Laws and Regulations
The US legal and regulatory landscape governing the metaverse is rapidly evolving. The laws and regulations that are implicated by the metaverse are numerous and potentially create a range of legal issues. There are currently no US laws that specifically apply only to the metaverse – however, in some situations existing laws apply; in other situations, new laws and regulations are likely to be developed over time.
Intellectual property laws are key to metaverse governance. The creation of new types of digital assets, such as non-fungible tokens (NFTs), raises novel intellectual property issues including those summarised below.
Copyright is a type of intellectual property that protects original works of creators. In the metaverse, this covers user-generated digital content such as avatars, virtual buildings, and digital artwork. The owner of a copyrighted item has the exclusive right to reproduce the work, distribute copies and display it publicly. Copyright also provides the owner the right to authorise others to exercise these exclusive rights. If an artist creates content in the metaverse that is similar to copyrighted content in the physical world, then they may be liable for copyright infringement. For example, an avatar or an NFT in the metaverse that is similar to a copyrighted avatar or NFT outside the metaverse could trigger a copyright infringement claim.
A trade mark is a word, phrase, logo, design, or slogan that indicates the source of goods and services. Trade mark law protects against the unauthorised use of a trade mark by third parties that would cause a consumer to believe that the trade mark owner either was the source of the goods or services, or endorsed or sponsored such goods or services, in a manner that may dilute or disparage the trade mark.
Many companies register their brands with the US Patent and Trademark Office (USPTO) for use in connection with virtual offerings as well as those in the physical world. These companies obtain registered trade mark protection for things like virtual goods, retail store services featuring virtual goods, NFTs, and digital tokens.
A patent for an invention is the grant of a property right to the inventor. Generally, a new patent is valid 20 years from the date on which the application for the patent is filed in the United States. US patent grants are effective only within the United States, its territories and possessions. A company developing metaverse-related technologies will need to consider whether to seek patent protection and whether its technology might infringe on the patents of other parties in the same way as technology providers outside of the metaverse.
User-Generated Content Litigation
The proliferation of user-generated content creates risks of unauthorised use of third-party trade marks and brand dilution. For example, some metaverse spaces operate as an online economy, allowing users to create their own virtual worlds, to develop intellectual property, to sell branded creations, and/or to build an online business presence to sell their products in the real world. Using another party’s trade marks in these ways can trigger a trade mark infringement claim.
There have already been a number of challenges regarding intellectual property incorporated into user-generated content in the metaverse, including a case alleging trade mark infringement and dilution as a result of a company minting NFTs using trade marks belonging to other companies (Nike, Inc v StockX LLC and Hermès v Mason Rothschild).
Tort law governs civil wrongs such as property damages and personal injury, which can include activity caused by users in the metaverse to other participants. A defendant could be liable for financial compensation related to an act in the metaverse. For example, defamation is a false statement presented as a fact that causes injury or damage to the character of the person it is about. In the metaverse, user-generated content that is false and causes injury to another could trigger a defamation claim.
Tax and Financial Regulations
The purchase and sale of virtual goods trigger tax implications, including sales tax and income tax. NFTs may be subject to US commodities, banking, and securities laws, due to the manner in which these assets are created and exchanged.
In the metaverse, contract law applies to agreements between users, ranging from selling virtual goods to renting virtual property. Businesses entering into agreements in the metaverse need to comply with laws and regulations applicable to contracts in the physical world, including meeting all consumer disclosure requirements.
Data practices relating to the metaverse are subject to generally applicable US privacy and data protection frameworks, primarily the California Consumer Privacy Act and other comprehensive state privacy laws that go into effect in 2023, Section 5 of the Federal Trade Commission Act, and state laws that prohibit unfair or deceptive acts and practices.
As with other platforms, it is important for companies that have a presence in the metaverse to understand the personal data flows involving the company, the platform, and exchanges between them. Key issues to examine include:
Cybersecurity and Data Security
Companies face potential liability for disclosing personal data to vendors or third parties that do not maintain reasonable data security measures. Therefore, to the extent that personal data will be shared with a metaverse platform, it is important to assess the platform’s cybersecurity practices in advance. In addition, if the metaverse supports operational business activities, then the platform’s general cybersecurity measures, including availability guarantees and ability to resist and respond to various forms of cyberattacks, are important considerations.
Laws and Regulations
Numerous laws and regulations regulate the digital economy in the United States, including a variety of laws, regulations and codes of conduct particular to specific industries or to the type of data and users involved. Laws and regulations at the federal, state and local level – and in some instances even laws of foreign jurisdictions – may apply to a participant in the digital economy in the USA. As a general matter, laws and regulations applicable outside of the digital economy will also apply to the establishment and operation of a digital business, in addition to those laws and regulations focused primarily on digital operations and transactions.
Terms & Conditions
Requiring the customer to affirmatively accept the contract terms after the terms are presented to the customer will decrease the likelihood that a court in the United States will find the contract to be unenforceable as a result of the customer not having actual or implied notice of the contractual terms or the customer not having agreed to those terms. However, certain applicable statutes or common law principles may still lead a court to deny enforcement of certain provisions, such as relating to arbitration provisions or choice of law and forum selection provisions.
The digital economy also implicates intellectual property laws. Companies that offer consumers innovative experiences have to navigate IP issues including branding and trade mark protection, copyright, licences for specific software or technology, patents, trade secrets and knowhow for their digital offerings.
Privacy/Data Security/Consumer Protection
Privacy, data security, and consumer protection laws play a key role in regulating commercial practices in the digital economy. The US Federal Trade Commission (FTC) has jurisdiction over consumer protection and competition enforcement across broad areas of the US economy, based in part on Section 5 of the FTC Act, which prohibits unfair methods of competition and unfair or deceptive acts and practices. State attorneys general have similar consumer protection authority under their laws against unfair or deceptive acts and practices.
Over the past few decades, the FTC has used its Section 5 authority to establish standards for the processing of personal data through enforcement actions against specific companies, as well as non-binding guidance and policy documents. Until recently, the FTC limited its rulemaking activity to specific industries or practices for which Congress granted clear regulatory authority, such as children’s privacy or the security of personal information that financial institutions handle.
