, services, and/or products are made available, as the scope of what the original agreement applied to is simply not clear.
Finally, a sixth sign of a poorly drafted software contract is that the contract fails to contemplate and set expectations about what will be required for implementation, how long it will take, what would constitute a successful implementation, what milestones would arise in the implementation and how it would be verified that they were successfully performed, and any responsibilities the customer must meet at defined steps in the process. In multiple user scenarios and in many data-focused software products, implementation is a lengthy and very involved process, yet most software contracts are completely silent about implementation. This sets parties up for disputes over implementation. A poorly drafted contract is going to leave customer expectations for implementation largely undefined.
This list is certainly not exhaustive but provides some guidelines for what to look for in order to identify a poorly drafted software contract.
In summary, a software contract should provide significant clarity on the product or services being sold so that a layperson should be able to understand from the terms how the product or service will work and what kinds of expectations he or she should have about the product or service, the applicable fees, any set-up required, etc. If a contract raises more questions than it answers, then this is a fairly strong indication that the contract is poorly drafted.
Silicon Valley Software Law Blog’s Kristie Prinz will be featured as a speaker on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” for a webinar hosted by Arlington, Virginia-based Clear Law Institute on Wednesday, February 21, 2018 from 10-11:15 a.m. PST. The firm has published a press release on the event, which is attached here. To register for the event, please check out the Clear Law Institute website.
Silicon Valley Software Law Blog’s Kristie Prinz will be featured as a speaker for the webinar “Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, Other Key Provisions” for the Atlanta, Georgia-based Strafford on January 23, 2018. The firm has published a press release on the event, which is attached here. To register for the event, please check out the Strafford Publications website.
Silicon Valley Software Law Blog’s Kristie Prinz will be presenting a webinar on “Negotiating Software As a Service Contracts” for Clear Law Institute on Wednesday, January 17th from 10-11:15 a.m. PST. The Prinz Law Office has published a press release on the event, which is attached here. To register, please sign up at the Clear Law Institute website.
SaaS attorney Kristie Prinz will be speaking at a webinar on “Best Practices for Drafting SaaS Contracts that Reduce the Customer Sales Cycle & Avoid Disputes” sponsored by The Prinz Law Office. The event will take place on October 26, 2017 from 10:00 a.m. to 11:30 a.m. PST. What you will learn in the webinar: What makes an effective SaaS customer contract? What terms should SaaS customers expect? Common challenges with customer negotiations. What drafting problems frequently result in stalled contract negotiations? Customer disputes? How can better drafting close deals faster? Avoid subsequent customer disputes? No legal knowledge is required to participate, and registration is open to any business. To register, sign up at: http://prinzlawstore.com/saas-customer-agreements/. For more information about the program, please contact Kristie Prinz at 408.884.3577 or kp****@pr************.com.
Silicon Valley Software Lawyer Kristie Prinz will be featured as a speaker for the webinar “Negotiating Software as a Service Contracts” for the Arlington, Virginia-based Clear Law Institute on Tuesday, September 12th from 12-1:15 p.m. PST.
Clear Law Institute is making available a special promotional discount of 35% off to attendees who sign up via the Silicon Valley Software Law Blog using this promo code: krpri35.
To register for the event, sign up at this link: http://clearlawinstitute.com/shop/webinars/negotiating-software-service-contracts-091217/.
Silicon Valley Software Law Blog Author Kristie Prinz will be co-presenting a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” with Kelley Miller of Reed Smith on August 8, 2017 at 10:00 a.m. PST/1:00 p.m. EDT. To register for this webinar, please sign up at: https://www.straffordpub.com/products/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-2017-08-08.
