MediaTech Law

By MIRSKY & COMPANY, PLLC

Blogs and Writings we Like

This week we highlight three writers discussing timely subjects in copyright, technology, and advertising law. Susan Neuberger Weller and Anne-Marie Dao from Mintz Levin discussed a split in thought on when a copyright is officially registered for purposes of filing an infringement lawsuit; Jeffery Neuburger from Proskauer wrote an interesting article reflecting on technology-related legal issues in 2017 and looking forward to potential hot issues in 2018; and Leonard Gordon posted a piece on Venable’s All About Advertising Law Blog about cancellation methods for continuity sales offers.

When is a Copyright “Registered” for Purposes of Filing Suit?

In a recent post, Susan Neuberger Weller and Anne-Marie Dao from Mintz Levin discuss a split among Federal Courts of Appeal about when a copyright is registered. Weller and Dao note that registration of a US copyright is required prior to being able to initiate an infringement suit (or to obtain statutory damages) in federal court, but there is not an agreement on when “registration” actually occurs. Some circuit courts have found that registration happens when the application is filed, but others believe it only occurs when the Register of Copyrights actually issues the copyright registration. The article recounts a recent case in the 11th Circuit in which the court dismissed an infringement case because the copyright holder had filed the application but no action had been taken by the US Copyright Office.

The authors note that the issue could be resolved if the US Supreme Court agrees to hear an appeal by the plaintiff in the 11th Circuit case, although – but, as of April 16, 2018 the Supreme Court had not acted on the plaintiff’s certirari petition.

What We Like: The article raises an important issue for copyright holders that can be critical in copyright infringement cases. In addition to raising the topic, we particularly like the authors’ summary of the various positions among the federal appeals courts about when copyright registration actually occurs. This list is a good reference for any lawyers considering whether (and maybe even where) to bring an infringement case.

***

Reflections on Technology-Related Legal Issues: Looking Back at 2017; Will 2018 Be a Quantum Leap Forward?

Jeffery Neuburger from Proskauer wrote an interesting article reflecting on technology-related legal issues in 2017 and looking forward to issues that will likely be in play in 2018. Neuburger mentions a number of things that came up in 2017 ranging from cybersecurity to privacy. He also discusses the development of blockchain (“a continuously growing list of records, called blocks, which are linked and secured using cryptography,” which is a “core component of bitcoin”) into areas beyond cryptocurrencies and poses questions about potential legal issues that may arise. In the privacy realm, Neuburger opines that “2018 also promises to be the year of Europe’s General Data Privacy Regulation” (GDPR) and notes that mobile tracking also is likely to be a hot issue in the new year.

Most interesting, Neuburger spends almost half the article talking about quantum computing. He explains that quantum computers operate on the law of quantum mechanics and use quantum bits or “qubits” (“a qubit can store a 0, 1, or a summation of both 0 and 1”), and states that quantum computers could be up to 100 million times faster than current computers. The article further sets out four areas of legal issues related to quantum computers: (i) encryption and cryptography; (ii) blockchain; (iii) securities industry; and (iv) military applications. Neuburger ominously notes that “quantum computers may be powerful enough (perhaps) to break the public key cryptography systems currently in use that protects secure online communications and encrypted data.”

What We Like: We’ve always looked forward to Jeff Neuberger’s commentary on new media and tech law issues, particularly his extensive recent blogging on the GDPR and other privacy issues. But we particularly liked his discussion of quantum computing, a topic not ordinarily discussed in these types of summaries and somewhat challenging for non-scientists to tackle. As is clear from Neuberger’s analysis, many aspects of the law may be affected as this technology advances.

***

Sex, Golf, and the FTC – And, of course, Continuity Sales Programs

On Venable’s All About Advertising Law Blog, Leonard Gordon discusses a recent Federal Trade Commission complaint and settlement with a lingerie online retailer related to a continuity sales promotion – “A continuity program is a company’s sales offer where a buyer/consumer is agreeing to receive merchandise or services automatically at regular intervals (often monthly), without advance notice, until they cancel.” (Gordon included a passing reference to a similar case involving golf balls, but did not provide many details – thus, the reference in the title.)