The FTC, however, has indicated that the growing digital economy, coupled with business models that are based on monetising personal data, may have given rise to unfair or deceptive data practices that are prevalent. As discussed in 4. Artificial Intelligence and Big Data, the FTC is now considering developing regulations to govern “commercial surveillance” and data security, which could apply far more broadly than the sector-specific rules mentioned above.
Other federal and state regulators play an important role in the legal order surrounding the digital economy. For example, a number of federal laws applicable to entities operating in specific industries apply to the operation of a digital business in those industries, including financial institutions, health care providers and insurers (and their business associates), companies doing business with governmental entities, and educational institutions. See 3. Cloud and Edge Computing for a summary of some of these laws.
Laws and Regulations
Entrusting processes or data to a cloud or other distributed computing environment like edge computing may implicate a variety of laws and regulations in the US depending upon the industry, data, and users involved. Laws and regulations at the federal and state level – as well as laws of foreign jurisdictions – may apply directly to providers of these services operating in the US as well as their customers. In addition, these offerings often involve providers processing data on behalf of customers that are subject to additional regulation (such as controllers of personal data). The obligations of those customers are required to be passed through to the providers in the computing contracts.
Sector-Specific Laws and Regulations and Industry Standards
Laws and standards that govern entities operating in specific industries, including financial institutions, health care providers and insurers (and their business associates), companies doing business with governmental entities, educational institutions, and telecommunications common carriers, are applicable to cloud and edge computing providers and information received by the providers. The following laws and standards are frequently implicated when such entities move processes and data to the cloud.
The Gramm-Leach-Bliley Act (GLBA) is a US federal law regulating the treatment of non-public personal information (NPI) by financial institutions, such as banks, financial advisors, and insurance companies.
The GLBA includes provisions on privacy applicable to the collection and disclosure of NPI (the “Privacy Rule”) and security provisions requiring the financial institutions to protect NPI (the “Safeguards Rule”). The GLBA applies not only to financial institutions, but may also apply to companies receiving non-public personal information from a financial institution or who perform activities that are financial in nature or incidental to financial activities. Entities subject to the GLBA generally require their providers to agree to contract terms that reflect the applicable obligations under the GLBA.
An entity subject to the GLBA utilising a third party service provider for processing will need to confirm the selection of a service provider that maintains appropriate policies and safeguards consistent with the GLBA and enter into an appropriate contract.
The Safeguards Rule (and more detailed guidelines for banks, which are not subject to the Safeguards Rule) requires financial institutions to develop and maintain a comprehensive information security programme and to exercise appropriate oversight over service providers, among other requirements. The Federal Trade Commission issued a major revision of the Safeguards Rule in December 2021.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law addressing the treatment and use of individuals’ personal protected health information (PHI). HIPAA applies to healthcare providers, health insurance plans and healthcare clearinghouses (“Covered Entities”) and their business associates (and those business associates’ subcontractors) performing certain services involving PHI (“Business Associates”). Under the authority granted by HIPAA, the US Department of Health and Human Services has issued Privacy, Security, and Breach Notification Rules, which together establish requirements for the use, disclosure, and protection of PHI. The use of cloud and edge computing services will need to comply with HIPAA to the extent applicable.
Entities participating in federal programmes
Requirements applicable to activities by federal agencies and their contractors include the Federal Information Security Modernization Act (FISMA) and the Federal Risk and Authorization Management Program (FedRAMP). FISMA establishes federal agency roles and responsibilities for information technology security.
The Family Educational Rights and Privacy Act (FERPA) provides certain privacy protections applicable to a student’s educational records. Schools covered by FERPA that place records subject to FERPA in the cloud will need to ensure that their cloud providers are contractually obligated to meet the requirements of FERPA.
Standards for Attestation Engagements No 18 (SSAE 18) sets forth standards used by auditors to review certain practices of service providers. Companies offering cloud-based services in the US frequently make available to their customers on an annual basis a type of report based on SSAE 18 known as a Service and Organization Control (SOC) 2 report focusing on the principles of security, privacy, availability, processing integrity, and confidentiality. A provider providing services materially impacting the financial statements of its customers will often be requested to also provide a SOC 1 report, which focuses on the service provider’s financial controls.
Payment card industry standard
The Payment Card Industry Data Security Standard (PCI DSS) has been created by the Payment Card Industry Data Security Council to address data security for any company that stores, processes or transmits “Cardholder Data” or “Sensitive Authentication Data” as defined by the PCI DSS. A service provider receiving Cardholder Data or Sensitive Authentication Data will be required to meet extensive requirements to demonstrate PCI DSS compliance.
Several federal laws authorise law enforcement and intelligence agencies to compel cloud and edge computing providers to produce personal data and other information in response to subpoenas, court orders, and other forms of legal process. Key statutes include the Foreign Intelligence Surveillance Act (FISA) and the Electronic Communications Privacy Act (ECPA), as amended by the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”). The CLOUD Act permits federal authorities in certain instances to compel technology providers based in the US to provide data stored on the provider’s servers located both inside and outside the US.
Given the potential multi-jurisdictional reach of cloud-based products and services, these US laws may conflict with laws of other countries claiming jurisdiction over data or computer assets. For instance, with regard to the European Union, the scope of the US legal authorities’ reach, the strength of judicial and other safeguards, and the rights and protections that Europeans may exercise against government agencies seeking data stored by US-based providers have become major issues following the Court of Justice of the European Union’s July 2020 Schrems II decision. In addition to requisite processes to evaluate and respond to government demands, US-based cloud providers increasingly face demands from their customers to assess the risk of government access to the customers’ data processed by the providers.
Specific Issues for Processing of Personal Data
In addition to the generally-applicable sector-specific laws and standards discussed above, several federal and state laws and regulations govern specific circumstances relating to the type of personal data collected or transmitted. These laws include broadly defined federal and state consumer protection laws, comprehensive state-level statutes, and laws designed to protect either certain categories of data collected or certain data collected on specific populations.
The FTC is the main consumer protection enforcement agency in the US and has long applied its authority to prevent “unfair or deceptive acts or practices” to the data protection arena. Although this authority, defined under Section 5 of the FTC Act, is not specific to data protection, the FTC has used it to bring more than 100 privacy and data security enforcement actions over approximately two decades.
