Website AccessibilityWhy Companies Should Take A Holistic Approach to Digital Accessibility

Why Companies Should Take A Holistic Approach to Digital Accessibility

Over the past several years, there has been a tremendous increase in the prevalence of digital tools, online businesses, and mobile applications.  This has led to a spike of litigation in both federal court, under Title III of the Americans with Disabilities Act (ADA), and similar state statutes, such as New York Human Rights Law and California’s Unruh Act, as users with a variety of disabilities allege challenges in accessing various components of a company’s online business.  

The Beckage Website Accessibility Team, made up of lawyers who are also web developers and web design business owners, continues to monitor federal and state filings under the ADA, which have more than quadrupled in the past seven years. While no industry is immune, we have noticed a trend of lawsuits targeting the retail and restaurant sector, as more individuals with disabilities are seeking out websites over brick-and-mortar stores, creating higher risk for online businesses with accessibility issues.

Part of the surge in litigation over the past handful of years is caused from the lack of clarity from the Department of Justice, the federal agency responsible for enforcement of the ADA. In 2017, the DOJ declined to issue clarifying regulations, contributing to continued uncertainty on clarity on what digital accessibility entailed. Hence a waive of litigation ensued and shows no signs of letting up. Thus, absent any legislation or guidance from the DOJ, now is the time for organizations for organizations to take a holistic approach to digital accessibility, taking proactive steps to make their digital platforms accessible for users with a variety of disabilities. But what does that look like in practice and why should your organization make accessibility a priority in 2021?

Current Legal Landscape

As any good business understands, it is crucial to always keep the consumer top-of-mind, and your online presence is certainly no exception. Creating a digital platform that can be used by the greatest number of consumers possible should always be the goal, and that number needs to include the 1 in 5 Americans who have a disability.

However, deciphering what exactly it means for an online business to be considered accessible under Title III of the ADA has been a constant challenge for companies, web designers, and attorneys working in the accessibility space. Despite the DOJ’s lack of clarity on this issue, the Web Content Accessibility Guidelines (WCAG) 2.1, private industry standards promulgated by the World Wide Web Consortium (W3C), are widely accepted by the industry and courts for measuring accessibility.  The WCAG standards are broken down into three “levels” of acceptability: Level A, Level AA, and Level AAA.  Level A and Level AA are where most common barriers for disabled users exist and are thus the accepted standards to achieve website accessibility.  

It is also important to note how Title III of the ADA intersects with privacy regulations. For example, while there is currently no federal data privacy law, the California Consumer Protection Act (CCPA) requires that website Privacy Policies be “reasonably” accessible to individuals using screen-reading software and other tools to access a website. This is an important piece of this comprehensive data privacy legislation and while it doesn’t address the accessibility of the rest of a business’s website, making sure your digital tools, such as web forms for data subject rights, cookie consent banners, and other similar tools on your website, are accessible to the greatest number of users makes wise sense in the spirit of this regulation.  Additionally, with a new administration in the White House, anticipate that we may see federal legislation that clarifies clarify both data privacy and accessibility standards on a national level, which would make working towards compliance and avoiding predatory lawsuits easier for companies with an online presence.

What We’ve Learned About ADA Accessibility Claims

Practically speaking, it remains unclear what having an “accessible” website means. For this reason, a very high number of ADA cases filed against online businesses are quickly settled outside of court to avoid the expense of litigating in such uncertain terrain.   

Website and mobile app accessibility claims against businesses in a variety of sectors have become a familiar occurrence.  Most of these cases have similar allegations; a disabled individual argues that they encountered multiple access barriers that denied him/her full and equal access to the goods and services offered online by a company. In most of these cases, the plaintiff has attempted to leverage screen-reading software to access the website or mobile application and claims the platform is incompatible with the assistive technology they are using. 

Other commonly made claims include improperly labeled links and pages, inconsistent placement of on-page elements, like the shopping cart, and lack of image alt-text, title elements, and other features that help blind users navigate a website. Thus, the plaintiff argues, the business has violated Title III of the ADA and related state statute, entitling the plaintiff, among other things, to injunctive relief and attorneys’ fees.   

