log in
Print | Back

Lowenstein Sandler LLP

Matt Savare

Matt Savare



  • Corporate
  • Intellectual Property & Patents
  • Franchise and Distribution
  • Blockchain Technology & Digital Assets

WSG Practice Industries


WSG Leadership

ABA Group

Lowenstein Sandler LLP
New York, U.S.A.


A veteran of high-profile representations in the digital advertising, media, and entertainment sectors, Matt brings a proven track record to his work for a broad range of clients. 

Matt has represented clients in copyright, trademark, trade secret, and right-of-publicity matters—with a particular emphasis on how new and emerging technologies are disrupting traditional businesses—in the following sectors:

  • Blockchain and Cryptocurrencies
  • Software (SaaS, PaaS, development, services)
  • Big data 
  • Social media
  • Advertising, financial, and education technology
  • Media and entertainment
  • Life sciences 
  • Retail (online and brick and mortar) 
  • Beauty and fashion
  • Food and beverage
  • Government contracting
  • Investment management

His work also includes counseling clients on information privacy and data security issues (including the California Consumer Privacy Act [CCPA]), cybersquatting, domain name disputes, and technology licensing. He represents The Estée Lauder Companies Inc. in connection with various investments and acquisitions, with a particular emphasis on intellectual property and right-of-publicity issues. He also represents News Corp. in connection with its digital advertising initiatives, and regularly drafts and negotiates endorsement, sponsorship, and personal appearance deals for athletes, celebrities, and major brands. 

During his time as a litigator, Matt handled various entertainment, intellectual property, false advertising, right-of-publicity, and privacy disputes, including defending a copyright infringement suit filed by the Estate of Frank Zappa and assisting in the successful defense of David Chase in connection with The Sopranos.

Prior to joining Lowenstein, Matt worked for the Department of the Army, negotiating and drafting multi-million dollar procurements for communications and electronics equipment and related services, with an expertise with the FAR, DFARS, and AFARS.

Bar Admissions

    New York
    New Jersey


Seton Hall University School of Law (J.D. 2004), summa cum laude, Articles Editor, Seton Hall Law Review, Valedictorian
Monmouth University (M.A. 2001), summa cum laude, Co-valedictorian
Drew University (B.A. 1995), summa cum laude
Areas of Practice

Blockchain Technology & Digital Assets | Corporate | Franchise and Distribution | Intellectual Property & Patents | Intellectual Property Litigation | Investment Management | Life Sciences | Litigation | Media & Entertainment | Media and Entertainment | Patent Counseling & Prosecution | Patents | Privacy & Cybersecurity | Privacy and Information Security | Privacy Law | Seed Stage Investing & Startups | Technology & Media Transactions | The Tech Group | Trademark Prosecution And Enforcement | Trademarks, Copyrights & Trade Secrets | Venture Capital & Tech M&A

Professional Career

Significant Accomplishments

Represents companies involved in every facet of the ad tech ecosystem, including the world's leading publishers, ad networks, ad exchanges, DSPs, SSPs, and data aggregators.

Represents The Estée Lauder Companies Inc. in connection with various investments and acquisitions, with a particular emphasis on intellectual property and right of publicity issues.

Represents numerous hedge, private equity, and other funds and their portfolio companies regarding data privacy, data security, and information technology and services agreements.Regularly drafts and negotiates endorsement and personal appearance deals for athletes, celebrities, and major brands.

Speaking Engagements

Matt Savare will moderate the panel discussion "Wearable Tech – What Is it? What Privacy Professionals Need to Know!" Sponsored by the New Jersey KnowledgeNet chapter, which is co-chaired by Cassandra Porter, the program will include a discussion about wearable technologies and the associated privacy implications. The event will conclude with a wine and cheese reception.

Lowenstein Sandler and Osborne Clarke will host the, "The ABC's of Blockchain: Altcoins, Bitcoins, and Coin Offerings." The explosive growth of blockchain and cryptocurrencies over the past year has led to an unprecedented number of ICO and new crypto tokens globally. The panelists will provide an overview of blockchain and the recent business, legal, and regulatory issues surrounding cryptocurrencies and initial coin offerings from a US, European, and Asian perspective.

For more information, email [email protected]

Matt Savare kicked off the event with an overview of blockchain, setting the stage for the Young Pros audience to first gain an understanding of the technology before identifying its role in advertising and media buying/selling. He covered various related terminology and often provided analogies to break it down when further explanation was needed.

From cookies to pixel tags and mobile devices to connected televisions, privacy and data issues abound in the world of digital advertising. Lowenstein's Matt Savare moderates a lively panel with privacy professionals from the various constituencies in the complex ad ecosystem to discuss the legal and regulatory landscape, commercial contracting issues, and what’s next.

Moderator: Matt Savare, Partner, Lowenstein Sandler LLP


  • Michael Hahn, Senior Vice President & General Counsel, IAB & IAB Tech Lab
  • Daniel Shore, Privacy Counsel, Conversant LLC
  • Julia Shullman, Vice President and Chief Privacy Counsel, AppNexus
  • Travis Davis, Counsel, Hearst

This session takes place 4-5 p.m. on October 4, 2018. The conference is being held at the Cloyd Heck Marvin Center at George Washington University, 800 21st Street, N.W.Washington, D.C. 20052.

Join us for our 4th Annual Cyber Day. This half-day program features sessions led by Lowenstein lawyers and other industry leaders who will discuss how companies can navigate cybersecurity, blockchain, and data privacy issues as well as the cyber insurance market in order to operate in a post-GDPR business landscape.

Topics include:

  • Cyber Risks: Where to Find Coverage and How to Maximize Recovery for Cyber Claims 
  • A Global Perspective: Status Report on the Impact of GDPR and What You Need to Know About the Evolving U.S., Federal, and State Data Privacy Laws
  • Government Investigations: How to Prepare and What to Do
  • Beyond Bitcoin: An Introduction to Blockchain

Lowenstein speakers include: 

The program runs 7:30 a.m.-2 p.m. Program location: Lowenstein Sandler LLP, One Lowenstein Drive, Roseland, New Jersey 07068; 973.597.2500. CLE credit available.

In-house lawyers in industries far beyond the tech world–such as financial services, pharmaceuticals, insurance, and consumer electronics, to name only a few–need practical guidance on the many ways that cybersecurity and privacy issues can affect all stages of business, from the valuation of data as an asset to the allocation of risk.

In response to this need, Lowenstein Sandler has expanded our annual program to include an even deeper dive into cybersecurity issues of special interest to GCs, CPOs, and CIOs. Our interdisciplinary group of privacy and data security specialists has teamed with in-house counsel to develop programming aimed to help corporations and executives navigate the potential risks, regulations, and benefits at stake, as well as best practices to address these issues.

Topics include:

  • Data Protection Law Developments: A Year in Review and What to Expect in 2020
  • Artificial Intelligence: Preparing for the Future of Business
  • Cyber Insurance: What It Covers, Why You Need It, and How To Get It
  • Blockchain Promises Solutions Across Industries, But Will it Deliver?
  • Telehealth and Telemedicine: The Future of Health care?
  • Biometric Data: From Finger Scans to Facial Recognition, a Deeper Dive into Artificial Intelligence
  • State Privacy Laws: A Deeper Dive into New and Amended U.S. State Privacy and Cybersecurity Laws

Program time: 7:30 a.m.-2:15 p.m. 

Program location: Lowenstein Sandler LLP, One Lowenstein Drive, Roseland, New Jersey 07068; 973.597.2500. 

CLE credit available.

Wi-Fi access and conference space will be available to take phone calls and stay connected to your workday.