Virtually every state has enacted narrow legislation to protect specific categories of sensitive personal data of its residents. However, the California Consumer Privacy Act (CCPA); Virginia Consumer Data Protection Act (VCDPA); and comprehensive privacy laws in Colorado, Connecticut, and Utah, go into effect by the end of 2023, and require contracts with service providers/processors such as cloud computing providers to limit the service provider’s data use, assist with consumer rights requests and data protection impact assessments, and ensure personal data security, among other requirements. Below is a high-level description of some of these state statutory requirements.
The CCPA was enacted in 2018 to give Californians more control over the personal information certain businesses collect and use about them. “Personal information” is defined under the CCPA as information that identifies, relates to, or could reasonably be linked with a California consumer or their household, including name, social security number, email address, product purchasing records, online browsing history, geolocation information, and biometric data. Personal information does not include information that is publicly available, de-identified, or aggregated, as defined under the CCPA.
In addition, in November 2020, California voters approved an amendment to the CCPA called the California Privacy Rights Act (CPRA). The CPRA fully went into effect on 1 January 2023. Key amendments under the CPRA include the following.
Consumers have the right to limit or opt out of certain uses of sensitive personal information.
Violations of the CCPA are enforced by both the California Attorney General and the California Privacy Protection Agency, both of which have the power to impose penalties/fines of up to USD2,500 per violation or USD7,500 per intentional violation/violation involving consumers under 16 years of age. The law also affords California consumers a private right of action for breaches of sensitive personal information.
The Commonwealth of Virginia is the second state to enact a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The VCDPA was passed into law in 2021 and went into effect on 1 January 2023.
Virginians have rights under the VCDPA comparable to those of Californians under the CCPA. However, Virginia affords additional, specific rights to opt out of targeted advertising and profiling.
Finally, there is no private right of action for Virginians to recover damages for a business’s breach of the VCDPA. The Virginia Attorney General is responsible for enforcing the VCDPA and may impose penalties of up to USD7,500 per violation.
The Colorado Privacy Act (CPA) was signed into law on 7 July 2021 and went into effect on 1 July 2023. The CPA is generally more closely aligned with the VCDPA than the CCPA. Violations of the CPA will be enforceable exclusively by the Colorado Attorney General and the 22 Colorado District Attorneys and are subject to penalties of up to USD20,000 per violation under the Colorado Consumer Protection Act. There is no private right of action for Colorado consumers under the law.
Other states may enact their own laws. Given the differences among current state laws, companies will need to devote careful thought to a compliance strategy that accounts for these differences and the laws’ incomplete coverage.
Entities that hold personal information about consumers and businesses should consider privacy, disclosure, equal opportunity/non-discriminatory uses, and transparency concerns. “Big data” is the collection of millions of data points of information about an individual consumer or business across a variety of sources, collected over time, and may be held or used by entities that interact directly with consumers and businesses (first-person data), or by data aggregators and data brokers (third-person data). “Artificial intelligence” enables machines to analyse information in big data using algorithmic processes.
While there is no comprehensive current federal statutory and regulatory structure in the US dedicated to information used in big data and artificial intelligence, several federal statutes are potentially implicated depending on the type of information at issue. Case-by-case enforcement of these statutes has formed the structure of consumer protection relating to big data and artificial intelligence.
At the federal level, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) have indicated that they may use their authority to prevent unfair or deceptive acts and practices in the AI and big data arenas. For example, in 2022, the CFPB announced that its examinations of financial institutions for unfair, deceptive, or abusive practices would include assessments of whether examinees engaged in discriminatory practices. In late 2022, the FTC issued an Advance Notice of Proposed Rulemaking (ANPR) seeking comments from the public on proposed rules to protect against consumer harm as a result of entities’ commercial surveillance and data security practices. Following receipt of comments from the public and industry, the FTC may issue rules relating to these topics.
In addition, various states have statutory restrictions on the collection, retention, and use of personal information, generally, or with respect to specific types of personal information.
Despite the absence of a comprehensive federal statutory and regulatory structure for big data, the Federal Trade Commission (FTC) plays a significant role in shaping entities’ practices involving non-public personal information, generally, in the US using case-by-case enforcement and policy statements. The FTC has authority under Section 5 of the FTC Act to declare a business as having “unfair or deceptive acts or practices.” Analysis under Section 5 of the FTC Act is fact-specific to the particular circumstances of an entity’s practices. In its report “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, FTC Report” (January 2016), the FTC described a number of specific practices as unfair or deceptive.
Several comprehensive state privacy laws set transparency and choice requirements in relation to profiling and automated decision-making. In 2021, Colorado and Virginia also passed generally-applicable privacy statutes relating to personal information. Those states, and Connecticut, give consumers the right to opt out of “profiling” (defined as automated personal data processing to evaluate certain individual characteristics) in furtherance of “decisions that produce legal or similarly significant effects concerning the consumer”. California’s privacy regulator, the California Privacy Protection Agency (CPPA), is expected to issue regulations that address similar issues by mid-2023. In addition, the California Consumer Privacy Act (CCPA) mandates disclosure about the collection and use of “a consumer’s personal information”, including disclosure about what personal information is collected, the right to delete personal information, and the right to prevent the sale of the collected personal information. The CCPA also contains a right of non-discrimination for consumers that exercise their rights to protect their personal information, with certain exceptions.
Other federal and state privacy statutes are more narrowly focused on specific types of personal information. For example, the US federal Fair Credit Reporting Act regulates information collected and used by consumer reporting agencies, and federal civil rights laws regulate the use of personal information where the intent or the effect of the use of the information results in a violation of the rights of the statute’s protected classes. Various states have similar and additional civil rights laws relating to this type of information. In addition, certain states provide even greater privacy protections to specific types of personal information. For example, the Illinois Biometric Information Privacy Act (BIPA) protects individuals’ rights over their biometric information, such as facial recognition scans, voice and finger prints, and hand or eye scans.