Practical Steps for Businesses

The sheer volume of settlement agreements and cases Beckage has worked on has exposed some common themes and provided valuable insights into how online businesses can proactively address website accessibility and minimize legal risk.  We recommend the following four-prong approach:  

  1. Consult with legal tech counsel, like Beckage, to evaluate litigation risk and regulatory compliance;
  2. Have your website or mobile app audited with the protection of attorney-client privilege or with a trusted third party vendor against the WCAG Level A and Level AA standards to determine what remediation is necessary to address any existing barriers and test your website using assistive technology, such as a screen reader, to be sure all barriers have been remedied.
  3. Publish a legally-reviewed Accessibility Statement on the forward-facing website and mobile application, and work to develop internal policies, procedures, and a training program that implement regular audit and assessment of accessibility; and
  4. Operationalize accessibility within your organization, prioritizing a top-down, multi-department approach throughout your organization to building accessibility.

Keeping in mind the end goals of improving usability for individuals with disabilities and avoiding frivolous lawsuits, businesses can arm themselves with a proper plan to address their online platforms’ accessibility. From our experience, a holistic approach to digital accessibility that understands how to bring together various stakeholders and decisions makers from throughout the organization as accessibility champions is the best way to operationalize accessibility.

With former web developers and technologists on staff, Beckage is well-suited to help businesses from all sectors and industries navigate the uncertain legal landscape surrounding website accessibility. Through collaborating with in-house technologists, outside vendors, members of the disability community, and internal assistive technologies, Beckage attorneys work under privilege to conduct internal and remedial audits of client websites and mobile applications, evaluate platform compatibility, and oversee implementation of recommended remedial or accessibility-enhancement measures.  Our team can help you develop and implement a sustainable accessibility program that contemplates compliance with the WCAG guidelines and other current and future website accessibility standards and best practices.

Subscribe to our newsletter.

*Attorney Advertising. Prior results do not guarantee similar outcomes.

Data Privacy DayBeckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Beckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Today is Data Privacy Day – an international event held annually on January 28th with the purpose of promoting privacy and data protection best practices for consumers and businesses. At Beckage, every day is Data Privacy Day – our team of lawyers and technologists works daily with clients on data security and privacy measures, from developing policies and procedures to comply with international and domestic privacy regimes to responding to headline-making data incidents and defending clients in data security and privacy class actions.

The legal landscape surrounding data security and privacy is constantly evolving to adapt to technological advancements and global privacy trends. In observance of this holiday, we asked some of our experienced team members what they expect to see in this space in 2021.


Litigation – Myriah V. Jaworski, Esq. CIPP/US, CIPP/E

My data privacy prediction for 2021 is also related to biometrics. This year we will see the continued rise of regulation over and litigation concerning the use of biometric information.

A few years after the Illinois State Legislature passed BIPA, the Biometric Information Privacy Act, we started to see a slew of class action lawsuits filed against businesses alleged to have violated BIPA’s written release requirement. BIPA class actions have ranged from headline-making cases against major tech companies, such has Facebook, to small and medium-sized businesses across numerous industries.

While biometric lawsuits were once viewed as a risk associated only with doing business in Illinois, other states, like Washington and Texas, have followed suit by passing their own laws mimicking BIPA and others are eyeing their own biometric privacy bills. Of note, a bill nearly identical to BIPA is pending in the New York State legislature, which, if passed, could have a much larger impact on businesses given that New York is one of the largest economies in the United States.

At the federal level, we have recently seen the Federal Trade Commission (FTC) enter the biometric conversation with its consent agreement with EverAlbum, Inc. This consent order may have set a nation-wide standard for businesses’ use and collection of biometric information, regardless of whether those businesses operate in states that have enacted or pending biometric privacy laws.

In short, in 2021 the risks and penalties associated with collecting and using biometric information are steep. Any business, regardless of location, that is engaging in biometric information collection should conduct a privacy audit, look at its written policies, and ensure that it has the requisite consents in mind. As a litigator, I always say “demonstrable compliance is the strongest legal defense,” and that is certainly true in the biometric privacy space.

