March 10, 2010

FTC Hammer Falls On LifeLock's Online Identity Theft Protection Service

On March 9, 2010, the FTC announced that LifeLock had agreed to pay $12 million to the FTC and 35 State attorneys general to settle allegations that claims it made about its identity theft protection service were false. LifeLock is well known from its TV, radio and Internet advertising, which touted its "proven solution" to prevent identity theft before it happened, and offered a $1 million guarantee to consumers. TV ads often featured CEO Todd Davis, who would drive around in a van with his social security number painted on the side, while announcing his social security number on a loudspeaker. In the ads, Davis would state, "I'm Todd Davis, and I'm here to prove just how safe your identity can be with LifeLock. That's my real social security number."

The FTC complaint, which was made public on March 8, stated that LifeLock's credit protection service actually consisted of the following elements: placing an Initial Alert on its customers' consumer reports with credit reporting agencies, obtaining and providing its customers with copies of their free annual credit reports, and submitting requests on its customers' behalf to remove their names from lists of prescreened offers of credit.

According to the FTC, these steps did not prevent identity theft and did not provide many of the protections LifeLock promised. While an Initial Alert can provide notice to businesses that someone may be impersonating another, it is only useful if the business accesses the consumer's credit report as part of the transaction - something that generally only occurs where a consumer opens a new account. According to the FTC, "Alerts do not protect against more common types of identity theft, such as misuse of an existing credit account . . . medical identity theft, employment-related identity theft, or using another's identity to evade law enforcement." An Initial Alert would also be highly unlikely to prevent wire transfer fraud, since financial institutions do not check credit reports before initiating wire transfers.

The FTC charged that LifeLock falsely claimed that its ID theft prevention service made customers' personal information useless to thieves and prevented unauthorized changes to customer address information. It also charged that LifeLock failed to take appropriate security measures to protect sensitive data that customers provided to LifeLock itself.

On March 9, LifeLock and Davis entered into a Stipulated Final Judgment and Order for Permanent Injunction to settle the FTC's claims. In this order, the defendants did not admit to the allegations in the FTC complaint. However, they did agree to an injunction prohibiting them from engaging in the activities charged in the FTC complaint, including, "misrepresenting" that its ID theft program "provides complete protection against all forms of identity theft by making customers' personal information useless to identity thieves."


March 9, 2010

Keller v. Electronic Arts: Court Finds that Electronic Arts' Use of Personal Traits in Video Games Violated College Footballer's Rights of Publicity

Digital media law update: Players have long complained about the lack of compensation they receive when risking their bodies in service of the multi-billion dollar business of college football. However, a court in the Northern District of California has drawn a line in the sand for at least one type of exploitation of their talents. In a February 8, 2010 ruling, Judge Claudia Wilken held that Electronic Arts could be held liable for violating college players' rights of publicity for using their personal characteristics in its NCAA Football video game. While this was only a preliminary ruling, a loss for Electronic Arts (EA) could have big money implications, putting it on the hook to pay for use of player images in games already distributed and requiring it to get licenses before creating future editions.

The case is a class action entitled Keller v. Electronic Arts, Inc., Northern District of California, No. 4:09-cv-01967. Electronic Arts, which is based in the Los Angeles area, is the world's largest manufacturer of videogame software. In 2009, its gross revenues exceeded $4 billion on the strength of titles such as Madden NFL. Among its many sports titles is NCAA Football, a game which enables players to recreate football matches between college teams.

According to the complaint, EA designs NCAA Football to include characters that resemble real-life college athletes. The virtual players "share the same jersey numbers, have similar physical characteristics and come from the same home state." While EA omits the players' names, game users allegedly can "access online services to download team rosters and the athletes' names and upload them into the games." The complaint further charges that in recent versions, EA has included features to facilitate the upload of this data.

The complaint alleged that EA's actions violated the players' rights of publicity. California law contains both statutory and common law causes of action for violation of rights of publicity. California's right of publicity statute provides that "any person who knowingly uses another's name, voice, signature, photograph or likeness, or in any manner, on or in products, merchandise, or goods . . . shall be liable for any damages sustained by the person or persons injured as a result." Cal. Civ. Code § 3344(a).

Electronic Arts conceded that the allegations in the complaint stated a claim for violation of their rights of publicity. However, EA countered that the players' rights of publicity claims were barred by the doctrines of transformative use and public interest use and a statutory "reporting" exception.

Judge Wilken disagreed.


February 16, 2010

Catsouras v. California Highway Patrol: California Court Recognizes Family's Privacy Interest in Death Scene Photos of Deceased Relative

On January 29, 2010, the California Court of Appeal issued an opinion holding that the family of a decedent could bring an action for invasion of privacy for the publication on the Internet of gruesome photos of their deceased daughter who was decapitated in an auto accident. Catsouras v. Dept. of the California Highway Patrol. Fn1. This decision does not mean that family members now have the right to bring a claim for the invasion of the privacy of a deceased relative. Rather it is merely an application of an established legal principle that the relatives of a person whose privacy was breached may bring suit, if the breach also invaded their own, separate privacy interests.

It is a fundamental tenet that privacy rights are personal and only the person whose privacy has been invaded can sue to recover damages for a breach. This means that if the victim has died, his relatives may not bring a claim for invasion of the victim's privacy either by suing personally, or on behalf of the deceased's estate. Fn2 As the law treatises put it -- there is no "relational right" to bring a claim for invasion of privacy. Fn3 Among the reasons for this limitation is a general judicial wariness towards claims of pure emotional injury, and concerns about permitting plaintiffs to gain a double recovery. Fn4.

However, courts have permitted relatives to recover where the breach also constituted an invasion of their own privacy rights. For example, in Vescovo v. New Way Enterprises, Ltd., the defendant ran a classified ad in an L.A. paper touting "Hot Lips --- Deep Throat Sexy young bored housewife Norma" and giving plaintiff Norma Vescovo's address. The California Court of Appeal permitted not only Norma, but also her 14-year-old daughter, to bring claims for invasion of privacy. This was because the ad had resulted in "in excess of 100 persons" coming to the Vescovos' home, day and night, "demanding to see Norma, creating disturbances, and using lewd, abusive and threatening language" and "in excess of 150 motor vehicles stopp[ing] in front or cruis[ing] slowly" by the residence, and subjecting the family, including the 14-year-old, to neighborhood ridicule. Because the 14-year-old sought to recover for the intrusion into her own seclusion, her claim was proper. Fn5

The Catsouras case fits into this exception. The facts of the case are tragic. On October 31, 2006, 18-year-old Nicole Catsouras was decapitated in an automobile accident. CHP officers arrived at the scene and cordoned off the area. They also took multiple photos of the decapitated corpse. Two CHP officers allegedly emailed copies of these "graphic and horrific" photos to members of the public who were not involved in the investigation. Once released, the photos went viral and soon appeared on more than 2,500 websites around the world.

A number of Internet miscreants then decided to use the occasion to torture the decedent's relatives. For example, her father, Christos Catsouras, received several emails containing the photographs, including one entitled "Woo Hoo Daddy" that said "Hey Daddy I'm still alive." These and other emails caused the Catsourases severe emotional and mental distress. As a result, the Catsourases sued the CHP on invasion of privacy and related tort theories.


February 3, 2010

The FTC's Privacy Initiatives Pose a Threat to Online Behavioral Advertising, Despite the Lack of a Clear Congressional or Public Mandate

Digital media law update: The FTC has been working on Internet privacy policy since at least 1995. It is currently engaged in a series of roundtables focusing on privacy and behavioral advertising. However, the shape of any new regulations is very fuzzy. This may be because the data on the public's true interest in the issue is conflicting, and because there is no clear Congressional mandate.

At the FTC's December 2009 privacy roundtable, panelists raised concerns that collection and third party use of browsing data invades private space by: (1) revealing a user's innermost thoughts, such as a search history that reflects a user's explorations of his sexual identity, (2) taking away a user's control over her identity, such as by broadcasting compromising photos of a user at a Cancun Spring Break party to a potential employer, (3) revealing sensitive identity or financial information that can be misused by third parties to perpetrate fraud, or (4) intruding on a user's seclusion by serving targeted ads during a browsing session that reveal that outsiders are listening in.

Survey data presented at the roundtable indicated that consumers are aware that information is being collected about them online and are uncomfortable with the idea that third parties are using this data. Alan Westin of Columbia University stated that surveys indicate that "a majority ranging in numbers from low of 50% all the way up to 70% to 80% say they're uncomfortable with behavioral marketing and would want to have at a minimum a kind of notice, choice, security and ways of intervening that would give them some comfort if they were going to have their information tracked in that way."

A growing number of firms with online presences are offering users a chance to review the data being collected about them and to opt out or to change the collection and use of that data. For example, Google's Dashboard and Ad Preferences Managers provide users with extensive details on the browsing history Google has collected about them. They also let users select or de-select ad categories they want served to them.

However, most users do not take advantage of these "notice and choice" systems. According to Google's head of U.S. public policy, Alan Davidson, Google gets "tens of thousands of unique visitors to these sites each week." However, "four times as many people who come as visitors to the site actually change their preferences rather than opting out. . . . [a]nd actually, ten times as many people actually do nothing." Rick Erwin of Experian Marketing Services stated that about 7200 consumers choose to opt out of Experian's marketing data collection activities. Jennifer Barrett from Acxiom stated that over the past ten years "about a half a million consumers" have asked to opt out or correct information gathered by her site.