As a result, entities pursuing the collection, retention, or use of information about consumers and businesses in the US should ensure that they have clear disclosures and procedures to safeguard personal information, and that these procedures are fully enforced. In addition, entities should examine the type of personal information being collected, retained, and used, as well as the state jurisdictions applicable to the entity, to implement the appropriate federal and state privacy, disclosure, and transparency procedures and safeguards.
In addition to the privacy, disclosure, equal opportunity/non-discriminatory uses, and transparency considerations raised above, artificial intelligence raises an additional consideration relating to the scope of disclosure and consent. Artificial intelligence necessarily depends on algorithms that evolve or change over time. To the extent an entity provides disclosure that certain personal information is being collected, retained, and used, and the consumer provides consent for that purpose, any changes outside the scope of that disclosure and consumer’s consent may violate federal and state privacy and protection laws or be considered an “unfair or deceptive act or practice” under Section 5 of the FTC Act. Entities should ensure that disclosures and consents are sufficiently specific to inform consumers of the nature of the personal information being collected, retained, or used, and periodically update these disclosures and consent in parallel with changes to their machine learning and artificial intelligence algorithmic processes.
Regulatory authorities in the United States have also increasingly become focused on the potential discriminatory impact of the use of AI in decision-making, such as when algorithms are used in connection with employment decisions or the decision to offer credit to a consumer.
“Smart” or “connected” devices, also known as internet of things devices, follow the federal National Institute of Standards and Technology (NIST) guidelines published by the US Department of Commerce and the statutory requirements found in certain state laws. Further, pursuant to the federal Internet of Things Cybersecurity Improvement Act of 2020, compliance with the NIST guidelines is required for federal procurements.
Within the NIST guidelines, NISTIR 8259 provides a summary of cybersecurity and privacy risk considerations, as well as assessment tools, and NISTIR 8259A provides a baseline for how a connected device will be defined as “securable”.
Connected devices raise privacy, disclosure, and cybersecurity considerations relating to information that the connected device uses, receives, stores, or transmits; these are described elsewhere in this article, in particular in Sections 2, 3, 4, and 8. Two additional frameworks are also significant in this arena: federal and state wiretapping laws and critical infrastructure.
Federal and State Wiretapping Laws
The federal Wiretap Act and similar state laws generally prohibit the interception of electronic communications. Although these laws contain exceptions for recipients of communications, as well as exceptions that may allow analysis of communications for security purposes, the application of these exceptions requires fact-specific analysis. For example, some state wiretap laws require all parties to a communication to consent to interception. If this exception is the basis for intercepting machine-to-machine traffic, it is important to understand whether such multi-party consent is necessary.
The Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security is developing cyber-incident and ransom payment reporting regulations pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Entities in the communications and healthcare sectors, among others, may be covered by these regulations. The reporting requirements, however, are not effective until the regulations are finalised.
In addition, certain states, such as California and Oregon, have statutes specifically focused on securing connected devices by requiring them to be equipped with cybersecurity safeguards which differ depending on the type of connected device. These state statutory requirements and NIST guidelines for securing a connected device should be considered in addition to privacy, disclosure, and transparency statutes, as well as general consumer protection statutes.
Radio and Broadcast Television
The Communications Act of 1934, as amended, with rules promulgated and enforced by the Federal Communications Commission (FCC), governs commercial AM, FM radio, and television broadcast authorisations. An authorisation from the FCC is required to operate a commercial AM, FM radio, and broadcast television station in the US, as described more fully in the FCC’s application guidance.
An application to the FCC for a commercial AM radio station (with frequencies of 540 kHz to 1700 kHz) requires a demonstration of non-interference on the same or on adjacent frequencies as existing US or foreign-based AM stations, as well as harmonic and intermediate frequency analyses. Application and fees are required during allotment application windows.
An application to the FCC for a commercial FM radio station (with frequencies of 92.1 MHz to 107.9 MHz) requires an application for a construction permit and a concurrent petition for rulemaking to the FCC which must, according to the FCC’s application guidance:
If the petition is accepted, the FCC would then issue a notice which would permit public comment on the application. If approved, the new allotment would then be placed in an auction bid which would require the original petitioner to bid on the allotment.
Full-powered television broadcast stations are allocated through the FCC’s Table of Allotment (47 CFR Section 73.622). Applicants seeking a new broadcast television station must petition the FCC and the FCC will then conduct an auction. However, at this time, the FCC states that it is not accepting new full-powered broadcast television station applications.
Video Programming by Cable and Open Video Services
Historically, video programming has been governed by state and local jurisdictions, called local franchise authorities. However, the Cable Communications Policy Act of 1984, as expanded by the Cable Television Consumer Protection and Competition Act of 1992, added cable television regulation to the FCC’s authority under the Communications Act of 1934 while maintaining the primary regulatory role of the local franchise authorities, with the notable exceptions of establishing a prohibition on regulating rates for cable operators that are “subject to effective competition,” as defined by the FCC, and a prohibition on exclusive cable franchises. In addition, Section 653 of the Telecommunications Act of 1996, as amended, established an “open video system” (OVS) distribution method for video programming in the absence of a local franchising authority regulatory requirement. The specific local franchise requirements vary widely across jurisdictions.
Online Video Services
The FCC’s video regulations generally do not apply to IP-delivered video programming that is not provided by a multichannel video programming distributor (MVPD). There are no prior regulatory authorisation requirements to post videos online. However, entities should ensure compliance with federal, state, and local rules when making video available online. For example, a distribution of online videos may implicate the 21st Century Communications and Video Accessibility Act (CVAA), 47 USC Section 613 and FCC rules where the video was previously published or shown on television. Further, interpretation of Title III of the federal Americans with Disabilities Act (ADA), 42 USC Section 12182, varies, and is subject to change through court interpretation, as to whether a website is “a place of public accommodation” requiring equal access for individuals with disabilities, such as through the provision of closed captioning.
The federal Video Privacy Protection Act (VPPA), 18 USC Section 2710, establishes notice and consent requirements for “video tape service providers”, a term that is defined with sufficient breadth to include many online streaming services as well as video-on-demand services. The VPPA generally requires a consumer’s opt-in consent to disclose personally identifiable viewing history information. The VPPA provides a private right of action and has led to a significant volume of class action litigation against video services providers and, in some instances, advertising platforms.
