Continue reading »]]>

In an effort to provide clarity on it its revised Children’s Online Privacy Protection Rule (“Rules”), the FTC recently published a list of  Frequently Asked Questions (“FAQs“) with information on how to comply. The FAQs should provide helpful guidance to operators of commercial websites and other online services (such as mobile apps) that are either directed to children under 13 or otherwise collecting, using and/or distributing information from children. The Rules, which implement the Children’s Online Privacy Protection Act (“COPPA”), were amended by the FTC in December 2012 in an effort to “keep up with changing technology”. The Rules appear to be a regulatory priority: on May 15th, the FTC sent letters to 90 companies highlighting the changes and warning that new compliance measures may be necessary — including changes in privacy and data retention policies, notices, and parental consent mechanisms.  

Below are some highlights from the FAQs:

• FAQ 4 clarifies when an operator needs to obtain parental consent for information collected prior to the effective date of the amended Rules. Specifically, operators who have collected geolocation data from children without parental consent, must obtain that consent immediately. Conversely, operators who, before the effective date, collected (i) photos, videos or audio files of children; (ii) screen or user names; or (iii) persistent identifiers, are not required to obtain consent. (Although the FTC recommends they do so.)  However, operators should obtain consent if persistent identifiers or screen/user names are later associated with newly collected information.

• FAQ 30 says that when an app is directed to children, the amended Rules require privacy policies to appear on a home or landing screen, but the Rules do not expressly require those policies to appear at point of purchase. Nevertheless, the FTC encourages app operators to include a link to the privacy policy at point of purchase. However, if an app collects personal information upon download, it will be necessary to provide direct notice and obtain verifiable parental consent as required by COPPA.

• FAQ 32 describes in detail the format and content of information that operators must include in direct notices to parents.

• FAQ 41 makes clear that under the amended Rules, the website/online service operator is liable for the collection of information on its site or through its services (including through ads), even if the operator did not engage in the collection. For example, an operator of a child-directed website may be required to notify parents and obtain verifiable parental consent when data is collected through third-party advertising run on its site.

• FAQ 53 says a teen-focused website may be deemed “directed to children” if it attracts a substantial number of children under the age of 13. Where any website is determined to be directed to children, it may not block children under 13 from using the service.  In those cases, the service must be fully COPPA compliant. However, where children under 13 are not the primary audience of the website/online service, operators may screen out those users who identify themselves as being under 13.

• FAQ 66 states that mobile app operators cannot rely on a parent’s app store account and credit card information — even with the password — to serve as verifiable parental consent.

• FAQs 76-79 give additional clarity on the “support for internal operations” exception. A website may use certain information without consent for performing network communications, authenticating users or personalizing content for the site or service, serving contextual ads or capping the frequency of ads, protecting the security or integrity of the user, site or service, or ensuring legal or regulatory compliance. However, the FAQs also make clear that behavioral advertising and other similar practices will not fall under this exception.

• The FAQs also highlight in several areas that the new Rules require “reasonable” retention and deletion procedures for children’s data.  Companies are not allowed to keep data indefinitely, but only so long as is reasonably necessary for the operation of the business.

There’s more to the FAQs and we encourage you to review them prior to July 1, 2013 — the effective date of the new Rules.

- S. Gregory Boyd, Terri Seligman and Claudine Wilson

Continue reading »]]>

Can you legally re-sell digital goods like the music files you’ve downloaded from iTunes?  That was the question in Capitol Records, LLC v. ReDigi Inc., 2013 WL 1286134 (S.D.N.Y. Mar. 30, 2013).  The court held that the resale of copies of digital music files, as facilitated by the defendant’s technology, was not permissible.  The Court also found that, because the resale of digital music via ReDigi’s online marketplace involved the making of unauthorized copies of digital files, ReDigi was liable for copyright infringement. Here’s a summary.

ReDigi is a startup company that bills itself as “The World’s First Pre-Owned Digital Marketplace.”  As described in the Court’s opinion, files purchased from iTunes or the ReDigi online marketplace could be uploaded to ReDigi’s “Cloud Locker,” and, as part of that uploading process, ReDigi’s service caused uploaded music files to be deleted from the uploader’s personal computer.  An uploaded music file could then be sold to a purchaser for download to his own personal computer or device.