One explanation for the low level of consumer response to notice and choice systems is that these systems are simply too complex and confusing for consumers to navigate. Another explanation is that despite the survey data and a few incidents where use of private data led to personal woe, consumers are really not that concerned about the collection and use of their personal data.


December 20, 2009

Alamar Ranch v. Boise: District Court Rules that an Employee Waived the Attorney-client Privilege for Emails She Sent to Her Counsel from Her Work Computer

On December 17, we reported on the Convertino case in which a judge found that the attorney-client privilege was not waived for emails exchanged on an employer's network, even though the employer had access to them. It did not take long to find a case with virtually identical circumstances in which a Court reached the exact opposite result - a ruling that the privilege had been waived. This was a really bad result for the employee, because it meant that those emails could be used against her in court. See Alamar Ranch, LLC v. County of Boise, D. Idaho, No. 1:09-cv-00004, Memorandum Decision and Order (Nov. 2, 2009).

This case concerns a challenge of Boise County's denial of a permit for Alamar to construct a home for troubled youth. As part of this action, Alamar subpoenaed the records of Jeri Kirkpatrick, an opponent of the project, as well as those of her employer, the Idaho Housing and Finance Association (IHFA), to obtain emails that Kirkpatrick had sent or received through her work email address. IHFA produced the emails, which were stored on its servers.

Kirkpatrick objected that the emails were protected under the attorney-client privilege. Alamar countered that IHFA's employee policies stated that IHFA "reserved and intends to exercise the right to review, audit, intercept, access and disclose all messages created, received or sent over the e-mail system for any purpose." Kirkpatrick responded that she was unaware that her emails had ever been monitored - although she was aware of another IHFA case where monitoring had occurred.

The Idaho Court concluded that the attorney-client privilege for the emails had been waived. According to the Court, the case presented "a simple scenario where the IHFA put all employees -- including Kirkpatrick -- on notice their emails would (1) become IHFA's property, (2) be monitored, stored, accessed and disclosed by IHFA, and (3) should not be assumed to be confidential." While Kirkpatrick stated she was not aware of any company monitoring, her bare assertion was insufficient to support a claim for nonwaiver. Rather, "It is unreasonable for any employee in this technological age - particularly an employee receiving the notice Kirkpatrick received - to believe her emails, sent directly from her company's email address over its computers, would not be stored by the company and made available for retrieval."

The Court found that the privilege also had been waived for emails her attorney sent to her company email address. The Court reasoned that "there is no question that her address - "Jeri@IHFA.org" - clearly put [her attorney] on notice that he was using her work e-mail address. Employer monitoring of work-based emails is so ubiquitous that [her attorney] should have been aware that the IHFA would be monitoring, accessing and retrieving e-mails sent to that address."

On the other hand, the Court found that the privilege was not waived for emails sent by other clients of Kirkpatrick's attorney to her attorney, and which copied Kirkpatrick at her work address. The Court reasoned that "laypersons are simply not on 'high alert'" for privilege issues as attorneys "must be", and would have reasonably assumed that they were having a confidential conversation with counsel.

The take-away from this case is the same as in Convertino. Employees should be very wary about making confidential communications to their attorneys from their employers' email systems. Many courts will find that privileges have been waived for emails sent over a system over which an employer has retained a right of access. So if an employee is truly concerned about maintaining the privilege, he/she should send all email communications to his/her attorney from a private email account.

David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.

December 17, 2009

Convertino v. DOJ: Federal Court Upholds Attorney-Client Privilege for Employee's Private Communications to which Employer Had Access

Digital media law update: On December 10, 2009, a federal judge in the District of Columbia upheld the attorney-client privilege for an employee's emails to his attorney, even though his employer had access to them. The attorney-client privilege generally only exists for private communications between a client and his lawyer, not to communications to which uninvolved third parties have access. Here, the judge concluded that the privilege applied largely because the client was not aware that his employer had access to the emails.

The case is Convertino v. U.S. Dept. of Justice, D.D.C., No. 1:04-cv-00236. The plaintiff, Convertino, claims that the DOJ improperly disclosed information about him to the Detroit Free Press, in contravention of the Privacy Act. To prove his case, Convertino served a discovery request on the DOJ seeking production of some 736 documents.

36 of these documents were emails between DOJ employee Jonathan Tukel and his personal attorney. Tukel had originally been a named defendant in the case and had retained an outside attorney to defend him. Tukel sent the emails to his attorney from his work computer at the DOJ - and the DOJ later obtained them from its email server.

The Court noted that under federal rules, a client can be found to have waived his right to the attorney-client privilege if he made an otherwise confidential communication in the presence of a third party, or if he disclosed it to a third party. See FRE 502(b). However, there is no waiver if the disclosure was inadvertent.

When dealing with communications made using equipment controlled by third parties, such as an employer-provided email system, the question of privilege "comes down to whether the intent to communicate in confidence was objectively reasonable." To make this determination, courts look at factors such as "(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee's computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?" [citing In re Asia Global Crossing, Ltd., 322 B.R. 247, 258 (S.D.N.Y. 2005)].

Here, the Court found that Tukel's expectation of privacy was reasonable: The DOJ does not ban personal use of company e-mail. Although the DOJ has access to personal email sent by its employees, Tukel was unaware that the DOJ would regularly access and save emails from his account. Tukel also worked to keep his emails private by deleting them as they came into his account - unaware that they were still on the DOJ servers.

While the result turned out well for Tukel here, employees everywhere should be wary about communicating with counsel via their employer's email system. If Tukel had been informed that the DOJ regularly accessed employee emails, and/or had the technical sophistication to realize that deleted emails were still on the company servers, the Court might have found that his privilege had been waived.

Of course, the obvious way that an employee can avoid trouble like Tukel's is simply to use a personal email account from a home computer to send confidential communications to counsel.


November 12, 2009

Doe v. Young: Can a Physician Be Liable for Invasion of Privacy for Disclosing Anonymized Photos of a Plaintiff's Torso to a Reporter?

Digital media law update: Can a physician be held liable for disclosing "before and after" photographs of one of his patients to a third party, if the photos don't show her face or state her identity? According to a judge in the Eastern District of Missouri, the answer is "yes" -- but only if the photos provide sufficient detail for someone to figure out who she is.

The case, Doe v. Young, E.D. Missouri, No. 4:08-cv-00197, involves a woman who received plastic surgery in St. Louis, Missouri to remove excess loose skin after she lost substantial weight through water aerobics. The defendants, who were her plastic surgeons, took 65 photos of the woman before and after her surgery. These depicted her face, head, hairstyle, hair and chin, as well as her body in full frontal and posterior naked poses.

Prior to her surgery, the woman filled out a "Photo Consent Form" in which she agreed to the use of her photos for "insurance predeterminations, medical presentations and/or articles." However, she expressly refused to consent to the disclosure of the photos for a list of other purposes, including seminars for prospective patients, websites, advertisements or television.

Nevertheless, the surgeons provided a disk to a reporter for a St. Louis newspaper, the Riverfront Times, which contained photos of the patient's torso, head, hair, and chin, and also provided her initials and written information about her medical history. The Times then published an article about the surgeons that included two photographs of the patient, one before and one after surgery, that depicted her from the neck down to the mid-calf, without showing her head or face. The article appeared in both the Times' print and on-line editions.

The patient, who was living in Georgia at the time the article appeared, learned about it a year later, and filed suit against the surgeons for invasion of privacy under intrusion on seclusion, public disclosure of private facts and misappropriation of name and likeness theories.

The surgeons filed a motion for summary judgment claiming that they could not be held liable for invasion of privacy because the plaintiff could not be identified from the photographs. They argued that the photos did not identify the plaintiff by name and did not contain any identifiable features about her, and that no individual had recognized her from the photos.

While the judge denied the surgeons' motion, he agreed with the notion that to recover for any invasion of privacy claim, the plaintiff's identity must have been disclosed. For example, in Rawls v. Conde Nast Publications, 446 F.2d 313, 318 (5th Cir. 1971), the 5th Circuit denied a claim for invasion of privacy where a photograph of the plaintiffs' home was published, but all possibility of identification was carefully obliterated before publication. The 5th Circuit reasoned that "the plaintiff may not recover for invasion of privacy when, as here, her privacy remains inviolate."


November 10, 2009

In re. Ameritrade Accountholder Litigation: Court Rejects Class Settlement He Viewed as Providing Members of Plaintiff Class with No Real Benefits

On October 23, 2009, Judge Vaughn Walker did something that doesn't happen very often. He rejected final approval of a class action settlement that was opposed by less than .001% of the members of the plaintiffs' class. The reason: he had come to believe that while the settlement would cost Ameritrade millions, and pay $1.87 million to the plaintiffs' counsel, it ultimately provided the plaintiffs themselves with no real benefits.

The case is In re TD Ameritrade Accountholder Litigation, N.D. Cal. C-07-2852, a class action that was originally filed in 2007 regarding an allegedly long-term data security breach at Ameritrade. Ameritrade is a well-known brick and mortar and on-line stock broker, whose commercials star Sam Waterston of Law and Order fame.

