
Back from the Land of Trial Mode: January Quicklinks

There has not been much activity on the blog because we have been engaged in a long copyright and misappropriation of trade secrets trial.  So, we share with you some of the articles we have been reading, but just haven’t had time to write about:

Bloggers entitled to same protections as journalists under the First Amendment.  The Ninth Circuit recently applied libel defense protections normally reserved to the “institutional press” to bloggers, reasoning that the First Amendment applies to all citizens and that there has been a blurring of the lines between who is and who is not a journalist.  You can read more about this important decision here.

We have our first Twibel verdict – no defamation in 140 characters.  In three hours, the jury returned a defense verdict saying Courtney Love did not libel her lawyers with a tweet that suggested her prior lawyers had been “bought off.”  The bad news is that during the trial Love stayed off of Twitter, and now, she is apparently back.  More here.

Yelp ordered to disclose identity of reviewers.  A court ordered Yelp to reveal the identity of seven “anonymous” reviewers who criticized a dry cleaning business in Virginia. The business claimed the reviews are fakes and do not match any of their records.  This is another example of how courts are trying to balance the interests of anonymous speech and a plaintiff’s right to combat defamatory speech.  More here.

Parents take to the court to combat cyberbullying.  Locally, there has been a lot of attention about a lawsuit filed by one set of parents against seven minors and their parents for libel and negligence.   More here.

Will there be more transparency regarding government requests for online data?   The Justice Department is relaxing the rules for technology companies like Google and Microsoft to disclose, in broad terms, the number of requests these companies receive from the government and the amount of data provided.  Tech companies have long reported the number of requests from state and non-national security related requests from the federal government, but this will be the first time they can release general information related to national security letters.  If the numbers are surprising, this could lead to even more push back against the government surveillance programs.  More here.

Supreme Court to consider online re-broadcasting case.  The U.S. Supreme Court will weigh in on the rights to re-transmit broadcast programs via the internet.  Aereo receives over-the-air broadcasts the old-fashioned way in a warehouse and then sends them to paid subscribers’ devices.  The broadcasters are arguing that Aereo is violating the “public performance” copyrights to the programming.   Aereo says they are no different than the users receiving the digital signals on their own devices.  Both sides wanted guidance from the high court and this is one worth watching.  More here.

New Year’s Resolution Idea: Update Your Privacy Policy

There is a new California privacy law that goes into effect January 1, 2014, that you need to know about.  It requires you to disclose how you respond, if at all, to do not track requests.  Because it applies to any website used by California consumers, you should make sure you are in compliance.

Earlier this year, California passed an amendment to the California Online Privacy Protection Act (CalOPPA) that will require online and mobile websites to disclose how they respond to “do not track” requests.

What are the new requirements for my relatively basic website?

If you have a basic website that merely retains IP addresses and basic information, it is not clear whether you need to change your policy.  Rather than live with the doubt, it makes sense to go ahead and comply with the new disclosures.

The ambiguity is there because the law only applies to use of personally identifiable information (PII).  If you aren’t keeping PII, then no need to worry.

So, what is PII?

The law defines PII as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual.”

The California Attorney General says she defines PII as “any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.”

If the AG enforces the law in a way broader than the definition in the statute, an IP address would be covered by the statute.  Therefore, we are recommending that almost all websites add the required disclosures rather than live with the ambiguity.

What do I have to disclose?

The amendment is about disclosure and not action.  You do not have to change your behavior and honor do not track requests — you simply have to disclose what you do about it.  It’s a middle ground that requires disclosures, but does not prevent advertisers from tracking or targeting ads or retaining and using any PII.

There is no magic language.  Although we recommend a more thorough review, you could add something like, “We do not currently respond or otherwise take any action with regard to Do Not Track requests.”

But I rely upon my outside marketing firms. . . 

The new law also applies if your site allows third parties such as ad networks to collect PII. You have “to disclose whether other parties” collect PII regarding a consumer’s “online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”  It means you also need to know what your marketing firms are doing.  If you have Google AdSense ads on your site or use the service yourself to place ads on other sites, you have to make the disclosure–not your outside marketing firm.