Professional Associations

Trustee, Black Maria Film Festival


"Legal Aspects of Independent Film-Making", Temple University, November 2002, 2003, and 2004

Professional Activities and Experience

  • Savare - Section 809 Panel on Streamlining & Codifying Acquisition (2017) - Named advisor on blockchain issues.
  • Savare - IAB Tech Lab Blockchain Working Group
  • Savare - IAB Tech Lab Education and Taxonomy Working Group
  • Online Marketing Institute Top 40+ Digital Strategists - Online Marketing Institute - 2014
  • Rising Star - Super Lawyers New Jersey - (2013-2014)
  • Variety - 2011
  • Outstanding Volunteer of the Year - New Jersey Volunteer Lawyers for the Arts - 2011
  • Distinguished Alumnus - Monmouth University - 2011


Some Going Concerns: A Primer on Intellectual Property Issues in Bankruptcy for Licensors and Licensees
Lowenstein Sandler LLP, June 2020

Westlaw Journal Bankruptcy Much has been written on the myriad of legal issues emanating from the global COVID-19 pandemic: the constitutionality of the lockdowns, liability for stores that open, the process of obtaining PPP loans, and the applicability of force majeure clauses, to name a few. As intellectual property and bankruptcy practitioners, we are fielding more questions regarding the impact of bankruptcies (both actual and potential) on the rights of licensors and licensees...

Fear of Brave? An Analysis of GDPR Challenges to Behavioral Advertising
Lowenstein Sandler LLP, November 2018

On September 12, 2018, a complaint was submitted to the Irish Data Protection Commission1on behalf of Johnny Ryan, Chief Policy and Industry Relations Officer at Brave Software, Inc., seeking to trigger, for the first time, an EU-wide investigation into certain data practices within the digital advertising industry...

Inflection Point for VR?
Lowenstein Sandler LLP, November 2017

 Despite predictions over the last several years that virtual reality (VR) and augmented reality (AR) were going to dominate consumer technology, adoption and sales have been slower than many had forecasted...

Additional Articles

Rampant, worldwide cyber security incidents such as data breaches, phishing attacks, and malware across various industries have caused tremendous damage (physical, monetary, and reputational) to companies and consumers. One only has to open a newspaper (likely a digital one) to witness a new attack. Just in recent years, billions of records have been compromised in massive, high-profile breaches.

Although not a new phenomenon, ransomware has emerged as another nefarious cyber threat. Insurance company Beazley reports that the number of ransomware attacks reported by its insureds quadrupled from 2015 to 2016. In 2016 and 2017, various strains of ransomware such as WannaCry and Petya have entered the global lexicon and wreaked havoc on hundreds of thousands of computers.

Is it time for virtual and augmented reality to enter the mainstream? And what are the IP pitfalls to avoid when embracing this evolving technology?

Read more about the myriad of intellectual property issues that may arise for companies involved in virtual, augmented, and mixed reality, in "Inflection point for VR?," published in Intellectual Property Magazine, authored by Partner, Matt Savare, and Associate, Leah Satlin.


Interested in learning more about open-sourcing issues and related risks developers face when using ethereum as a foundation for their own applications?

Read more about the challenges and potential pitfalls involved in using ethereum's open-source code in "Coders Beware: Licensing Issues Abound for Ether Apps," published in CoinDesk, authored by Partner, Matt Savare and Associate, John Wintermute.

*This was originally published on CoinDesk.

By now, most people have heard about bitcoin.  Fewer people, however, understand the difference between bitcoin and blockchain and even fewer people have heard about – or dealt with – Ethereum and smart contracts.  Read more about how smart contracts can help businesses in various industries and how in-house counsel and their outside law firms can create and implement smart contracts in "Get Smart: Automating Business Agreements with Blockchains and Smart Contracts," published in Global Banking & Finance Review®, by Matt Savare and Kurt M. Watkins.

This article was originally published in Global Banking & Finance Review® 


The State of California recently enacted into law the new, sweeping California Consumer Privacy Act of 2018, which will go into effect on Jan. 1, 2020. Experts estimate that the Act will apply to more than 500,000 U.S. companies, reaching businesses of various sizes in virtually every sector. To be sure, the Act will have profound implications for the digital advertising industry, given its breadth and seeming extraterritorial reach. In this article, we explore the scope of the law and how its more significant provisions will impact digital advertising.

Artificial intelligence (AI) has moved from the silver screen and into our homes and businesses. Without even knowing it, most people encounter some manifestation of AI in their daily lives. From intelligent personal assistants such as Siri and Alexa to integrated AI systems such as IBM’s Watson, AI has already had — and will continue to have — a profound impact on the way we work, play, and live.

As attorneys immersed in the technology space, we have witnessed, assessed, and counseled how technology, including AI, will affect the legal profession and the role of general counsel. Although technological changes are often incremental, the sum of those changes with respect to the increased adoption of AI will be enormous. For example, the ability of artificial intelligence to handle certain repetitive and mundane tasks of a legal department in a consistent and efficient way will precipitate a shift in focus of the legal team and likely reduce the legal resources necessary to perform many tasks.

In this article, we discuss three key areas that we believe AI will disrupt and how they will affect general counsel: (1) the automation of routine legal and compliance services and the corresponding repurposing of existing resources; (2) document assembly and analysis; and (3) the need to shift from tactical to strategic thinking.


It was the scenario that many people in the digital advertising world feared: yet another privacy law. In the past several months, the industry has had to digest not only the GDPR, but also the sweeping California Consumer Privacy Act of 2018. Most recently, on July 23, 2018, two Democratic state senators from New Jersey introduced a privacy bill, S2834, which, if passed and signed into law, would saddle the industry with additional, burdensome regulations. Equally important, the New Jersey bill is modeled on the poorly drafted California law, increasing the belief that other states will adopt the same template for their own regulations.

The bill requires operators of commercial internet websites or online services to notify customers of the collection and disclosure of their personally identifiable information (PII). As with the California law, the bill’s definitions are so broadly drafted that they are virtually boundless. For example, “customer” means “an individual within [New Jersey] who provides, either knowingly or unknowingly, personally identifiable information ….” Unlike most other state privacy laws, which generally protect the states’ residents, the bill purports to cover any individual within the state, regardless of residency.

Similarly, the definition of “personally identifiable information” is so expansive that it is difficult to conceive of any online service – especially one in the digital advertising ecosystem – that does not collect personal data. Under the proposed law, personally identifiable information means “any information that personally identifies, describes, or is able to be associated with a customer of a commercial Internet website or online service….” The definition lists 20 non-exhaustive categories of PII, including not only customary ones such as name and address, but also less-sensitive information such as height. Again, unlike many privacy laws – including California’s – there is no exception for anonymized, de-identified, or aggregated data.

Like the California law, the bill includes certain notice and disclosure obligations and imposes a “Do Not Sell My Personal Information” restriction. Specifically, the bill mandates that:

  • Any operator that collects PII of a customer:
    • Provide a notice in its privacy policy that includes, at a minimum, (1) a complete description of the PII collected, (2) all third parties to which it may disclose such PII, and (3) an email address or toll-free telephone number that the customer may use for specific privacy inquiries
    • Clearly and conspicuously post on its website or online service homepage a link titled “Do Not Sell My Personal Information,” which enables the customer to opt out of the disclosure of the customer’s PII
  • If an operator discloses a customer’s PII and receives a request from the customer, the operator must, within 30 days of the request, provide the following information at no cost: (1) the customer’s PII that it disclosed in the past 12 months and (2) the names and contact information for the third parties that received the customer’s PII

Similar to the California law, the bill prohibits operators from discriminating against or penalizing any customer who elects to opt out of the disclosure of his or her PII. However, unlike the California law, the bill does not expressly permit the operator to charge such a consumer a different price or rate or provide a different level or quality of service to account for the fact that the operator will no longer be allowed to commercialize the data. If the California law is suspect on constitutional grounds, it is difficult to argue how this provision in the New Jersey bill does not constitute an unauthorized taking.

The panoply of disparate, overlapping, and often contradictory state privacy laws is increasingly making operating in the online space, including the digital advertising industry, complicated at best and untenable at worst. If states continue to use the flawed California law as a template for their own privacy statutes, confusion, uncertainty, and compliance costs will continue to rise.

In spite of the various benefits of federalism, there are instances where federal legislation is required. Data privacy is one such area. There are signs from the White House and the Commerce Department that the federal government may step in and create a national privacy standard. Although similar prior efforts have died on the vine, the confluence of GDPR, the Cambridge Analytica scandal, and the numerous competing state laws may compel the federal government to step in and address not only the legitimate privacy concerns of consumers, but also the business and operational realities of living in a digital, connected world.