With regard to the content of video posted online, pursuant to Section 230 of the Communications Decency Act, providers of an interactive computer service generally are not treated as a publisher or speaker for information provided by another information content provider. As a result, companies with video-sharing platform services will generally not be liable for civil damages for the content of videos where the provider, in good faith, restricts access to, or the availability of, material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected, or where the provider takes action to enable or make available technical means to restrict access to the above-described material, along with undertaking other procedural requirements of the statute.
Title II of the federal Telecommunications Act of 1996, as amended (the “Telecommunications Act”), generally governs the offer to the public of interstate and international “telecommunications”, which are transmissions by the aid of wire, cable, radio, or other like connections, through regulations promulgated and enforced by the Federal Communications Commission (FCC) 47 USC §§153(50), (53). The FCC also asserts jurisdiction over certain aspects of interconnected Voice over Internet Protocol (VoIP) services. Whether a transmission is interstate and international, on the one hand, or intrastate, on the other hand, is generally determined by the origination and termination points of the transmission. Generally, providers of telecommunications must possess authorisation from the FCC under Section 214 of the Communications Act of 1934 for interstate and international transmissions, though certain wireless carriers are relieved of the requirement to obtain Section 214 authority and broadband internet access service (“broadband”) is currently subject to distinct regulatory frameworks. All Title II telecommunications service providers and interconnected VoIP providers must obtain an FCC Registration Number (FRN) through the FCC’s website, register with the FCC, and designate an agent for service of process by filing a form with the Universal Service Administrative Company (USAC). These obligations apply to both wholesale providers and resale providers.
Individual state commissions and state and local statutes regulate intrastate transmissions. Providers of intrastate telecommunications must register with or obtain authorisation from each individual state in which the intrastate transmission occurs except where the state legislature or commission has exempted the requirement. Providers of intrastate telecommunications services are also subject to state statutory requirements, such as state statutes on unfair or deceptive acts and practices and privacy.
In contrast to federal Title II “telecommunications services”, transmissions may be subject to reduced FCC regulation if provided on a “private carriage” basis, or if the interstate or international transmission consists of “information services”. Private carriage is the transmission of telecommunications that are not offered to the public. When interstate or international telecommunications are provided on a private carrier basis, the provider is not required to obtain a Section 214 authorisation from the FCC and fewer federal compliance obligations apply. State regulators, however, generally do not recognise the concept of private carriage as an exception to authorisation or compliance obligations.
In addition, there is no requirement to obtain Section 214 authority from the FCC to provide interstate and international information service transmission. Information services are statutorily defined as “the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilising, or making available information via telecommunications” 47 USC §153(24). The definition further states that information service “does not include any use of any such capability for the management, control, or operation of a telecommunications system or the management of a telecommunications service”. Generally, if there is a net change in the protocol of a transmission, the transmission may likely qualify as an information service 47 USC §153(50). Information services have been commonly identified as email, online gaming, web browsing, video conferencing, instant messaging, and other, similar non-voice IP-enabled services. The FCC has a long-standing policy against the economic regulation of “information services”, and there is a prohibition on states subjecting information services to any state economic regulation. However, the FCC’s policy does not prohibit the application of federal and state consumer protection laws to these services.
With respect to VoIP services and VoIP service providers, there is a continuing dispute as to whether federal communications law permits states to require applications for authority; however, one or more states currently assert that authority. For the most part, states either require registrations, typically for purposes of collecting state public fund contributions, or do not impose either a registration or application requirement, although even in such cases, contributions to state public purpose funds may still be required. State economic regulation, such as tax obligations, generally applies to VoIP revenues. In general, state regulation of VoIP services and VoIP service providers is limited, but registration, where it exists, varies considerably across the states, with each state uniquely handling the question of VoIP jurisdiction. In a number of states, legislatures have expressly removed VoIP services and VoIP service providers from the jurisdiction of the state commissions or state commissions have declined to exercise jurisdiction over VoIP services and VoIP service providers, although many such states may permit a “carve out” of residual state commission jurisdiction for purposes of state universal service fund and other public fund assessments.
Technology agreements may cover the deployment or sale of a number of different services, products, solutions and platforms, including on-premise software licences, software-as-a-service offerings, software development and maintenance, data-related products and services, artificial intelligence-enabled solutions and many others. Each type of agreement will have its own challenges. However, key challenges often include performance commitments (eg, warranties and service levels), clear upfront pricing and addressing changes to prices over time, compliance with laws’ provisions, intellectual property ownership, data security and privacy, audit, indemnification and limitations and exclusions of liability.
As a general matter, technology agreements will choose the laws of a particular state to apply to the agreement and a court will enforce the parties’ choice of law in the contract as long as there is a reasonable relationship to the transaction or the parties, subject to certain exceptions. However, in the United States, federal law generally takes precedence over state laws. While there is no over-arching federal contract law, various federal laws will continue to apply to a technology agreement containing the choice of a specific state’s laws depending upon factors such as the subject matter of the agreement, the industry involved and the technology or data involved. For example, software and products that incorporate encryption may be subject to export restrictions under the Export Administration Regulations, a complex licensing and exemption scheme for encryption exports.
Federal, state and local governmental agencies and entities entering into technology agreements are often subject to laws and regulations applicable to the procurement process for technology agreements as well as specific requirements related to provisions contained within the agreements.
Data Protection and Cybersecurity
An increasingly important data protection and security issue concerning technology agreements is whether the parties are entering into a service provider/processor relationship, or whether personal data that is transferred pursuant to the agreement is between parties with independent rights to determine the means and purposes of processing. Comprehensive state privacy laws establish specific requirements for service provider/processor contracts, similar to those under the GDPR. In addition, California requires agreements under which a party sells or shares personal data to include a subset of these provisions, including specifying the purposes of the data transfer, obligating the recipient to comply with applicable privacy laws, and providing the data source the rights to assess the recipient’s compliance and remedy instances of non-compliance.
US laws generally do not require data localisation or restrict storage location (other than in relation to countries that are under sanctions or export controls), nor do they require specific measures for cross-border data transfers. However, the location of personal data storage, including the ability to enforce confidentiality provisions against employees or contractors, is often a factor in assessing a contracting party’s ability to meet contractual obligations and to provide a reasonable level of data security.