So, what if I don’t change?

If you violate CA OPPA, even if you are not based in California, the California Attorney General can bring a civil action against you or someone in California can bring a class action lawsuit against you.  Granted, you will receive a notice of noncompliance and have 30 days to fix it, but why wait for the notice of non-compliance?  Amend your privacy policies now disclosing what you do, if anything, about do not track requests.

Depository of International Online Privacy Resources

One of our more popular posts of the year was the recent Online Marketers’ Guide to Online Privacy.  It focuses mostly on U.S. law with some mention of the E.U. Safe Harbor issues.   The purpose of this post is to host information regarding international online privacy issues.  If you know a good resource for a country not listed, let me know and I will update this periodically.

E.U. Regulations and Reforms

Reforms to the transfer of data from the E.U. to the U.S. may be coming.  You can also read here.

The importance of E.U. regulations for online business cannot be overstated.  We will monitor these developments.  In the meantime, know the basics and check out the Department of Commerce’s Safe Harbor website.

Other Countries

Brazil

Kazakhstan

Malaysia

Mexico

South Korea

Other valuable resources

Hunton & Williams’ Privacy and Information Security Law Blog

Baker Hostetler’s Data Privacy Monitor

The Electronic Frontier Foundation’s Deeplinks Blog

Hogan Lovells Chronicle of Data Protection

Let me know if I missed something and check back here later for details.

 

Thankful I didn’t copy images, parody the Beastie Boys, use overbearing TOS or have to stand behind TheDirty

With the short Thanksgiving week, I thought we would touch on a few interesting stories developing over the last couple of weeks.

Photographer gets $1 million+ verdict from AFP and Getty for copied Twitpics

In my three-part series on using images from the web for your news stories, we talked about the Morel v. Agence France-Presse case.  Agence France-Presse, the Washington Post and Getty used images of the Haitian earthquake put on Twitter by photographer Daniel Morel.  The Washington Post settled, but the case went to trial last week against AFP and Getty.  AFP thought they had permission from the photographer to use the images, but they did not get permission from the right person.

Previously, a judge rejected AFP’s argument that it could use the images because they were put up on Twitter. The Twitter terms of service did not provide that the photographer gave his rights in the images away or grant anyone else the right to use the images outside of Twitter.  In the trial, it turns out AFP did not follow their internal guidelines on the use of images or take immediate corrective action.  The jury awarded the upper end of the statutory damages.

If you have policies, follow them.  If you make a mistake, fix it as quickly as you can. You can read about the case here and here.

Engineering gift for girls’ video spreads on Facebook – lawsuit follows.

I have a daughter.  I liked this commercial.

http://www.youtube.com/watch?v=UFpe3Up9T_g

I assumed they had the Beastie Boys’ permission.  Apparently, they did not and the Beastie Boys sent a copyright cease and desist letter.  The people at GoldieBlox fought back and filed a suit asking the court to declare the parties’ rights.   Is it a parody or do the Beastie Boys have to do this to make sure more people don’t use their songs in commercials?  You can read more about the case here with some legal analysis from the EFF here.  At least GoldieBlox will get some more attention with the lawsuit at the beginning of the holiday shopping season.

Want to criticize me, it will cost you!

KlearGear’s terms of service state:

“In an effort to ensure fair and honest public feedback, and to prevent the publishing of libelous content in any form, your acceptance of this sales contract prohibits you from taking any action that negatively impacts KlearGear.com, its reputation, products, services, management or employees.

Should you violate this clause, as determined by KlearGear.com in its sole discretion, you will be provided a seventy-two (72) hour opportunity to retract the content in question. If the content remains, in whole or in part, you will immediately be billed $3,500.00 USD for legal fees and court costs until such complete costs are determined in litigation. Should these charges remain unpaid for 30 calendar days from the billing date, your unpaid invoice will be forwarded to our third party collection firm and will be reported to consumer credit reporting agencies until paid.”