On September 12, 2018, Johnny Ryan, Chief Policy and Industry Relations Officer at Brave Software, submitted a complaint to the Irish Data Protection Commission seeking to trigger, for the first time, an EU-wide investigation into online behavioral advertising (OBA). The complaint primarily focuses on real-time bidding (RTB), the process often used within the digital advertising industry to carry out OBA. The complaint alleges that (i) OpenRTB, the widely-used technical protocol for RTB promulgated by IAB Technology Laboratory, constitutes a ‘‘mass data broadcast mechanism’’ that violates the General Data Protection Regulation (GDPR), (ii) there are no technical measures or adequate controls to support data protection during the RTB process; and (iii) legitimate interest can never be a valid legal basis in the context of widely-broadcast RTB requests. (A companion complaint filed with the UK Information Commissioner’s Office contains virtually identical allegations.)

In its October 30 decision, French supervisory authority, the CNIL, declared that French ad tech startup, Vectaury, violated the EU General Data Protection Regulation by not obtaining valid consent for its collection and use of geolocation data from partner apps and bid requests for targeted advertising purposes. Most notably, the CNIL concluded that Vectaury’s consent management platform, based on IAB Europe’s Transparency & Consent Framework to a certain degree, did not provide sufficiently transparent information about the purposes of data processing.

Since the TCF is used throughout the digital advertising industry to obtain consent, prognosticators are predicting the decision will end the advertising ecosystem and real-time bidding as we know it. However, we argue the CNIL’s key findings show that most of Vectaury’s consent deficiencies either violated, or were not caused by, the TCF and the TCF-specific issues are remediable.

It has been a particularly rough time for the digital advertising industry recently. In September 2018, complaints were submitted to the Irish Data Protection Commission and the UK Information Commissioner’s Office seeking a declaration that the two most widely-used real-time bidding protocols are “mass data broadcast mechanisms” that violate the GDPR. Then, in late October, the French supervisory authority, CNIL, declared that French ad tech startup, VECTAURY, violated the GDPR by not obtaining valid consent for its collection and use of geolocation data from its partners’ apps and real-time bid requests for targeted advertising and profiling purposes. Most recently, on December 3, the Office of the New York Attorney General (NYAG) announced a record settlement with Oath, formerly known as AOL, for violating the Children’s Online Privacy Protection Act (COPPA).

What makes the Oath settlement so newsworthy isn’t simply that Oath has agreed to pay a record-setting amount—almost $5 million—to settle allegations that, as AOL, it violated the federal privacy statute. This settlement is significant because it has established a new standard for notification under COPPA, with wide-reaching ramifications for the broader digital advertising ecosystem.

For background, COPPA mandates, among other things, that no personal information may be collected, used, or disclosed from children who are under 13 years of age without verifiable parental consent. Typically, COPPA applies to those websites and mobile applications designed primarily for such children audiences, such as the very popular Roblox website mentioned by the NYAG in its announcement. As of 2013, COPPA expanded the traditional definition of personal information to include persistent identifiers, such as device and location information, which have historically not been considered as requiring protection in the United States. COPPA is a strict liability statute that applies to any “operator” of a website or “online service” “directed to children,” or any operator that has actual knowledge that it is collecting or maintaining personal information from a child Both the FTC and state attorneys general have the authority to enforce COPPA.

Traditionally, COPPA enforcement at the federal and state level has focused on website operators and app developers whose users fall directly in the under-13 demographic. In June 2016, the FTC announced a then-record $4 million settlement (which was suspended to $950,000 based upon the company’s financial condition) with InMobi for deceptively tracking users without their permission contrary to representations to do just the opposite and, importantly, for deceptively tracking users under 13 years of age who had explicitly flagged that fact for the company. And, in September 2016, the NYAG announced the results of “Operation Child Tracker,” which focused on violations of COPPA by some of the most popular children’s websites. In both instances, however, the focus of law enforcement was on the website or application that was directly servicing the customer. In those cases, the notice to the companies that content was COPPA protected was simply a matter of evaluating the content of the companies themselves.

The most recent NYAG COPPA enforcement against Oath changes what notice means for a company operating in a COPPA-protected environment. According to the NYAG, AOL’s offending conduct was rooted in its operation of ad exchanges to conduct business and serve online behavioral advertising (otherwise known as targeted advertising) on websites that AOL knew were subject to COPPA.

The most significant aspect of this settlement involves what the NYAG asserted to be actual knowledge in this instance. First, as described by the NYAG, AOL received information directly from its customers that its websites were subject to COPPA and nevertheless served targeted ads to those users. Second, AOL conducted independent reviews of the content and privacy policies of websites, made a determination that those websites were subject to COPPA, and nevertheless served targeted advertising. Finally, AOL disregarded notifications it received from other ad exchanges during the bid process that particular ad inventory was subject to COPPA. In some instances, according to the NYAG, this disregard for COPPA flags was done purposefully to increase revenue. In short, notice was imputed based upon COPPA flags or identifiers passed along from one part of the ad tech stack to another. And, AOL disregarded those flags at its peril.

Companies across the digital advertising ecosystem, from publishers and SSPs to advertisers, DSPs, and exchanges, should pay special attention to this recent COPPA settlement and evaluate their own systems for COPPA compliance. Given that COPPA is a strict liability statute, it is possible that even unintentionally passing along targeting information when a COPPA flag is in place could result in liability. More broadly, with the recent decisions and guidance relating to GDPR and the impending implementation of the California Consumer Privacy Act, such companies should evaluate their data collection, use, and disclosures policies and procedures to ensure that they are complying with these myriad and complex regulatory requirements.

Companies should consider reviewing contractual terms and the implementation of individual contracts for compliance and consistency. And, companies should consider training line agents in how to identify potentially improper transactions before those transactions are made. Given the increased attention by regulators in this space, industry members should contemplate adopting a comprehensive compliance system to manage their risk.

Reprinted with permission from the December 27, 2018 edition of Legaltech News.

© 2018 ALM Media Properties, LLC. All rights reserved.

Further duplication without permission is prohibited. ALMReprints.com – 877.257.3382 - [email protected].

On January 28, 2019, the Panoptykon Foundation filed a complaint with the Polish Data Protection Authority against IAB Europe on behalf of an individual, alleging that OpenRTB, the widely-used real-time bidding (“RTB”) protocol promulgated by IAB Tech Lab,[1] violates numerous provisions of the General Data Protection Regulation (the “GDPR”). The complaint recycles many of the same arguments made to the Irish Data Protection Commission and the UK Information Commissioner’s Office in 2018; we analyzed these other arguments in a previous article.

The complaint argues that IAB should be considered a data “controller” under the GDPR for all processing activities undertaken through OpenRTB.  As discussed below, such a contention would dramatically (and improperly) expand the definition of “controller” and should be rejected by regulatory authorities.


The GDPR regulates “processing activities” (i.e., discrete operations performed on personal data).  An entity is either a data “controller” or a data “processor” with respect to such processing activities. In other words, the determination of an entity as controller or processor must be analyzed in relation to whatever processing activities are in question.

All processing activities have at least one controller. A controller determines the “purposes” and “means” of such processing activities, either alone or jointly with other controllers.  The “purpose” is why a processing activity is being carried out and the “means” are how that processing activity will be carried out.

Although the definition of “controller” has been interpreted broadly, guidance and case law require that an entity, alone or with others, have a certain level of factual “influence” on the purpose and means of processing to be considered to have “control.” Indeed, the Article 29 Working Party (the “WP”) provides that “eing a controller is primarily the consequence of the factual circumstance that an entity has chosen to process personal data for its own purposes.” (Emphasis added). 

The WP further explains that determination of the means “would imply control when the determination concerns the essential elements of the means.” (Emphasis added).

Determination of the “means” therefore includes both technical and organizational questions where the decision can be well delegated to processors (as e.g. “which hardware or software shall be used?”) and essential elements which are traditionally and inherently reserved to the determination of the controller, such as “which data shall be processed?”, "for how long shall they be processed?”, “who shall have access to them?”, and so on. (Emphasis added).

Thus, although determining the purpose of a processing activity automatically renders an entity a “controller,” an entity determining the means of processing is considered a controller only when such determination concerns the essential means.


The complaint relies primarily on one case from the European Court of Justice (“ECJ”) to support its claim that IAB is a controller with respect to all processing activities undertaken through OpenRTB: Case C-25/17 (the “Jehovah’s Witnesses case”). The complaint also cites to Case C-210/16, which we discuss and distinguish in our previous article linked above.