ReDigi argued that this system of uploading and deleting digital files made a consumer’s resale of music files via the ReDigi online marketplace essentially identical to a resale of a physical compact disc, a practice that would be permissible in the context of other online marketplaces (such as E-Bay).   Indeed, resale of certain traditional media, such as lawfully made compact discs and LPs, is generally permissible without the permission of the copyright owner under copyright’s First Sale doctrine.

ReDigi argued that its system of uploading digital files to a cloud-based server, and automatically deleting them from the uploader’s personal computer, is best characterized as “migrating” a user’s file.  However, to Capitol Records, and to the Court in this case, that “migration” process actually entailed unauthorized copying because it involved the creation of a new “phonorecord” on ReDigi’s servers at the time of the upload.

Having found that ReDigi’s digital file migration process involved creation of a reproduction of the underlying sound recording, the Court readily concluded that ReDigi was engaging in copyright infringement.  Moreover, the Court held that the First Sale doctrine was inapplicable because that doctrine applies to redistributions of copyrighted work, but not redistributions of unlawful reproductions.

The Court’s ruling in this case demonstrates that mere removal of digital content from a seller’s computer is not sufficient to permit the sale of that digital content online pursuant to the First Sale doctrine.  It also demonstrates that, barring congressional intervention, reselling digital content online will continue to be more difficult than reselling traditional media.

-          Glen Westerback

Continue reading »]]>

According to a recent settlement, in addition to images of the world’s roads and buildings, Google’s special Street View vehicles may have also collected personal information from users on unencrypted business and personal wireless networks.  

The settlement ends a two year, multi-state investigation that was led by the Connecticut Attorney General’s Office. According to the settlement, Google executives were not aware that the software used in its vehicles was collecting personal data, which may have included URLs of requested Web pages, email addresses, partial or complete email communications, and any confidential or private information being transmitted to or from the network user at the time. Google alleges that it never used this data, and once discovered, the company took steps to segregate and secure the data. According to a press release issued by the Connecticut AG’s Office, Google has since disabled or removed network identification and data collection equipment and software from its Street View vehicles, and has agreed not to collect additional data through the vehicles without notice and consent.

In addition to the payment of $7 million dollars, which will be divided among the 38 states (and the District of Columbia) involved in the investigation, the settlement requires Google to destroy the collected data and to set up a privacy program that includes, among other requirements, annual privacy week events for employees, privacy certification programs for selected employees, refresher training for its lawyers overseeing new products, and training programs for employees who deal with privacy matters. In addition, the settlement requires Google to issue a public service campaign to educate consumers on ways they can secure their data while on wireless networks. The public service campaign will run as a how-to video on YouTube, on Google’s public policy blog, on informational pamphlets, and as half-page ads in major newspapers in the states involved in the investigation. Google has been the subject of other privacy enforcement actions. For example, in 2012, the FTC  fined Google $22.5 million for impermissibly tracking users of the internet browser Safari in violation of an earlier privacy settlement order — the largest penalty ever levied by the FTC for violation of a settlement order.

The Street View  settlement makes clear that data collection remains a regulatory hot spot. If you need advice about data collection, or have other advertising and marketing law concerns, please contact S. Gregory Boyd at 212.826.5581 or gboyd@fkks.com, Claudine Wilson at 212.705.4842 or cwilson@fkks.com, or any other member of the Frankfurt Kurnit Technology, eCommerce and Privacy Group.

Continue reading »]]>

Please excuse the quick commercial, but we are very pleased to report that the National Law Journal just named Frankfurt Kurnit to its 2013 Midsize Hot List – a list of 20 of the nation’s top midsize law firms.  We’re so thrilled with this honor that we wanted to share it with our readers.  Here’s what the National Law Journal had to say about us.

Continue reading »]]>

On March 28, 2013, the New York Court of Appeals rejected challenges by major online retailers and upheld the constitutionality of a New York Internet sales tax statute.  See Overstock.com v. NYS Dept. Taxation & Fin., Nos. 33 & 34, NYLJ 1202593915304, at *1 (Ct. of App., Decided March 28, 2013).  The case was a consolidation of two lawsuits, one brought by Amazon.com and another by Overstock.com, each of which argued that a New York statute violated the U.S. Constitution’s Commerce Clause and Due Process Clause by requiring online retailers to collect sales taxes on purchases made by New York residents if the retailers have agreements with New York based affiliates (i.e., independent sites that link to a retailer in return for a commission or other consideration).