In October 2006, Ameritrade customer Matthew Elvey, who graduated from Yale with a B.S. in computer science and mechanical engineering, and works as a website infrastructure consultant (as he describes his business, see his bio at http://www.elvey.com/) decided to test Ameritrade's data security system. So he provided Ameritrade with a unique email address that he had never provided to any other person. In November 2007, Elvey allegedly began to receive stock spam directed to this secret address. The spam allegedly touted low-priced, speculative stock of smaller companies that are traded over-the-counter, and was part of stock "pump and dump" schemes.

Elvey filed a class action against Ameritrade in 2007. The complaint focused on Ameritrade's Privacy Statement which allegedly told customers that "Ameritrade does not sell, license, lease or otherwise disclose your personal information to any third party for any reason . . . " According to Elvey's complaint, the "spam received by Plaintiffs was not consistent" with these representations.

The Elvey suit was later consolidated with a class suit filed by lead plaintiff Brad Zigler. The combined class action sued Ameritrade on breach of fiduciary duty, CFAA, and Nebraska and California unfair trade practices grounds. The plaintiffs claimed that Ameritrade had breached its duties to them by knowingly failing to correct defects in its security system and by failing to disclose the security breach that had led to the spam attacks on its customers. The plaintiffs claimed that they were damaged by "losing the benefit of the bargain on Ameritrade's brokerage fees, which were premised, in part, on Ameritrade's compliance with the privacy statement . . . ."

While TD Ameritrade filed a motion to dismiss the original Elvey complaint -- a motion that was never heard -- it did not file a similar motion for the consolidated complaint. Instead, it began settlement negotiations with the Plaintiffs. This resulted, in October 2008, in a proposed settlement which released Ameritrade for any damage claim, "of any kind," based on "any legal theory whatsoever," that "is, has been, or could have been asserted by" a member of the settlement class for: (i) an unauthorized disclosure of their information by Ameritrade, (ii) their receipt of SPAM e-mail and (iii) misrepresentations in Ameritrade's privacy statement. The settlement applied to any person who had provided Ameritrade with a physical or email address on or before September 14, 2007. It did carve out a right for individuals to file identity theft claims on their own behalves -- but not as part of a class action.


November 4, 2009

Do I Need a Privacy Policy?: When Websites Are Required to Post Privacy Policies

Digital media law update: I recently attended a panel discussion on digital media law, and was surprised when the panel members were unable to cite to statutes or other authority requiring the posting of privacy policies for websites. In fact, a number of international, federal and state regulations require the creation and posting of privacy policies. Here is a list of some of the more important rules:

State privacy policy laws:

• California

The most broad-reaching privacy policy law is California's Online Privacy Protection Act (OPPA). See California Business & Professions Code § 22575-79. OPPA requires all operators of websites or online services that collect "personally identifiable information" about California consumers to post a privacy policy on their websites. While the Act ostensibly only applies to websites that collect information about California residents, it effectively reaches any website that collects information on a national scale -- because it is impractical (and undesirable) to screen out California residents.

OPPA's definition of personally identifiable information (termed "PII") is very broad and includes such things as the person's first and last name, address, email address, telephone number, social security number, any other identifier that permits the person to be contacted, and any other information about the person that is collected along with such PII. So if your website asks users to do something as simple as provide their name and email address, you are required to create and post a privacy policy. Cal. Bus. & Prof. Code § 22577.

The statute requires three "policy" elements to be included in a privacy policy: (i) identification of the categories of PII collected and the third parties with whom this PII may be shared, (ii) a description of the website's process, if any, by which a person may review and make changes to his PII, and (iii) a description of the process by which the website notifies consumers of material changes to its privacy policy. Cal. Bus & Prof. Code § 22575.

The privacy policy must be conspicuously posted on the home page, on the first significant page after the home page, or via a hyperlink that boldly includes the word "privacy." Cal. Bus. & Prof. Code § 22577.

• Texas

Texas Business & Commerce Code § 501.052 provides that if a business requires an individual to disclose his social security number to obtain goods or services, then it must adopt a privacy policy and make it available to the public.

The privacy policy must provide that the individual's social security number will be maintained privately and securely. In addition to this, the policy must disclose how personal information is collected and used, who has access to the personal information, and the method of disposal of the personal information. By its nature, this statute applies to website operators, as well as non-web-based businesses.


October 30, 2009

U.S.A. v. Iconix: A Website's False Disclaimer that It Collects Personal Information from Children under Age 13 Can Lead to Doubled Penalties from the FTC

The FTC's recent settlement against soft goods marketer Iconix Brand Group, Inc. shows the hazards of trying to skirt the hassles of compliance with the Children's Online Privacy Protection Act (COPPA). 15 U.S.C. §§ 6501-6506. If your website privacy policy disclaims an intent to collect information from kids and asks kids not to submit personal information on your site, but you have reason to know that these policies are being ignored, you may actually set yourself up for double penalties -- for failure to comply with COPPA and for engaging in deceptive acts.

COPPA prohibits an operator of a website "directed to children" or who has "actual knowledge" that he is collecting personal information from a child under age 13 from collecting, using or disclosing such information without parental consent. Getting this consent is often no easy task. A website operator is prohibited from simply asking parents to provide consent via an online form. Instead the operator must provide the parent with a notice specifying the information collected and its use, and then get parental consent via telephone, fax, email or similar method.

The operator also must post a privacy policy detailing each type of information it collects and how it uses this information. It must maintain a security system to protect the "confidentiality, integrity and security" of personal information collected from a child.

Some website operators believe that they can avoid the cost and hassle of COPPA by officially not marketing themselves to children under age 13 and by including a specific disclaimer of any intent to collect information from children under age 13 in their website privacy policy. For example, Iconix's privacy policy contained the following disclaimer:

We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit personally identifiable information to us . . .

Unfortunately, this type of policy and disclaimer can actually expose a website operator to greater liability under COPPA and the FTC Act. Here's why:

First, the FTC, which enforces COPPA violations, has very broad rules for determining whether a website is directed to children. The FTC doesn't just look at the operator's stated policy or intent, but at the overall character of the site. The FTC focuses on objective factors such as the site's subject matter, its visual or audio content, the age of its models, the language it uses, the advertising appearing on or promoting the site, the intended and actual audience composition, and the use of animated characters or child oriented activities and incentives. 16 C.F.R. §312.2.

The FTC believed that a number of these factors suggested that several of Iconix's websites were directed towards children under age 13, including: the use of cartoon graphics, website domain names such as "Candies.com", "Mudd girls", the use of photos of young girls, and the fact that over 1,000 girls under the age of 13 allegedly had registered on Iconix's websites between 2006 and 2009.

Continue reading "U.S.A. v. Iconix: A Website's False Disclaimer that It Collects Personal Information from Children under Age 13 Can Lead to Doubled Penalties from the FTC" »

October 23, 2009

Notes from Digital Hollywood: Will Behaviorally Targeted Advertising Come to TV?

Santa Monica, California: Panelists at this Fall's Digital Hollywood agreed that a massive sea-change is about to occur in advertising. There are now "three platforms" -- TV, Internet and mobile -- that are delivering audio-visual content. According to some estimates, Internet media are getting up to 40% of the total share of the eyeball time devoted to media -- and an increasingly greater share of the younger users coveted by advertisers. However, traditional TV still gets 90% of the advertising dollars. This kind of imbalance obviously cannot go on forever.

To compete for a greater share of ad dollars, one strategy used by digital media is to offer advertising that is targeted to the characteristics of individual users. Internet sites are able to provide identification, demographic, browsing, shopping, downloading, and other information about each user and then enable advertisers to deliver ads that are directly targeted to the user's specific interests and needs. Internet sites are now also able to listen in to users' email, Facebook or Twitter conversations, and offer advertising on a real-time basis that is relevant to these discussions -- as well as to each participant's profile.

While these efforts have yet to open up the floodgates of ad money to Internet ads, most people in TV and digital media believe that the flood will come. Since the gross quantity of dollars available for ads is static, these dollars will come from TV ad budgets. This means that TV will have to respond by providing data-enriched content to viewers, and the opportunity for TV advertisers to do more refined ad targeting.

The Jacked solution to targeted content and advertising

A technology that is already here is offered by Jacked. According to its CEO, Bryan Biniak, a Digital Hollywood panelist, Jacked creates web sites that deliver parallel "enriched" content to TV viewers. This content tracks along with a TV broadcast and offers information and advertising that relate in real time to the events on the screen. For example, if a TV viewer is watching a sports program, the Jacked program can present detailed statistical information about the particular team member who has just made a play. It can also provide the viewer with the local (biased) play-by-play radio or TV broadcast, instead of the neutral national play-by-play -- just what the true fan wants!

Jacked can also offer targeted advertising in a variety of forms. It can target ads to the individual scenes in a TV program. So if the actors in a romantic comedy start talking about buying a house, it can deliver real estate sales ads. (Jacked does this by pulling information from the closed captioning for the broadcast). Jacked can also target ads to the geographic region in which the user resides.

To create its enriched "second screen" experience and targeted ads, Jacked draws on available information from multiple platforms, including relevant websites, news sites, closed captioning data, etc. Because Jacked advertising is keyed to the content being delivered on the parallel TV screen, it offers a true form of targeted advertising -- but a form that avoids many of the privacy concerns caused by behavioral targeting, per se.