Watch Myriah’s video prediction here.


Incident Response – Daniel P. Greene, Esq., CIPP/US, CIPP/E

At the heart of what we do as incident response privacy practitioners is data breach prevention.  My 2021 prediction for the privacy landscape is an expansion in the use of multi-factor authentication. This is great news for incident response because, often, multi-factor authentication is an important step in helping to avoid a data incident and protect the privacy of data.

Multi-factor authentication is when a user identifies themself through biometrics, like a facial or fingerprint scan, or though entering a code on a device to confirm access to sensitive spaces, like a bank account or work network. It helps in avoiding unauthorized access and we expect to see this technology used in new spaces in 2021, such as when using an ATM or checking out at a grocery store.

We also anticipate an expansion in the use of biometrics over device authentication. There have been numerous documented incidents where device authentication has backfired. A famous example occurred in 2019 when attackers were able to gain access to Twitter CEO Jeff Dorsey’s account using a SIM card swap scheme. Because biometric identifiers are much more difficult to change or duplicate, using a facial scan or fingerprint is a much more secure method of confirming a user’s identity. And while this brings up a host of other issues about safeguarding biometric information, I think we can expect to see it used a lot more soon.

Watch Dan’s video prediction here.


Government Investigations – Michael L. McCabe, Esq., CCEP

In 2021, I expect to see increased enforcement of privacy and data security laws and regulations at both the federal and state level. Considering new leadership in Washington D.C. and the looming impact of the COVID-19 pandemic, I predict not just an uptick in enforcement, but also a more muscular approach by regulators.  More enforcement actions are expected, a further reminder for companies to work with experienced tech privacy and security legal counsel to minimize legal and technical risk.

At the federal level, look for enhanced enforcement by the Federal Trade Commission (FTC), Federal Communications Commission (FCC), and Securities and Exchange Commission (SEC). On the state level, I anticipate a similar response by state attorneys general outside of Washington.   

In 2020, we saw a major uptick in cyber-attacks, due in part to companies having to quickly adopt policies for a distributed workforce.  There were also numerous COVID-related phishing attempts. These developments have resulted in a record number of data security incidents. Therefore, I expect the focus of these enforcement actions to be not just on privacy compliance, but also on effective data security and incident response.  

Watch Mike’s video prediction here.


Privacy Compliance – Kara L. Hilburger, Esq., CIPP-US

My prediction for the privacy compliance area in 2021 is the increased focus on consumer privacy rights. With California’s comprehensive privacy law, the California Consumer Privacy Act (CCPA), now one year old, there is increase awareness and attention to data subject rights.  With a myriad of other states entertaining statutes similar to the CCPA, I anticipate a host of plaintiff related lawsuits filed under these statutes’ privacy right of action provisions. The result is that business operating in this highly global, multi-jurisdictional environment will need to continue to work towards building out robust and scalable data security and privacy infrastructures that take into account not only the GDPR and CCPA but other emerging laws. For example, updating forward-facing website disclosure policies and user agreements will be paramount here to be sure they comply with the required disclosures.

Relatedly, my second prediction as that we will continue to see an uptick in litigation filed under the Americans with Disabilities Act and frankly no end is in sight.  Businesses are continuing to educate themselves on the legal standards necessary for building and maintaining an accessible website.  We also anticipate much in the way of legislation or increase DOJ involvement in this area under the new administration.

Watch Kara’s video prediction here.


Health Law – Allison K. Prout, Esq., Cert. AWS Cloud Practitioner

With so much of our everyday lives moving online in the wake of the COVID-19 pandemic, we have seen a large uptick in data breaches caused by third-party vendors and service providers. And when it comes to the healthcare industry, I anticipate a continued increase in incidents that originate with business associates and other vendors providing services to covered entities. 

 In fact, about 40% of HIPAA breaches involve or are caused by business associates. With a new administration that’s likely to favor regulatory action, we expect to see regulatory authorities continue to enforce actions against covered entities whose business associates or service providers experience breaches. 