The Court noted that federal case law requires an online retailer to have a “physical presence” in a state before the state may collect sales tax from that retailer.  The Court also noted that “active solicitation” of customers that produces a significant amount of revenue has been held to be sufficient to qualify as “physical presence.”

The plaintiffs argued that their relationships with affiliates (i.e., participants in Amazon’s “Associate’s Program” and Overstock’s “Affiliate’s Program”) did not constitute a sufficient “physical presence” in New York.  The Court, however, disagreed and found that such relationships effectively established an in-state sales force for the plaintiffs, and therefore qualified as “solicitation” sufficient to qualify as “physical presence”.  Thus, the Court found that sufficient contact existed with New York to permit state taxation without violating the federal Constitution.

The Court also rejected a challenge to the law under the Constitution’s Due Process guarantee.

As of the date of this posting, the plaintiffs were reportedly considering appealing the Court’s holding to the U.S. Supreme Court.  Meanwhile, momentum has grown in the U.S. Congress for federal legislation to address the issue.

-By Glen Westerback and Adam Nelson

Continue reading »]]>

Is the use of a competitor’s name in keyword advertising a violation of his or her right of publicity?  This issue was recently addressed by a Wisconsin appellate court in Habush v. Cannon, 2013 WL 627251 (Wisc. App. Ct. Feb. 21, 2013).  The case arose after one personal injury law firm, a defendant in the case, purchased names of a competing law firm’s partners as advertising keywords on several search engines.  In purchasing the advertising keywords, the defendant firm was able to assure that people searching on those search engines for the plaintiffs’ names would be shown sponsored links identifying the defendant’s website.  In granting the defendant’s motion for summary judgment, the Court found that this usage is distinguishable from putting a competitor’s name or image in an advertisement or on a product.  Accordingly, the Court held that the defendants’ use of the keywords did not constitute the kind of “use” prohibited by Wisconsin’s right of publicity statute.  The Court classified this use of the plaintiffs’ names as a “non-visible” use because consumers could not actually see the plaintiffs’ names in the defendant’s ads, but declined to extend its holding to all “non-visible” uses and instead restricted itself to Internet keyword search terms specifically.  In its analysis, the Court analogized the circumstances to the placement of billboards near a competitor’s store because such a strategy does take advantage of the plaintiffs’ names and reputation but does not violate the Wisconsin right of publicity statute.

By Glen Westerback and Adam Nelson

Continue reading »]]>

In December, an FTC order barred Epic Marketplace, Inc. from continuing a practice known as history sniffing. The technology employed by the company allowed them to track sensitive information including certain medical and financial information for millions of consumers. According to the terms of the settlement, the company must cease those practices and destroy any information collected previously and, upon FTC request, submit to auditing of data collection practices, consumer data complaints, and the company’s terms of use agreements for three years. The settlement also bars Epic Marketplace from making future misrepresentations regarding the collection of such information.

Epic Marketplace is a large advertising network with connections to more than 45,000 websites. Consumers who visited these sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. Epic’s privacy policy only disclosed that it would gather information about the sites viewed within the Epic Marketplace network, not third-party sites. However, the technology employed by the company could track previously viewed sites. In many web browsers, links that that been used by a viewer are a different color than links that have not been viewed. By monitoring the color of links on sites within its network, Epic Marketplace was able to gather information about a user’s interest in third-party sites as well. The FTC determined that this undisclosed history sniffing practice was deceptive and allowed Epic Marketplace to know if a consumer had visited more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.

The FTC complaint states that depending on the domains a consumer visited, Epic assigned the consumer an advertising interest segment. These interest segments included categories such as “Incontinence,” “Arthritis,” “Memory Improvement,” and “Pregnancy-Fertility Getting Pregnant.” After an interest segment was assigned, Epic targeted ads to consumers based on those interests.

Website and mobile application operators should be mindful of their data collection and use practices, especially regarding behavioral advertising. Many behavioral technologies are new to the marketplace and most likely are not in alignment with previous privacy policy disclosures. This case underscores the need for close cooperation between legal and technical departments within organizations. Companies should monitor new technology used in advertising, make clear disclosures regarding privacy practices, and schedule regular privacy policy reviews to make certain that disclosures are consistent with FTC regulatory guidance.

