MediaTech Law

By MIRSKY & COMPANY, PLLC

Website Policies and Terms: What You Lose if You Don’t Read Them

When was the last time you actually read the privacy policy or terms of use of your go-to social media website or you favorite app? If you’re a diligent internet user (like me), it might take you an average of 10 minutes to skim a privacy policy before clicking “ok” or “I agree.” But after you click “ok,” have you properly consented to all the ways in which your information may be used?

As consumers become more aware of how companies profit from the use of their personal information, the way a company discloses its data collection methods and obtains consent from its users becomes more important, both to the company and to users.  Some critics even advocate voluntarily paying social media sites like Facebook in exchange for more control over how their personal information is used. In other examples, courts have scrutinized whether websites can protect themselves against claims that they misused users’ information, simply because they presented a privacy policy or terms of service to a consumer, and the user clicked “ok.”

The concept of “clickable consent” has gained more attention because of the cross-promotional nature of many leading websites and mobile apps. 

Read More

Please Don’t Take My Privacy (Why Would Anybody Really Want It?)

Legal issues with privacy in social media stem from the nature of social media – an inherently communicative and open medium. A cliché is that in social media there is no expectation of privacy because the very idea of privacy is inconsistent with a “social” medium. Scott McNealy from Sun Microsystems reportedly made this point with his famous aphorism of “You have zero privacy anyway. Get over it.”

But in evidence law, there’s a rule barring assumption of facts not in evidence. In social media, by analogy: Where was it proven that we cannot find privacy in a new communications medium, even one as public as the internet and social media?

Let’s go back to basic principles. Everyone talks about how privacy has to “adapt” to a new technological paradigm. I agree that technology and custom require adaptation by a legal system steeped in common law principles with foundations from the 13th century. But I do not agree that the legal system isn’t up to the task.

All you really need to do is take a wider look at the law.

Privacy writers talk about the law of appropriation in privacy. The law of appropriation varies from state to state, though it is a fairly established aspect of privacy law.

Read More

Privacy: Consent to Collecting Personal Information

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added)

Read More

Privacy For Businesses: Any Actual Legal Obligations?

For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all.

Put another way, is it simply a question of disclosure – so long as a business tells users what it intends to do with their personal information, can the business pretty much do anything it wants with personal information?  This would be the privacy law equivalent of the “as long as I signal, I am allowed to cut anyone off” theory of driving.

Much high-profile enforcement (via the Federal Trade Commission and State Attorneys General) has definitely focused on breaches by businesses of their own privacy statements.  Plus, state laws in California and elsewhere either require that companies have privacy policies or require what types of disclosures must be in those policies, but again focus on disclosure rather than mandating specific substantive actions that businesses must or must not take when using personal information.

As The Economist recently noted in its Schumpeter blog, “Europeans have long relied on governments to set policies to protect their privacy on the internet.  America has taken a different tack, shunning detailed prescriptions for how companies should handle people’s data online and letting industries regulate themselves.”   This structural (or lack of structural) approach to privacy regulation in the United States can also been seen – vividly – in legal and business commentary that met Google’s recent privacy overhaul.  Despite howls of displeasure and the concerted voices of dozens of State Attorneys General, none of the complaints relied on any particular violations of law.  Rather, arguments (by the AGs) are made about consumer expectations in advance of consumer advocacy, as in “[C]onsumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.”

Again, there’s little reliance on codified law because, for better or worse, there is no relevant codified law to rely upon.  Google, Twitter and Facebook have been famously the subjects of enforcement actions by the states and the Federal Trade Commission, and accordingly Google has been careful in its privacy rollout to provide extensive advance disclosures of its intentions.

As The Economist also reported, industry trade groups have stepped in with self-regulatory “best practices” for online advertising, search and data collection, as well as “do not track” initiatives including browser tools, while the Obama Administration last month announced a privacy “bill of rights” that it hopes to move in the current or, more realistically, a future Congress.

This also should not ignore common law rights of privacy invasion, such as the type of criminal charges successfully brought in New Jersey against the Rutgers student spying on his roommate.   These rights are not new and for the time being remain the main source of consumer recourse for privacy violations in the absence of meaningful contract remedies (for breaches of privacy policies) and legislative remedies targeted to online transactions.

More to come on this topic shortly.

Read More

Trademarks: Apple Still Fighting “Video Pod”

Sector Labs, a California company that makes a smartphone-size video projector, filed a federal trademark registration in 2003 for the name “video pod”.