So what does this mean for the industry?  We expect to see covered entities taking a much closer look at who they are working with—and whether those parties have robust security and privacy protocols. For this reason, business associates may need to prepare accordingly. Whether you are a covered entity or a business associate, now is the time to dust off vendor due diligence and monitoring policies and procedures. It’s also a good idea to take a closer look at those service agreements and business associate agreements to make sure your service providers are making the right security commitments—and assuming responsibility—when there’s a breach.

Watch Allie’s video prediction here.


Global Data Privacy – Jordan L. Fischer, Esq. CIPP/US, CIPP/E, CIPM

My first prediction for the global data privacy space in 2021 is the creation and evolution of additional data privacy regulations across the globe. The so-called “GDPR Effect” has been pushing data privacy trends across the globe, and we expect to this to continue as more regions and countries adopt legislation mimicking parts of the GDPR, putting their own unique twist on data privacy, or modernizing their existing data privacy regulations to make them more compatible with the GDPR and other global privacy regimes.

My second prediction is a major emphasis on cross-border data transfers. The 2020 Schrems II decision invalidated the EU-US Privacy Shield for sending data from Europe to the United States. This decision was focused on data transfers between the United States and the European Union, but it also highlights a challenge we are continuing to see in international law – while these privacy regulations see borders, the digital realm does not.  Thus, it is increasingly hard to segment data and maintain it within a specific region. This year, I anticipate a lot of tension between regions that approach privacy and security from various perspectives that don’t always align. This presents a challenge for businesses to continue to operate efficiently while minimizing risk and dealing with multiple global privacy and security regulations.

Regardless of the specific trends we expect to see this year, one thing is certain – the global data privacy landscape will continue to change rapidly, creating a fascinating environment for data privacy and security lawyers to practice in.  I am very excited to be a part of such a dynamic team that will continue to provide services to our clients in this space.

Watch Jordan’s video prediction here.


Key Takeaways

Today, as well as every other day of the year, we hope you take some time to reflect on data privacy and security and the ways you can better protect your personal or business’ private information. The Beckage team is passionate about to educating the masses on the importance of data security, the consumer privacy rights and the impact on businesses, and the steps you can take safeguard your information. We are committed to providing updates on relevant legislation, current threats, and proactive data security steps. Be sure to follow us on LinkedIn, read our blog, and subscribe to our newsletter to stay up to date on the latest in this ever-changing space. Happy Data Privacy Day!

*Attorney advertising – prior results do not guarantee future outcomes.

Attorney Client PrivilegeWengui v. Clark Hill PLC: Another Decision Addresses the Application of Attorney Client Privilege in Incident Response

Wengui v. Clark Hill PLC: Another Decision Addresses the Application of Attorney Client Privilege in Incident Response

Last week, the District of Columbia federal court added to the growing body of caselaw related to the privileged afforded forensic reports generated in response to cyber incidents.  The ruling found that any such forensic report (or other compliance-related investigation summary) is not privileged if it “would have been created in the ordinary course of business irrespective of litigation.”  See Wengui v. Clark Hill, 2021 U.S. Dist. WL106417 (D.D.C. Jan. 12, 2021) at *1.

In this matter, the Plaintiff sought the work product and arguably privileged report created for the Defendant’s counsel, by security-consulting firm Duff & Phelps.  Where the Defendant argued that the report was created in anticipation of litigation and provided information to defense counsel regarding how the cyberattack unfolded, the Court found that the report was neither attorney-client privileged nor an attorney work-product, as it was created in the “ordinary course” of the response a business that suffered a cyberattack would follow.  As the Court ruled, it was a “necessary business function regardless of litigation or regulatory inquiries.” Id at *2.

How the Defendant Argued for Attorney Work-Product Privilege & Attorney-Client Privilege

The Defendant’s argument for maintaining work-product privilege, i.e., that the forensic report was created to aide counsel’s understanding of the attack in anticipation of litigation, was based on defendant’s use of a parallel investigation.  The Court did not find this persuasive, but the Defendant explained that two investigations unfolded in response to the breach: (1) a business-continuity oriented response for which the cybersecurity vendor was retained to “investigate and remediate” the cyberattack; and (2) a litigation-oriented response in which litigation counsel retained a firm “for the sole purpose” of “gathering information necessary to render timely legal advice.”  Id. at *3.  Additionally, the Defendant argued that the work provided by the consultant to the Defendant’s counsel constituted privileged communication as it translated the incident into a digestible report for the attorney.  Id. at *5.