In the Jehovah’s Witnesses case, Jehovah’s Witnesses members (i.e., preachers) went door-to-door to convert others to their faith.  The members wrote notes on their visits, such as the names of the people they visited, their addresses, and summaries of their conversations.  The Data Protection Supervisor claimed that the Jehovah’s Witnesses religious community (the “JWC”) was a controller in relation to the notes taken by their members during this door-to-door preaching.

The JWC contended that it was not a data controller because it did not determine the purposes and means of processing, alleging (1) the JWC did not formally require the collection of notes by its members and (2) the JWC did not have access to the members’ notes. 

The ECJ, along with the Advocate General, analyzed the JWC’s potential role as a data controller in relation to the specific processing activity in question: members’ note taking when door-to-door preaching. The ECJ held that the JWC “organized and coordinated” the preaching to such a level that it defined the purposes and means of processing in the context of that preaching jointly with its members.  The Advocate General emphasized that the JWC: (1) “gave very specific instructions for taking notes;” (2) allocated areas among the members to better organize the preaching and increase the chances of converting individuals; (3) kept records on how many publications the members disseminated and the amount of time they spent preaching; and (4) kept a register of individuals who did not want to be visited.


First, the complaint alleges that “IAB is one of the two leading actors...in the market of behavioural advertising which organises, coordinates and develops the market by creating specifications of an API...that is utilised by companies that participate in [OpenRTB] auctions in ad markets...Those specifications are accompanied by the rules of their application [in the IAB Transparency and Consent Framework].[2]

The complaint does not claim that IAB is the controller of any specific processing activities. Instead, it claims that IAB is the controller of all processing activities undertaken through OpenRTB that relate to “behavioural advertising” because it is a “leading actor” that “organizes, develops and coordinates the market.” In other words, it is stating that IAB’s control over the market is similar to the JWC’s control over its preachers in that the IAB co-determines what personal data shall be processed and why for all participants within OpenRTB and, by extension, the multi-billion dollar behavioral advertising industry.

The complaint's reliance on the “organized and coordinated” language within the Jehovah's Witnesses case ignores all context in which it was used. "Organization and coordination" was only relevant because it resulted in determination of the purpose and means of processing within that particular fact pattern. In other words, the JWC's "organization and coordination" of the members' note-taking activity amounted to such tight control that it was viewed as instructing them to process personal data on its behalf for a discrete purpose and, thus, determining the "purpose and means of processing" as a joint controller.

However, the level of control in the Jehovah’s Witnesses case is readily distinguishable. The JWC instructed its members (i.e., its preachers) to go door-to-door for the discrete purpose of expanding the JWC's membership (i.e., converting others to its faith). To ensure the effectiveness of the activity, the JWC "organized and coordinated" the activity by assigning members to different areas, keeping track of how long they preached and how many publications they distributed, and providing detailed instructions on what notes to take (i.e., what personal data to process).

Conversely, IAB’s promulgation of the OpenRTB standard does not result in the IAB instructing or direction another business as to what personal data it shall in fact process or transfer through the protocol, or for which purposes. Unlike preachers answering to a centralized authority, entities do not engage in processing activities over OpenRTB at the behest of, or for a shared purpose with, IAB.

A standard’s primary objective is to define technical requirements for interoperability among various systems. As such, it allows entities to carry out activities more efficiently through a common “language.” However, this development of a communication medium by which processing activities may be carried out must be differentiated from the processing activities themselves. The purpose for initiating processing and each subsequent operation relating thereto (e.g., collection, transmission to downstream partners) is determined at the business level. IAB’s defining of the protocol’s structure provides the technological capability for entities to carry out such activities, but it is not, in itself, a processing activity or “purpose.” The alternative would create a virtually unlimited definition of “controller.”  Likewise, IAB’s theoretical ability to lessen the processing capability of the protocol – such as eliminating the “device identifier” field – also cannot be a criterion by which control is decided in this context. If such ability were acted upon, it would only limit the range of processing activities capable within that technology (activities that organizations need not carry out in the first place). This attenuated “control by exclusion” leads to bizarre results and is not what the GDPR intended. For example, any provider that releases technology capable of a range of processing activities would become a controller of all such activities if it ever puts limits on that capability.

Second, the complaint also alleges that “IAB has full control of how the behavioural advertising market within...[OpenRTB] is designed and operates, so it decides at its own discretion how the processing of personal data is to be carried out, e.g., by determining the elements that must be included in the so-called bid request, i.e., a request for submission of bids in an ad market.”  In other words, the complaint argues that IAB, through OpenRTB, decides the essential means of all processing activities carried out under the technical protocol.  

When analyzed against the aforementioned elements highlighted by the WP, IAB does not determine the “essential means” of the processing activities carried out over OpenRTB:

  • Which data shall be processed?
    • IAB does not decide what data will be processed when entities carry out processing activities via OpenRTB. The complaint conflates the capability to allow entities to process personal data with deciding what data shall be processed for any given processing activity.
    • The Panoptykon Foundation and related parties argue that because almost all bid requests sent via OpenRTB contain at least a device identifier, and OpenRTB documentation recommends device identifiers be included in bid requests, IAB decides that entities shall process device identifiers. Such an argument is unavailing. Technology providers routinely recommend that personal data be processed for added business value (e.g., SaaS platforms). No one has seriously argued that these providers automatically become joint controllers by virtue of doing so. The decision to process such data is left to the autonomy of the user.
  • For how long shall the data be processed/when should the data be deleted?
    • IAB does not mandate retention periods. Such a decision is solely within the business’s own legal judgment for what satisfies the storage limitation principle for its particular processing activities.
  • Who shall have access to the data?
    • This decision is, again, controlled entirely by the entities using OpenRTB and differs dramatically depending on the context in which advertising may be transacted (e.g., open auction, private marketplace, programmatic, or direct).

Third, according to the complaint, IAB is a controller because it has general knowledge that processing is happening through OpenRTB:

[T]he JWC, which collects information on its members (as opposed to information on persons visited by its members), becomes, by creating guidelines and maps, a joint controller of personal data of persons visited by its members despite the fact that it does not establish any direct interaction with those persons and has no access to such data. This instance can be directly compared with IAB, as its role is also to provide guidelines and specifications to companies that participate in auctions in ad markets. Like the community analysed by the CJEU, IAB has a general knowledge of the fact that processing is carried out and knows its purposes (matching ads in RTB model), as well as it organizes and coordinates activities of its members by way of management of... [OpenRTB].

Although it is correct that an entity does not need direct access to data to be a controller, it still needs a level of control sufficient to determine the purposes and means of processing.  Much of the above quote is a restatement of the complaint’s previous arguments examined herein.

However, there is one slightly different argument presented: “IAB has a general knowledge of the fact that processing is carried out and knows its purposes...” and thus is a controller. This “general knowledge” standard that the complaint proposes further ignores all context and nuance from the Jehovah’s Witnesses case. Clearly, every company that has a general knowledge that processing is being carried out through its technology, and is aware of the purpose for which its carried out, cannot be a joint controller or else virtually every technology company (e.g., standards bodies, SaaS platforms, and software companies) would be a joint controller.

The CJEU’s mention that the JWC was aware of its members’ processing of personal data (i.e., note taking) was to demonstrate that excessive formalism (i.e., an express written statement telling individuals to process data) should not be required when an entity has such a level of control that it, practically speaking, instructs others to carry out processing of personal data for a defined purpose. As mentioned above, providing guidelines and technical specifications to companies, or simply knowing that personal data is being processed through OpenRTB, does not amount to the level of control contemplated by the GDPR or prior case law to become a joint controller.  

Finally, the complaint contends: “The argument that [OpenRTB] created by IAB is only a technical protocol which does not obligate particular companies to process data is ill-advised and not true. [OpenRTB] enables and facilitates the processing and dissemination of data as the protocols that are connected with [Open RTB] include certain fields that are so designed that they trigger transfers of data, including sensitive data....”

