What happens when the employee who set up the company’s LinkedIn account leaves? Or, what happens when your outside marketing firm set up your Facebook page but refuses to give it to you because of a fee dispute?
Before we talk about what to do in these situations, let’s talk briefly about how to avoid these situations. Most social media sites allow you to have more than one administrator. You should have, at all times, at least two trusted employees designated as such. When one of them leaves, or is about to be fired, the remaining administrator changes the passwords to lock out the departing administrator and finds another suitable back up. The same thing works with your outside marketer — make sure someone (preferably two of you) are co-administrators so you can always have access to the social media account.
You can also contractually determine who controls and owns the social media account and its followers.
Thanks, you’re an hour late and I need to access my account.
If you are too late to implement some safeguard, the first advice is the same we give our children – ask nicely. This applies to the departed employee and the social media platforms. Obviously, if you can’t locate the employee or they refuse to give up access, you have to approach the social media networks. The problem is, historically, they are not nearly as concerned about your page as you are and are not quick to act.
For example, Facebook tells you what to do here. The problem is Facebook is notoriously slow to react taking about two weeks to respond. If it is a LinkedIn Group (say company alumni) as opposed to a company profile, you may not be able to take control. With regard to groups, LinkedIn takes the position groups are created by individual members and therefore they will not transfer ownership or control of a group. LinkedIn may help you reach out to the group owner or help you protect copyrights or trademarks, but taking control of a Group can be difficult.
In the LinkedIn case, Eagle v. Edcomm, the court threw out the Computer Fraud and Abuse Act and Lanham Act claims, but allowed the common law claims of misappropriation, conversion and invasion of privacy claims to continue which are still pending. In the Twitter case, the claims for misappropriation of trade secrets, intentional interference with prospective economic advantage, negligent interference with prospective economic advantage and conversion are proceeding to trial which is expected to take place this week.
It is clear you can sue, but exactly what causes of action apply and the likely result is not yet clear. As a lawyer, we love to blaze new ground. As a client, blazing new legal ground is expensive and dangerous. You should try to avoid it if you can, but know that you can use the courts to seek control of your accounts if you have to.
TheDirty.com is not exactly deserving of sympathy. Much like Playboy and Hustler pushed the boundaries of the First Amendment in the past, rumor sites like TheDirty.com are pushing the limits of Section 230 immunity for online defamation under the Communications Decency Act.
A judge and jury in Kentucky apparently have had enough. This week, a jury found TheDirty.com “encouraged the development of what is offensive” and was therefore liable for the defamatory posts about former Cincinnati Bengals cheerleader Sarah Jones. The jury awarded Jones $38,000 in actual damages and $300,000 in punitive damages.
As a refresher, Section 230 of the CDA provides: ”[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Because the websites are not the publisher or speaker, the sites can’t be liable for defamation. Most courts immediately dismiss website operators from defamation suits when the claim is based on user generated content known as UGC.
Although subjects of defamatory posts hate the CDA, the law is good. There would be no Google, YouTube, Twitter of Facebook if these sites had to defend, let alone be held liable for, each defamatory post by their users.
Jones sued Dirty World Entertainment Recordings which owns TheDirty.com. The site, as expected, immediately filed a motion to dismiss the complaint because all claims were based on the UGC. The trial judge denied the motion arguing the defendant purposefully seeks out and encourages defamatory content. The court wrote “the very name of the site, the manner in which it is managed, and the personal comments of defendant Richie” shows that the site “specifically encouraged development of what is offensive about the content.” Therefore, the summary judgment was denied. With TheDirty.com as a defendant, it is not surprising the jury ruled in favor of Jones.
If you have had the unfortunate reason to visit TheDirty.com, you know the judge is correct in that they do everything they can to encourage defamatory and offensive content. I have argued before that the CDA should be amended to allow for claims against sites like this that encourage defamation. I always thought the change would come through the legislative process rather than judicial fiat. Not surprisingly, TheDirty.com is appealing. You can read more about the case here.
What does it mean?
If you run Facebook, the local newspaper site, or a community site regarding butterflies, you still have nothing to worry about. If you purposefully run an inflammatory site, you need to pay attention to what the court of appeals does with this case.
TheDirty.com asks people to “submit dirt.” Their submission form has entries for the “dirt,” and provides a link to upload photographs. The court seized on the fact that in response to the post about Jones, the site operator wrote “I love how the Dirty Army has a war mentality.” Facebook and the Christian Science Monitor website don’t do this.
The CDA is usually a slam dunk defense for websites that are sued over UGC. Plaintiffs first tried to argue the sites actually “created” the content. Now, plaintiffs will argue the sites are “encouraging” the defamation. While a good policy, I am not sure it will hold up on appeal without a change to the statute by Congress.
So, what about sites like RipOffReport and PissedConsumer.com? Is the next line of attack that they “encourage” defamatory content? I would not be surprised if a plaintiff is making that argument right now in response to a motion to dismiss.
We will keep our eye on the appeal.