- S. Gregory Boyd

Continue reading »]]>

In early 2012, Zappos, a division of Amazon, was the victim of an enormous customer data breach affecting 24 million records. Class action attorneys filed cases against the online shoe retailer citing multiple breaches of contract and privacy violations. Zappos’  Terms of Use (TOU) contained an arbitration provision, which may have saved the company from the plague of the class action bar, but it didn’t. In what may become a trend, a federal district court in Nevada found the TOU invalid for two reasons. 

First, the Zappos TOU was never explicitly agreed to by the consumers.  Generally speaking, there are two types of TOU found on the internet, clickwrap and browsewrap. A browsewrap agreement is a link at the bottom of a webpage or application containing a TOU. The user agrees to the browsewrap agreement merely by browsing the site, without having actually read the agreement or accepting the terms of it in any way. In the Zappos case, the court held this type of TOU unenforceable because the user never actually indicates consent. The alternative would have been for each Zappos user to click “I accept” to the TOU when creating an account or when making a purchase. This would have been a better indicator of consent than is available via a browsewrap agreement.

Second, the Zappos TOU contained a very common provision that stated Zappos could modify the TOU at any time. The court took this to an extreme and stated that this power included removing or modifying the arbitration clause. In traditional contract law, a contract that is unilaterally amendable is not an enforceable contract: if one party can change the contract at any time, then what does it really mean and how can a court enforce it? The court did not take into account that this type of provision is nearly ubiquitous on the internet.

One solution for these problems is simple and may have saved Zappos substantial resources defending class action litigations. First, we recommend that clients consider making any TOU on a monetized website or application a clickwrap agreement, not a browsewrap agreement. User consent is most easily obtained during account registration and purchases. Second, consider removing any language in a TOU permitting you to modify the terms of the TOU at any time. Instead, keep track of the user base and have them periodically accept (e.g. for new users, application patches, or purchases) the new TOU whenever you modify it.

As a best practice, a website or application should review its Privacy Policies and TOU at least annually for compliance with updates in the law as well as changing technology.

- S. Gregory Boyd

Continue reading »]]>

The Federal Trade Commission (FTC) issued a staff report on Friday recommending ways for participants in the mobile ecosystem to improve their mobile privacy disclosures. The report includes guidance tailored for key commercial players involved in the mobile area, including platforms (such as Apple’s iOS and Google’s Android), app developers, certain third parties (such as ad networks and analytics companies), and trade associations. The report is based, in part, on feedback the FTC received at a May 2012 workshop, as well as other panel discussions and written submissions. Similar recommendations from California’s Attorney General were released last month. 

The FTC noted in the report that its recommendations are intended to be “sufficiently flexible to accommodate further innovation and change” and, to the extent any guidance in the report extends beyond the requirements of existing law, that guidance “is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.”

The recommendations are largely focused on making sure that consumers receive timely and easily understandable disclosures about what data is being collected, and how that information is used. Specifically, the report includes the following guidance:

 A.   Recommendations for Mobile Platforms

• Provide just-in-time disclosures to consumers and obtain their affirmative consent prior to allowing apps to access sensitive content (e.g., geolocation data);
• Consider creating a dashboard of privacy controls to allow consumers to review the types of data accessed by the apps they download and to revisit information choices previously made;
• Use icons to communicate key concepts to users, such as to alert users when data is being transmitted;
• Promote best practices to app developers;
• Clearly disclose to consumers the extent to which platforms review apps prior to making them available for download and conduct compliance checks for apps placed in app stores; and
• Consider offering a Do Not Track mechanism for smartphone users.

B.   Recommendations for App Developers

• Make sure to have a Privacy Policy easily accessible through the app stores;
• Provide just-in-time disclosures and obtain affirmative express consent prior to collecting or sharing sensitive information (to the extent platforms have not already done so);
• Improve coordination with advertising networks and other third parties (e.g., analytics companies) in order to make sure accurate disclosures are made to consumers; and
• Consider participating in self-regulatory regimes and industry organizations.

C.   Recommendations for Advertising Networks and Other Third Parties

• Communicate and coordinate with app developers to help them provide truthful and complete disclosures to consumers; and
• Work with App Platforms to implement mobile Do Not Track.