Read More

Appellate Court Upholds FTC’s Authority to Fine and Regulate Companies Shirking Cybersecurity

In a case determining the scope of the Federal Trade Commission’s (FTC) ability to govern data security, the 3rd U.S. Circuit Court of Appeals in Philadelphia upheld a 2014 ruling allowing the FTC to pursue a lawsuit against Wyndham Worldwide Corp. for failing to protect customer information after three data breaches that occurred in 2008 and 2009. The theft of credit card and personal details from over 600,000 consumers resulted in $10.6 million in fraudulent charges and the transfer of consumer account information to a website registered in Russia.

In 2012, the FTC sued Wyndham, which brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge. The basis of the claim stated that Wyndham’s conduct was an unfair practice and its privacy policy deceptive. The suit further alleged the company “engaged in unfair cybersecurity practices that unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The appellate court’s decision is of importance because it declares the FTC has the authority to regulate cybersecurity under the unfairness doctrine within §45 of the FTC Act. This doctrine allows the FTC to declare a business practice unfair if it is oppressive or harmful to consumers even though the practice is not an antitrust violation. Under this decision, the FTC has the authority to level civil penalties against companies convicted of engaging in unfair practices.

What exactly did Wyndham do to possibly merit the claim of unfair practices?

According to the FTC’s original complaint, the company:

  • allowed for the storing of payment card information in clear readable text;
  • allowed for the use of easily guessed password to access property management systems;
  • failed to use commonly available security measures, like firewalls, to limit access between hotel property management systems, corporate networks and the internet; and
  • failed to adequately restrict and measure unauthorized access to its network.

Furthermore, the FTC alleged the company’s privacy policy was deceptive, stating:

“a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of the business.”

Wyndham requested the suit be dismissed arguing the FTC did not have the authority to regulate cybersecurity. The appellate court found otherwise, however, stating that Wyndham failed to show that its alleged conduct fell outside the plain meaning of unfair.

The appellate court’s ruling highlights the need for companies to take special care in crafting a privacy policy to ensure it reflects the company’s cybersecurity standards and practices. This includes staying up-to-date on the latest best practices, and being familiar with the ever-changing industry standard security practices, including encryption and firewalls.

Read More

.SUCKS: Extortion or Free Speech?

Domain names are an essential part of modern commerce and convey important information about the website’s affiliation and legitimacy. Consumers may briefly glance at the .com or .edu at the end of the page they land on to make sure they’re on the right site, but soon they may see an unfamiliar suffix next to their favorite brand’s page – .sucks.

In 2014, the Internet Corporation of Assigned Names and Numbers (ICANN), a California-based nonprofit that manages and coordinates domain names, agreed to allow Vox Populi, a Canadian domain name registrar, to operate the registry for the new “.sucks” top-level domain (TLD).

Read More

Privacy: Consent to Collecting Personal Information

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added)

Read More

Privacy For Businesses: Any Actual Legal Obligations?

For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all.

Put another way, is it simply a question of disclosure – so long as a business tells users what it intends to do with their personal information, can the business pretty much do anything it wants with personal information?  This would be the privacy law equivalent of the “as long as I signal, I am allowed to cut anyone off” theory of driving.

Much high-profile enforcement (via the Federal Trade Commission and State Attorneys General) has definitely focused on breaches by businesses of their own privacy statements.  Plus, state laws in California and elsewhere either require that companies have privacy policies or require what types of disclosures must be in those policies, but again focus on disclosure rather than mandating specific substantive actions that businesses must or must not take when using personal information.