Democratic Senator Brian Schatz of Hawaii and Republican Senator Ron Johnson of Wisconsin have introduced the “Protecting Our Ability to Counter Hacking Act of 2017,” also known as the “PATCH Act of 2017,” in the U.S. Senate Homeland Security and Governmental Affairs Committee following the recent “WannaCry” ransomware attack. As reported by HealthCare IT News and Reuters, the bill is intended to require government agencies to submit the software vulnerabilities they discover for independent review, so that a decision can be made about which of them should be disclosed and fixed. According to HealthCare IT News, the PATCH Act of 2017 is supported by Republican Senator Cory Gardner of Colorado, Democratic Representative Ted Lieu of California, and Republican Representative Blake Farenthold of Texas, as well as McAfee, Mozilla, The Information Technology and Innovation Foundation, and New America’s Open Technology Institute.
The text of the PATCH Act of 2017 is available for viewing here.
The bill would require the establishment of a Vulnerability Equities Review Board comprised of permanent members, ad hoc members, and, if approved by the President and requested by the Board, National Security Council members who are neither of the above. The permanent members would include the following:
- Secretary of Homeland Security or the designee of the Secretary, who shall be chair of the Board;
- Director of the Federal Bureau of Investigation or the designee of the Director;
- Director of National Intelligence or the designee of the Director;
- Director of the Central Intelligence Agency or the designee of the Director; and
- Secretary of Commerce or the designee of the Secretary.
The Ad Hoc Members would include:
- Secretary of State, or the designee of the Secretary, if the Board considers the matter under the jurisdiction of the Secretary;
- Secretary of the Treasury, or the designee of the Secretary, if the Board considers the matter under the jurisdiction of the Secretary;
- Secretary of Energy, or the designee of the Secretary, if the Board considers the matter under the jurisdiction of the Secretary; and
- Federal Trade Commission (“FTC”), or the designee of the Commission, if the Board considers the matter as relating to the FTC.
The purpose of the Board would be to establish policies relating to “whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released” by the government to a non-governmental entity, and the process by which such information should be shared or released to a non-governmental entity. In other words, as Reuters reported, the bill is an attempt to put the process “into civilian control” and remove such decisions from the sole purview of the National Security Agency (“NSA”).
According to reporting by Threatpost, this bill codifies the vulnerabilities equities process that the White House has long claimed to have in place to evaluate information on security vulnerabilities, but which in practice has rarely been used. According to Threatpost, in the particular case of the WannaCry attack, the NSA did in fact tip off Microsoft about the security issue, which allowed Microsoft to make a patch available to customers in advance of the attack. The attack nonetheless spread widely because many organizations had not applied that patch before the ransomware was released.
While the WannaCry attack was initially reported only to have hit desktop and server Windows machines, according to reports by Threatpost it is now known that medical devices and industrial control systems have also been hit by the attack, including equipment used in medical radiology facilities.
Reuters is reporting today that, for victims who have not paid the ransom and have not otherwise recovered their files, French researchers have developed a last-resort workaround that can recover the encryption key for files hit by the attack under certain conditions. According to Reuters, Europol has stated on Twitter that its European Cybercrime Centre has tested this tool and confirmed that it will successfully recover data in some circumstances. The main condition is that the infected machine has not been rebooted since infection, because the tool recovers the key material from the memory of the still-running ransomware process. The technical details of this tool can be accessed through the Reuters article.
In light of the popularity of the SaaS model of doing business, it is not uncommon to come across deals in which one software company is buying a third party company’s SaaS assets. While there are many reasons to be wary of these types of deals, regardless of what side of the transaction you are on, it has been my experience that the parties tend to be in a hurry to close the deal and rarely take the time necessary to contemplate the issues that should be considered in connection with the acquisition.
So, what are some of the issues that an acquiring software company should be concerned about in a SaaS company asset acquisition?