A Utah couple criticized KlearGear on RipOff Report.  Soon thereafter, KlearGear sent the couple a bill for $3,500.  KlearGear never sued, but did report the couple as delinquent to the credit reporting agencies.  We have talked about being proactive, but not too proactive, when it comes to online complaints.  Since the news of this broke, KlearGear has shut down its Facebook page and its Twitter feed to hide from the blowback.  You can read more here, here and here.  This is not the kind of press you want before the shopping season.

Update 11/27/13 -  a lawyer is now representing the couple and has sent a demand to KlearGear to remove the notation with the credit agencies or face a Fair Credit Reporting Act lawsuit.  Read about it here.

Reputable companies line up to support TheDirty.com

Finally, we update you on the Jones v. TheDirty case we have talked about before.  This is the suit by a former Cincinnati Bengals cheerleader against the website TheDirty.   A Kentucky judge allowed the case to proceed against the rumor and trash site despite Section 230 of the Communications Decency Act which normally provides immunity for website operators based on user generated content.  The jury awarded $380,000 and TheDirty.com appealed.

While some may believe the ends justified the means against this particular defendant, the refusal to dismiss this case flies in the face of almost every other Section 230 case.  In this case, the court wrote “the very name of the site, the manner in which it is managed, and the personal comments of defendant Richie” shows that the site “specifically encouraged development of what is offensive about the content.”  TheDirty.com asks people to “submit dirt.” Their submission form has entries for the “dirt,” and provides a link to upload photographs. The court seized on the fact that in response to the post about Jones, the site operator wrote “I love how the Dirty Army has a war mentality.”  Thus, no dismissal by the judge.

Section 230 has its place.  Imagine if Facebook, Google, or YouTube could be sued or had to police all of the user generated content.  I don’t think those services would exist.  That’s why many of them have filed amicus briefs with the Sixth Court of Appeals urging the court to reverse the ruling and dismiss the claims.  You can read more here about how and why the likes of Amazon, Google, LinkedIn and Microsoft are asking for the reversal.

 

The Online Marketer’s Guide to Privacy

I’ve hesitated to write this post because the law is always changing and you can’t cover it all in one blog post (thank goodness for linking).  I did a presentation to the Houston Interactive Marketing Association this week which forced me to boil it down to digestible bites.  If I had to give you three simple rules they would be:

1. Disclose what you do in plain English;

2. Avoid storing or transmitting Personal Health Information if you can; and

3. Avoid marketing to minors if you can.

At the presentation, we identified the numerous laws and regulations marketers had to know about including at least COPPA, HIPAA, the FTC’s guidelines, Self Regulatory Organization Guidelines, Cal-OPPA and the EU Safe Harbor status.

COPPA

Regarding the Children’s Online Privacy and Protection Act and marketing to minors, you should check out my five-part series here.  COPPA only applies if you collect personal information from children under 13, but the determination of whether you market to minors is not as clear as you might think.  Last year, the FTC allowed private companies to send in suggestions on how to satisfy the parental notification requirement.  The FTC recently rejected the idea of using the social graph.

HIPAA

In September, there were changes to HIPAA – the law governing the privacy of health information.  If you are marketing for a medical practice or anyone that may retain Personal Health Information, unless you want to make medical a core business segment, you may want to avoid becoming what the law calls a “Business Associate.”  If you are a Business Associate, you have to comply with HIPAA and compliance can be a pain.

A Business Associate is defined as someone or a company that provides “consulting, data aggregation, management, [or] administrative . . . services” to or for a Covered Entity, where the provision of the service involves the disclosure of protected health information from the Covered Entity, or from another business associate of such Covered Entity, to the person.

So the issue becomes whether you store or otherwise have access to Personal Health Information.  Again, the analysis is not that simple.  See here.  You need to know both email and IP addresses are covered, which is pretty basic information for online marketers.

