The GDPR Will Bring Positive and Exciting Changes…But Maybe Not for Everyone.

As the May 25th GDPR compliance deadline inches closer, businesses are scrambling to shore up or rebuild their data security infrastructure. This new set of regulations will serve a seemingly simple and positive purpose: to protect the data of EU citizens and clients who hand over access to that data when they engage with companies online. The law ensures that users and consumers own their personal information and exercise a measure of control over what happens to it, and how it can be used, transferred, or shared. The law has been written and will be enforced by the EU Commission, but since many companies in the US—both big and small—serve EU customers, these companies are complying with the GDPR in ways that bring protections and benefits to their US customers as well.

For example, large entities like Google and Facebook are deciding that it’s more practical to apply these new tighter data protections to all of their users, not just those specifically covered by the language of the GDPR.

So how can this be a negative turn of events? If consumers are notified and informed about their data usage, companies act with greater transparency, alerts are provided in the event of a hack or breach, and consent documents are written in plain language that gives users the right to opt in and out, what could possibly go wrong?


Smaller Companies Struggle to Keep Up

The answer comes from smaller, independent companies and fragile startups who find themselves bogged down financially and administratively by steep compliance requirements. Digital marketing firms, online gaming companies, and other small organizations—especially those with business models that depend on data sharing—may be swallowed up by the changes taking place in this year’s data privacy landscape.

While some may consider this a kind of morality tale—a demonstration of how agility and ethical data management contribute to survival, and detriments in those areas lead to failure—the truth is not so simple. Smaller companies may end up struggling to meet compliance obligations in other markets, clearing the path for larger entities with an already disproportionate hold on market share to dominate. And any change that shifts the balance of success in favor of established firms tends to stifle a climate of opportunity, risk, and innovation.

But this age-old story doesn’t have to play out along the same old lines, and in 2018, smaller firms can certainly find affordable, manageable support as they navigate this challenge. These small firms have several options, including developing innovative changes to their business models and revenue structure, data collection efforts, and other internal programs to better comply.

If the GDPR represents an existential challenge to your company and its future, take action before the deadline.



What Do Your Customers Know about GDPR?

We’re entering the final stages leading up to the official launch of the General Data Protection Regulation (“GDPR”), and as one might expect, the world is quickly dividing into two distinct populations: Company owners, IT pros, and data managers who have been thinking about this new law non-stop for more than a year, and customers, who are learning about it now for the very first time.


While your back-office operations managers have been running down GDPR checklists at night in their dreams for months, this acronym is only now entering our mainstream news and cultural discourse—mainly because users and customers are beginning to receive notice emails about updated privacy policies.

Since the questions are about to start rolling in, confusion and concern may briefly reign among long-time loyal users and new clients alike. To answer those questions, it may help to have a quick script in hand and a clear understanding of what these users (non-experts, for the most part) already know.

As you update your privacy policies, draft your notice emails, and coach your customer service team to respond to inquiries, focus on giving clear answers that reassure your customers and reaffirm your credibility. Providing clear answers and proof of compliance to enterprise clients and Series B investors will require one kind of approach. Keeping your existing subscribers and building your customer base will require another.

Here’s a short video that can help you make your own case when you’re asked about the GDPR—What it is, how it works, what aspects of your provider-customer relationship will change, and what aspects will remain the same.

As you already know, but your customers may not, the GDPR has limits. Users may “own” their data, but companies are still within their rights to apply that data to certain search algorithms and marketing strategies. And the discontinuation of some forms of data mining will alter revenue structures for some companies, which may mean a once-free service will no longer be free, for reasons that will need to be explained.   

If you aren’t prepared to explain exactly how the “right to be forgotten” will apply to your customer base, and you aren’t sure what to say when asked why your fee structure is changing, don’t let this cause you to lose customers. Be ready to frame your transition as a positive move for all of your stakeholders—including both customers and employees. Start shaping a central message now, and build your script around that message. At every stage, emphasize your compliance with the law, your respect for customer data, and your flexibility and resilience during a time of change.



Updates Required by the GDPR

The General Data Protection Regulation (GDPR) includes a set of data privacy laws passed by the European Commission that will go into effect on May 25th, and these laws will require tight controls by any business that handles personal data for European customers.

Since most businesses in the US either serve European clients or expect to at some point in the future, the arrival of the GDPR will require these companies to update their publicly facing documents, including privacy policies and terms of service. Companies affected by the new regulations are quickly producing new and revised statements to replace the previous versions that currently appear on websites, in contracts, and in service agreements.