The Court’s Analysis

While the defendant argued that the parallel investigation path is well-worn and generating a protected report for litigation is separate from a business-continuity report, the Court’s careful review of the record is a reminder of how key factual details and steps can impact an argument over privilege.  For instance, the Court noted that the Defendant claimed that its understanding of the root cause and progression of the attack was “based solely on the advice of outside counsel and consultants retained by outside counsel.”  Id.  Furthering that analysis, the Court noted that there is no evidence that suggests the second, litigation-oriented investigation “produced any findings, let alone a comprehensive report like the one produced” about the root cause of the breach.  Id.  The distribution of the root-cause business continuity report also worked against the Defendant in the Court’s analysis, as it suggested the report was the one document with the “recorded facts” of the incident.  Id. at *4.  Additionally, the Court found that the record suggested the Defendant relied the work of the business-continuity investigation, “instead of, rather than separate from or in addition to” the litigation-oriented investigation. Id.  The Court built off existing case law, including Capital One, on the basis that the report was used for non-litigation purposes and the Defendant did not meet the burden of demonstrating that a substantially similar report would not have been produced in the absence of litigation.  Id. at *5.

In considering the attorney-client privilege argument, the Court declined to extend such privilege to all manner of services or attached it to reports of third parties made at the request of the attorney.   The Court instead reviewed the factual record and concluded that Defendant’s counsel used the security firm for its “expertise in cybersecurity, and not in obtaining legal advice” based on an in-camera review of the report and the Court’s note that it “provides not only a summary of the firm’s findings, but also pages of specific recommendations on how [Defendant] should tighten its cybersecurity.”  Id. 

What Now?

This ruling shows how steps taken in the immediate response of a cyberattack can echo significantly into a litigation.  The greatest takeaway may be in the Court’s acknowledgement that “[a]lthough [Defendant] papered the arrangement through its attorneys, that approach ‘appears to [have been] designed to help shield material from disclosure’ and is not sufficient in itself to provide work-product protection.”  Id. at *4.  The Court’s ruling suggests that the use of parallel investigations is not at issue, but the parallel investigations should be genuine and produce reports oriented to the stated purpose. Counsel thus should consider such steps when assigning responsibilities in response to a cyberattack.  Additionally, the substance and distribution of the generated report(s) can reflect to a Court the presence or absence of legal assistance vs. security and business continuity advice.  A report heavy on recommendations and distributed widely can defeat attorney-client privilege and attorney work product protections according to this ruling, and IR counsel should take note when engaging third-party incident response firms.

In any incident, it is important to work with sophisticated and experienced tech counsel.  The attorneys at Beckage have years of experience responding to large-scale data breaches and can help provide the guidance needed at every stage of a data incident.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

Biometric InformationBIPA Illinois Biometric Law Sets the Stage for Biometric Litigation

BIPA Illinois Biometric Law Sets the Stage for Biometric Litigation

COVID-19 is accelerating company adoption of biometric technologies.  With a global shift towards remote working, biometric technologies, which measure physiological, behavioral, and psychological characteristics, can promote, or at least monitor, productivity by recording employee performance.  Facial recognition biometric systems have also been vital in contactless engagement, especially in the airline and retail sectors, and such systems will remain after the pandemic subsides.  This burgeoning biometric industry is garnering interest from lawmakers. Given the firm’s technology-driven focus, Beckage has been tracking biometric laws and will continue to monitor legal and business developments surrounding biometric technologies. 