First and foremost, if the acquiring software company seeks to acquire the code comprising the SaaS product, then the company needs to verify that the target SaaS company actually owns the code comprising the software product. It has been my experience that entrepreneurs and companies of all sizes frequently overlook this issue and make significant investments in software development without first obtaining the appropriate rights in the products to be developed. I receive at least a few calls each month from C-level executives whose companies have developed a software product using outside developers without the appropriate contracts in place, and who call me only after a dispute arises over ownership of the code in the product. If a problem is identified with the code to be acquired, it should be addressed before the acquisition talks are ever commenced, since once a negotiation begins, it will be much more difficult to procure the necessary rights in the code.
Second of all, if the acquiring software company seeks to acquire the SaaS company’s customers as part of the deal, then the acquiring company needs to verify that the customers are actually bound by subscription agreements that are automatically assignable in the event of an acquisition. Where the customers to be assigned are enterprise-level relationships, the acquiring software company also needs to verify the quality of the contracts in place. In general, SaaS company customer contracts are very poorly drafted and do not include the key terms of the business relationship, which will be of particular concern in cases where the transfer of a particular customer relationship or group of relationships is essential to the deal. Again, if the customer contracts are deemed to be insufficient, then this is a problem that should be resolved in advance of the commencement of acquisition talks.
Third, if the acquiring software company seeks to acquire the hosted software platform as part of the deal and not just the code comprising the software, then the acquiring company needs to verify the terms of the relationship in place with the target company’s host, assuming the target company is relying on a third party host, as is typical in the industry. What kind of contract is in place with the host, and is it automatically assignable to an acquiring company? Are the terms of the service level agreement governing the relationship sufficient to operate the software platform without service failures and without breaches of the customer contracts in effect? If the host is handling protected health information (PHI) for the SaaS company, is there an appropriate business associate agreement in place that complies with HIPAA? It has been my experience that most SaaS companies do rely on a third party host for the software platform, and that a significant portion of those companies do not have an appropriate contract in place with the host to provide the expected hosting services that could be assigned to the acquiring company as part of a deal. If the contract with the host is identified as inadequate, then this is a problem that should again be resolved in advance of the commencement of any acquisition talks with the target.
Fourth, since SaaS products are by their very nature “service” offerings rather than simply code, an acquiring software company may very well seek to acquire the SaaS company workers necessary to provide the services. In any such case, the acquiring company needs to verify that these worker relationships are in fact employment relationships that can be transferred to a successor company as opposed to contractor relationships that may not be transferable to the acquiring company and/or that may pose worker misclassification problems for the acquiring company. Where a problem exists, the acquiring company may want the SaaS company to address the issues in advance of the commencement of negotiations. In general, it has been my experience that SaaS companies are relying largely on independent contractors to provide services for their SaaS platforms, so encountering issues with any acquisition of a SaaS company workforce is to be expected.
The bottom line is that many of the SaaS company assets that an acquiring software company will seek to acquire as part of a SaaS company asset purchase will be accompanied by a certain number of problems, problems that the acquiring software company may prefer to resolve in advance of any deal discussions rather than as part of the usual, time-sensitive deal discussions. Anticipating the problems that are likely to be present with a target company’s assets before commencing negotiations can help to ensure a smoother negotiation as well as a smoother transition once the deal is closed.
The Department of Justice has launched an investigation into Uber’s use of the “Greyball” software program, following recent reports about the company’s use of this software to evade local law enforcement officials and regulators in new markets where the service was not yet permitted, according to Reuters. Reuters reports that Uber has received a subpoena from a grand jury in Northern California “seeking documents concerning how the software tool functioned and where it was deployed.”
According to Reuters, the investigation is still in its “early stages” and the nature of any potential federal criminal violation is “unclear.”
Reuters is also reporting that the city of Portland, Oregon is planning on issuing a subpoena to Uber to force it to disclose the Greyball software. According to Reuters, if Uber does not comply with the subpoena, the city of Portland will “review” Uber’s ability to operate in the city.