Notwithstanding such allegations, OpenRTB does not obligate companies to process personal data. None of the required fields to send a bid request per OpenRTB documentation contain personal data. Fields at issue in the complaint, such as the description of a URL’s content, geolocation, device identifier, and user agent string, are optional. This optionality makes sense because OpenRTB is used for activities outside of “behavioral advertising,” such as digital out-of-home and contextual advertising, and in such cases personal data is often irrelevant or not processed.

As mentioned above, the complaint conflates providing entities the capability to process personal data, or recommendations to process personal data (e.g., bid request examples and recommended fields within OpenRTB documentation) for added business value, with having the requisite control to decide what data shall be processed by a particular entity. 


It seems evident that behavioral advertising critics desire IAB to amend OpenRTB so that no personal data is capable of being transmitted at all. In their singular focus to bring about this result, these parties advocate expanding the definition of controller so broadly as to render almost all companies in every industry as controllers.

If they succeed, although they may accomplish their own goals, they may also stop (or diminish) the willingness of technology providers and standards bodies to engage in the European market.  Here, we should heed the Advocate General’s warning in the FashionID opinion that excessively expanding the scope of what constitutes a controller will create such a lack of clarity that it “...crosses into the realm of actual impossibility for a potential joint controller to comply with valid legislation.”

[1] The Complaint is filed against IAB Europe; however, IAB Tech Lab, rather than IAB Europe, promulgates the OpenRTB standard. For convenience, we use the term “IAB” throughout this article.

[2] All quotes taken from the complaint have been translated from their original Polish.

The digital advertising industry is undergoing a rapid regulatory transformation. The EU General Data Protection Regulation went into effect more than a year ago, and the California Consumer Privacy Act is right around the corner with a Jan. 1, 2020, effective date. Other jurisdictions are likely to follow. Industry lawyers created legal frameworks to comply with the GDPR but now need to determine what changes are needed to comply with the CCPA and, potentially, future privacy laws in other states.

One important part of that assessment is the data processing addendum.

Chapter excerpt: Talia Joy Castellanos, a thirteen-year-old YouTube and Instagram star, passed away on July 16, 2013, after a six-year battle with neuroblastoma and leukemia. Talia’s social media postings on makeup, fashion, and her battle with cancer, connected with fans worldwide. In addition to accumulating millions of YouTube and Instagram followers, Talia appeared on The Ellen DeGeneres Show and was named an honorary face of CoverGirl cosmetics. At the time of her death, the videos on Talia’s YouTube channel had accumulated tens of millions of views and were valuable assets.

Talia’s social media following created extensive and lucrative digital assets that raise a special set of questions about how these assets should have been managed before and upon her death. Who owns Talia’s videos and other postings? Who has the right to control her accounts?


The American Bar Association's Tax, Estate, and Lifetime Planning for Minors focuses exclusively on the pertinent issues facing adults when planning for younger family members. This updated edition looks at the many and often complicated issues involved in these situations, including taxation, education funding, insurance, disability, and even planning for an adult’s incapacity or death. Combining core legal concepts with practical wisdom, Tax, Estate, and Lifetime Planning for Minors is a unique resource for attorneys advising clients in their estate and financial planning when minor children are involved. This is a ready reference not only for seasoned practitioners but for the general or novice practitioner handling their first estate plan.

(purchase required to access article)

In August 2018, Congress expanded the authority of the Committee on Foreign Investment in the United States (CFIUS) to review, block or unwind certain transactions involving foreign investment without “control” of key US assets, businesses or technologies. Following the passage of the Foreign Investment Risk Review Modernization Act (FIRRMA), CFIUS acting on authorities granted in FIRRMA issued new regulations under which certain transactions involving “critical technologies” impact the new pilot program industries that targets 27 industries.

Unlike the pre-FIRRMA CFIUS submissions that were technically voluntary, the new pilot program submissions are now required. (See 31 CFR Part 801.) Failure to submit a now required CFIUS Pilot Program submission can carry a maximum civil penalty equal to the value of the underlying transaction. The pilot program went into effect on November 10, 2018.

For transactions covered by the pilot program, which currently covers 27 critical industries, parties must submit a mandatory declaration if a transaction would give a non-US person control over the business or when a foreign person does not even gain “control” but merely makes a particular investment.

Pain Points and Requirements

The core new “pain point” is the now possible mandatory CFIUS Pilot Program (PP) filing, unlike the earlier filings which were “voluntary.” Broadly and with certain exceptions, the PP sets forth a 2-part test to assess if a mandatory filing applies to a transaction.

  1. The transaction must involve a Pilot Program US business even if a foreign person does not acquire “control” but would afford the foreign person access to “any material nonpublic tech info” possessed by the PP US business or membership on a board/governing body of the PP US business or any involvement (other than thru voting of shares) in substantive decision making of the PP US business about the use, development, acquisition or release of “critical technology” or the transaction could result in foreign “control” of the PP US business.
  2. The US business that is the recipient of the foreign investment must be one that produces, designs, tests, manufactures, fabricates or develops a “critical technology” that is (i) utilized in connection with the US business activity in a PP industry or (ii) designed by the US business specifically for use in one or more PP industries.

Shortly after the pilot program went into effect, the DOC’s Bureau of Industry and Security (BIS) issued a proposed rule to add 14 technology categories to list of emerging technologies, which could also be subject to the mandatory CFIUS declarations and would also impose new export license requirements by amending or adding additional Export Control Classification Numbers (ECCN) which are an alphanumeric designation (e.g., 1A984 or 4A001) used in the Commerce Control List (CCL) to identify items for export control purposes. Companies or individuals that wish to export items, technology or software on the CCL may be required to obtain an export license depending on the item being exported as informed by the correct ECCN properly determined and the country to which the item is being exported. Among these 14 additional technology categories were robotics, quantum computing, and artificial intelligence (AI).

It’s important to note that even if your organization is not seemingly related to one of the 27 specific industries, under other recent US Commerce Department action, your company may still be subject to the mandatory export license requirements. The DOC recently added discrete microwave transistors, continuity of operation software, post-quantum cryptography, underwater transducers, and air-launch platforms to the list of emerging technologies and designated these items with ECCNs than can trigger DOC export license requirements, outside the CFIUS purview.

The Issues with AI

The Trump Administration is keenly interested in controlling foreign access to AI. Artificial intelligence is increasingly viewed as critical to protecting US security interests because of its possible implications for military and national defense or other security policy. The AI field, which is focused on the capability of a machine to imitate intelligent human behavior, is rising rapidly with the advent of technologies such as driverless cars and autonomous weapons.

Machine learning, a collection of algorithms that can learn from and make predictions based on recorded data, makes up a large part of what drives AI. The accuracy of a machine learning model depends on the quality of that data. Within the IP sector, the number of machine learning related patents is growing because software-based methods and systems are generally patentable.

The data used to train machine learning models may be classified as “technical data” or information under export regulations. The International Traffic in Arms Regulations [ITAR] and the Export Administration Regulations [EAR] generally define export-controlled technical data or technology as information for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of as relates to certain items as specific in the applicable control. There are various exclusions from export regulations of technical data or technology and may include:

  • Public domain or publicly available information
  • Education information, including that commonly taught in schools and universities
  • Fundamental research

Technical data or technology that falls into one of these three categories generally does not require a license to export, reexport, transfer, release or disclose to a foreign person. It is critical to know that any such export, release or disclosure in the United States to a foreign person, such as your employee, contractor or agent will be deemed by the US Government as an export to that foreign person’s country of nationality or birth in certain cases. These are commonly called “deemed exports.” Such export control license requirements are completely outside the scope of CFIUS’ purview.

Takeaways for AI Companies

The export controls DOC has proposed could end up hindering American AI technology development because the open availability and freewheeling exchange of information among employees and contractors of AI training data is so essential to researchers making strides in the field. As more AI may become subject to new and stricter export controls, the need to consider to obtain an export license to carry on with “routine” AI work will be critical. However, DOC also stated that it will not expand its jurisdiction over what it considers “fundamental research.”

The current policies assume that differentiating between commercial and military AI applications is easy, when in reality is there is plenty of overlap between the spaces. For example, iPhone users can unlock their phones with facial recognition technology. That same technology could be used to target weapons. As the regulations continue to roll out for identifying and imposing export controls on new ECCNs to AI and other emerging technologies essential to US national security, it will be important for lawmakers to consider how the AI export controls will be implemented so as not to hinder innovation.

