Key legal issues
Advances in digital wired and wireless technology are rapidly expanding the types of both media and device that advertising, marketing and brand professionals can use to reach consumers. Not only is the business-to-consumer landscape changing, but even business-to-business marketing is undergoing rapid and often radical shifts in tactics, techniques, challenges and opportunities.
The advertising and marketing buzzwords over the past few years have shifted from 'eyeballs' to 'engagement', 'brand recognition' to 'brand reputation', 'messages' to 'conversations' and 'online' to 'digital', as the inclusion of wireless and mobile applications and interfaces has been transformative in ways we could never have imagined just a few years ago. With technology as a dynamic enabler, cloud computing represents yet another shift in the ability of advertisers and agencies to reach their target audience, and for consumers and businesses to interact with the marketing community.
As technology decreases in cost and increases in utility and accessibility, and as increased bandwidth and compression algorithms expand the capabilities, features and functions of interface devices, marketing professionals are increasingly able to capitalise on these technological innovations in a number of ways, through:
- an abundance of new content (eg, music and video) and programming made for online and mobile, mushrooming at an exponential rate;
- 'apps', which are rapidly becoming the preferred method not only of bookmarking favourite web locations and accessing content, but also of sharing information on social media;
- robust data collection – there is a marked increase in data available, shared, created and collected; and while monetisation and pricing to some extent remain confusing in the marketplace, there has never been such robust capability to capture advertising metrics, demographics, geographic and context-sensitive data, as well as consumer personal information and preferences; and
- technology scalability – spikes in server usage and bandwidth demands are more easily handled, and changes in requirements can often be responded to in seconds, not days or weeks.
Whether you are in a business that advertises, develops advertising, serves advertising, collects advertising information, measures advertising data and effectiveness, monitors advertising or displays or distributes advertising, the real-time digital demands that can change in an instant put a strain on the current IT infrastructure, information security mechanisms and existing storage and processing capacity.
In an effort to manage the load and demand issues in a rapidly changing technological environment, many companies are looking to cloud computing as a means of addressing their changing (and often increasing) IT infrastructure needs. At the same time, global companies are looking to reduce costs and figure out the challenges of global branding, coupled with local relevance. While cost savings are certainly an initial selling point of cloud computing, moving to the cloud, in whole or in part, requires planning and management – and unfortunately, all too often the advertising sales, marketing and brand management groups are not even consulted when a decision to look to cloud computing is considered or taken. Such decision is often viewed purely as an IT, security or compliance matter, and best handled by the IT department.
While there is no industry agreed or standard definition, 'cloud computing' is generally defined as internet-based computing where shared resources, software and information are provided to computers and other devices on demand, like a public utility. Cloud computing allows users to access hardware and software over the Internet on a pay-per-use basis through utility-like access portals, often coupling the availability of programming applications, data and content in a cloud environment as well. While ostensibly a cloud computing model can be implemented internally by a company's own systems and communications staff, this presumably creates none of the prioritisation, control and management challenges that outsourcing to a third-party cloud provider entails. This update focuses on external cloud services provided by third parties over a network connection.
Three primary categories of cloud computing services are available:
- Infrastructure as a service – this delivers virtual servers on demand, such as Elastic Compute Cloud, available from Amazon Web Services LLC (the Amazon.com entity providing cloud services);
- Platform as a service – this delivers developmental platforms, such as Microsoft's Windows Azure AppFabric, which allow each customer to develop and run its applications; and
- Software as a service – this delivers software that users can access over the Internet, such as GoogleDocs (Google's suite of word processing, presentation and spreadsheet programs), which is used over the Internet and stored on Google's servers.
For advertisers, publishers, advertising networks and agencies, a host of benefits are to be found in cloud computing, including scalability, collaboration capabilities, 'ad serving' options (the placing of advertisements on websites) and advanced data collection capabilities.
Cloud computing is highly scalable. Depending on success metrics, timing and other factors, ad serving can be ramped up or reduced, with multiple iterations or variations or types of ads stored and available to be served on demand, without investing in costly infrastructure or without suffering the vagaries of IT peaks and valleys. Businesses can launch new services, or develop and implement corresponding advertising and marketing campaigns, with little concern over whether a spike in demand or views or the need to increase ad serving will create a serious problem or even be unavailable. If an advertiser launches a new advertising campaign with a Super Bowl commercial, the cloud and its scalable capacity should generally be able to handle the resultant spike in demand.