But rushing to update ToS sheets won’t be quite enough to bring a business into full compliance with the new regulations. This task will need to be checked off the list, for sure, but before a new privacy policy or external terms-of-use agreement is published, businesses should draft and secure internal documentation that can prove the company maintains tight control over the data under its purview.


We recommend appointing a specific individual who can own responsibility for this task.

This person should conduct a deep review of company data management policies and practices, and should produce documentation that reflects:

1. What personal data the company collects and uses, and why. (“Personal data” may include names, ID numbers, location data, and online identifiers.)

2. Where the company stores or will store this information.

3. Where the company servers are located, who has access to them, and how this access is tracked.

4. What third parties can access the data (through company servers, a data warehouse, or any other sharing system).

Once this information has been fully investigated, understood, and made available by the designated person, publicly available documents (like ToS documents) can be produced or updated. These documents will need to demonstrate:

1. Transparency into the company's practices in the form of easily digestible and understandable language.

2. Customer ability to access all personal data being stored and used by the company.

3. The existence of a company system that allows the deletion of an individual's data upon request.

Keep in mind that the GDPR also covers personal data owned by employees. Any EU-based employees who work for the company will need to provide freely-given, informed, and fully revocable consent before their activities are tracked or their data is collected, used and stored.

Also, please note: “freely-given” consent is a disputed concept, since the leverage an employer generally holds over an employee nullifies this term. So we advise companies to move with caution and be prepared to show adequate reasoning behind any decision to accept this consent and use or access any personal information provided by employees.



New Regulations May Either Help or Hurt the Emergence of Unknown Startups

Recent events like the Cambridge Analytica scandal and Facebook’s resulting congressional hearings have revealed a need to pressure internet giants to protect privacy and user data. Self-regulation hasn’t been sufficient, and with the concurrent rise of the GDPR (General Data Protection Regulation) in Europe and new public and governmental scrutiny of data protection practices in the US, legal regulation appears to be the next step. If large internet giants aren’t inclined to protect users when left to their own devices, or their business models don’t present easy solutions to privacy problems, new privacy laws are likely to compel an increased level of caution.

At the outset, it seems like these events may foretell trouble for the largest and most high-profile internet companies. And as giant companies are required to pause and look inward, and possibly even reshape their user experience in order to generate alternative sources of revenue, they may be brought down to size…which, presumably, clears the path somewhat for startups and internet newcomers. This idea of a zero-sum landscape, in which market access represents a fixed commodity and gain for one provider means loss for another, is attractively simple.


But events may not play out like this, and some signs are pointing to the opposite possibility; new privacy restrictions may actually make life harder for newcomers and easier for established brands that still enjoy a huge measure of recognition and public trust.

Unfamiliar startups and new companies will need to provide their users and shareholders with two stories, not just one. They’ll need to demonstrate value, sustainability, and the potential for meaningful growth, but these new startups will also need to reassure all stakeholders (including both clients and investors) that their data management policies and procedures are fully compliant with both the letter and the spirit of all relevant privacy requirements. When the stakes are high, it’s harder to summon confidence in a market newcomer. This is especially true when established giants have vastly more experience and more to lose in the event of a data breach.

In order to compete, ambitious startups already needed to show up armed with the essentials: a great idea, a strong business plan, and reliable capital. But now they’ll need something else as well: a defensive, proactive approach to data security in an increasingly regulated environment, and an important story to tell consumers: that their data is in good hands.



Blockchain and the Future of Social Media

The recent media attention focused on Facebook revolves around the company’s use and potential misuse of personal information shared by its users. But in the dust-up, related issues are coming to light, specifically: What will become of social media now that Facebook’s central business model has been called into question? Can the widely popular concept that launched the company (providing free access to users and gaining revenue through ads) survive a surging global interest in data security?

Over the long term, Facebook will likely be compelled to tighten its security protocols and place careful controls over who advertises on the site, how they do it, what they post, and what they say. In fact, as early as January of this year, Facebook began a crackdown on ads promoting cryptocurrency and other high-risk financial vehicles. Political content and ads may be subject to scrutiny as well, and the company may need to examine new revenue channels that can better meet user and advertiser needs in a new era of data privacy (for example, the company will likely shift in some measure to a subscription service in which users pay, not advertisers).


But in the meantime, some suggest a ready-made social media solution that can provide the same appealing user experience without the risk of data exposure: blockchain.

The value of cryptocurrencies may have declined somewhat over the past few months, but the blockchain concept of decentralized computing still holds adherents and presents enormous possibilities for the future of currency, commerce, and information sharing.