Data Protection and Cybersecurity
Trust, digital identity, and similar services process personal data that may be highly sensitive because of its potential to be misused for fraud, identity theft, or account compromise. Personal data used in the course of providing such services may be subject to data breach notification laws, which have been enacted in all 50 states, the District of Columbia, and several US territories. These laws typically provide exemptions for encrypted data, provided that encryption keys are not compromised, but determining whether or not this exemption applies may require a forensic investigation of the relevant data security incident.
Other data protection and cybersecurity considerations that relate to trust and identity services include the following.
The federal United States Electronic Signatures in Global and National Commerce Act (the “ESIGN Act”), as supplemented by Uniform Electronic Transactions Acts (the “UETA Act”) and similar laws adopted at the state level, establishes that electronic records are not invalid solely because of their electronic nature when the parties have chosen to use electronic documents and signatures. The ESIGN Act permits individual states to further address electronic signatures for transactions subject to the individual state’s laws, other than in certain areas where the ESIGN Act overrules (or pre-empts) state law. While most states have adopted an act very similar to the model UETA Act, some states have modified the model act or not enacted it. In addition, the model UETA contains certain exceptions to the use of electronic signatures, such as their use with wills, codicils and certain trusts.
Generally speaking, a party to an agreement seeking to establish the validity of an electronic signature will need to:
Additional requirements apply to transactions involving consumers in some cases.
In addition to meeting the requirements related to electronic signature, an electronic contract will still need to meet the requirements for an enforceable contract under applicable state law (ie, an offer, acceptance of the offer and consideration).
Real World Meets Virtual World: Emergent Metaverse Use Cases and Attendant Legal Considerations
Over the past year, real-world businesses have rushed to develop metaverse strategies, with many even purchasing “virtual land”. The metaverse is likely to touch every industry, some minimally and others (such as real estate, entertainment and consumer discretionary) much more deeply. Yet, with the promise of a fully immersive metaverse similar to the one found in the movie Ready Player One believed to be years away, many businesses that have made the initial investment and dipped their toes in the virtual water find themselves asking, “what now?”
It is a question the e-commerce industry answered six or seven years ago with a dash of irony: propel the hi-tech online experience forward by weaving in elements of “old school” offline retailing. The result was a shift away from pureplay online-only offerings toward “clicks-to-bricks” and omnichannel models. In other words, e-commerce’s progression has been, in significant part, driven by the:
The metaverse may be following a similar path with consumer-facing industries beginning to rethink existing engagement models and test new applications developed to drive consumer metaverse adoption through the blurring of physical and virtual experiences.
Below is a discussion of the emerging technologies and use cases serving to increasingly blur the lines between physical and digital assets, experiences, and identity, and an examination of the potential legal issues that should be considered.
Unreal Estate: Metaverse Property
According to RubyHome (using data from a number of sources), the sales of metaverse land exceeded USD1.9 billion in 2022 on the top 10 metaverse platforms. Metaverse landowners include celebrities (such as Snoop Dogg and Deadmau5), entertainment properties (eg, The Walking Dead, Smurfs and Care Bears) and consumer brands (eg, Nike, Wendy’s and Hyundai).
While the early “generation” of metaverse buildings were quick to take advantage of the loose (or non-existent) application of real-world logic and physics, deploying features such as floating staircases, fantastical waterfalls and hallway-roaming tigers, the pendulum appears to be swinging in the other direction with the emergence of “digital twins” or metaverse assets intended to emulate their real-world counterparts.
For example, Snoop Dogg is creating a “Snoopverse” where he plans to recreate his real-world mansion in Diamond Bar, California. Likewise, the Atlanta Braves, a Major League Baseball team, last year revealed their plan to create a digital twin of Truist Park in the metaverse. The plan opens up a slew of fan engagement opportunities for the Braves, including the ability to eventually give fans the power to view live games in the metaverse stadium via technology similar to the Netaverse Experience debuted by the NBA’s Brooklyn Nets (which allows fans to experience virtual reproductions of real games in real time, from a perspective not feasible for most ‒ or even possible ‒ in the real world). For example, metaverse fans may be able to virtually watch games not only from dugout or courtside seats, but even from the perspective of the actual players.
As suggested above, the purpose of the digital twin strategy is not simply to create digital analogues of real-world properties, but rather to blur the line between the two. Not only are digital users able to experience the replication of live events happening in the real world, but real-world fans, through the use of augmented and mixed reality technologies, will also be able to interact with and activate metaverse elements from the real world. As an example, fans may soon be able to point their phone camera on different stadium signs to access off-limits areas via the metaverse (such as locker rooms).
Further, this digital twin strategy has applications beyond commerce, extending into educational and charitable territories. For example, it would not be a stretch to imagine Boston’s Freedom Trail recreated within a metaverse environment and, conversely, the real-world Freedom Trail experience enhanced by augmented and mixed reality to deliver more vivid learning experiences.
Potential legal issues
The nature, rights and characteristics are entirely controlled by the software of the metaverse platform and that platform’s terms of service (ToS). Metaverse “virtual land” is very different from traditional land. Mark Twain’s famous quote about real estate ‒ “buy land, they are not making it anymore” ‒ is not true in the metaverse. Generally, the current major metaverse platforms can make an unlimited amount of additional virtual land, which can affect the value of the virtual land purchased. The ToS of the metaverse platforms are generally very favourable to the platform; for example, the Sandbox ToS permit Sandbox to remove any virtual assets from its metaverse without notice for any “reason or no reason”. Similarly, ToS for Decentraland permit the decentralised autonomous organisation (DAO) that runs the Decentraland metaverse to terminate the terms of service and suspend a user’s accounts in its sole discretion. In the real world, businesses can, and do, negotiate co-tenancy restrictions with landlords to prevent a brand’s message and foot traffic from being diverted by competitors. Given the centralised nature of current metaverse platforms and the fixed nature of their ToS, this option is not available and the projection of negotiating power some businesses enjoy in the real world may not entirely translate to the digital world. This reality will require deeper due diligence in the relevant platform’s ToS, not only ensuring the intended metaverse use complies with the platform’s ToS, but additionally confirming the intended use is consistent with co-tenancies; the clearest example of this is a family-oriented brand which finds that a virtual “neighbour” is launching adult entertainment offerings.