While the second special session is winding down (thank goodness), we will take a look at a couple more new laws impacting online media and technology in Texas. While most of the attention was on social media password protections, service via social media and online “compelled prostitution” legislation, two additional bills made it through to become law.
The Defamation Mitigation Act
The first was HB 1759 called the Defamation Mitigation Act, often referred to as the Retraction Statute, which became law as of June 14, 2013. The purpose of the law is to encourage people who feel they have been defamed to demand a retraction and allow publishers to do it.
Here ‘s how it works. A plaintiff has to notify a publisher about an allegedly defamatory statement within 90 days of learning about it. If a plaintiff fails to do so, they may not be able to seek punitive damages or bring suit until this process takes place. The statute lays out the specifics about what needs to be in the notice including a particular statement identifying the defamatory statement and when and where the publication was made. The publisher then has 30 days to correct the mistake by publishing a correction, an apology or the prospective plaintiff’s own statement.
The retraction must be ”published in the same manner and medium as the original publication or, if that is not possible, with a prominence and in a manner and medium reasonably likely to reach substantially the same audience as the publication complained of.” There is a detailed process about challenging the sufficiency of the correction.
If the plaintiff fails to follow this procedure, or the publisher takes corrective action within 30 days, the plaintiff can still sue, but can no longer seek punitive damages unless the plaintiff can show actual malice. If the plaintiff files suit without sending the notification, there is also a process that would allow the defendant to abate the case and allow for the process to take place.
The law is codified at Texas Civil Practice & Remedies Code, § 73.051–.062.
Data Breach Notification
The Legislature also amended the Texas data breach notification law with SB 1610 so that companies have to notify consumers regardless of state of residence and regardless of whether the state of the consumer has their own breach notification law.
Texas law already required all Texas businesses to notify any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person pursuant to the state law of the individuals. The amendment makes it easier for businesses to follow the Texas law or to make the notification pursuant to the law of the individual’s state — as long as the business does one or the other. This closed the hole that allowed businesses to avoid the notifications for residents of states who don’t have notification laws and business concerns that they would have to follow and know the laws of 50 states.
To be safe, businesses should make their best effort to comply with the Texas notification requirement for all individuals regardless of residence.
This new law, called the “Notification Required Following Breach of Security of Computerized Data,” is codified at Section 521.053(b-1) of the Texas Business and Commerce Code.
The Tenth Circuit issued a decision yesterday in the 1-800 Contacts v. Lens.com case we discussed several years ago when originally filed. For those of you who simply want the result, the Court of Appeals ruled:
1. There was no evidence of likelihood of confusion – an essential element to a trademark claim.
2. The court also threw out the secondary infringement claims based on the use of the trademarked term by Lens.com’s affiliate marketers because the agents, or sub-agents, lacked authority to include 1-800’s mark in ads for Lens.com.
3. The court of appeals, however, sent the case back to the trial court on the one claim to determine whether Lens.com was liable for contributory infringement because the evidence could support a reasonable finding that Lens.com did not take reasonable steps to halt the display of 1-800’s marks in affiliate ads once it learned of such display.
The trademarked term was 1800CONTACTS. Lens.com itself bid on the following nine terms (the Challenged Keywords) as AdWords keywords: “1-800 contact lenses”; “1800 contact lenses”; “800 contact lenses”; “800comtacts.com”; “800contacta.com”; “800contavts.com”; “800contaxts.com”; “800contzcts.com”; and “800conyacts.com.” Lens.com did not dispute that it bid on the Challenged Keywords, nor does 1-800 contend on appeal that Lens.com ever bid on the 1800CONTACTS mark itself. Additionally, 1-800 did not claim that any impressions created by Lens.com featured the 1800CONTACTS mark in their text.
Discovery revealed, however, that two Lens.com affiliates had bid on the keyword “1800Contacts” and close variations of 1-800’s mark. And at least one of the affiliates published at least one ad for www.JustLenses.com (one of Lens.com’s websites) that featured the phrase “1800 Contacts” in its advertising copy.
The main claims against Lens.com related to the conduct of the affiliates were based on two theories. The first—vicarious infringement—imposes liability on a principal for the infringing acts of its agent. The second—contributory infringement—is analogous to aiding and abetting.
The direct claim against Lens.com argued there was initial interest confusion when the trademarked term triggers the ad. Initial-interest confusion results when a consumer seeks a particular trademark holder’s product and instead is lured to the product of a competitor by the competitor’s use of the same or a similar mark. As the name implies, the improper confusion occurs even if the consumer becomes aware of the defendant’s actual identity before purchasing the product.
The court of appeals cited Lens.com’s expert report to find Lens.com’s use of the nine Challenged Keywords yielded 1,626 impressions for Lens.com or its associated websites over eight months. In only 25 (1.5%) of these 1,626 instances did the user click on the ad for Lens.com. (We do not know how many of the 25 made a purchase from Lens.com.) The users in those 25 instances may have been confused into thinking that Lens.com was affiliated with 1-800, or they may simply have wished to look at the offerings of those whom they knew to be 1-800’s competitors. What we can say, though, is that initial-interest confusion occurred at most 1.5% of the time that a Lens.com ad was generated by a Challenged Keyword in those eight months. This number cannot support an inference that Lens.com’s keyword activity was likely to “lure” consumers away from 1-800.