The specifics of your marketing strategy will determine whether you need to be concerned.  The point of this blog post is to make you think about it.  Here is one marketer’s take on the issue.   If you do a lot of marketing work for medical practices, doctors or hospitals, you should confer with a good HIPAA lawyer.  If you have one medical practice as a client in an otherwise hearty stable of clients, you may want to consider whether that one client is worth the headaches and the risk.

The FTC

The Federal Trade Commission is the agency insisting you disclose, disclose and disclose. The FTC’s more recent focus has been on mobile including this report from February 2013.

The more recent interesting drama has come from the W3C group’s unsuccessful attempts to come up with some “Do Not Track” proposals.  The powerful Digital Advertising Alliance recently backed out leaving the ability of the W3C to promulgate suggestions in jeopardy.

Several years ago, the FTC urged private organizations to make some proposals.  I previously warned the industry needed to police itself or the government would make their own regulations and you can read my 5-part series on Do Not Track here.  For now, there is no Do Not Track law.  You can still do it – as long as you disclose what you are doing and don’t mislead people.  That was Google’s $17 million mistake.

You can read the DMA’s guidelines for online behavioral advertising, which is a pretty good place to start.  For mobile, check out the NAI Code of Conduct.

In the meantime, Wyndham Hotels is challenging the FTC’s authority to enforce alleged misrepresentations regarding privacy in a case we are watching.  The court recently heard oral arguments on Wyndham’s motion to dismiss but no ruling has been made yet.

Cal-OPPA

That’s where California comes in and strikes a middle ground.  California did not ban tracking.  But, effective January 1, 2014, if you retain personally identifiable information of a Californian, you will have to disclose how you respond to Do Not Track requests.  I earlier posited that many companies will have to amend their privacy policies because of Cal-OPPA.

EU-Safe Harbor

Finally, there are the EU requirements on privacy.  Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1. Give a notice of what you collect and what you do with it and how individuals can ask about it.

2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3. Ensure that the company to whom you transfer data also has adequate protections.

4. Provide users access to the data you have about them.

5. Initiate adequate security, data integrity and enforcement procedures.

If you deal with customers in Europe you should consider looking into the Commerce Department’s Safe Harbor provisions, which work like a Good Housekeeping Seal of Approval for dealing with the information of European consumers.

This post does not and cannot answer every question.  Hopefully, now, however, you realize you may need to think a little more about the law when you start storing information about visitors to websites.

Can you use pre-suit discovery to unmask an anonymous blogger in Texas?

Last week, the Supreme Court of Texas heard oral arguments on whether a party can use a pre-suit deposition to identify an anonymous blogger.  The petitioner tried to use a pre-suit subpoena to force Google to identify a blogger that constantly railed on how bad the company and its owner were.   The trial court allowed the discovery, the court of appeals affirmed the trial court’s decision and now the highest court in Texas will have to answer the question.

The case is In re John Doe a/k/a Trooper.  You can read the case summary here and listen to the oral arguments here.  We have talked about how to unmask the anonymous online tormentor before, but this case will shed some light on some of the more practical applications.

Jurisdiction

While the issue of anonymity is complex enough, the case also asks “whether Texas court rules governing discovery before a lawsuit is filed means that the trial court must have ‘personal jurisdiction’ over the ‘John Doe’ defendant–that is, the authority to hear a case against a person only after he has been served with papers notifying him of a suit–before his identity may be discovered.”  Much of the argument focused on jurisdiction, which is less sexy but an equally important issue.

In Texas, under Rule 202, you can ask for discovery without filing suit to investigate the possibility of a claim.  The company’s chairman lived here in Houston so the company sought to use Rule 202 to force Google to provide all information about the blogger.

The blogger filed documents that not only challenged the ability to unmask his identity, but challenged whether the Texas courts had any jurisdiction over him.  If you do not have sufficient contacts with a state, usually you cannot be sued in that state.   The anonymous blogger provided an affidavit claiming he did not live in Texas and did not have any contacts with Texas.  When there is an actual lawsuit with an identified target, normally you are allowed to use discovery to challenge the assertions.  If the person is not identified, challenging the assertion is next to impossible.