According to some experts, blockchain may expand into a 10 trillion-dollar industry over the next fifteen years. Despite the recent dip in cryptocurrency prices, there is a good chance this could happen; it is not just industry puffery.

In terms of social media, blockchain technology could allow a user to share a photo with a select group of viewers, monitor who can access the photo, and remove it at any time. The alternative (handing the photo over to a large centralized corporation and relinquishing control altogether) seems less appealing by comparison.

An additional possibility arises as well—Can recent shakeups surrounding cyberattacks, political upheaval, concern about the security of social media business models, and new privacy regulations soon to be implemented in Europe collectively lead to a surge of interest in the wider application of blockchain systems?

As always, we’ll be closely monitoring the developments surrounding these issues. If you have questions about data security and the future of blockchain, contact our office and find out how we can help.



Comar LLP and Cryptocurrency: What We Do


As our clients navigate the uncharted landscape of cryptocurrency offers and investment opportunities, we stand beside them with a long and growing track record of accomplishments in this space and a deep understanding of the associated advantages and risks.

Delving into the crypto marketplace can put an ambitious startup on the fast track or drive a new business straight into a thorny tangle of litigation and financial disappointments, and the difference lies in two words: planning and experience. We can help with both.

Here are a few areas in which we provide seasoned and reliable support.

We offer counsel on litigation risks. Token offerings may or may not result in private securities litigation by purchasers at some point in the future. Sidestep that possibility by managing the risks and taking appropriate precautions well in advance.

We help issuers structure their token offerings, identifying exemptions from registration under U.S. securities rules, discussing the difference between investment and non-investment tokens, and helping to manage overseas offerings.

We counsel collectors of art and other valuable objects who wish to issue novel asset-backed tokens on blockchains. This move requires an understanding of securities laws and sale requirements, but it can lead to expedient and profitable fundraising.

Our core legal team holds a deep background and an extensive list of accomplishments in venture financing and asset management.

We navigate complex securities and derivatives markets for our clients and our experience with litigation, dispute resolution, and corporate governance helps growing companies comply with regulatory requirements and withstand SEC and investor scrutiny.

To this end, we’ve developed a convertible instrument (a successor to SAFT) that can help resolve questions related to token issuing structure, required SEC filings, and required investor disclosures. Our instrument is called STEM (simple token for emerging money) and with this tool, we hope to encourage innovation and a culture of compliance.

Cryptocurrency markets may be new, but they’re nothing to fear or avoid, and they offer a potentially powerful on-ramp for entrepreneurs, inventors, big thinkers, and new entrants into the world of global commerce.

In an unpredictable market space, partnering with an experienced legal team can keep a high-potential business apprised of opportunities and protected from avoidable risk.



Crypto Investigations 101: SEC investigations in full swing

As cryptocurrencies pique the interest of investors and entrepreneurs in search of fundraising vehicles, they’re also piquing the interest of another group of individuals: officials at the SEC.

Unregulated, wild west landscapes don’t stay wild forever, and since cryptocurrencies have the potential to leave investors stranded and/or defrauded, cryptocurrency investigations are now high on the list of SEC priorities.  

Because of the rampant speculation, “pump and dump” tactics, and sometimes outright fraud that have taken place in the cryptocurrency arena, even the most well-thought-out and compliant cryptocurrency offering may well be subject to scrutiny and inspection.

Even if you haven’t done anything wrong, knowingly or unknowingly, it’s possible that you may be contacted by the SEC and asked to stop your ICO, answer questions about it, or put it on hold. Specifically, the Office of Compliance Inspections and Examinations will likely be increasing its contacts with those who offer ICOs and also with brokers, dealers, financial advisors and even attorneys who may be pushing their clients toward these products without fully understanding the mechanisms and risks.


Regulators, investigators and policy makers are still trying to understand and form sound opinions related to cryptocurrency and what it means for the future of American commerce. If you truly believe in the future of cryptocurrency (and you believe that the future of your company depends on it), don’t obstruct progress. Don’t stand up for or side with bad actors. Turn yourself and your company into advocates for better understanding, stronger protections against criminality, and a world in which cryptocurrency is safe, dependable, sustainable, and commonplace. Make sure your words and actions represent a force for good, not a cover for those who wish to do harm without accountability.



Crypto Litigation

We’ve shared a few blogs recently on the topic of cryptocurrency and ICOs (initial coin offerings) as a potential source of capital for growing startups. Conducting an ICO can provide a meaningful fundraising opportunity under the right conditions.