Continue reading "Notes from Digital Hollywood: Will Behaviorally Targeted Advertising Come to TV?" »

October 20, 2009

Notes from Digital Hollywood: Industry Solutions to Privacy Issues in Online Behavioral Advertising May Not Satisfy FTC Chiefs

Santa Monica, California: A dominant theme at this week's Digital Hollywood conference is the tension between the need for truly targeted advertising to online audiences and an individual's right to privacy. The Internet creates the ability for businesses to gather a marketer's dream world of data about their customers. This can include identification data (name, address, phone number, email address), demographic data (age, gender, marital status, sexual orientation), financial data (bank and credit card account data), and behavioral data (browsing history, downloading history) and much, much more. If this type of data falls into the wrong hands, it can subject the customer to identity fraud. But even many purely commercial uses can cause embarrassment or harm to the consumer.

In a recent speech, David Vladeck, Director of the FTC Bureau of Consumer Protection, gave the example of an adolescent who didn't want to state publicly that he was gay. A generation ago, if he had wanted to find information about persons in his situation, he could have gone to his local library, and emerged with no record of his search. "That effort would be anonymous, and would leave no paper trail. There was no privacy debate to be had," Vladeck said. Today, he would probably look for information on the Internet on his home computer. But, if he did so, Vladeck pointed out, "he may be surprised -- indeed, even mortified -- to receive advertising based on his searches and to learn that third parties have access to information about his searches."

I'll take this one step further. If he was a member of a social networking site, and purchased a book on "coming out" from an online retailer, he might be shocked to find that the social networking site had broadcast his purchase to all his online "friends" -- thus outing him.

At today's Digital Hollywood sessions, there were many opinions about how to design a privacy policy to deal with concerns like these. Here are some of the commonly-proposed ideas:

Only use opt-in targeted advertising: This suggestion, which is on the most privacy protective end of the scale, would prevent the embarrassment that the young man in our hypothetical would have faced -- assuming that the advertiser didn't sell the data to some other firm with different policies.

Disclose the data that is being gathered: Given the dislike of many consumers for reviewing small print, this suggestion would be less privacy protective, but might have prevented the problem raised in our hypothetical.

Provide consumers with access to the data that has been collected about them -- and permit them to decide if they wish to permit this data to be used.

"Anonymization": This was the most frequent suggestion in today's sessions. Anonymization means that the marketer avoids collecting information about individual users, but simply collects information about the use of a particular computer. The information gathered in this way would be less refined in cases where multiple persons used a single computer. For example, in my household, my 4 year old daughter, 5 year old son, wife and myself all share the same home computer.

Continue reading "Notes from Digital Hollywood: Industry Solutions to Privacy Issues in Online Behavioral Advertising May Not Satisfy FTC Chiefs" »

October 15, 2009

Carl v. BernardJCarl.com: Co-option of Personal Name for Gripe Website Supports Cause of Action for Defamation, but Not Trademark Infringement or Cybersquatting

Digital media law update: A September 30, 2009 decision supports a contention we have made for some time: use of a personal name in a gripe or parody website is unlikely to support a cause of action under trademark law. The exception is when a website misuses a famous name that has become synonymous with a business. However, as this decision also shows, even if your name isn't famous, that doesn't mean you have no legal remedy. You still may be able to sue and recover significant damages under defamation or privacy law.

The case is Bernard J. Carl v. BernardJCarl.com, D.C. Vir., No. 1:07-cv-1128. The Plaintiff, Carl, founded a private equity firm called Brazos Europe, Inc. In 2005, Brazos acquired the French linen company, D. Porthault. Brazos retained the French law firm Darrois Villey & Maillot (Darrois) to facilitate the transaction. Darrois, without Brazos' knowledge, subcontracted some of the work to the law firm Cotty Vivant Marchisio & Lauzeral ("Marchisio").

After the closing, Marchisio claimed that Brazos failed to pay it for its work. Brazos responded that Marchisio's work was defective. Marchisio then sued Brazos in a French court -- but lost! Marchisio, however, was not dissuaded. Instead of slinking away, it registered the domain name "bernardjcarl.com" and posted the following message on the site:

Message to the attention of Brazos Europe Inc. and managing partners Mr Bernard J. Carl and Mrs Shannon Fairbanks

Dear Mr Carl,
Dear Mrs Fairbanks

We are very sorry to contact you in such a direct and unconventional way but we would be very grateful if you would have the elegance to pay the counsels who allowed you to safely acquire D. Porthault, which owns one of France's most prestigious luxury brands, in June 2005.

We have worked very long hours during several months, never spared our efforts and diligently did all you required to assist you in this successful transaction.

You never complained about the quality of our input but surprisingly "disappeared" when invoice payment was due.

We have tried to contact you many times since then. . . . but silence was the only answer.

Have you forgotten our phone numbers?

It being the case, please do not worry, use the email hereunder and be sure we will be in touch soon!

In the meantime, feel free to meditate Benjamin Franklin: "Creditors have better memories than debtors." . . . .

The object of this message, Bernard J. Carl, contended that the statement was false and defamatory. He never hired Marchisio and owed it nothing. He also claimed that several potential investors in Brazos raised questions about the claims in the site. Accordingly, he filed suit -- first against the website, and then against its author Marchisio. His suit ultimately proceeded against Marchisio on three theories: (i) false representation under federal trademark law, based on Marchisio's use of his name "Bernard J. Carl" in the domain name of the website (15 U.S.C. § 1125(a)), (ii) cybersquatting under the Anti-cybersquatting Consumer Protection Act, for Marchisio's use of his name (15 U.S.C. § 1125(b)), (iii) cyberpiracy, also for the use of his name (15 U.S.C. § 1129(a)), and (iv) common law libel.

Continue reading "Carl v. BernardJCarl.com: Co-option of Personal Name for Gripe Website Supports Cause of Action for Defamation, but Not Trademark Infringement or Cybersquatting" »

September 29, 2009

Kindle Class Action Settlement: Gawronski v. Amazon Suit Regarding Amazon.com's Removal of Orwell Works from Kindle Devices Settles, but Leaves Many Questions

On September 25, 2009, Amazon.com reached a proposed settlement with the plaintiffs in the class action brought over its unilateral deletion of the George Orwell works 1984 and Animal Farm from Kindle devices. See Gawronski v. Amazon.com, Inc., Western District of Washington, No. 09-cv-01084. The settlement not only provides substantial compensation for affected customers, but it also prohibits Amazon from engaging in future deletions of books sold under its current terms of service for the Kindle.

Everyone remembers the flap this past summer over Amazon.com's unilateral removal of the Orwell books from the Kindle devices. Some customers saw their books disappear before their eyes. Others lost important notes they had written in the "margins" of the books. For example, one customer was a high school student who had purchased 1984 for use in a class and had recorded notes on passages in the book on his Kindle device. When Amazon removed his copy of 1984, his notes, which said things such as "remember this paragraph for your thesis," were rendered useless, since they were no longer associated with the text of the book.

On July 30, 2009, shortly after the Orwell works were removed, a class action was filed in a federal court in the State of Washington by two affected Kindle customers. The class action complaint alleged several legal theories against Amazon, including breach of the terms of use for the Kindle device, damage to the plaintiffs' computers in violation of CFAA, trespass to chattels (the plaintiffs' Kindle Devices), conversion (of the deleted material) and other grounds.

Then, on September 3, 2009, Amazon announced that it had contacted all customers whose Orwell books had been deleted and offered to provide them with a new copy of the deleted book, at no charge, or to pay them $30.00. Amazon had apparently already refunded the purchase price of the books to some 2,000 affected customers at the time it originally deleted the Orwell books.

In its September 25 settlement, Amazon has agreed to go even further to compensate affected customers. Under the proposed settlement, Amazon has now agreed to restore all notes and annotations made by customers whose books were deleted, as well.

Amazon has also agreed that, for all books purchased pursuant to terms of service granting the Kindle purchaser the "non-exclusive right to keep a permanent copy" of each purchased Work and to "view, use and display [such Works] an unlimited number of times, solely on the [Devices] . . . and solely for [the purchasers'] personal, non-commercial use," it will not remotely delete or modify these books from Kindle devices purchased or being used in the U.S. That's a big mouthful. However, from my visit to the Amazon.com site this afternoon, it appears that this language is still included in the current terms of service for the Kindle. So this appears to mean that Amazon has agreed not to delete content from any Kindle devices that have been sold to date.

Continue reading "Kindle Class Action Settlement: Gawronski v. Amazon Suit Regarding Amazon.com's Removal of Orwell Works from Kindle Devices Settles, but Leaves Many Questions" »

September 28, 2009

Rocky Mountain Bank v. Google: Was Judge Ware's Order that Google Deactivate the Gmail of a Customer Inadvertently Sent Confidential Information Appropriate?

Digital media law: On September 23, 2009, Judge Ware of the Northern District of California issued a temporary restraining order in a case in which a bank inadvertently sent a file containing confidential customer information to an unidentified Gmail account. The Judge ordered Google and the unidentified Gmail account holder not to access, use or distribute the confidential customer information and required Google to disclose whether the Gmail account was active or dormant, and if active, to disclose the identity of the Gmail account holder. The judge also ordered Google to "immediately deactivate the Gmail account."