D.   Recommendations for Trade Associations, Academics, and Researchers

• Create short form disclosures (e.g., icons and badges) for use by app developers;
• Promote standardized forms of privacy policies that will enable consumers to compare data practices across apps; and
• Educate developers about privacy.

The report also mentions that the FTC recently settled charges that Path, Inc. (“Path”), a mobile social networking service, deceived consumers about the collection of address book information on mobile devices through its mobile app, and illegally collected information from children in violation of the Children’s Online Privacy Protection Act (COPPA). According to the terms of the consent order, Path will, in addition to other requirements, pay a civil penalty of $800,000.

This enforcement action, together with the report, clearly demonstrates the FTC’s continued focus on consumer privacy issues in the mobile app context.

- Glen Westerback

Continue reading »]]>

California’s Attorney General recently released a set of official privacy recommendations for consideration by mobile app developers, mobile ad networks and related industry players. The recommendations, published in a report entitled, “Privacy on the Go: Recommendations for the Mobile Ecosystem,” include development and disclosure recommendations that encourage participants in the mobile app ecosystem to consider privacy at the outset of the app design process and to focus on minimizing surprises to users from unexpected privacy practices. Although some of the recommendations are already required by existing law, most of them are provided for purposes of educating the industry and promoting privacy best practices. This report comes on the heels of recent enforcement actions initiated by the California Attorney General against mobile app producers, as well as a recent FTC report critical of mobile app privacy practices.

The report includes the following suggestions:

I.   Recommendations for App Developers

• Consider privacy at the outset of the development process. Create checklists to review the personally identifiable information (“PII”) your apps could collect, and to help you make privacy decisions about data collection, use, disclosure, and retention.

• Avoid or limit collections of “sensitive information” (e.g., precise geo-location, financial and medical data, stored data such as contacts or photos, children’s information, etc.) and any PII not needed for your app’s basic functionality. Do not retain PII longer than strictly necessary.

• Develop a Privacy Policy that is clear, accurate, and comprehensive. The Policy should be conspicuously available for review by users before download and also readily accessible from within the app itself. Consider hosting the Policy online to facilitate Policy updates. Format the Privacy Policy in a manner that is easily readable on mobile devices, and highlights the most relevant privacy issues.

• Supplement the Privacy Policy with enhanced communications to alert users of data practices that may be unexpected. Such communications may be delivered in context and just-in-time through the app or via separate short privacy statements. For example, when an app accesses sensitive device features (e.g., a camera or microphone), or data stored on the device (e.g., call logs, contact lists, text messages), supplemental notices or alerts are appropriate.

• Provide users with control settings to help them manage how their information is treated, especially for sensitive information. Develop mechanisms to give users access to their PII.

• Use an app-specific or other non-persistent device identifier rather than a persistent, globally unique identifier.

• Make sure the app’s default settings are privacy protective.

• Use security safeguards (such as encryption) to protect PII from unauthorized access, use, disclosure, modification or destruction.

• Comply with applicable laws (such as laws pertaining to Apps directed to children) and industry requirements (such as Payment Card Industry Data Security Standards).

• Designate someone in your organization to have responsibility for App privacy and provide appropriate training to employees concerning privacy.

II.   Recommendations for Mobile Ad Networks

• Avoid delivering ads outside of the context of the app. For example, avoid modifying users’ mobile web browser settings or placing icons on their mobile desktops. However, if ads will be delivered outside of the app, obtain prior consent from users, and provide clear attribution to the applicable host app.

• Share your Privacy Policy with the app developers that enable delivery of targeted ads through your network. Provide a link to your Privacy Policy for developers to share with their users.

• Use enhanced communication methods (e.g., just-in-time notices), and obtain prior consent from users, before accessing PII.

• Use app-specific or temporary device identifiers, rather than device-specific identifiers.

• Transmit user data securely.

III.   Recommendations for App Platform Providers

• Allow users to access and review Privacy Policies for apps from within the app platform prior to their download of the app.

• Educate app developers about their privacy obligations, and encourage consumers to look for relevant privacy policies and controls.

• Provide users with tools to report non-compliant apps.

IV.   Recommendations for Others

• Developers of operating systems for mobile devices – such as Apple, Google, and Microsoft – are encouraged to develop global privacy settings that allow users to control the information and device features accessible to apps.

• Mobile Carriers are encouraged to educate mobile customers on mobile privacy, especially with respect to children.

- Glen Westerback