But of course, cryptocurrencies represent a new, unproven, and as-yet mostly unregulated foundation for a sustainable business. So before investing in or presenting a coin offering, founders would be wise to research potentially applicable law and regulation, and they need to be ready to reassure potential investors that the reasons behind the ICO are sound. If your fundraising decisions can withstand careful scrutiny and regulatory audits, that’s great.

…Unless something goes wrong. Despite the most carefully laid foundations and scrupulous planning, entrepreneurs who rely on crypto funding may find themselves on the defense if those who placed their faith in a struggling currency have reason to believe the offering was illegal. Similarly, investors who purchase coin may not gain the returns they expected, and may later find out that their chosen coin offering did, in fact, violate applicable securities laws. Most likely, the coin in question may have been presented as a “utility” token, when in fact, the coin better fits the definition of a “security” or investment vehicle.

If you’d like to include an ICO in your fundraising efforts, but are concerned about legal backlash in the event of misunderstandings or downturns in the cryptomarket, here are a few things to keep in mind.


You’re wise to be concerned.

This recent lawsuit filed on March 1, 2018 against Coinbase shows that people are realizing that cryptocurrencies may be subject to scrutiny and oversight from state and federal judges through litigation. Coinbase is being accused of insider trading and misrepresentation, allegations that would classically apply to the trading of securities. Because it is abundantly clear now that many (perhaps the majority) of cryptocurrencies will be subject to securities laws, we should absolutely expect to see an explosion of securities-based litigation brought by holders of cryptocurrencies against issuers and intermediaries.

As with traditional securities litigation, savvy litigators will be looking at offering documents for ICOs and thinking about issues related to misrepresentation, insider trading, and failure to disclose material information related to the offering.

You can still move forward...carefully.

This concern shouldn’t stop you from pursuing your chosen path; it’s just one of the calculated risks you’ll need to take as you look for sustainable funding. In a sense, offering an ICO is just as risky as issuing any other form of security…but in different ways. For one thing, in a classic private offering, a company may only issue securities to a dozen or so purchasers, perhaps a few dozen at most. Many current ICOs are structured to issue coin to thousands of purchasers. As there are more holders, the potential for litigation from any one holder increases dramatically. Your offering documents need to be carefully vetted, and the securities pitfalls that can befall a poorly planned ICO need to be explained to you.

Honesty and full disclosure can prevent a host of problems.

As with any securities offering, full disclosure is essential. All parties should be well-informed about the nature of your blockchain-based currency model, how it works, its stage of development, your future plans, and essential risk factors associated with holding the offering.

Documentation is essential.

Our recommendation to our clients at this stage is to be extremely conservative with legal documentation, to over-disclose, and to assume that every single document related to the ICO will be later scrutinized. Accordingly, we generally advise that every ICO should have a well-prepared suite of offering documents, well-vetted risk factors, and a purchase agreement that borrows heavily from the securities framework. The ICO also needs to be internally vetted to ensure compliance with applicable securities laws and to ensure that there is an appropriate exemption from registration under the Securities Act.



ICOs and Crypto Capital: Common Legal Questions

When you’re in the process of launching a business, regardless of your sector or your area of focus, you’ll need to take a universal first step: fundraising. Tech startups, wholesalers, and restaurants all typically start the same way: they incur debt, issue equity, or enter into convertible loan agreements.

A growing number of startups are choosing a totally new option: selling digital tokens (cryptocurrency).  But this path is relatively untested, and while some ICOs make news and generate instant millions, others fall far below the expectations of both issuers and investors.

And in almost all cases, ambitious startups begin the process with a series of common legal questions that need to be sorted out before they proceed. In the age of cryptocurrency, here are some of the smart questions we hear most often from startup teams.


Will our business model / white paper attract crypto-focused investors?

Many crypto investors are looking for new opportunities to invest after hitting it big in a previous ICO, and they are looking to roll over their Bitcoin, Ethereum, or other cryptocurrency into a potential new opportunity. Crypto investors will be looking for a strong white paper, a strong team, and a strong investment case that the digital token answers a market need, both in terms of implementation as well as with expected growth. While some are looking for any token opportunity, many crypto investors are highly sophisticated and want to make sure that a company isn’t simply sprinkling the words “ecosystem” and “blockchain” throughout a poorly written white paper.

We encourage our clients to treat the offering of a token as any other securities offering, not only with respect to compliance and legal, but also with respect to the marketing of a prospectus. Does the white paper make a strong investment case? Is the vision realistic? Does the white paper make promises that no one could possibly meet? Counsel should absolutely vet the white paper to make sure that the Company is not making statements that may lead to claims of misrepresentation later.