While Judge Ware's move to cut off the subscriber's Gmail account has been viewed by some as a draconian trespass on the email account holder's rights, it was not without at least some legal basis.

The facts of the case are simple. On August 12, 2009, a customer requested that the Bank send some loan statements to a third party representative of the customer. Later that evening, the customer informed the Bank that his representative had not received the information. The next day, August 13, the Bank investigated the matter and discovered that it had sent the customer's information to the wrong email address -- a Gmail address -- and that it had also attached a file containing "names, addresses, tax identification numbers and loan information for . . . 1,325 customer accounts" -- oops!

Upon discovering its double error, the Bank immediately sent another email to the Gmail account holder asking the recipient to immediately delete the file without opening it or reviewing it. Receiving no response from the Gmail account holder, the Bank contacted Google to determine whether the Gmail account was active or dormant, and if active to get information about the account holder. It also asked Google to deactivate the Gmail account.
Google refused to do any of these things without a court order.

The Bank then filed a complaint against Google, seeking an injunction restraining Google and its account holder from accessing or using the confidential customer information, requiring Google to deactivate the Gmail account, requiring Google to delete the email and the confidential customer information from its system, and requiring Google to disclose information about the Gmail account holder. See Complaint, Rocky Mountain Bank v. Google, Inc., N.D. Cal., Case No. 5:09-cv-04385.

On September 23, 2009, Judge Ware issued a temporary restraining order (TRO) granting most of the relief the Bank had requested. The TRO was only to be effective for a short time -- until September 28, when the Court would conduct a hearing on whether or not to issue a preliminary injunction, which would then be in effect until the case was fully adjudicated.

A Court only has authority to make an order in favor of a plaintiff, if the plaintiff establishes that it has some legal right that the order would protect. What is striking is that nowhere in its motion papers did the Bank cite any legal basis, such as a statute or case, that would empower the Court to order Google to disable the Gmail account or to prevent Google and the customer from accessing and using the confidential information. Rather, the Bank based its requests for relief on the mere assertions that "Google and its email account holder have no rights in or to the inadvertently disclosed information, while the Bank and its customers have every right to prevent further disclosure and use of such information."

Continue reading "Rocky Mountain Bank v. Google: Was Judge Ware's Order that Google Deactivate the Gmail of a Customer Inadvertently Sent Confidential Information Appropriate?" »

September 23, 2009

Lane v. Facebook: Privacy Class Action Settlement Requires Facebook to Pay $9.5 Million, but Provides No Direct Benefits to Most Plaintiffs

Consumers who believe they have suffered an injury from a large corporation get excited when they hear that a class action has been filed to requite the wrong. What they often don't realize is that if the class action is successful, it may well result in a settlement that will provide them little or even nothing in the way of direct benefits. In other words, no money.

Such will be the result if the court approves the proposed settlement in the class action brought over Facebook's "Beacon" social advertising system. See Lane v. Facebook, Inc., N.D. Cal., Case No. 5:08-cv-038450. In fact, if the Court approves the settlement, which was proposed last Friday (September 18, 2009), over 96% of the settlement funds will actually wind up being used to pay the plaintiffs' attorneys' fees or simply being paid to a Facebook foundation to be used to promote online security.

According to the complaint, the purpose of Facebook's Beacon system was to "share news of Facebook members' online purchases with their friends." To make the system work, Facebook set up arrangements with certain online retailers to receive notices whenever their customers made online purchases. When a customer made a purchase, the retailer would notify Facebook electronically of the transaction. If the purchaser was a Facebook member, Facebook would generate a little Beacon popup notifying its member that it had received information about the purchase. Facebook would then create a notice of the purchase and post it on the member's Facebook page.

For example, Sean Lane purchased a white gold and diamond eternity flower ring from Overstock.com for his wife for Christmas 2007. Shortly thereafter, a headline appeared on Sean's Facebook page for all his "friends" to see which read: "Sean Lane bought 14k White Gold 1/5 ct Diamond Eternity Flower Ring from overstock.com." Within two hours, he received an instant message from his wife, Shannon: "Who is this ring for?" She then informed him that Facebook has just put an item on his page saying he bought a ring. It included a link to Overstock, which noted a 51 percent discount on the ring. Sean claimed that his wife's discovery of the purchase ruined his Christmas gifting plans.

Sean Lane thus became the lead plaintiff in this class action against Facebook. While Facebook initially acted as if it intended to contest this case, it put up very little fight -- postponing its motion to dismiss in favor of settlement talks shortly after it was filed. And apparently for good reason. In its motion to dismiss, Facebook admitted that the Beacon system was live for 30 days before it "changed Beacon to require an affirmative opt-in before actions on third party affiliated websites would be fed back to the users' personal profiles." In other words, Facebook admitted that it didn't get users' permission to start gathering information about or announcing their purchases to the world.

While in its court papers and press releases Facebook denied liability, the settlement agreement calls for Facebook to make a $9.5 million payment to settle the class action. In return, Facebook and all other parties stipulated to certification of the class action. This is a benefit to Facebook, because upon final court approval of the class certification and the settlement, Facebook would be relieved from liability from any future suits regarding the allegations in the complaint -- except by plaintiffs who have specifically opted-out of the settlement.

On the surface, that sounds like a pretty fair deal for Facebook. But wait 'til you hear the rest of the story. Of the $9.5 million:

Continue reading "Lane v. Facebook: Privacy Class Action Settlement Requires Facebook to Pay $9.5 Million, but Provides No Direct Benefits to Most Plaintiffs" »

September 18, 2009

McLoughlin v. People's United Bank: No Claim for Future Identity Theft Losses where Plaintiffs Were Unable to Claim that Data Lost in a Breach Was Misused

Data security law: There is no question that it is a trend. In the latest in the never-to-be ended series of data breach cases, a Connecticut District Court held that a plaintiff may not maintain a claim for damages after a data breach merely based on a fear of future identity theft losses.

The case is McLoughlin v. People's United Bank, Inc., District of Connecticut, No. 3:08-cv-00944. People's United Bank had a contract with co-defendant BNY Mellon to handle People's customer information, including its customers' names, addresses, Social Security numbers and bank account information. In February 2008, a metal box containing six to ten unencrypted backup tapes of People's customer data was lost or stolen from a courier truck. The truck had a broken lock and was left unattended during the transport.

About two months after the breach, People's and BNY Mellon began informing customers of the loss of the unencrypted back-up tapes. BNY Mellon ultimately offered affected customers two years of free credit monitoring, $25,000 in identity theft insurance and free credit freezes. The plaintiffs eventually brought the present case -- a class action against People's and BNY Mellon.

After removal to Federal court, the defendants moved to dismiss for lack of standing, arguing that the plaintiffs had pleaded no actual damages.

Citing U.S. Supreme Court precedent in Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 180 (2000), the District Court stated that "to satisfy Article III's standing requirements, a plaintiff must show (1) it has suffered 'injury in fact', that is (a) concrete and particularized, and (b) actual and imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision."

To be cognizable, actual damages may flow directly from the defendants' act, or may flow indirectly, in the form of costs spent to remedy the harm. For example, in a case brought against a bank for giving faulty tax advice, actual harm was held to include the "costly and time-consuming step" the plaintiffs had taken "to rectify errors in their past or future tax filings" and the fees they paid for advice. Denny v. Deutsche Bank AG, 443 F.3d 253, 264 (2nd Cir. 2006). Under Second Circuit precedent, "injury in fact" may also be based on "the fear or injury of future harm." Id.

Here, the plaintiffs' claims for damages were not based on direct losses or indirect payments of fees or expenses, but solely on their fear of future losses from identity theft. However, while fear of identity theft has been held sufficient to confer standing, it has also been held to be insufficient to satisfy the "actual damages" elements of state tort claims. For example, in Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y. 2008), the court found that an employee had sufficiently alleged injury-in-fact for standing purposes when his laptop was stolen from his employer, but could not sustain a claim for negligence or breach of fiduciary duty. See also Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D. Cal. 2009) (standing but no quantifiable damages where thief broke into data processor's office, stealing laptops containing unencrypted personal data).

Following these precedents, the Court in McLoughlin found that the plaintiffs had pled an injury-in-fact sufficient to comply with Federal standing requirements. However, also following these precedents, the Court found that the plaintiffs had not alleged damages sufficient to state a claim under Connecticut law, which controlled here.

Continue reading "McLoughlin v. People's United Bank: No Claim for Future Identity Theft Losses where Plaintiffs Were Unable to Claim that Data Lost in a Breach Was Misused" »

September 14, 2009

Ottinger v. Tiekert: New York Trial Courts Are Split on the Burdens to Be Imposed on a Plaintiff Seeking to Uncover the Identity of an Anonymous Blogger

New York trial courts seem to be confused over which of the several prevailing standards for uncovering the identity of an anonymous blogger should be followed by New York courts. In the Liskula Cohen case, a New York County judge imposed a "light" standard, and merely required the plaintiff to show that her motion would survive a motion to dismiss. However, in another recent case, involving former Congressman Richard Ottinger, a Westchester County judge applied a much heavier standard, and required the plaintiff to provide evidence to support each of the elements of his defamation claims, to the extent such evidence was under his control. See In re Ottinger & Ottinger, Supreme Court of the State of New York, County of Westchester, IAS Part, Index No. 08-03892 (July 1, 2008). (Thanks to Wendy Davis, editor of the Daily Online Examiner, for telling me about the Ottinger case).