Companies must be aware that while an export is generally considered to be materials, information, and technology that leaves the US, a deemed export is something that may be occurring frequently under the company’s nose. If deemed exports of newly controlled AI is not properly licensed for release or disclosure to foreign persons, export control violations will likely occur which may carry severe penalties. Items and technology that are controlled either by the EAR or ITAR will also be considered as critical technology by CFIUS for both voluntary and mandatory CFIUS purposes.

Companies looking to get ahead of the potential deemed export control implications, or seeking investment from foreign investors, should determine the ECCN of their AI, software, and other technology items. While there is still uncertainty in what will be implemented for CFIUS review, knowing these classifications will make it easier to understand what export licenses may be required in the future.

Reprinted with permission from the August 8, 2019, edition of Legaltech News.

© 2019 ALM Media Properties, LLC. All rights reserved.

Further duplication without permission is prohibited. ALMReprints.com – 877.257.3382 - [email protected].

In May 2000, long before the creation and launch of Facebook and Twitter, the Federal Trade Commission (?FTC?) issued its ?Dot Com Disclosures.? That document addressed how the FTC?s consumer protection rules and regulations regarding unfair and deceptive business practices applied to the brave new world of online advertising. 

Fast forward 13 years. With the advent and proliferation of social and mobile media, the advertising landscape of today is dramatically different. 

In light of these technological and cultural changes, the FTC decided it was time to dust off its original guidelines and, in March 2013, it issued its revised ?.com Disclosures: How to Make Effective Disclosures in the Digital Age? (the ?.com Disclosures?).

Although the new guidelines do not have the force and effect of law and adherence to them does not serve as a safe harbor, they are intended to provide businesses examples and direction on how to avoid unfair or deceptive business practices in connection with digital advertising. 

In addition, the FTC could use a failure to comply with the .com Disclosures as a basis to bring an enforcement action under the FTC Act.  Therefore, brands and agencies are well-advised to reevaluate their advertisements and disclosure practices in light of these new revisions and to adopt certain best practices.

This Legal Guide for Direct Brands provides a concise overview of legal issues often confronted by companies, particularly direct brands. Direct brands are companies characterized by their direct connections to consumers and are disrupting the business model of market-leading companies. This guide covers:

  • Why founder and equity agreements are vital for direct brands and the documents necessary for such investment transactions.
  • How commercial and intellectual property issues and privacy policies and terms can ensure companies retain all rights in the intellectual property of their businesses.
  • The essentials of privacy, advertising, and marketing law for direct brands.
  • The various types of product liability claims, legal defenses for product liability, and potential product liability claims for software that direct brands face.

This guide is intended to help companies spot issues that should be discussed with counsel and is not a substitute for legal advice.

A merger or acquisition is often one of the most important decisions a company will ever make. M&A activity can completely change the trajectory of a company's future and has the capacity to spectacularly fail or succeed.

Consider some of the most profitable (e.g., Disney and Pixar, Disney and Marvel, Exxon and Mobil, and Google and Android) and some of the most unsuccessful deals ever (e.g., America Online and Time Warner, and Sprint and Nextel).

Despite a strong U.S. economy, there have been fewer global mergers and acquisitions in 2019 compared to prior years. 

With fewer (but often higher-priced) deals, the stakes are greater than ever to consummate the right deal at a proper valuation. Accordingly, due diligence has taken on increased importance in the M&A deal-making process.

This article focuses on the legal due diligence process, and certain best practices for the management thereof, in transactions involving private sellers. We will provide a high-level review of some of the pain points in the legal diligence process and identify several techniques for the management of information flows through a specialist-fueled legal deal team.

We will also briefly touch on the impact that the advent of representation and warranty insurance policies has had on the due diligence process and what an insurance company may expect to receive prior to underwriting a policy.

The collaborative nature of open source software development has shaped the way in which technologists create revolutionary tools. 

From the most agile blockchain, health care, and telecommunications startups, to the world’s largest banks, automotive and insurance companies, open source software is an omnipresent factor in virtually every technology-enabled organization.

However, the risks of using open source software should be recognized along with its advantages.

Particularly for technology companies seeking an exit event — be that through a merger, acquisition, initial public offering or other means — an understanding of potential open source software risks should be considered early in the development stage, lest the presence of an unanticipated or “infectious” license affect their future valuation.

In this commentary, we delve into open source software considerations and their potential impact in the context of a mergers and acquisitions deal.

It is time for a top-to-bottom review of the acquisition process.

I take no joy in writing this article, but it is a desperate plea for improvement.

From 1995-2001, I worked for the Department of the Army as a contract specialist procuring advanced communications and electronics systems, equipment and services.

The first contract I ever negotiated was valued at over $3 million opposite an emerging company from Massachusetts. I had just finished my four-week Contracts 101 training in Virginia, and I was eager to put my newfound knowledge of the Federal Acquisition Regulation (FAR), Defense Federal Acquisition Regulation Supplement (DFARS), and Army Federal Acquisition Regulation Supplement (AFARS) to work on behalf of the Army and the American taxpayer. Then reality set in. Despite being armed with this new knowledge and skill, I was hamstrung by a procurement system so vast, complex and rigid it would make Kafka blush. 

Throughout the course of my next seven years with the Army, we were promised acquisition reform, enhanced efficiencies, paperless transactions and less red tape, particularly in connection with the procurement of commercial items and services.

Since leaving the Army, I have focused my practice primarily on commercial contracts in a variety of industries, ranging from media and entertainment to digital advertising and technology. Increasingly, however, I have been handling more government contracting issues for our clients, including negotiating contracts for prime and subcontractors and handling diligence and regulatory issues in connection with mergers and acquisitions. It never ceases to amaze and disappoint me how different these commercial contracts are to federal contracts. The commercial process is still so much faster and efficient; the contracts are generally much shorter and less complex; and the parties are able to navigate contentious issues through negotiations rather than having to abide by a panoply of opaque and largely wasteful regulations.

To illustrate, a client of ours provides its customers access to its hosted marketing platform via a standard nine-page contract. The company has been offering this product on a Software-as-a-Service (SaaS) basis for years to its commercial customers. It typically negotiates all of its contracts using its in-house counsel.  It has—due to the onerous and largely unnecessarily complex requirements and restrictions of becoming a government contractor—refused to do direct deals with the federal government. Instead, it uses resellers to do business indirectly with the government.

In its most recent acquisition, the prime contractor had a massive marketing and advertising deal worth hundreds of millions of dollars with the Army. The prime contractor engaged a subcontractor to provide certain products and services. And this subcontractor, in turn, engaged our client to provide its SaaS offering. Our client was slated to make approximately $1 million dollars a year on this transaction, which for the company was meaningful, but certainly not its largest contract.

Aside from the fact that this transaction required no fewer than three separate contracts—the Army with the prime, the prime with the subcontractor and the subcontractor with our client—the Army certainly paid more than if it had procured the SaaS offering directly from our client. Additionally, each of the other parties had to draft and negotiate its contract with its respective counterparties. 

Although this cumbersome process would be true in many transactions involving multiple tiers of contractors, the problems were greatly exacerbated by the inefficiencies inherent in the government contracting process. First, there are simply too many regulations. The series of transactions, which were for the ultimate benefit of the Army, involved literally hundreds of contract clauses incorporated either in full or by reference from the FAR, DFARS, AFARS and local procurement regulations.

Second, many of the over 50 FAR and DFARS clauses that were slated to “flow down” to our client (i.e., clauses that were included in the prime contract that flowed down to the subcontractor that flowed down to our client) were simply inapplicable. Our client is a small business and the transaction was a fixed-price, commercial item contract under FAR Part 12. Notwithstanding, the contract included a host of clauses not applicable to commercial items or small businesses. Of the remaining clauses that were required, by regulation, to be included in our contract, most should not be required in these types of contracts.

For example, although it is a laudable goal for all companies to create, maintain and enforce a robust anti-kickback policy, is it really necessary to impose such a requirement on a small business providing a SaaS offering?  The FAR says it is.