Additionally, real-world trade mark, copyright and advertising laws and regulations are likely to follow our avatars into the metaverse. Consequently, companies will need to play both virtual offence and defence, ensuring their trade marks (in the case of brand names) and copyrights (in the case of real-world architecture protected by the Architectural Works Copyright Protection Act of 1990) are not being copied by others, as well as ensuring their offerings are compliant with real-world marketing and advertising contractual requirements and applicable law. In the case of professional sports venues mentioned above, sponsorship agreements should not only recite the rights and obligations of the team and sponsor with respect to the physical stadium, but should also address whether said rights and obligations translate to any digital iterations of the venue.
Movie Night in the Metaverse
High speed internet, 5G and the rise of streaming services have thus far revolutionised the distribution and consumption of audio-visual content for the masses. Theatrical attendance has decreased precipitously (with box office revenues remaining elevated pre-COVID as a result of increased ticket prices and plummeting post). The “movie” night as we knew it has predominantly migrated to our living rooms where the popcorn is free and the furniture germ-free. So, what is lacking from the movie-going experience, one might ask?
Film industry experts and audiences proclaim that many film genres are better enjoyed as a communal experience, particularly with strangers, and that the cinema experience itself is an immersive experience not to be lost. While a movie night in the living room lacks the communal experience a theatre may offer, the metaverse presents an opportunity for willing fans to regain that experience. Already, second screen engagement has become widespread across many streaming programs and several platforms have introduced shared viewing functionalities. Inside an immersive metaverse, fans can fully engage with others and the programming itself in the simulated theatre, sharing laughs, gasping in horror or expressing other spontaneous reactions. A couple separated by geographical boundaries can reunite and share date night at the movies, and possibly even hold hands with meaning through the use of haptic gloves. The classic “Rocky Horror Show” custom screenings can be experienced in an entirely new manner in the virtual theatre.
Companies have already begun experimenting with virtual theatres, including allowing users to experience programming available on traditional streaming platforms in immersive theatres as well as invite-only film festival screenings hosting industry professionals in the metaverse. A more interesting twist will be Hollywood-type content that will allow the user to engage, participate or even choose their own ending in an immersive setting. All of these experiences and more will develop as engagement increases in the metaverse and greater content migrates to the virtual platforms.
Potential legal issues
Creation of high-value content involves the engagement of high-level talent of various types, including writers, directors and on-screen talent, as well as various below-the-line crew (eg, makeup artists, set designers, etc) and implicates other rights such as soundtrack and licensed music incorporated into the programme. Even the simple idea of migrating a film or television programme from the big screen or small screen to the virtual screen requires an analysis of the scope of exploitation rights the party seeking to do so possesses and the financial implications (residuals, participation payments, etc) of such forms of exploitation.
Will subscribers of a traditional streaming service operating a virtual theatre also be allowed to watch the service’s programmes in the virtual theatre at no additional cost or will a premium subscription or fee be applicable? Will admission fees be charged and into which category of revenues will those fees fall for purposes of accounting and paying any share of those revenues to various participants and entertainment guilds? Moreover, the concept of an interactive or “choose your own ending” type feature film raises the prospect of additional use fees and approval rights that talent may have based on what may be viewed as derivative or out-of-context work based on the original performance. These and many other intellectual property and commercial rights issues will be implicated as the movie-going experience migrates into the metaverse.
Virtual Moshpits: Live Musical Performances
To date, a variety of live events have been staged in the metaverse, including concerts, sporting events, interactive gaming events, trade shows, job fairs, award shows and graduation ceremonies. A number of factors have prompted the foray into such experiences in the metaverse, including:
Of the different types of live events and performances that have been hosted in the metaverse, live musical performances have proved to be the most popular to date. Travis Scott’s Fortnite performance in April 2020 had over 28 million people teleporting in to view the concert. Justin Bieber’s performance on Wave, a virtual music platform, in November 2021, and Young Thug’s performance on Meta’s Horizon Venues platform in December 2021 also found great success. Other artists like David Guetta (through the Roblox platform), Calvin Harris (through the Pico VR platform) and Ariana Grande (through the Fortnite platform) have taken their metaverse concerts to another level by incorporating dance battles, puzzles, mini-games, virtual merchandise and other interactive features to their performances to further engage attendees.
The interest in live musical performances in the metaverse has also sparked a new wave of metaverse start-ups with music ambitions. For example, Popins is a start-up using volumetric video technology to turn artists into 3D avatars, which can then be viewed on mobile devices and used by fans to create their own content (such as duets). SolTunes, an NFT start-up, allows consumers to use its software to mix and match musicians, thus creating new pieces of content. MetaCities is focusing on recreating real-world locations in the metaverse, and then providing experiences in those virtual spaces that include music performances.
Some of the biggest technology and gaming companies are also expanding their music aspirations. In the last two years, Fortnite’s publisher Epic Games acquired music-games developer Harmonix, music platform Bandcamp and music licensing start-up Lickd to expand the types of music-based metaverse experiences available to its users. League of Legends developer Riot Games has hosted hybrid concerts at its esport events, combining real-world arts with Riot Games’ virtual music stars such as K/DA, True Damage, and Pentakill.
The staging of live events, in particular live musical performances, in the metaverse and on new and existing platforms will continue to be a driver of audiences to the metaverse. It will be a useful tool to engage with new and existing audiences eager to be the first to experience a particular event live that they otherwise could not or would not attend in person.
Potential legal issues
While live virtual musical performances trigger a number of different legal issues to be considered, music rights clearance tops the list. The metaverse poses various challenges to traditional forms of music licensing. For example, with traditional synchronisation licences – which are used when songs are paired with audio-visual content such as a film or television series – rights-holders know exactly how their music is being used (eg, in the opening or closing credits of a film) and negotiate fees based on such usage. In the metaverse, however, the audio-visual content to which the song is paired could be part of an evolving platform and/or user-generated content, making negotiation of a synchronisation licence far more difficult.