Uber’s use of the “Greyball” software program first came under scrutiny as a result of a story by The New York Times, which was published in early March 2017 and reported on how Uber had used this software program as part of a larger program at Uber known as “VTOS,” an abbreviation for “Violation of Terms of Service.” Following the publication of the report, Uber announced that it had ended the program, as reported by The New York Times.
The Mercury News described Greyball as a tool that “allowed Uber to display a fake version of the app to certain customers” and to “block law enforcement” from requesting rides where Uber was “operating in violation of local rules.”
It has been reported that the law firm of Shearman & Sterling has been retained by Uber’s board to conduct an internal investigation into how the software was used. See The Mercury News.
The Department of Justice investigation is the latest in a string of legal problems for Uber this year, which have included legal issues over Uber’s classification of drivers, sexual harassment claims, and a trade secret lawsuit. One cannot help but wonder what the long-term business impact will be of all of these legal problems on the ultimate success or failure of the company.
Updated 6.21.24
When a client sends me a software license agreement or SaaS agreement to review or update, I always make a priority of reviewing any terms in the contract involving fees and then carefully reviewing the website and any marketing materials or fee schedules to confirm that the fee terms in the contract clearly match the fees listed outside the contract. Then, I will also confirm that the contract terms clearly articulate how the fees listed on the website and in other marketing materials or a fee schedule are to be calculated. I have generally found it to be rare for the contract terms and website, marketing materials, or fee schedule to match. More often than not, it is clear upon review of all of the supplemental materials that the fee terms of the contract are poorly drafted and make no sense.
So, what are some of the usual discrepancies that I will find?
No Terms in the Contract to Explain How Users are Added and Dropped
One common issue I often see is that the marketing materials or the fee schedule suggest that the license or subscription fees are being calculated according to the number of authorized users, but there are no terms in the contract to explain what constitutes an authorized user, what rights the authorized users obtain through the license or subscription, whether authorized users are made available in blocks of users or individually and for what fees, or how you would add or drop authorized users. Whether your software contract is a license or a SaaS subscription, just listing the total fees and total users and not drafting contract terms describing the relationship between the licensee and users or subscriber and users and how that relationship works is completely inadequate. Those terms need to be clearly defined in the contract and not just in marketing materials.
The Functionality for the Offering is Not Clearly Defined
A second issue that I frequently come across upon review is that the marketing materials or fee schedule suggest that there are multiple types of software licenses or SaaS subscriptions being offered to the customer, each of which provides different levels of functionality or services for a different fee, but the terms of the contract only reflect a single level of functionality or services and provide no clarification as to what functionality or services are comprised by that single offering. Whether the software contract is a software license or a SaaS subscription, the contract always needs to define the scope of the license or subscription being offered for a particular fee, and if multiple options are being made available for different fees, the contract needs to carefully describe the base option extended and the add-on option extended and how the various options and the applicable fees work.
Professional Services are Alluded to but Not Defined
A third issue I frequently come across upon review is that a fixed fee amount for “professional services” is listed in the fee schedule or marketing materials. However, often the terms of the contract are completely silent on what professional services are being provided under the software license or SaaS subscription, what the hourly or project rate is for the services and how many hours are being provided, or any other clarification about what constitutes the “professional services” to be provided under the agreement. Moreover, it is generally unclear how fees would be billed for additional professional services beyond the fixed amount.
Avoid Overrelying on Marketing Materials and Fee Schedules in Lieu of Well-Drafted Contract Terms
In general, the problem with many software contracts is that companies are relying on marketing materials and fee schedules to justify fees that are never explained in the contract terms. However, the contract terms are what bind the customer, not the marketing materials, a vague fee schedule, or other supplemental documents. So, clearly, software companies need to exercise the same sort of drafting caution that I exercise in my reviews, and go through each and every marketing material and fee schedule to confirm that any fee described is carefully explained in the terms of the contract. Where disparities exist, software companies need to identify those disparities and revise their contract terms to address the issues. When they fail to exercise such care in their drafting, they significantly increase the risk of future customer disputes.