Cloud computing also facilitates activities that are not simple or that may be resource-intensive (or unavailable) using traditional IT infrastructures. For instance, cloud computing can provide the ability to collaborate online and to access information anywhere in the world, with multiple applications, multiple access points, common content, information and data availability in real time across time zones and geography – all without requiring any additional resources, effort, equipment or software by anyone on the collaborative team. Removing dependence on these allows the advertiser to collaborate with agencies, suppliers, talent, publishing networks around the globe, as well as internally with marketing and legal, whether inside or outside counsel.
Cloud computing has the potential to change the way in which companies and industries operate. The creation of private clouds designed to reflect the unique requirements, standards and services of a company or an industry will proliferate. Of course, to be ubiquitous and feature-rich, they will need to interface and interoperate with other clouds; but consider that today, it remains common practice to send CDs or DVDs back and forth, send emails with links (or even attachments), or to create FTP sites in order to review commercials as they are being developed. Reviews may be made by creative teams, marketing, compliance, legal – all of which may have input or may require editing before a commercial can be released, whether for network clearance or public viewing. A cloud enables the collaboration to take place with standardised tools and techniques, auditable methodology, interactive cooperation and clearly a more cost-effective platform, reducing the overall preparation, operation and distribution expense.
Ad serving options
Further, cloud computing offers a wider array of choices and flexibility for advertisers to distribute and display advertising. Consider the ability to create and distribute advertising that could reach consumers regardless of the technology they have available. The cloud could detect and serve ads in a form, format and version that is just right for the device which the consumer is using at that very moment. Similarly, through authentication methodologies, individuals travelling or outside their home base will still be served advertising relevant to them, because the cloud will 'know' the log-in credentials or the mobile device number. Travelling to Spain, you will still see ads in English targeted at you – unless of course, you tell the cloud you want something different.
Context-sensitive searches will allow consumers to select advertising based on their preferences, literally on a moment's notice. Visiting Amsterdam? A search for local restaurants and adverts can target your needs. Business meetings in Buenos Aires? Search for directions and you could see English-language adverts for business services in or around town. Although all of these features may currently be available today using non-cloud platforms, their cost-effectiveness, universal availability and ubiquitous functionality are meagre compared with the robust capabilities that will soon be available in the cloud.
Advanced data collection capabilities
Cloud computing increases the ability to gather data and analyse metrics across different platforms. The most precise data (ie, personal identifiable information about a consumer) still remains the subject of volatile and heated debate. In the cloud, global data, both aggregate and consumer-specific, will become the subject of even hotter debate. As is noted below, privacy, surveillance and similar issues will continue to be hotly debated, but something that everyone is likely to agree on is the fact that cloud computing will make significantly greater amounts of valuable information – gathered on a global scale, segmented in as many ways as the marketer's imagination can conjure up – accessible and usable.
Although myriad legal issues arise in a cloud computing environment, this update focuses on three key areas of concern:
- confidentiality, privacy and data protection;
- global regulatory compliance; and
- intellectual property.
Confidentiality, privacy and data protection
One of the primary legal concerns expressed by regulators, consumer groups and information security professionals when it comes to cloud computing revolves around issues of privacy and data protection – the security, integrity and reliability of information and data. In a cloud computing environment, businesses are concerned about ceding control over their data, their proprietary processes and, ultimately, their digital capabilities to a third party. Consumers search for assurances that, for example, their personally identifiable information, personal and private data and financial and health records will be safe and secure, protected not only from unwanted and unauthorised intrusion, misappropriation and alteration, but also from use in ways that were not intended and are often unknown and undisclosed.
Information and data may be subject to laws governing their collection, processing, storage and use. Who is responsible for compliance may well depend on the relationship of the parties (eg, business-to-business, business-to-consumer or a combination) and the laws and regulations that apply (either by contract or based on the jurisdiction that applies to one or more of the parties). Multiple parties, multiple jurisdictions and the blurring of responsibility for delivering data, content, application programs, processing resources and communications or interface capabilities will likely give lawyers much to negotiate (and litigate) over the next decade.