Then again, the purpose of pre-suit discovery is to determine whether you have a claim before you file suit.  If you cannot file suit against someone with no contacts with Texas, then you should not be able to use the Texas courts to get information you may not be able to obtain in other jurisdictions.  Other than the chairman of the company being in Houston, there was no other connection with the state.  Plus, the blogger suggested the court should order the disclosure of only the IP address which could be tracked to a physical location.

Anonymous Speech

There is little to no dispute that before a court requires the disclosure of an anonymous blogger, the person seeking the identity has to provide some basis to seek the identity.  If the speech is purely political and protected by the First Amendment, it would be difficult to unmask the blogger.  If it is commercial speech advertising a product, then there is little to no protection.

If the court gets over the jurisdictional hurdle, it will then have to decide what level of proof or pleadings someone needs to present before a court will order the identity to be disclosed.  There are three standards: (1) a good faith basis for a claim; (2) sufficient pleadings to survive a motion to dismiss that assumes every allegation is true; or (3) a prima facie case that would survive a motion for summary judgment that requires the right allegations and some proof.

The blogger wants the court to require pleadings and proof.  The party seeking the information says the standard should be lower, but then says it can satisfy any one of the three levels.

It’s possible the court could rule on the jurisdictional basis in a way that would allow it to punt on the anonymity issue.  As often as it comes up and is likely to come up again, it would be nice to have some guidance.  We’ll be keeping an eye on this case and report on it when the decision comes down.  A lot of times, it is obvious — like when the sheriff seeks to unmask someone critical of the sheriff’s actions.  That blogger will almost always be entitled to protection.  The person that criticizes the company down the street based on a financial transaction and accuses the owner of accounting fraud deserves a little closer scrutiny.

 

Regulating revenge porn and explicit online communications with children – easier said than done

Everyone supports the prevention of sexual predators texting illicit material to people under 17.  Everyone knows that revenge porn is a scourge on public decency.  But, can the law do anything about it?  Should it?

Texas Throws Out Law Banning Explicit Online Communications With Minors.

Yesterday, the Texas Court of Criminal Appeals (our highest court that hears criminal cases) reversed the conviction of a 53-year-old man who was charged with the third degree felony of communicating in a sexually explicit manner with a person whom he believed to be a minor with an intent to arouse or gratify his sexual desire.  You can read about the case here and read the court’s decision here.

The overturned law, Texas Penal Code 33.021(b)(1) states:

A person who is 17 years of age or older commits an offense if, with the intent to arouse or gratify the sexual desire of any person, the person, over the Internet, by electronic mail or text message or other electronic message service or system, or through a commercial online service, intentionally:

(1) communicates in a sexually explicit manner with a minor; or

(2) distributes sexually explicit material to a minor.

To be clear, you cannot solicit a minor for sex (conduct), but sending indecent, but not obscene materials (protected speech) is not illegal.  The court said criminal laws “may protect children from suspected sexual predators before they ever express any intent to commit illegal sexual acts, but it prohibits the dissemination of a vast array of constitutionally protected speech and materials.”  The court also noted there are several other statutes that criminalize other inappropriate conduct with minors.

For the constitutional lawyers out there, the court determined the  “sexually explicit communications” provision is facially unconstitutional because it is content-based speech regulation that could not withstand the strict scrutiny analysis.  Under that test, there needs to be a compelling state interest and the restriction on speech must be narrowly tailored.

While there is a compelling state interest to protect minors from sexual predators, the law covers merely indecent speech which is constitutionally protected.  In light of the many other laws that protect children (solicitation, child pornography, obscenity, harassment), the court said the restriction was too broad.