As The Economist recently noted in its Schumpeter blog, “Europeans have long relied on governments to set policies to protect their privacy on the internet.  America has taken a different tack, shunning detailed prescriptions for how companies should handle people’s data online and letting industries regulate themselves.”   This structural (or lack of structural) approach to privacy regulation in the United States can also been seen – vividly – in legal and business commentary that met Google’s recent privacy overhaul.  Despite howls of displeasure and the concerted voices of dozens of State Attorneys General, none of the complaints relied on any particular violations of law.  Rather, arguments (by the AGs) are made about consumer expectations in advance of consumer advocacy, as in “[C]onsumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.”

Again, there’s little reliance on codified law because, for better or worse, there is no relevant codified law to rely upon.  Google, Twitter and Facebook have been famously the subjects of enforcement actions by the states and the Federal Trade Commission, and accordingly Google has been careful in its privacy rollout to provide extensive advance disclosures of its intentions.

As The Economist also reported, industry trade groups have stepped in with self-regulatory “best practices” for online advertising, search and data collection, as well as “do not track” initiatives including browser tools, while the Obama Administration last month announced a privacy “bill of rights” that it hopes to move in the current or, more realistically, a future Congress.

This also should not ignore common law rights of privacy invasion, such as the type of criminal charges successfully brought in New Jersey against the Rutgers student spying on his roommate.   These rights are not new and for the time being remain the main source of consumer recourse for privacy violations in the absence of meaningful contract remedies (for breaches of privacy policies) and legislative remedies targeted to online transactions.

More to come on this topic shortly.

Read More

RTs are Not Endorsements – Social Media Policies

“RTs do not = endorsements.” We’ve all seen it on Twitter bios, usually bios belonging to members of the media.

These kinds of disclaimers, disassociating the tweets from the people who retweet them, are common. The Twitter bio belonging to Brian Stelter of the New York Times (@brianstelter) notes, “RT & links aren’t endorsements.”

A Social Media Policy Addressing RTs and Linking

But for some, those disclaimers are not enough.  Last fall, the Associated Press introduced an updated social media policy for its reporters and editors.  As recently reported in Yahoo! News, the AP memo advised reporters and editors that “Retweets, like tweets, should not be written in a way that looks like you’re expressing a personal opinion on the issues of the day. A retweet with no comment of your own can easily be seen as a sign of approval of what you’re relaying.” The guidelines note, “[W]e can judiciously retweet opinionated material if we make clear we’re simply reporting it.”

Read More

FTC Blogger Guidelines – A Look at Enforcement

It is a task often relegated to the office interns: posting promotional content to outside social media sites.

Despite the fact that this practice is officially frowned upon in the Federal Trade Commission’s 2009 endorsement guidelines, companies will often engage paid individuals – either employees on the payroll or outside bloggers who receive compensation in the form of a free sample – to post positive reviews online, including to places like Twitter, personal blogs, or online public forums without identifying the connection between the commenter and the product being commented on.

The FTC’s endorsement guidelines seek (among other things) to ensure that unbiased positive reviews online can be considered credible, while also ensuring that positive reviews that are partially the result of some sort of compensation be acknowledged as such.

Read More

Twitter API and Legal Issues for App Developers

Much has been made lately of tension between Twitter and its outside developers.  The issues stoking the fire are less legal issues than business issues brought to front-burner by two particular factors:

(1) The maturity of Twitter as a development platform, or in the words of Ryan Sarver of Twitter, “In the early days, all the clients except Twitter.com were built out by ecosystem companies, mainly because Twitter was so focused on keeping the lights on.  But we learned that in order for us to really grow, we had to start taking over that core experience.” (quoted in the NY Times, 7/17/11).

(2) A reported Federal Trade Commission inquiry into the relationship by the , which has (in some views) caused Twitter to re-think its liberal open-door policy when it came to permitting outside development on its platform.

An excellent story and accompanying podcast on this subject appeared in the NY Times last week, written by Claire Cain Miller.

Bottom line: Twitter is seeking to control the applications that control access to Twitter, meaning desktop and mobile, and leaving the field open to enterprise applications, usability applications, analysis and similar applications.