From the advertisers' perspective, the 'service' in a cloud will likely consist of a continuum of activities, from creating advertising to delivering the ads themselves, and ultimately, to measuring the effectiveness and resultant product and service delivery when positive responses are received with respect to the advertising. Contractually allocating the risks involved at each stage of the process is likely to be something with which the industry struggles for some time to come, as standards will be difficult to define and the sheer diversity of parties, roles and responsibilities with endless permutations can be numbing.
While the protection of personal and personally identifiable data and information is subject to a variety of laws and regulations in the United States (eg, the Graham-Leach-Bliley Act applies to personal information collected by financial institutions, and the Health Insurance Portability and Accountability Act to medical and health information) and many countries around the world, the advertising and marketing industries face new and uncharted challenges as the regulation of all kinds of information derived from digital advertising is being targeted for legislation and regulation. Most industry professionals are all too familiar with terms such as 'browser ad blocking', 'opt-in' cookie legislation, 'online behavioural advertising', 'tracking' and 'location-based marketing'. All of these terms have arisen in the context of some technological innovation, enabling advertisers to gather more information, segment demographics more granularly and focus increasingly relevant advertising tat the right target audience. Unfortunately, the abuses that have crept into the system have caught the attention of regulators and legislators, and it is too early to tell what, if any, beneficial effect the industry's self-regulatory initiative (ie, the Digital Advertising Alliance and the online behavioural advertising self-regulatory guidelines) is having on these abuses.
In addition to industry regulations, most states in the United States have laws regulating the collection and security of the personal information of their residents, and states are continuing to strengthen these laws by proposing new laws or amendments to current laws. In April 2011 California introduced a bill that would require companies doing business in California to provide internet consumers with a method to opt out of the collection or use of any "covered information". Other states have also introduced new bills relating to data collection and/or security breach requirements, including Massachusetts, Hawaii and Colorado.
Data protection laws and regulations abound. Laws and regulations in the United States, European Union and throughout the world create a patchwork of obligations, disclosure requirements, restrictions, responsibilities and liabilities that global and multinational companies will need to navigate in a cloud environment.
When it comes to security, there are laws, regulations and, increasingly, industry self-regulatory requirements (eg, the Data Security Standards of the Payment Card Industry) that companies must comply with as consumer information is collected in connection with advertising and marketing. Encryption and data security is or will be required when, for example, personally identifiable information, credit or other payment and financial information and health and medical information is involved.
The requirements often extend not merely to the advertiser, but also to every entity that touches the information: agencies, vendors and suppliers, distributors, networks and publishers will be required to contractually commit (or be formally subject to regulations). Due diligence, modified contract terms and conditions and constant re-evaluation are needed to ensure that each of these entities has adequate physical and logical security controls for safeguarding the information and data, and is properly authenticating users and controlling, among other things:
- who is given access to the information;
- who the information and data is shared with; and
- when, where and how appropriate disclosures, opt-in or opt-out opportunities are given.
Should advertisers seek to add (or require that their agencies, suppliers and others add) specific clauses that prohibit cloud providers from monitoring their information and data, or using it, other than as necessary to provide the services (eg, capacity planning, network traffic monitoring, operational and systems configuration)?
Consider the following. Not that long ago, in an advertising environment ruled by passive, one-way communication (ie, television, print, radio, direct mail) only the advertiser, its agency and perhaps the retailer conducting the promotion or redeeming a coupon would be in a position to gather personally identifiable information about consumers. Rating services and metrics were by inference and statistics, more often than not, rather than by direct observation.
Today, network publishers, ad serving networks, search engine providers, social network operators, wireless carries and even browser technology providers are in a position to gather such data and information. Indeed, not only first-party advertisers, but also parties can now obtain, store, analyse and ostensibly use behavioural marketing information about consumers.
The Federal Trade Commission (FTC) takes the view that a company's website policies and its terms, conditions and privacy statements (the agreements by which consumers are bound when they visit or register and use a particular website) represent claims and express representations to consumers about how their information and data will be collected, stored, used and, if applicable, shared. Failure to adhere to one's own website statements, even if well beyond what the law requires, not only can give rise to a cause of action from a consumer alleging breach of contract, but may also draw action from the FTC for misleading or deceptive advertising under Section 5 of the FTC Act.
