This post is the second in a two-part series concerning emerging uses and considerations involving application programming interfaces, or “APIs.”    

Most retailers and other large and mid-size businesses, and even some small businesses, utilize public APIs:

• Businesses who vet their employees against a government database may be doing so through an API.
• Businesses that rely on vendors to provide data or electronic services (such as HR and payroll management) may be receiving them through APIs.
• Businesses that maintain databases associated with their website or applications, likely communicate with that database through an API.
• Businesses that provide electronic data or electronic services are likely doing so through an API.  When the API license is presented as a take-it-or-leave-it agreement, the terms are often written to protect the provider from any liability for an offering from which the provider derives no direct financial benefit.

Still, regardless as to whether the license is free, prospective business licensees need to consider at least the following:

• The use of most public APIs is contingent upon the user’s agreeing to the distributor’s contractual requirements. APIs made available for free may be provided pursuant to “licenses” or may alternatively be provided pursuant to a “terms of use” that sets forth the conditions under which use is permitted. Under either approach, if the user refuses to accept the terms, then use is barred. APIs made available for a fee may also be styled as a “terms of use” but commonly have “license” or “service”
  

Application programming interfaces, or “APIs,” have become a critical part of ecommerce, and retailers are increasingly finding new and creative ways to use APIs to enhance their offerings and their business.  For example, Kroger deploys an API with information about its groceries, locations, coupons, and loyalty programs.  BestBuy similarly offers APIs to third parties, including one for recommended purchases.  LensCrafters, Williams-Sonoma, and other retailers have further deployed APIs to expand consumer access to their information.  Still, many other retailers are connecting to PayPal and other fintech companies to provide multiple secure checkout options.

This post is the first in a two-part series concerning emerging uses and considerations involving APIs.

The provision of public APIs has exploded in recent years amid ecommerce. More than 60 percent of eBay listings are added via API.  At least 50 percent of Salesforce transactions are via APIs.  Ecommerce service companies Shopify ($25B) and Twilio ($15B) have exploded to multibillion dollar market valuations, in part, through providing APIs to retailers.

Without APIs, a third-party developer could theoretically create a bot to visit these retailers’ websites and “scrape” key information, but such an approach is less effective than an API. First, through an API, the provider controls what third parties access, while “scraping” raises copyright risks. See, e.g., Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096 (C.D. Cal. 2007) (granting injunctive relief on grounds that defendant infringed copyright and terms of use through automated screen-scraping of Ticketmaster’s site in order to facilitate

Many retailers permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email, under a Bring Your Own Device (“BYOD”) policy. BYOD policies can be popular for employees that want to use hand-picked devices and for retailers that want to avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on non-company devices implicates both security and privacy considerations.

A reported 40 percent of companies offer BYOD to all employees, according to a survey by Crowd Research Partners.  Security concerns, data leakage, and malware were all listed as top concerns of retailers in allowing BYOD.

Consider the following when deciding upon a BYOD policy:

Is the scope of your control over employees’ mobile devices consistent with your company’s interest?  Retailers should consider why they have an interest in knowing about their employees’ mobile devices; that interest should be the basis from which a BYOD policy should emerge. If the company simply wants to allow an employee to access work email on a mobile device, then the policies and restrictions should proceed with that focus.

To what extent and for what purpose does your company monitor employees’ use of mobile devices? Many servers create logs showing when an employee’s device accessed the organization server using certain authentication credentials. As security measures such logs are often appropriate. To the extent that a retailer wants to monitor more substantive actions by an employee on a mobile device, such monitoring

Email is an important marketing tool for retailers, who should be aware of federal and state laws regulating its commercial use. Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier. When followed, CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves. Failure to follow the CAN-SPAM Act can lead to penalties of up to $16,000 per violation.

In addition, thirty-seven states have laws regulating unsolicited email advertising. The majority of these state laws target commercial or fraudulent electronic mail.  Most state anti-spam laws prohibit using misleading information in the subject line of the message; misrepresenting or

New legislation passed by Congress attempts to curb aggressive tactics against the authors of negative online reviews. The legislation bans the practice of contractually prohibiting consumers from posting negative reviews on websites. President Barack Obama has indicated that he will sign the legislation.

The Consumer Review Fairness Act of 2016 (the “Act”) voids, from inception, clauses in form contracts that:

Such chilling gag clauses had been wielded by various businesses against customers who had written or encouraged negative reviews of those businesses’ products and services through online forums such as Yelp.

The Act further restricts any claim to ownership of the underlying intellectual property in such reviews except to the extent that a limited license is provided to display the content. Accordingly, a business cannot claim IP rights in a negative review such that the business could assert infringement if the negative review remains viewable.

The Federal Trade Commission is empowered to enforce the Act under its powers against deceptive trade practices and unfair competition, and will issue best practices for compliance within 60 days of the Act’s enactment. State attorneys general are also empowered to bring actions under the Act.

Importantly, the Act’s application is limited to the specifically identified contractual clauses. The Act does not, for example, prevent parties from adopting clauses related to legal duties of confidentiality or to