Trial courts around the U.S. vary greatly on the standards they impose on plaintiffs seeking to uncover the identity of an anonymous author of a web post. On the light end of the scale, some merely require a plaintiff to show that his/her complaint against the unknown blogger would pass a motion to dismiss. On the heavy end, others require a plaintiff to provide evidence for every element of his/her claims against the blogger -- a virtual impossibility in many cases. As an alternative to these extremes, some courts have adopted a middle path and require a plaintiff to provide evidence in support of claims to the extent that such evidence is within the plaintiff's control. Many courts also require a plaintiff seeking an order to uncover an anonymous blogger's identity to take steps to notify the anonymous blogger of the action.

In the Ottinger case, the judge adopted a blend of the heavy and moderate positions. The Ottingers are both long-time New York politicos. Richard Ottinger is a former U.S. Congressman from the State of New York. His wife, June Ottinger, served as a Trustee for the Village of Mamaroneck and chairman of the Harbor and Coastal Zone Management Commission (the "Commission"). In 2007, the Ottingers applied for building permits and approvals from several Village boards to renovate their home. One of the boards they applied to was the Commission, of which June was Chairman at the time -- although she did not participate in the consideration of the building permit.

Some of the Ottingers' neighbors and local activists began attending public meetings at which their permit applications were being discussed. One such neighbor and activist, Suzanne McCrory, became convinced that the Village was giving the Ottingers favorable treatment. She filed a petition challenging their permits. She also spoke at a televised meeting in which she stated that the confirming deed for the Ottinger property was "invalid" and "fraudulent."

Shortly thereafter, an anonymous blogger posted a forum on LoHud.com, a public forum section of the online version of the local newspaper -- The Journal News -- entitled "The Sounds of Silence." In this forum he posted comments suggesting that the Ottingers' deed was fraudulent, and that the Ottingers had used political pressure and bribery to get permits for their renovation project. Here is an example of one of the posts:

"THEY PAID THE RIGHT PEOPLE OFF! They started off with taking care of the Mayor, everybody knows that. I would guess the Building Inspector and Zoning Board were not forgotten in their largesse. The Ottingers have been very generous in greasing the wheels of corruption. With the news of the fraudulent deed they submitted it becomes quite clear that they must have taken care of the surveyor and the prior owner of the property, under they are two of the dumbest people on earth!"

Continue reading "Ottinger v. Tiekert: New York Trial Courts Are Split on the Burdens to Be Imposed on a Plaintiff Seeking to Uncover the Identity of an Anonymous Blogger" »

September 4, 2009

Steinbach v. Forest Park: Navigating the Federal Court Splits on the Interpretation of the Electronic Communications Privacy Act (ECPA) to a Remedy

Internet privacy law: Lawyers frequently vent their frustration over the widely variant interpretations given to the outdated Electronic Communications Privacy Act (ECPA) by courts around the country. A recent decision by a court in the Eastern District of Illinois reveals the problems caused by these differences, and also illustrates how thoughtful forum selection and "kitchen sink" pleading can prevent a plaintiff from being deprived of a remedy.

The facts of the case:

The case is Steinbach v. Village of Forest Park, Northern District of Illinois, Case No. 06C4215. The plaintiff, Theresa Steinbach, was elected Commissioner of the Village of Forest Park in 2003. Upon her election, the Village provided Ms. Steinbach with a personal email account that was hosted by Hostway Corporation, a third party webmail service. Ms. Steinbach had a Village IT tech configure this email account so that it would forward all email traffic to her personal email account, which was not associated with the Village.

In 2006, Ms. Steinbach ran for mayor against co-defendant Anthony Calderone, but lost. Around this time, she discovered that she was not receiving all of her email in her private account. An investigation revealed that eleven emails she had sent from her personal email account had been forwarded to Calderone.

Ms. Steinbach sued Forest Park under four different legal authorities: (i) ECPA Part I (a/k/a, the Wiretap Act, 18 U.S.C. § 2510 et seq.); (ii) ECPA Part II (a/k/a, the Stored Communications Act, 18 U.S.C. § 2701 et seq.); (iii) the state common law claim, "intrusion of seclusion"; and (iv) CFAA (18 U.S.C. § 1030).

The Court's inconsistent rulings on ECPA Parts I and II are based on a troublesome 7th Circuit position

Parts I and II of the ECPA were enacted as part of the same legislative process and use many of the same terms. For example, ECPA Part I contains a lengthy definition section, which Part II does not bother to repeat. Instead, the definition section for Part II, 18 U.S.C. § 2711, merely provides that the terms used in Part II have the same meanings given in the definition section for Part I, 18 U.S.C. § 2510. Similarly, both sections permit private causes of action for violations of their provisions "from the person or entity which engaged in that violation." See §§ 2520(a); 2707(a).

In apparent disregard of this parallelism, the Court found that the plaintiff did not have a right to bring a cause of action against the Village under ECPA Part I, but permitted her to maintain her cause of action against the Village under ECPA Part II. The Court never explained these inconsistent rulings. Its decision to reject the ECPA Part I claim was based on the fact that this ruling was required by controlling 7th Circuit precedent -- which itself seems to rest on very shaky ground.


August 27, 2009

Digital media law: New Twitter harassment suit by Idaho mayoral candidate Melissa Sue Robinson in progress

I should have anticipated this. On the very same day (August 25) that I posted a blog entry questioning whether the predicted flood of Twitter-squatting suits would ever arrive -- a suit that verges on Twitter-squatting or Twitter-jacking was announced.

The case involves transgender, Nampa, Idaho mayoral candidate Melissa Sue Robinson. According to the local Fox radio affiliate, Ms. Robinson discovered that someone had created a Twitter account under her name and displaying her photograph with the title "woman with a penis." She reportedly asked Twitter to remove the account, but did not get immediate action to remove the site.

Twitter's Terms of Use provide that users "must not abuse, harass, threaten, impersonate or intimidate other Twitter users." The Terms of Use also state that violations of this or other Twitter policies "will result in the termination of your Twitter.com account." My own check of the Twitter site yesterday indicated that the account has been deactivated. So apparently, Twitter has now acted on Ms. Robinson's complaint and terminated the account under its stated policies.

Ms. Robinson is reported to be in the process of unmasking the identity of the anonymous blogger. Prospective plaintiffs seeking to sue an anonymous blogger are often required to commence legal proceedings against the blog host to uncover the blogger's identity. However, this may not be necessary here. Twitter's Privacy Policy includes the following provision:

"Compliance with Laws and Law Enforcement: Twitter cooperates with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims, legal process (including subpoenas), to protect the property and rights of Twitter or a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law."

This suggests that Twitter may be willing to voluntarily provide the name of the blogger without requiring Ms. Robinson to institute court proceedings against it.

Ms. Robinson has indicated that she plans to file an action for defamation and invasion of privacy against the blogger, once his/her identity is revealed. While Ms. Robinson may have an actionable claim against the blogger, I would not expect her to be able to maintain similar claims against Twitter, because these causes of action would likely be blocked by the Communications Decency Act.

Ms. Robinson's case may technically not be a case of Twitter-squatting, because it is unclear whether the Twitter account at issue was under her name, or whether it merely referenced her name in a tweet. If her name was not part of the account name, then it may be better to categorize this as a case of Twitter-harassment. While the flood of Twitter-squatting suits may not yet be here, this case represents at least one drop of rain.

David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.


August 18, 2009

Melkonian v. Facebook: New Privacy Suit against Facebook Faces Challenges

Digital media law update: News has just broken about a suit filed by five individuals against Facebook for alleged privacy violations. While the ink has barely dried on the court filings, in my view, the plaintiffs face significant legal hurdles to recovery of significant damages. Here is an initial analysis of the claims in the complaint -- Melkonian, et al., v. Facebook, Inc., et al., Superior Court of the State of California, County of Orange, Case No. 30-2009-00293755:

The plaintiffs and their allegations

This is not a class action, but a joint suit by a rather mixed bag of plaintiffs:

• The lead plaintiff, Melkonian, is a photographer who claims that images she took have been posted on Facebook without her consent.
• Two plaintiffs are minors under age 13 who created Facebook accounts without their parents' consent and uploaded personal information and photographs onto the site.
• The fourth plaintiff is a college student who joined the original form of Facebook, "Thefacebook," in May 2005 and uploaded personal information when the site operated under an allegedly more privacy-protective set of terms and conditions.
• The fifth plaintiff is an actress who claims that digital images of her have been uploaded onto the site without her consent.