Biometric Data and the Law

Unlike other personal data, such as passwords, social security numbers, and payment card information, biometric identifiers cannot easily be changed once breached.  Because they are immutable by nature, regulations classify them as a sensitive class of personal data.  Notable laws that govern biometric data include the E.U. Global Data Protection Regulation (GDPR) and U.S. state laws, including California’s comprehensive privacy law. Three states, Illinois, Texas, and Washington, have passed biometric specific laws. New York State recently introduced the Biometric Privacy Act, a bill that is nearly identical to Illinois’ BIPA, and other states, such as Arkansas and California have amended their breach notification laws to reflect biometric data as personal identifying information.

The first step to knowing whether biometric regulations apply to your business is understanding the definition of biometric data.  The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.” Art. 4(14).  Similarly, U.S. biometric laws protect biometric data characterized in terms of personal identifiers, including retina scan, iris scan, fingerprint, voiceprint, hand scan, and face geometry.  For example, the Illinois Biometric Data Act (BIPA) defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” Sec.10.

U.S. Biometric Litigation Trends

Recent rulings in biometric litigation indicate that BIPA currently drives the legal landscape on biometric data protection in the U.S.  BIPA litigation is on the rise following the Illinois Supreme Court 2019 decision in Rosenbach v. Six Flags.  The plaintiff in Rosenbach was the mother of a minor whose fingerprint was captured to verify his identity for entry to an amusement park owned by the defendant.  The Court rejected the defendant’s allegations that the plaintiff had not suffered any actual or threatened harm.  Consequently, the Court held a plaintiff can sue based on a mere technical violation of the law.  This decision means that a person does not have to suffer actual harm to pursue a biometric suit under BIPA.  Further, federal courts have agreed that failure to implement privacy policies outlining procedures for collection, retention, and destruction of biometric identifiers is sufficient to demonstrate a violation of the law.  For example, in May 2020, the Seventh Circuit in Bryant v. Compass found the Rosenbach ruling instructive in holding the plaintiff can pursue a lawsuit against a vending machine operator if the vending machine installed at a workplace integrated biometric authentication in lieu of credit card payments.

The types of companies involved in BIPA litigation are diverse.  Any company that collects, stores, or uses biometric information related to Illinois residents is subject to BIPA.  To that end, no industry seems immune: plaintiffs have sued big tech companies using facial recognition technologies and smaller companies, such as nursing homes, using fingerprinting systems for timekeeping.  The Compass ruling illustrates that third-party vendors who provide biometric authentication systems in the workplace are within the reach of BIPA.

The diversity in cases signals the legislative impact of the law and spotlights the role of privacy policies and procedures.  BIPA is the only biometric law in the U.S that allows individuals to sue a company for damages in amounts ranging from $1,000 to $5,000 per violation.  Thus, the stakes can be high for companies without proper biometric data governance.

What should companies do?

To comply with the evolving BIPA compliance and other biometric laws, companies should work with experienced lawyers who understand biometric technologies and regulations to address the following controls and practices:

  • Properly inform individuals or responsible parties about the purpose of collecting their biometric data.
  • Properly inform individuals or responsible parties about the company’s biometric collection, retention, storage, and dissemination policies and procedures.
  • Obtain written consent from individuals or their responsible party before collecting biometric data.
  • Make the company’s written biometric policy establishing retention schedule and destruction guidelines publicly available.

A robust biometric compliance program should reflect current laws and be flexible and scalable to adapt to the changes laws that new biometric legal rules will inevitably bring to their privacy compliance programs.  Beckage’s lawyers, who are also technologists, are equipped with the skills and experience to build a robust biometric compliance program.  We stand ready to answer any of your questions.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

Parler v. AWSParler v. Amazon Web Services – The Ongoing Conversation Surrounding Social Media, Big Tech, and Freedom of Speech

Parler v. Amazon Web Services – The Ongoing Conversation Surrounding Social Media, Big Tech, and Freedom of Speech

As the fallout from last week’s attack on the Capitol continues to be front page news, big questions surround big tech’s role as the arbiter of acceptable online speech.

After Facebook suspended President Trump’s account indefinitely and Twitter shut him down permanently, YouTube announced Wednesday that it will be freezing the president’s account for a week, citing concerns over the ongoing potential for violence.