It is likely that additional and/or revised regulations lie ahead as regulators begin to address the data privacy risks involved in cloud computing. For instance, we have already seen the proposal of several new federal privacy bills.
Global regulatory compliance
In a cloud computing environment, a company may no longer know where its data is at any particular point in time – physically or logically – and while technically it may be possible to audit and trace each bit and byte, in practice, from an availability and access viewpoint, the data might be stored on one or more servers somewhere else. Which jurisdiction's laws and regulations govern? What level of data and privacy protection is "adequate"? What about transborder data flow? Is your company subject to the laws and regulations of multiple jurisdictions - potentially dynamically changing jurisdictions? Due process and subpoena requirements are not harmonised around the globe – in some jurisdictions, law enforcement and government officials have wide-ranging power to examine and even confiscate data resident on processors or storage devices within their borders.
While a company's service agreement with its cloud provider can address choice of law between the two parties, it will not provide either a company or an individual user with a choice of where its data will be stored, where it might be routed or processed and how it can be dealt with by others in a variety of jurisdictions. The USA PATRIOT Act can provide government access to private data. First Amendment protections under the Constitution might not be immune from defamation, criminal or civil liability in other jurisdictions. As most advertisers already know, advertising standards and regulations vary widely across jurisdictions, and while the assumption is that it is only where the ad is displayed or visible that laws and regulations really apply, this notion is borne more in common sense than in legal or regulatory precedent. Newsweek.com has moved its website to a cloud provider.(2) The Chicago Sun Times is deploying its editorial software in a cloud computing environment.(3) Are journalists and news content accorded the same protections everywhere? In a cloud environment, that is not a trivial question.
What if the IP laws in one or more nations provide little or no protection? What if your data is passing through, en route to its destination, but transmitted through servers and repeaters and transmission mechanisms in multiple jurisdictions? Imagine having a telephone conversation between individuals in country A and country C, but the signal passes through country B on its way. What if country B has no protections against wiretapping, listening in on the conversation or taking the contents of the call and using it within country B? What if country B has laws that prohibit, restrict or object to content transmitted across its borders for any number of reasons? Serving advertising is not that different from serving any other content, and if a country has the capability and the right to censor or restrict one, it can do so with any content, including advertising.
Some cloud providers (eg, Amazon's EC2 Service) address this by allowing users to select 'availability zones'. Amazon currently has multiple availability zones in the United States and Europe.(4) While of some comfort, an availability zone is still not dispositive of the route that personally identifiable, trade secret or sensitive health or financial information may take on its way from point A to B. The situation is indeed cloudy and it may take quite some time before it can be seen clearly and before cloud users have the ability to manage these issues with less risk than is evident today.
Cloud computing holds significant promise for the advertising, media, gaming and entertainment industries. But make no mistake: there are challenges and concerns that must be carefully considered and evaluated based on the nature of the activities, data and information and requirements. For advertisers, agencies, network and publishing providers, the decision to go to the cloud should be made carefully, taking into account these factors and weighing up the benefits and risks. While the technology and the regulatory landscape of cloud computing are changing and likely will continue to change dynamically in the months and years ahead, cloud computing, like any innovation, can represent extraordinary risks and potential new liabilities, but may also provide a host of benefits and a promise of increasingly globally effective, locally relevant, readily distributable, inexpensive delivery of high-quality advertising in the future.
For further information on this topic please contact Joseph I Rosenbaum or Keri S Bruce at Reed Smith LLP by telephone (+1 212 521 5400), fax (+1 212 521 5450) or email ([email protected] or [email protected]).
(1) Google Terms of Service, www.google.com/accounts/TOS (last visited June 13 2011).
(2) "Newsweek.com Explores Amazon Cloud Computing", April 25 2010, www.adweek.com/news/press/newsweekcom-explores-amazon-cloudcomputing-115212.
(3) Sun-Times Media Live with First Phase of DTI Cloud Conversion, October 28 2010, www.prweb.com/releases/2010/10/prweb4710144.htm (last visited June 14 2011)
(4) Amazon Elastic Cloud Compute, http://aws.amazon.com/ec2/.