Much of the 41-page complaint is devoted to a history of Facebook's changing policies on user privacy, its interactions with groups such as "People Against the New Terms of Service," discussions about public attitudes toward privacy, and various private and public investigations into Facebook's privacy practices. The primary factual allegations in the complaint are:

(1) Facebook data mines personal information posted on its site and exploits this by providing it to advertisers who use it to target ads to users;

(2) Facebook's posted privacy policies are incomplete, misleading and unfair. For example, on February 4, 2009, Facebook unilaterally changed its terms of service to include, inter alia, a grant by users of "an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license to use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, edit, frame, translate, excerpt, adapt, create derivative works and distribute User Content . . . and to use your name or likeness and image for any purpose, including commercial or advertising . . ." According to the Complaint, this is an outrageous extension of Facebook's rights over its users' data;

(3) Facebook fails to adequately warn users about the dangers of posting sensitive personal information online;

(4) Facebook fails to prominently disclose its privacy policies and terms of use at sign-up and employs confusing and ineffective privacy protection tools;

(5) Facebook has no technical safeguards to prevent misappropriation of user data by third-party developers who have access to the site;

(6) Facebook fails to provide users with a simple and permanent means to delete their accounts and personal data;

(7) Facebook uses "social ads" -- customized advertisements that use private data, such as a user's name and photo -- to advertise products and services to the user's "friends" and other users within that person's network;

(8) Facebook uses tracking technology called "Beacon" that allows third parties to gather information about users' purchase activities and then create social ads regarding such purchases;

(9) Facebook lacks adequate safeguards to prevent registration or use by children under age 13.

Analysis of the causes of action

Based on these wide-ranging allegations, the complaint states six separate causes of action against Facebook, including: (i) and (ii) statutory and common law misappropriation of the right of publicity for its use of the plaintiffs' names and photographs without consent for advertising purposes; (iii) violation of the California unfair competition law for its data mining practices and dissemination of the plaintiffs' personal information, (iv) violation of the California Constitutional Right to Privacy for its commercialization of plaintiffs' personal information; (v) violation of the California Online Privacy Act for failing to "conspicuously post and comply" with the privacy policies required under the Act, and (vi) violation of the California Consumer Legal Remedies Act for unconscionably changing its Terms of Use and privacy policies without notice, and representing that user information would remain private, but then providing it to third party advertisers.

The claims of the lead plaintiff, Melkonian, appear to be claims for copyright infringement. As such, some or all of her claims here could be preempted by the Copyright Act. Putting this issue aside, the remaining four plaintiffs' claims are based on allegations that their names, personal information and/or photos were used commercially without their consent.

So do these claims have any legs?

Causes of action 1 & 2: misappropriation of name and likeness

To make out a valid claim of common law misappropriation of name or likeness, a plaintiff must show that (1) the defendant used his/her name or likeness; (2) the use was to the defendant's advantage, commercially or otherwise; (3) lack of consent; and (4) resulting injury. Eastwood v. Superior Ct. (1983) 149 Cal.App.3d 409, 417. To make out a valid claim under the California privacy statutes, a plaintiff must prove the same elements; however, the defendant must have used the plaintiff's name directly in connection with the advertising or sale of goods. California Civil Code § 3344.


August 11, 2009

On-line Privacy Update: FTC Uses Its Mandate to Expand Reach of Consumer Data Security Laws to Non-Financial Businesses

The Federal Trade Commission (FTC) is increasingly using its broad powers to require businesses to enact privacy measures to protect their customers' personal data. According to the FTC, all companies must "maintain reasonable and appropriate measures to protect sensitive consumer information." And the FTC is ready and willing to step in and make them implement such measures -- regardless of whether Congress has enacted a specific statute requiring the business to do so.

When most people think about the Federal Trade Commission (FTC), they think about a federal agency that fights monopolies or big consumer frauds. However, the FTC Act, the statute that created the FTC, gave it a very broad mandate: "to prevent persons, partnerships or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce." 15 U.S.C. § 45(a)(2). In the digital media world, throughout the past decade, the FTC has used this vague "unfairness" mandate to require consumer-based businesses to enact data security measures.

There are federal laws that impose data security requirements, such as the Fair Credit Reporting Act (15 U.S.C. § 1681e) and the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.). These laws apply to financial institutions and credit reporting agencies. However, in its recent enforcement actions, the FTC has begun to apply these data security rules to consumer businesses as a whole. (Fn1) According to a June 17, 2009 statement by the FTC to the U.S. House (Fn2), since 2001, the FTC has brought 26 cases against businesses that allegedly failed to protect consumers' personal information. This includes cases against Microsoft, TJX, LexisNexis, Tower Records, Petco, Reed Elsevier, CVS and Compgeeks.com. None of these companies would commonly be considered financial or credit reporting companies.

The legal authority for the FTC's actions in each case differed, but in some cases, such as the TJX and Compgeeks.com cases, rested solely on the FTC's broad mandate to fight "unfairness." (Fn3) Nevertheless, the terms of the consent orders reached in both cases imposed on TJX and Compgeeks.com the same obligations required of financial companies under the Gramm-Leach-Bliley Act. Both consent orders required the implementation of "a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers." This is language taken directly from 16 C.F.R. §314.3, the FTC's rules implementing Gramm-Leach-Bliley.

The FTC complaints in its cases against non-financial businesses "have alleged such practices as the failure to (1) comply with posted privacy policies; (2) take even the most basic steps to protect against common technology threats, (3) dispose of data properly, and (4) take reasonable steps to ensure that they do not share customer data with unauthorized third parties." According to the FTC, "all of the cases stand for the principle that companies must maintain reasonable and appropriate measures to protect sensitive consumer information."

Some may wonder about the breadth of the FTC's powers. However, prior case law had held that the FTC is not limited to merely enforcing specific laws that the Congress has elsewhere enacted. To the contrary, the FTC has the power to declare legal practices as unfair or deceptive, hence making them illegal.


August 10, 2009

TJX Data Security Breach Saga Continues: Financial Institution Class Action against TJX Survives Based on Unfair Competition Claim Predicated on Statements in FTC Complaint against T.J. Maxx / Marshalls' Parent Company

TJX's legal saga concerning its massive security breach in 2003 and 2006 lives on. TJX is a large retailer, with over 2000 T.J. Maxx, Marshalls, HomeGoods, Bob's Stores and A.J. Wright stores in the U.S. and Puerto Rico. During 2003 and 2006, hackers broke into the TJX computer network that handled its credit and debit card, check and return merchandise transactions. The intrusion involved transactions occurring in 2003 and from May-December 2006. TJX learned about the intrusion in mid-December 2006, but delayed making public notification until January 17, 2007. Reports indicated that approximately 45.7 million customer credit and debit cards were affected by the breach.

According to TJX's most recent 10-Q (May 2, 2009), TJX initially established a reserve of $178.1 million to reflect its losses from the data intrusion. TJX later reduced this reserve by $39.4 million. This means that TJX expects its net losses from the data intrusion to total almost $139 million. While TJX will survive, this is truly a massive loss and represents one of the largest computer-related losses experienced by a company.

An expanding body of federal and state law has imposed two types of data security regulations on companies handling consumer financial transactions: (i) a duty to employ reasonable security measures, and (ii) a duty to notify consumers when a breach of security has occurred.

After TJX announced its data security breach, it was hit with a lengthy list of legal actions. These included: (i) a regulatory complaint by the FTC; (ii) claims by the credit card companies to recover tens of millions in fraud losses; (iii) regulatory actions by over 40 state attorneys general; (iv) several consumer class actions; and (v) a class action on behalf of thousands of banks that had lost money as a result of the breach. All but one of these major legal actions appear to have been resolved.

The FTC Complaint was resolved on July 29, 2008 with the entry of a consent order requiring TJX to install and maintain a "comprehensive information security program to protect the security, confidentiality, and integrity of personal information collected from customers." TJX is also required to provide initial and biennial audits affirming the quality of this system for the next 20 years. (Fn1) The State Attorney General actions were settled on June 22, 2009 with another consent decree requiring TJX to maintain a "comprehensive information security program." TJX also agreed to comply with state breach notification laws and to pay the states $9.75 million.

The credit card company claims were settled for an amount estimated to be at least $24 million, but possibly much more. The consumer class action was settled in early 2008 in consumer class action dollars, including (i) the choice of a $60 gift certificate or $30 in cash, (ii) three years of credit monitoring from Equifax, (iii) the replacement cost of a driver's license, and (iv) the amount of any actual, unreimbursed damages. Plus, TJX agreed that all its stores would hold a one-time Special Event (a sale) in which prices at its stores would be reduced by 15%. The plaintiffs' attorneys received $6.5 million in attorneys' fees, as well. (Fn2)

The major piece of litigation that remains is the financial institution class action. (Fn3) The suit is brought on behalf of "thousands of financial institutions" who apparently suffered losses too small to bring individual actions. So if the court refused to certify the plaintiffs as a class action, their claims would likely go away.


August 6, 2009

Will Cloud Computing Create a Thunderstorm?: Loophole Permits Private Emails and other Digital Data Stored by Third Parties to Be Divulged to the Public without Stored Communications Act Liability

As data storage moves from equipment controlled by its authors into the "cloud" -- storage on equipment controlled by third parties -- there is an increased risk that unauthorized third parties will access this data and use it for nefarious purposes. The Stored Communications Act ("SCA", 18 U.S.C. § 2701 et seq.) is widely thought to provide protection from disclosure for emails and other private data that are in such electronic storage. However, a less-known loophole in the SCA can permit stored information to be accessed without the author's permission and then divulged to competitors, to adversaries, to strangers, or to the general public, without liability under the SCA.