Performance royalties must also be considered. Traditionally, performance royalties are earned anytime a song is played publicly, including live concerts, satellite or broadcast radio stations, and restaurants or bars, and collected through performing rights organisations (PROs) or collective management organisations (CMOs). Songs performed publicly in the metaverse will presumably similarly require royalty payments or blanket licences through PROs and CMOs and this area continues to develop.
Lickd is an example of a company that has already begun to tackle the issue of music rights and licensing in the metaverse. In the last few years, Lickd has entered into licensing arrangements with publishers such as Warner Music Group and Empire so that it can provide pre-cleared music licensing for virtual content creators. By way of example, the deal between Lickd and Vegas City, a virtual world within the metaverse-based 3D world Decentraland, signed in 2022, will allow Vegas City to play background music in venues and public spaces throughout its district, the same way that consumers listen to music in restaurants and bars in the real world.
In addition to music licensing, guild and union issues must be considered. For example, if the virtual concert involves the use of performances by actual performers, that performance (including everyone from the lead singer to the background dancer) is likely covered under the Screen Actors Guild - American Federation of Television and Radio Artists (SAG-AFTRA). This means that the content creator – whether the creator is a studio, video game company, metaverse platform or other entity – will need to negotiate with SAG-AFTRA for such usage.
Another issue to consider in connection with live musical performances is censorship. The metaverse is intended to be open, transparent and inclusive, but if big technology companies ultimately control the metaverse platform then they can control the content that users see and the information that is disseminated during the live musical performance.
There may also be other types of intellectual property besides music that must be cleared in connection with a live virtual musical performance. For example, a digital representation of a brand’s mark on the clothing of an avatar or represented on the virtual stage or in the virtual arena, could have both trade mark and copyright protection requiring clearance.
Publicity rights must also be considered. Publicity rights are intended to protect a person’s persona – such as their name and image – but in the metaverse, what constitutes a protectable persona gets murky. Over the years, courts have begun to protect other indicia of an individual’s identity, such as look-alikes, catchphrases, caricatures, nicknames, and performance characteristics. As live virtual musical performances become more prolific, it is very likely that the scope of protection of a person’s persona will also increase, or at least be brought into question.
“Identify Yourself, Avatar!”: Digital Identity and Reputation
One of the hallmark benefits ascribed to blockchain technology is the ability to own certain property and transact free from scrutiny from or control by centralised powers. This is achieved, in part, through the veil of anonymity. Transactions are trustless because the subject consensus protocol verifies the transaction terms on both sides of the equation, irrespective of party identity. But what if you wanted to trustlessly validate transactions based not on transaction terms, but on party identity?
Enter identity and reputation tokens. Depending on who you ask, these tokens may be viewed as either one of the most important developments in metaverse and blockchain evolution, or the antithesis of blockchain’s reason for being – freedom from centralised control. Whatever your blockchain ideology, identity and reputation tokens are here and their use cases are likely to expand quickly. Accordingly, consumer-facing businesses should begin considering the implications, benefits and potential pitfalls surrounding merging of real world and on-chain identity. Perhaps the most promising development driving identity and reputation use cases is SoulBound Tokens (SBT).
On 11 May 2022, Vitalik Buterin, E. Glen Weyl and Puja Ohlhaver released a white paper titled, “Decentralized Society: Finding Web3's Soul”. The white paper describes the potential for the foundation of a fully decentralised society (DeSoc) governed by its users. SBTs would operate at the heart of DeSoc and serve as the on-chain repository of users’ real-world credentials, identity and reputation.
Technically, SBTs are NFTs that certify a fact about the holder. Such facts may include the holder’s:
The potential is limitless. Once SBTs are issued to a holder’s wallet, they are forever bound and cannot be transferred. Possession of a medical SBT could allow an avatar to enter a metaverse clinic and immediately be recognised by the owner’s real-world medical records. An SBT signifying the holder as a 2023 spring enrollee in a Philosophy 101 class at ACME university might gain the holder access to metaverse lectures and course materials. Real-world private clubs might issue SBTs to members allowing access to SBT-gated social spaces and events in the metaverse.
In addition to personal facts and history, SBTs can also serve to record and manage relationships between brands and their consumers. It is not a stretch to imagine a brand tokenising its loyalty programme and issuing SBTs to customers based on both digital and real-world brand interactions. In fact, Binance has already launched an SBT called the Binance Account Bound (BAB) token. The BAB acts as an identity passport across the entire Binance network for those users who have satisfied KYC requirements. The token will also allow customers access to special projects as well as the accrual of benefits to holders who perform certain actions, giving Binance the ability to gamify customer experience and tie specific touchpoints and critical interactions to rewards.
Potential legal issues
Privacy is almost certain to become a central battleground as SBTs proliferate and evolve. On-chain identity passports containing drivers’ licence numbers, medical information and the like will certainly be considered personally identifiable information (PII) under US privacy statutes, as well as personal data under the General Data Protection Regulation (Regulation (EU) 2016/679). A more nuanced review may be necessary to evaluate on-chain loyalty elements that integrate activities and data points that span across a brand’s ecosystems. The matter is likely to be complicated as user wallets begin to collect SBTs from disparate sources that do not amount to PII individually, but may do so as an aggregate. Additionally, data breaches may not be a brand concern under the current vision for SBTs where data is stored in user-controlled wallets. However, if SBTs begin to be issued to user wallets custodied by a brand, breach protection will become a significant focus.
While a lifetime lived fully virtually may arise in the future, the nearer term will belong to more limited experiences as the metaverse technology evolves. As metaverse technology evolves it is likely to involve “blended worlds” which include both virtual and real-world experiences. As these “blended world” use cases continue to expand in novel ways, so too are the legal complexities likely to multiply. Navigating these developments will require legal counsel not only to firmly grasp the real-world and virtual-world legal issues, but also to understand the manner in which the virtual-world technology works, so that legal counsel can synthesise these two regimes, creating issues of first impression. Counsel will need to be comfortable providing guidance in territories for which there are no maps (yet) and agile enough to anticipate issues as this nascent industry develops.
2000 Avenue of the Stars
Los Angeles, CA
+1 310 595 3000
+1 310 595 3300
Tom.Ara@us.dlapiper.com
www.dlapiper.com