Subsection (b) covers a whole cornucopia of “titillating talk” or “dirty talk.” But it also includes sexually explicit literature such as “Lolita,” “50 Shades of Grey,” “Lady Chatterly’s Lover,” and Shakespeare’s “Troilus and Cressida.” It includes sexually explicit television shows, movies, and performances such as “The Tudors,” “Rome,” “Eyes Wide Shut,” “Basic Instinct,” Janet Jackson’s “Wardrobe Malfunction” during the 2004 Super Bowl, and Miley Cyrus’s “twerking”* during the 2013 MTV Video Music Awards. It includes sexually explicit art such as “The Rape of the Sabine Women,” “Venus De Milo,” “the Naked Maja,” or Japanese Shunga. Communications and materials that, in some manner, “relate to” sexual conduct comprise much of the art, literature, and entertainment of the world from the time of the Greek myths extolling Zeus’s sexual prowess, through the ribald plays of the Renaissance, to today’s Hollywood movies and cable TV shows.

*I will leave it for someone else to determine whether this is the first reference to “twerking” to make it into case law — a sign that the fad needs to go.

The prosecutors say they may appeal to the U.S. Supreme Court.

Revenge Porn – a perplexing topic for legislators

The American Bar Association recently wrote an excellent article on revenge porn you can read here.  For the uninitiated, revenge porn is when the ex publishes what were supposed to be private nude pictures for the world to see, often including full names, addresses, phone numbers and links to social media profiles.  There is a whole cottage industry bubbling up of websites that encourage posters to provide this information.

As a victim, you can bring civil claims like invasion of privacy, intentional infliction of emotional distress and copyright claims if you took a selfie because the copyright usually belongs to the photographer and not the subject.  But, these claims are expensive to bring and there are no guaranties because a lot of people blame the victim for having nude pictures in the first place.

Meanwhile, it is hard to sue the websites where these pictures are downloaded because Section 230 of the Communications Decency Act gives immunity to websites based on claims related to user generated content.

California passed a law last month that seeks to punish “Any person who photographs or records by any means the image of the intimate body part or parts of another identifiable person, under circumstances where the parties agree or understand that the image shall remain private, and the person subsequently distributes the image taken, with the intent to cause serious emotional distress, and the depicted person suffers serious emotional distress.”

Professor Goldman on his Technology and Marketing Law Blog points out the faults of the law which include: (i) it does not apply to selfies; (ii) it does not apply to redistribution or websites which could have Section 230 issues; and (iii) the difficulty in proving beyond a reasonable doubt the parties’ expectations of privacy or the intent of the accused.

While having the intent to cause severe emotional distress may avoid First Amendment scrutiny, overbroad laws would cover the publishing of Anthony Weiner’s infamous photos. Here is a Wired article by Sarah Jeong arguing that criminal laws may not be the answer.

While there are some class action lawsuits against some of the sites that encourage this behavior that we will keep an eye on, one of the best weapons may be to shine the light on the scum who engage in revenge porn using the same social media tools and let the markets take care of the websites.

UPDATE – NOVEMBER 1 - Ask a question and the Internet answers.  Professor Goldman directed me to one of his earlier tweets:

 

TechStreet Houston: Crowdfunding

I’m proud of the city where I grew up and am now raising my own kids.  Although not a popular tourist destination, there are a lot of great things happening here, and here, and here, and here, and here–including a burgeoning start-up scene.  Houston Tech Street is just more evidence of that.

Houston Tech Street is an event that will have an open and collaborative platform for the community to learn, share, showcase and promote their creative and innovative ideas, expertise and technologies for better living.  The inaugural event will be November 20, 2013.    You can learn more about it here.

They are already putting up content on their blog, including a piece I recently wrote on crowdfunding.  Go check it out.

Does California’s Amended Online Privacy Law Mean We All Have to Change Our Privacy Policies?

When it comes to privacy policies, I usually tell clients they need to comply with California law.  Beginning January 1, 2014, California is adding a new wrinkle we all need to consider.