The SCA provides that any person who intentionally accesses stored electronic communications without authorization or beyond the scope of his authorization is subject to civil and criminal penalties. 18 U.S.C. § 2701(a), (b). However, there are two important exceptions to this protection:

Even if an author of a communication has not authorized a third party to access that communication, the SCA provides that this unauthorized third party is immune from liability if he/she was authorized to gain access by the provider of the electronic communications service -- such as the ISP or the business that operates the network. The SCA further provides that an unauthorized third party is also immune if he/she has been given permission to access the communication by a user of the service on which the communication is stored -- such as a member of a private website, such as a MySpace page.

This means that even if the author has not consented for anyone except for the recipients to access his/her private emails, a lot of people could still be looking at them, copying them and doing whoknowswhatelse to them -- with SCA-immunity.

That sounds bad enough. However, the next section in the SCA -- Section 2702 -- opens the door to unauthorized disclosure even wider.


June 30, 2009

The Yath and Moreno Cases: Publication on a Social Networking Site Is Sufficient to Meet the "Publicity" Element of an Invasion of Privacy Tort Claim

Two recent rulings indicate that posting private information about a third party on a social networking site will be treated as giving "publicity" of private facts that is sufficient to support a claim for invasion of privacy -- regardless of the number of persons who actually view the site.

On June 23, 2009, the Minnesota Court of Appeals, in Yath v. Fairview Clinics (Case No. A08-1556), considered a case in which a worker at a clinic created a MySpace webpage in which she revealed that the plaintiff had a sexually transmitted disease, had recently cheated on her husband and was addicted to plastic surgery. The worker obtained this information by improperly accessing the plaintiff's medical records. The record showed that the MySpace page was only up for about 24 hours before being blocked by MySpace, and may have had as few as 6 visitors.

The plaintiff sued the worker, inter alia, under Minnesota's invasion of privacy common-law tort theory, which required her to prove: (1) a defendant gave "publicity" to a matter concerning her private life, (2) the publicity of the private information would be highly offensive to a reasonable person, and (3) the matter was not of legitimate concern to the public. Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550, 553 (Minn. 2003).

The Minnesota Court of Appeals in Yath found that publication on the MySpace page, even though accessed by only a few users, was sufficient to meet the publicity element. The Court's reasoning was based on well-established legal principles that have been recognized for decades. Citing the Restatement (Second) of Torts, a venerable treatise on common law, the Court noted that there are two methods to satisfy the publicity element of an invasion of privacy claim: (1) by a single communication to the public, or (2) by proving communication to individuals in such a large number that the matter is deemed communicated to the public.

In applying the first rule, courts around the U.S. have generally held that publication in any type of public forum, including a newspaper, the radio, a press release or in a public address to a large audience is sufficient to meet the publicity element. See David Elder, Privacy Torts § 3:3 (2002). A number of cases have held that publication on the internet also meets the publicity element of an invasion of privacy claim. See, e.g., Michaels v. Internet Entertainment Group, Inc., 5 F.Supp.2d 823 (C.D.Cal. 1998); Lambert v. Hartmann, 898 N.E. 2d 67 (Ohio App. 2008). Moreover, publication in a public forum, such as a newspaper or newsletter, will constitute publicity, even where the forum has a small distribution. Id.


June 28, 2009

Worden v. Alaska: The Ignorance is Bliss Defense Rides Again

In its May 22, 2009 decision in Worden v. Alaska, the Alaska Court of Appeals overturned a criminal conviction that was based on the presence of several images of child pornography in the web browser cache on a defendant's hard drive. This decision followed a much-criticized 2006 ruling by the Ninth Circuit in the Kuchinski case that also found that a defendant cannot be convicted of possession of child pornography based on the presence of images in a browser cache, if he is unaware of their presence.

Under federal and some state statutes, merely viewing child pornography, whether intentional or not, is not criminalized. (Fn1) Instead, these federal and state statutes criminalize receipt, transportation, shipment, distribution and possession of child pornography. (Fn2)

However, when a computer user surfs the web, the browser automatically saves a version of any images viewed into a cache on the computer's hard drive. So the act of viewing images containing child pornography on the web will, in most cases, put you in possession of these images -- in your browser cache.

While it is possible to delete images from an internet cache, this does not mean that the code for the image is no longer located on the hard drive. In many cases, prosecutors and their computer experts have been able to locate even "deleted" images -- and such deleted images have been used as the basis for pornography convictions. (Fn3)

The courts have recognized that there is a genuine risk that illegal images can be unintentionally received by computer users. For example, a person may unintentionally receive child pornography from a spam email message, in a pop-up while web surfing, or via a computer virus. (Fn4) In addition, while federal and many state statutes define child pornography to include explicit images of "minors", who are defined as persons under the age of 18, some states define minors as persons under lower ages, such as 16. So a web surfer seeking "adult" images that are legal in such a locality could well receive images that would constitute child pornography under U.S. and state laws.

However, most courts recognize that mere receipt or possession of an illegal image is not sufficient to impose criminal liability. (Fn5) Rather, to be guilty of a crime, a person must have a sufficient mens rea, or mental state. Generally, federal courts require that a person must "knowingly" have received, transported, shipped, distributed or possessed child pornography to be found criminally guilty. (Fn6)

Where the basis for a claim of possession is the presence of images in a disk cache (or of images that have now been deleted from the cache), the courts have held that "the defendant must, at a minimum, know that the unlawful images are stored on a disk or other tangible material in his possession." (Fn7) If a defendant is found to have downloaded or otherwise purposely saved images to some location on his computer system, or to have accessed and manipulated images in a cache, courts have found that possession occurred. (Fn8) In most child pornography cases, there is sufficient evidence of such purposeful control over images on a hard drive for courts to find both knowledge and possession.

This is where the Kuchinski decision comes in. If the sole available evidence is the presence of illegal images in a cache, at least some courts have found that this is insufficient to find criminal possession. In Kuchinski, an examination of the defendant's hard drive revealed 106 downloaded images in files and in the recycle bin, and between 12,904-17,784 images in Deleted Temporary Internet Files -- deleted cache files. (Fn9) Kuchinski admitted to possession of the 106 downloaded images, but denied possession of the 12,000+ images in the cache files. In fact, there was no evidence that Kuchinski knew that the cache images existed. The Ninth Circuit found that given his lack of knowledge, there was no basis for holding him criminally liable for possession of the images. The Ninth Circuit stated that "where a defendant lacks knowledge about the cache files, and concomitantly lacks access to and control over those files, it is not proper to charge him with possession and control of the child pornography images located in those files, without some other indication of dominion and control over those images." (Fn10)


February 10, 2009

Harvard Study Finds Significant Limits in the Ability of Current Technology Used by Social Networking Sites to Reduce Online Risks to Minors

In a report released on January 14, 2009, the Internet Safety Technical Task Force concluded that the technologies currently being used by digital media companies to address youth safety are "helpful in mitigating some risks to minors online, but none is fail-safe." The study, which was conducted at the Berkman Center for Internet and Society at Harvard University for the 52 State Attorneys General, reviewed technologies such as age verification and identity authentication, filtering and auditing, text analysis and biometrics. (fn1) However, it found that these technologies do not even address the most common online threats faced by minors -- harassment and bullying. Moreover, while these technologies can be of use against other threats, such as preventing minor access to adult content, each can be circumvented.

The Task Force report identified three major categories of threats faced by minors online: (1) sexual solicitation, (2) online harassment and cyber-bullying, and (3) exposure to problematic content. Of these, the Task Force found that bullying and harassment, most often by peers, are the most frequent threats that minors face online. Bullying and harassment include acts designed to embarrass, humiliate or threaten a minor.

While sexual solicitation is a risk, the study found that "the image presented by the media of an older male deceiving and preying on a young child does not paint an accurate picture of the nature of the majority of sexual solicitations." Rather, most solicitation is between minors, and even in most off-line encounters arranged through the Internet, the minor knows that he is being solicited by an adult. While there is a risk of exposure to unwanted harmful material, "those most likely to be exposed are those seeking it out, such as older male minors."


February 9, 2009

"Actual Knowledge" Language in COPPA Places Interactive Web Sites at Risk of Non-compliance

The Children's Online Privacy Protection Act (COPPA), which prohibits website operators from collecting personal information from a child under age 13 without parental consent, has been around for a little over a decade. (fn1) However, because it believes sufficient time has passed for website operators to become aware of and compliant with the rules, the Federal Trade Commission has started imposing higher penalties on violators. In its most recent COPPA enforcement action, against Sony BMG Music Entertainment, Sony agreed to a $1 million fine as part of its settlement with the FTC.

A brief excursion around the Web suggests that most popular sites appear to be attempting to comply with COPPA. Common techniques, for interactive sites that don't want to deal with the hassle of obtaining parental consent, are to post a policy stating that submissions from persons under age 13 will not be accepted, and/or to require users to provide their birth date before being allowed to begin a registration process that allows access to a site.

However, these exclusionary techniques can be easily circumvented. It is no difficult feat for an enterprising 11- or 12-year-old to falsify her birth date in order to gain access to a social networking site. Once on the site, it would not be surprising if that 11- or 12-year-old then posted information that revealed her true age -- such as an account of her birthday party, or pictures from her school yearbook, showing her to be in the 5th grade and listing her actual age. Part of the very purpose of social networking sites is to facilitate the exchange of such personal information. This creates a potential COPPA compliance problem for the website operator.