Certainly the business reasons seem pretty clear, in that Twitter seeks to control core functionality – and the development of that core functionality – of the mother ship.  Although it is not terribly surprising that that strikes some critics as cynical, see for example here (“Twitter, just be honest: ‘The only way we can figure out how to make money is same ol’ display ads and we need to own the client for that.’”)

There are legal issues here, namely the ability of the platform to restrict access to its API.  As Claire Miller and others have noted, part of the problem for Twitter is that developer expectations may have been artificially inflated.  But there is more.  The FTC hint of antitrust scrutiny may be causing Twitter some heartburn about its historical open-ness.  Some analogy from two unrelated contexts: In trademark law, the concept “use in commerce” requires confirmation of continued public use of a registered trademark every 5 years or so.  In real property law, a property owner’s failure to restrict public access to property – and thus demonstrate its private claim – can, under some circumstances, support a court’s granting a permanent public right of way.

Quoting Rob Diana from Regular Geek, “Twitter also now owns the platform as a whole and must be as reliable as a utility company.  They must provide all of the capabilities that consumers need in the clients.” (emphasis added) A danger for a “public utility” of the information superhighway is creeping expectation of the duties and obligations of public purpose: Loss of commercial freedom, permanent regulatory scrutiny and public stakeholder claims.  It may very well be that Twitter is acting much like New York’s Rockefeller Center, which closes public access to traffic one day a year as a legal “fiction” in order to continue to assert private ownership rights.

Twitter rolled out its new API TOS (“Developer Rules of the Road”) in March of this year.  Rob Diana noted at that time that the announcement may have been – or perhaps should have been – anticlimactic, in that “A basic Twitter client is a terrible idea in today’s ecosystem.”  Wrote Diana:

Unless there is major functionality outside of the existing solutions, a new client is a losing idea. There is a high barrier to entry when we already have third-party clients like Tweetdeck, Seesmic, HootSuite and PeopleBrowser. This does not include some of the other applications that focus on team or brand management. So, by saying not to develop a new client, Twitter has saved us and investors a lot of time and money.

Read More

Who Needs a Privacy Policy?

A privacy policy?  Who needs a privacy policy?  Privacy is a mess.  You’re building an online business, and you figure you have to have a privacy policy.  But why?  Is “because everyone else has one” a good enough reason?  Ever wonder what you really need to know about privacy law?  I mean … what you have to comply with as a business operating in an online environment?

Here, then, the first of several Frequently Asked Questions about privacy policies.  Or to be more precise, here now some practical answers on privacy practices:

FAQ #1: Can I simply post a privacy policy and forget about it?  Short Answer: No.  Longer Answer: No, because as between posted statements and actual compliance, actual compliance is what’s required.  

Read More

Podcast #1: FTC’s recently issued privacy proposals

Podcast #1: December 30, 2010


In today’s podcast, we discuss the Federal Trade Commission’s recently issued privacy proposals. My guest is Karen Neuman, a founding partner of St. Ledger-Roty Neuman & Olson LLP, a Washington, DC law firm that focuses on regulation of information technologies and communications law, including privacy & data security, mobile communications, the Internet, media, telecommunications and related transactional matters.

At the core of the new privacy proposal is the idea that the current system of self-regulation does not provide enough consumer protection.  Basically, from the FTC’s perspective, people do not pay enough attention to the data-collecting activities of websites and not enough companies are up-front about the data they do collect from visitors to their sites.  The FTC says that while many companies detail their data collection through privacy policies, consumers bear too much of a burden in having to sort through such long, legalistic documents.

Among other proposals, the FTC’s new framework would require a “Do Not Track” option, much like the one we currently have to avoid telemarketers.  “Do Not Track” would essentially prevent companies from tracking things like your browsing history and buying habits, making it much more difficult for them to target consumers with personalized ads.  The proposal also aims to have companies incorporate more consumer protection into their business practices through simpler, more transparent options and by allowing consumers more access to the data being collected about them.  The FTC issued its proposed rules just last week, and requested public comment from both businesses and the public.

Please click play on the audio player below to hear the podcast.

Read More