If you comply with California’s law, you can be confident you have satisfied most of the requirements for other states.  Plus, California’s laws apply to any California consumer who visits your site or uses your mobile app regardless of whether you are based in San Francisco or San Antonio.  In fact, California’s current law requires a privacy policy for all websites that retain any type of information, which is one of the reasons we all have basic privacy policies in the first place.

California recently passed an amendment to the California Online Privacy Protection Act (CA OPPA) that will require online and mobile websites to disclose how they respond to “do not track” requests.

For most of our clients, we recommend the privacy policy simply provide that you don’t disclose the user’s information to anyone else although you may use cookies or other technologies to track where users came from and where they go.  As long as the website operator did not sell the information, a basic disclosure like that was usually sufficient.

What are the new requirements for my relatively basic website?

If you have a basic website that merely retains IP addresses and basic information, it is not clear whether you need to change your policy.  Rather than live with the doubt, it makes sense to go ahead and comply with the new disclosures.

The ambiguity is there because the law only applies to use of personally identifiable information (PII).  If you aren’t keeping PII, then no need to worry.

So, what is PII?

The law defines PII as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual.”

The California Attorney General says she defines PII as “any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.”

If the AG enforces the law in a way broader than the definition in the statute, an IP address would be covered by the statute.  Therefore, we are recommending that almost all websites add the required disclosures rather than live with the ambiguity.

What do I have to disclose?

The amendment is about disclosure and not action.  You do not have to change your behavior and honor do not track requests — you simply have to disclose what you do about it.  It’s a middle ground that requires disclosures, but does not prevent advertisers from tracking or targeting ads or retaining and using any PII.

But I rely upon my outside marketing firms. . .

The new law also applies if your site allows third parties such as ad networks to collect PII. You have “to disclose whether other parties” collect PII regarding a consumer’s “online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”  It means you also need to know what your marketing firms are doing.  If you have Google AdSense ads on your site or use the service yourself to place ads on other sites, you have to make the disclosure–not your outside marketing firm.

So, what if I don’t change?

If you violate CA OPPA, even if you are not based in California, the California Attorney General can bring a civil action against you or someone in California can bring a class action lawsuit against you.  Granted, you will receive a notice of noncompliance and have 30 days to fix it, but why wait for the notice of noncompliance?  Amend your privacy policies now to disclose what you do, if anything, about do not track requests.

 

Facebook “Like” is Protected First Amendment Speech

I don’t often make predictions on legal outcomes, so when I do and I get it right, it’s worth sharing.  In May, we talked about whether “liking” a candidate would constitute protected speech under the First Amendment.  A district judge in Virginia ruled it was not.  The Fourth Circuit Court of Appeals recently reversed in Bland v. Roberts.

In that case, a jailer in Virginia liked his boss’s opposition during a campaign for sheriff. The incumbent won and the plaintiff was fired. The sheriff said it was for competency issues, but the plaintiff said retaliation was the motivating factor for the termination.

I wrote back then that “it seems like a slam dunk case for our fired jailer,” before describing the district court’s dismissal based on the judge’s opinion that “liking” something on Facebook did not amount to a “substantive statement” worthy of protection.  Based on both the lunacy of the idea that liking a candidate on Facebook is not “substantive” enough to warrant protection and the questions asked during the appeal, according to this Bloomberg report, I wrote, “I would put my money on a reversal.”

Winner, Winner Chicken Dinner! 

Reversing, the Fourth Circuit compared liking on Facebook to putting a campaign sign in your yard.  “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the User ‘likes’ something, which is itself a substantive statement.”

It is not likely your “like” will get you fired and set up a Supreme Court case. The lesson, however, is to be careful of making employment decisions based on what you see on Facebook.  The issue is more problematic for public employers, but as we have discussed before, even non-union private employers need to make sure their social media policies and employment decisions do not upset the NLRB. “Liking” a complaint from a co-worker about working conditions cannot be the basis of a termination.  In some states, it is illegal to fire someone for engaging in protected speech.  “Liking” Coke when you work at Pepsi in an at-will state, like Texas, can still probably get you fired.