Apple, Google, and Amazon have also pulled the plug on Parler, a social network that has become increasingly popular in recent months with conservatives, with a reputation for allowing content that would not otherwise be tolerated on other channels, including numerous calls for violence. Parler has responded by filing a lawsuit against Amazon, including claims that Amazon Web Services (AWS) violated antitrust laws and is in breach of contract for not providing a 30-day notice of cancellation.

In the 18-page complaint, filed in the U.S. District Court for the Western District of Washington, Parler argues that the decision to suspend its account “is apparently motivated by political animus” and designed to “reduce competition in the microblogging services market to the benefit of Twitter,” which recently signed a long-term deal with AWS and stands as one of Parler’s main competitors. The suit includes claims for breach of contract, tortious interference, and violation of antitrust law, alleging that Amazon failed to take similar actions in suspending Twitter’s account that included similar rhetoric. Parler is seeking a temporary restraining order to prevent Amazon from removing the social platform from its servers and prevent what it says will be irreparable harm to its business.

Can Amazon really do that? What about the First Amendment?

The suit also comes as tensions over alleged First Amendment violations remain high.  It’s well established that the First Amendment limits the government’s ability to restrict people’s speech, not private businesses’ ability to do so. Stated differently, the First Amendment only applies to public places, not private spaces, such as a social media platform.  But not so fast –  in 1980, the Supreme Court in Pruneyard v. Shopping Center v. Robins held that a shopping mall owner could not exclude a group of high school students who were engaged in political advocacy in quasi-public spaces in a private shopping mall. The Court accepted the argument that it was within California’s power to guarantee this expansive free speech right since it did not unreasonably intrude on the rights of private property owners. Likewise, in 2017, the Supreme Court in Packingham v. North Carolina held that the First Amendment prohibited the government from banning sex offenders from social media websites, finding implicitly social media to be a public space. The question, then, of whether Twitter and other social media spaces, and their associated cloud servers, where people congregate are “public” and deserving of First Amendment protections is not clear-cut. 

For its part, Amazon claims it was well within its rights to dismiss Parler after it failed to promptly identify and remove content encouraging or inciting violence against others, a direct violation of Amazon’s terms of service. According to court documents, Amazon says it reported more than a hundred examples of such violative content to Parler in just the past several weeks. In its official response to Parler’s restraining order request, AWS states that this “case is not about suppressing speech or stifling viewpoints. It is not about a conspiracy to restrain trade. Instead, this case is about Parler’s demonstrated unwillingness and inability to remove from the servers of Amazon Web Services (‘AWS’) content that threatens public safety.”

Most experts see Amazon’s decision to remove Parler as legitimate, and the microblogger will have a steep climb arguing against what are clear violations of terms. It’s also not without precedent: Cloudflare, a small company that provides tools to help websites protect against cyber attacks and load content more quickly, made a similar decision after facing pressure to drop The Daily Stormer, a neo-Nazi hate site, from their service after the deadly riots in Charlottesville in 2017. It later dropped 8Chan, a controversial forum linked to several deadly attacks, including those in El Paso, Texas and Christchurch, New Zealand.

What does this means for businesses, consumers and the future of social media?

While this case was born out of a national crisis, there is little incentive and less legal standing for businesses to start an online political witch hunt. As Amazon stated in their response to Parler, “AWS has no incentive to stop doing business with paying customers that comply with its agreements.”

But while Amazon and others are arguably on solid legal ground in their choice to drop Parler or block the president, these decisions bring up much larger questions about how we ended up with a few huge companies holding immense power over the trajectory of public discourse.

In many ways, the Constitution and our legal frameworks have not caught up to the pace, scope, and influence of online and social media. There’s not a lot of legal guidance on how tech companies or third-party vendors should treat illegal or inflammatory content posted on their networks or produced with their tools. Lawmakers are also grappling with how much responsibility should fall on social behemoths, like Facebook, that produce and house immense amounts of online content, but are not treated like traditional publishers under the law.

This is certainly both a landmark moment and a moment of reckoning for digital media consumers and providers. It’s too soon to tell how this will push transformation in the tech world and the digital town square of social media, but we’ll be following the conversation closely.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

1 2