Third, and interrelated, our client had no interaction, or opportunity to interact, with the government contracting officer. So, when we rightfully objected to many of the over 50 ridiculous government contract clauses being imposed on us, all questions/requests/communications had to be with the subcontractor, which then routed them to the prime contractor, which then routed them to the contracting officer, who offered the perfunctory, “It’s required by the FAR.” Again, keep in mind that our transaction was for a commercial item that our client had been licensing to nongovernment customers for years using a subscription agreement of only nine pages. FAR Part 12 was drafted specifically to resolve this madness.

By the time our negotiations were over, it had taken our client several weeks, thousands of dollars in outside legal fees and extensive internal resources to finalize a deal of over 50 pages that should have taken an afternoon with no out-of-pocket expenditures. Moreover, our client, in an effort to close the deal, ultimately agreed to provisions it would never agree to in a typical commercial agreement. Despite the lucrative contract, the inefficient process reaffirmed and cemented our client’s decision not to do business directly with the federal government.

In an era where the Chinese, Russian, and other foreign governments simply take technology from their domestic companies, doing business with the U.S. federal government is comparatively benign. Nonetheless, as evidenced by the recent $4.8 trillion budget for fiscal year 2021 with massive increases in spending for artificial intelligence, quantum computing and military research and development, government procurements involving cutting-edge technology are critical to the safety, security, and well-being of our country. 

There is simply no excuse for our antiquated, byzantine procurement process. How much of that $4.8 trillion dollars is wasted through inefficient procurement processes and procedures? How many wonderful companies refuse to do business with our government because of that? What technologies will the government never have access to because of this administrative morass? These are deficiencies that the government was promising to resolve back in 1995 when I first started as a civil servant, and they have not gotten any better. How long must we wait? 

It is high time that the government do a comprehensive review of our procurement system from top to bottom and not only reduce or eliminate many of the myriad statutes, regulations, rules and policies, but also simplify the entire acquisition process to incentivize all companies to do business with our government. 

Reprinted with permission from the June 12, 2020, issue of SIGNAL. © 2020 AFCEA International. All Rights Reserved. Further duplication without permission is prohibited. 

Much has been written on the myriad of legal issues emanating from the global COVID-19 pandemic: the constitutionality of the lockdowns, liability for stores that open, the process of obtaining PPP loans, and the applicability of force majeure clauses, to name a few.

As intellectual property and bankruptcy practitioners, we are fielding more questions regarding the impact of bankruptcies (both actual and potential) on the rights of licensors and licensees.

This article highlights some of the most frequently raised issues, both for licensors and licensees evaluating their rights due to a recent or pending bankruptcy filing, as well as for parties re-evaluating their risk profiles when entering into new license agreements amid the COVID-19 pandemic.

We also explore some of the pitfalls of source code escrow agreements and the impact of a release of source code due to a bankruptcy filing.

Rights of a licensor when a licensee enters bankruptcy

Generally, a license agreement is like any other contract in that it can be terminated upon the mutual agreement of the parties or as otherwise set forth in its terms (typically for a party’s uncured breach or upon expiration).

Many license agreements contain language purporting to authorize a party to terminate such a contract upon the counterparty’s insolvency or filing for bankruptcy (known as “ipso facto” clauses).

However, such clauses are typically unenforceable in executory contracts (i.e. contracts where material performance obligations remain due on both sides) when a counterparty files a chapter 11 or chapter 7 case under the United States Bankruptcy Code (the “Bankruptcy Code”) as the Bankruptcy Code generally forbids the termination of such a contract (and a party’s rights or obligations thereunder) based solely on the debtor counterparty’s insolvency or the commencement of a bankruptcy case under the Bankruptcy Code, whether or not on such a termination right exists in the contract.1

This is logical, because the Bankruptcy Code seeks to preserve the rights of the debtor/bankruptcy estate so that the business may continue uninterrupted while the trustee (in a chapter 7 case) or “debtor-in-possession” (in a chapter 11 reorganization case)2 decides what contracts should be “assumed” (and continue to be performed under) or what contracts should be “rejected”.

In the intellectual property context, the prohibition on the enforcement of ipso facto clauses combined with the Bankruptcy Code’s automatic stay is often critical as such provisions prevent a non-debtor licensor from terminating a debtor licensee’s right to use intellectual property needed to operate (such as a license for infrastructure software) upon the commencement of a bankruptcy proceeding.

Licensed rights of intellectual property (whether a patent, copyright, trademark, trade secret, publicity, or otherwise) are not typically assignable by a licensee without the consent of the licensor under non-bankruptcy law.

The Bankruptcy Code specifically states a trustee of a bankruptcy estate may not assign a contract where the default position under applicable non-bankruptcy law is to excuse the counterparty to the agreement from accepting such an assignment.3

Thus, although a non-debtor licensor cannot terminate a license simply due to a debtor licensee’s insolvency or filing of a bankruptcy petition under the Bankruptcy Code, such non-debtor licensor may ultimately prevent the debtor licensee from assigning its interest to a third party.

Such non-debtor licensor may then ultimately be able to seek relief from the Bankruptcy Code’s automatic stay to terminate the license that cannot be assigned, and arguably therefore cannot be assumed.4

However, where the license agreement expressly allows the licensee to assign the license agreement (whether generally or specifically in connection with a sale of all or substantially all of the licensee’s assets), then an executory intellectual property license would likely be assignable under applicable law and such a contract would not be terminable by the licensor.

Thus, it is critical for a licensor and licensee to closely review and critically negotiate all intellectual property contract/license agreement provisions, including those provisions relating to assignment and termination upon bankruptcy.

Rights of a non-debtor licensee when a debtor licensor enters bankruptcy

Under the Bankruptcy Code, a debtor (in a chapter 11 bankruptcy) or chapter 7 trustee (in a chapter 7 liquidation) has broad authority, upon approval of the court, to assume (i.e. accept) or reject (i.e. deem the contract breached)5 executory contracts of the bankruptcy estate in order to maximize the value of the debtor’s assets for the benefit of its bankruptcy estate.6

When a debtor enters bankruptcy, the trustee/debtor may believe that the best way to preserve the value of the bankruptcy estate is to terminate any outstanding license agreements (to the extent possible) in order to increase the value of the bankruptcy estate’s intellectual property.

However, section 365(n) of the Bankruptcy Code protects the rights of intellectual property non-debtor licensees by giving the licensee the ability to (a) accept any such rejection of the contract by the debtor licensor, or (b) retain the licensee’s rights under such intellectual property license despite the rejection of such contract.7

Although allowing for a unilateral rejection of the license by the debtor licensor could increase the value of the bankruptcy estate’s applicable intellectual property assets, allowing such rejection without protecting the rights of counterparty non-debtor licensees would be too disruptive for licensees, and could result in substantial consequences for these downstream licensees.

Such consequences could include potentially bankrupting a licensee that would no longer be able to conduct its business if its license rights could so easily be vaporized.

Since the Bankruptcy Code not only seeks to preserve the value of a business as a going concern and the rights of creditors, but also to minimize the effects of a bankruptcy filing on the rest of the economic ecosystem, the inclusion of these provisions in the Bankruptcy Code is logical and necessary.

If the non-debtor licensee chooses to retain its contractual rights upon a license agreement’s rejection by a debtor licensor, the licensee will need to continue making any payments required under the license agreement to the bankruptcy estate.

The applicable intellectual property assets that are subject to the license may be sold during the bankruptcy proceedings, and the license would be transferred with them.

Note that the restrictions noted above regarding the non-assignability of an intellectual property license by a debtor licensee would not apply, as the default rule preventing the assignment of intellectual property licenses is only for licensees, while licensors may generally assign their interests under applicable non-bankruptcy law.

In such circumstances, the license would need to be transferred with the intellectual property, and the assignee will step into the shoes of the previous licensor.

One question that is often raised is whether an exclusive license is converted to a non-exclusive license as a result of the bankruptcy of the licensor.

Although this may sound like a reasonable approach for the Bankruptcy Code to have taken (essentially treating the licensee as another creditor and limiting its recovery), the provisions of section 365(n) of the Bankruptcy Code expressly state that exclusivity rights of a non-debtor licensee shall continue to be effective if the licensee elects to retain its intellectual property rights despite rejection of the license agreement in the bankruptcy proceedings.