Apple, Inc. challenged the registration, filing an opposition to Sector Lab’s registration with the U.S. Patent and Trademark Office.  Apple claimed (among other things) that Sector Labs’ “video pod” “is extremely similar to Apple’s [“iPod” trademarks]”, “consists in part of a significant portion of [iPod] and the entirety of POD, which consumers use as an abbreviation to identify and refer to Apple’s iPod mark and products”, and that Video Pod “covers a device that is or will be used to transmit video for entertainment and other purposes” – much like Apple’s iPod.

Apple’s legal position is that Sector Labs registration would cause source confusion, namely a likelihood of confusion among consumers as to the source of the two companies’ products, and trademark dilution.  Or in other words, “video pod” would dilute the value of Apple’s iPod franchise by reducing the exclusive association in the marketplace of “pod” with Apple and its ubiquitous iPod.

Read More

Startups: Capital Fundraising, Crowdsourcing and Securities Law

“With regulators considering easing fund-raising rules for start-ups …” a recent Wall Street Journal story began, “social-networking sites that link entrepreneurs to large pools of donors are gearing up for a boom.”

First, the background.  Federal and state securities laws govern the sales – including the solicitation of sales – of securities, affecting all efforts to raise capital for startups.  This includes any public efforts to raise money, and includes raising small or large amounts of money.  Generally, sales and solicitations of sales of stock require compliance with SEC and various state securities law, and more particularly the registration requirements of those laws.

Read More

Update: Social Media Policies Violate Federal Labor Law?

Last month I wrote about an NLRB complaint against a Connecticut ambulance company, American Medical Response (AMR), for wrongful termination of an employee who had complained on Facebook about her supervisors and the company. The NLRB had begun proceedings against AMR for violating the employee’s rights under the National Labor Relations Act, specifically rights to take “concerted activity” related to working conditions.

The New York Times reported yesterday that the company had reached a settlement with the NLRB. In particular, The Times reported that the company agreed to modify its workplace policies “to ensure that they do not improperly restrict employees from discussing wages, hours and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions.”

It is believed that this case was the first of its kind, where the NLRB took action against an employer related to an employee’s comments and conduct on a social media site like Facebook.

According to the San Jose Business Journal, the company reached a separate private settlement with the fired employee, the terms of which were not disclosed by the NLRB, the company or the employee.

Interestingly, while the case obviously did not get to a full precedent-setting decision, a publicly-acknowledged condition to the settlement was the company’s acknowledgment that outside discussions of work conditions could not be acted upon detrimentally by the company. And without explicitly stating so, these outside discussions obviously included facebook and other social media outlets.

Read More

Social Media Policies Violate Federal Labor Law?

A Connecticut company suspended and then fired an employee for making disparaging comments on Facebook about the company and about her supervisor.

Not in dispute is that the employee’s actions violated the company’s social media and other personnel policies, which (among other things) prohibited depicting the company ‘in any way’ on Facebook or other social media sites or from “disparaging” or “discriminatory” “comments when discussing the company or the employee’s superiors” and “co-workers.”

In dispute is whether that social media policy – and the company’s actions in enforcing the policy – violated public policy, in particular Federal labor law.  This came into fast relief when the National Labor Relations Board (NLRB) subsequently filed a complaint against the company, charging the company with violations of the employee’s rights under the National Labor Relations Act (NLRA).

Read More

Facebook Trademarks “FACE” – HOW?

(Thank you to Thomas Yarnell for contributing to this post.)

It’s one thing for Facebook to claim that a website called “Teachbook” infringes upon the “Facebook” trademark. That seems reasonable. But what about when the social network seeks to trademark both the words “FACE” and “BOOK”?

Last week, Facebook took a big step toward securing the first half of its name, as the company received a Notice of Allowance from the US Patent and Trademark Office for the word “FACE”.  Unless something extraordinary happens between now and the pending issuance, soon Facebook will own a registered United States trademark to the word “FACE”.

To be clear, Facebook’s exclusivity is limited to its defined field, namely:

telecommunication services, namely, providing online chat rooms and electronic bulletin boards for transmission of messages among computer users in the field of general interest and concerning social and entertainment subject matter, none primarily featuring or relating to motoring or to cars.

So, on the one hand, exclusivity is narrow.  And this is important, because while Apple Computers owns trademarks for “Apple”, those are limited to computer and electronic products.  

Read More