How will we structure our ICO?

As you structure your ICO, you’ll need to decide whether and how to cap the number of tokens you sell, and whether you’ll sell the available tokens on a first-come, first-served basis (or some other way). Most startups who choose the ICO path cap their tokens and sell to first-comers. But that’s not your only decision; you’ll also have to determine how the price is set. Will you base the price on market value? Will you set a fixed price based on your own criteria? Or will you sell a certain percentage of your tokens at a fixed price and allow purchasers to make bids? You may also want to take some tokens and set them aside for your own team, employees, and/or advisors, but this may have an impact on the price of those that remain up for purchase.

How can we stay out of trouble and stay compliant with regulatory requirements?

Companies that are selling tokens are now coming under very intense scrutiny from regulators, including the SEC. And unfortunately, much of the legal advice that has been offered publicly to companies has simply been wrong.

For example, it is very likely the case that there is no such thing as a “utility” token, and as this article from Venture Beat points out, companies that issued SAFTs on the assumption that they were offering utility tokens are almost certainly going to be subject now to regulatory action.

We have strongly advised our clients to assume that any and all tokens they offer will be considered securities, and to treat the token offering as any other offering of securities. We recognize this is a conservative approach given current market practice, but we believe current market practice to be illegal, and that there will be a reckoning. The SEC will not stand idly by as companies sell tokens.

Also keep in mind that the regulatory rules will vary based on the jurisdiction in which you operate, and the jurisdictions in which you offer the tokens. The US, China, Singapore, and Europe are all overseen by a host of regulatory agencies with varied requirements. In the US, the sale of tokens should be assumed to be a sale of securities, and is subject to securities rules. Again, there’s no need to abandon the prospect of an ICO in the face of daunting regulations, and in your case, the fundraising potential of your ICO may be well worth the extra step of navigating through these thorny issues. Find out before you move forward.



ICOs as a Funding Mechanism: Can it Work for You?

Until late 2017 and the earlier part of 2018, ICOs were considered a kind of brave new world, an unregulated, uncharted wild west rife with both unknown risk and untapped opportunity.

Nothing excites the imagination like an uncharted landscape, and in the later part of last year, prospective investors rushed in.

By December, ICOs had raised more than six billion dollars and ICO funding had surpassed that of angel and early stage VC funding combined.

But uncharted landscapes don’t stay uncharted or unregulated forever. As startups and established companies increasingly turn to ICOs as funding mechanisms, regulatory agencies are subjecting ICOs to serious scrutiny.

Both the SEC and the CFTC are hard at work now regulating cryptocurrencies and token offerings, and also looking at ways to hold errant ICOs accountable, particularly under securities laws. Some jurisdictions are also looking for ways to outlaw fundraising through ICOs and are requiring already-raised funds to be returned to investors.

In the US (as in some other jurisdictions), regulatory requirements apply to anything that can be offered and sold as a “security”, though some ICOs have attempted to skirt this definition by offering their tokens as so-called “utility tokens”, or consumptive tokens. The definition of security remains circumstantial and nuanced, but in general, it depends on how the tokens are marketed and whether or not they are presented as an item that will increase in value or can be used in secondary market trading. The SEC has recently taken the position that in its view, there are very few token offerings (if any) that are legitimate utility tokens.

We are working with several clients to make sure their token offerings and/or business models that rely on token offerings are compliant from a securities perspective as well as from a CFTC perspective. The days when you could just issue a bunch of securities to accredited investors are rapidly coming to an end. And our guess is that the SEC may require disgorgement by those companies that did those illegal ICOs.

The takeaway message: If you’re considering investing in or issuing an ICO, you’ll need to have a sense of the regulatory requirements that can affect your plans. And these regulations are more likely to apply if your chosen token can be considered an investment vehicle rather than a form of currency designed to be spent. Show caution and consider the legal implications if you can answer yes to any of these questions:


Does your coin give the holder a right to share in the profits or capital drawn from your project?

Do you expect that people will be buying the coins because they will increase in value over time?

Does your coin hold value based on another asset, like a commodity, a currency, or an underlying index?

Tokens that operate as true utilities are generally safer from regulatory restrictions and requirements, but once a coin can be described or presented as an investment vehicle, due diligence will require a closer look. Seek legal guidance before putting your trust and the future of your growing company in the hands of an ICO. Feel free to contact us if you have further questions.