The protections of section 365(n) of the Bankruptcy Code only apply to “intellectual property.” However, the Bankruptcy Code does not clearly delineate all categories of intellectual property that would be protected by section 365(n).

Accordingly, licensees of intellectual property should include language such as the below in their license agreements to make clear that such licenses are intended to fall within the definition of “intellectual property” subject to the important protections of section 365(n) of the Bankruptcy Code:

Bankruptcy Protection. The parties agree that all of the rights to any [Licensed Materials] hereunder constitute “intellectual property” as defined in Section 101(35A) of the United States Bankruptcy Code (the “Bankruptcy Code”) and that this Agreement shall be governed by Section 365(n) of the Bankruptcy Code. If [Licensor] voluntarily or involuntarily becomes subject to the protection of the Bankruptcy Code, and [Licensor] or the trustee in bankruptcy rejects this Agreement under Section 365 of the Bankruptcy Code, [Licensee] shall have the right to: (i) treat this Agreement as terminated; or (ii) retain [Licensee’s] rights under this Agreement, specifically including, without limitation, the right to exercise its rights granted herein to such [Licensed Materials].

Source code escrow

Another hot topic is the impact of a bankruptcy on an agreement that includes a source code escrow provision. Software is typically licensed solely in object code form (i.e., the form readable by a computer, but not understandable by humans), rather than as source code (i.e., human readable).

When licensing software that is material to its business, a licensee should seek to have the licensor place the source code for the applicable software into escrow with a third-party agent (such as Iron Mountain).

Pursuant to an agreement between the licensor and the escrow agent, the agent will release the source code under certain limited conditions negotiated between the licensor and the licensee in the underlying license agreement (most typically, conditions relating to circumstances where the licensor no longer supports or maintains the software).

The vast majority of software licensors rightly seek to maintain the secrecy of that software’s source code. Businesses built entirely around their proprietary software consider their source code to be the company’s crown jewels and are often very reluctant to make it available under any circumstances, including in escrow.

Nevertheless, licensors providing critical software often find such escrow provisions necessary in order to close the deal with their customers.

The conditions triggering the release of source code pursuant to an escrow provision may include the bankruptcy of the licensor or the assignment of the applicable license agreement by the licensor. Both of these concepts may be implicated by a bankruptcy filing and should be taken into consideration prior to any voluntary bankruptcy filing occurring.

Although no company wants to consider a potential bankruptcy when negotiating a license agreement with a potential licensee (and over-arguing on such contingencies may be viewed as a weakness of the licensor’s business to the licensee), it is important for licensors not to allow such release conditions to be triggered too easily.

A useful strategy for licensors when negotiating release conditions and rights of a licensee following such a release is to focus on the respective parties’ shared interests rather than the consequences of a bankruptcy and/or release of source code.

By highlighting the goal of maintaining business continuity for a licensee — and that the licensee may not be in a position to maintain and support the software itself if the source code is released — the parties should be able to reach a reasonable middle-ground on the release conditions and the terms surrounding the usage of the source code thereafter.

It should be noted that the release of source code from an escrow account is not the same as a transfer in ownership. Nevertheless, licensors and licensees need to carefully draft source code escrow provisions in their underlying license agreement to ensure that their interests are adequately protected.

In a properly drafted escrow provision, the source code should remain the intellectual property and confidential information of the licensor, and the licensee would have the right to use such source code only to the extent still allowed under (and for the remainder of) the applicable license agreement.

In the context of a bankruptcy, acquirers of the intellectual property rights and source code of the bankruptcy estate typically consider such assets’ value to have diminished substantially upon any source code release.

This is the case even when the provisions of a source code escrow agreement require the licensee to maintain the source code’s confidentiality upon release or other reasonable restrictions.

For this reason, a potential acquiror of such intellectual property assets from a bankruptcy estate may seek to come to an agreement with any potential recipients of the source code in escrow to avoid its release if the acquiror agrees to maintain the software for the licensees following the purchase and/or provide additional consideration.

Looking forward

Whether analyzing rights with a licensor impacted by the current pandemic or exploring a new business opportunity with a counterparty, it is important for businesses relying on the value of intellectual property to consider and appropriately address the interplay between bankruptcy and intellectual property law, and how such interplay affects their related commercial intellectual property agreements.

Although the Bankruptcy Code may override certain provisions in a contract, the parties to intellectual property licenses have great latitude to plan for many scenarios, and potentially mitigate their respective risks, by negotiating contractual provisions to protect their respective rights in the event that a contract counterparty undergoes a bankruptcy.

Although it may be unpleasant to negotiate and plan for the bankruptcy of either party to a license, such initial additional efforts will prove worthwhile in the long run should a bankruptcy become a reality.

Reprinted with permission from the June 22, 2020, issue of Westlaw Journal Bankruptcy. © 2020 Thomson Reuters. All Rights Reserved. Further duplication without permission is prohibited. 

To see our other material related to the pandemic, please visit the Coronavirus/COVID-19: Facts, Insights & Resources page of our website by clicking here.

1 See 11 U.S.C. § 365(e)(1). However, 11 U.S.C. § 365(e)(2) contains an important exception to this general rule limiting section 365(e)(1) in situations where the non-debtor contract counterparty is excused from accepting performance from or rendering performance to an assignee of such contract or lease. As a result, section 365(e)(1) does not impact ipso facto clauses in those contracts that are not assignable under applicable non-bankruptcy law. See generally 3 COLLIER ¶ 365.07[1] at 365-67 (stating that “§ 365(e)(2) provides that the invalidation of ipso facto clauses does not apply to contracts or leases that are non-assignable under applicable non-bankruptcy law”). However, the non-debtor licensor will not be able to immediately terminate a licensee’s rights following a bankruptcy filing due to the automatic stay protection provided under 11 U.S.C. § 362(a) the Bankruptcy Code, although the non-debtor licensor is not obligated to accept the assignment of the license in the bankruptcy proceedings, and may subsequently seek relief from the automatic stay to terminate the license under an ipso facto clause or other termination for breach provisions in such license.

2 In a chapter 7 liquidation, a chapter 7 trustee is appointed to take over the debtor and maximize the value of the debtor’s assets for the benefit of the debtor’s “estate”. In a chapter 11 reorganization, typically no trustee is appointed and the debtor continues to run its business as a “debtor-in-possession”. The Bankruptcy Code gives certain rights and powers to a “trustee”. In a chapter 7 case, such rights are exercised by the appointed chapter 7 trustee. In a chapter 11 case, such rights are exercised by the debtor company (unless a chapter 11 trustee is appointed for cause such as due fraud, dishonesty, incompetence, gross mismanagement, or the like).

3 See 11 U.S.C. § 365(c)(1)(a).

4 There is a split in the bankruptcy case law whether a contract that cannot be assigned also cannot be assumed, which has implications for a debtor seeking to reorganize under chapter 11 of the Bankruptcy Code. Thus, an analysis of licensor and licensee rights needs to be performed depending on the location where the bankruptcy case is filed.

5 Certain courts had historically treated “rejection” of an executory contract as akin to termination of such contract and the counterparty’s rights thereunder. However, the Supreme Court in Mission Product Holdings, Inc. v. Tempnology, LLC, 587 U.S. ___, 139 S. Ct. 1652, 203 L.Ed.2d 876 (2019) held that rejection of an executory contract is akin to breach of such contract outside of bankruptcy. See Mission Product: Supreme Court Protects Rights of Trademark Licensees in Bankruptcy Despite “Rejection” of Underlying Trademark License Agreement by Debtor-Licensor, available at https://bit.ly/3hyyXc2.

6 See 11 U.S.C. § 365(a).

7 While the non-debtor licensee can retain its intellectual property rights, such rights would only exist as of the bankruptcy filing (so the licensee likely will not be able to force debtor-licensor to take affirmative actions under the contract such as providing maintenance, updates, support or even defend the intellectual property). Additionally, other related non-intellectual property rights under the license agreement such as the right to distribute products may be found by a court to not fundamentally be subject to the protections under section 365(n) of the Bankruptcy Code.

WSG's members are independent firms and are not affiliated in the joint practice of professional services. Each member exercises its own individual judgments on all client matters.

HOME | SITE MAP | GLANCE | PRIVACY POLICY | DISCLAIMER |  © World Services Group, 2020