Finally, the court determined there was no evidence Lens.com instructed their affiliates to the use the 1-800 mark in the ad copy. By doing so, the agents went beyond their scope and Lens.com could not be held vicariously responsible. Lens.com may not have taken sufficient action, however, to stop the affiliates from using the trademarked term when notified about it and therefore, there could be a trial on the issue of contributory infringement.
What did we learn?
2. Don’t use the trademarked term in the copy.
3. Instruct your affiliates on #2 and take action if you are told the affiliates have crossed the line.
4. Finally, although I did not discuss the rejection of the plaintiff’s survey in the case, if you are going to do a survey to help show confusion, read this case and take heed.
Sometimes, when you read the basics of a story, it sounds so incredulous, you think “surely, there has to be more to it.” Enter the story of 19-year-old Texan Justin Carter. The quick headlines usually read – Texas Teen Faces Eight Years for Facebook Comment.
Unfortunately for Justin, the post was about shooting up kindergartners. Hence, he was charged with making “terroristic threats” and was for over three months because of a $500,000 bond that recently got paid by an anonymous supporter.
During an online multi-player game of League of Legends when Justin was 18, he got into an argument with someone on Facebook about it. After someone called him messed up in the head, according to the arrest warrant in the case, Justin wrote:
“I’m f–ked in the head alright, I think Ima SHOOT UP A KINDERGARTEN
“AND WATCH THE BLOOD OF THE INNOCENT RAIN DOWN
“AND EAT THE BEATING HEART OF ONE OF THEM.”
According to Justin’s family, the next two lines were “lol” and “jk.”
Allegedly, a Canadian woman saw the post and called the police. For more on the story, read here. Surprisingly, that’s about it — the whole story. It does not appear Justin was a real threat, had any past issues, meant for any law enforcement to get involved, or took any actions to carry out the alleged threat.
Instead, he has been charged with a violation of Section 22.007 of the Texas Penal Code which reads:
TERRORISTIC THREAT. (a) A person commits an offense if he threatens to commit any offense involving violence to any person or property with intent to:
(1) cause a reaction of any type to his threat by an official or volunteer agency organized to deal with emergencies;
(2) place any person in fear of imminent serious bodily injury;
(3) prevent or interrupt the occupation or use of a building, room, place of assembly, place to which the public has access, place of employment or occupation, aircraft, automobile, or other form of conveyance, or other public place;
(4) cause impairment or interruption of public communications, public transportation, public water, gas, or power supply or other public service;
(5) place the public or a substantial group of the public in fear of serious bodily injury; or
(6) influence the conduct or activities of a branch or agency of the federal government, the state, or a political subdivision of the state.
. . .
(e) An offense under Subsection (a)(4), (a)(5), or (a)(6) is a felony of the third degree.
The main issue in this case is hilited — Intent. It is not clear whether the prosecutor is going to try and prove a violation of 4, 5, or 6 (we know they are pressing for a third degree felony), but does it really matter? Can anyone prove, beyond a reasonable doubt, Justin intended to scare anyone or get law enforcement involved.
There are real threats made on social media and elsewhere. People that make bomb threats or take other actions meant to scare targeted people or waste law enforcement’s time should be prosecuted. People who have bad taste shouldn’t.
We can prove beyond a reasonable doubt, the comment was in bad taste — but the same may hold true for trying to prosecute the man unless there really is more to this story that has not come out yet.
I have not posted in some time because I enjoyed some traveling with the family in Hungary. Some of my cousins – by marriage – are lawyers in Budapest. They mainly peppered me with questions about the NSA and our take on privacy. I can’t repeat the compelling soliloquy I made for all Americans after a few Czech brews, but it was noticeable we had different takes about online privacy. This is not just a matter of good discussion at a ruin pub, your business needs to pay attention to E.U. privacy law, too.
The E.U. already has strict guidelines that apply to all of their member nations. Rather than relying upon protections for only certain types of health, financial data or information related to children like we do here in the U.S., the E.U. looks to protect all personal information regardless of how benign it may appear.
Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.
Generally, to comply with existing E.U. guidelines you need to:
1. Give a notice of what you collect and what you do with it and how individuals can ask about it.
2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.
3. Ensure that the company to whom you transfer data also had adequate protections.
4. Provide users access to the data you have about them.
5. Initiate adequate security, data integrity and enforcement procedures.
The Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” program that qualifies companies to store and transfer personal information on E.U. residents so you don’t have to hire E.U. counsel. You can learn more about the process here at the Department of Commerce website.
Compliance in the Future
While already stricter than U.S. requirements, the E.U. is considering strengthening its laws with changes that may take place as soon as next year.
1. Will you need a forget me button?
Recent proposals have suggested a “right to be forgotten” will have to be implemented requiring companies to erase all information about individuals. You can read more here on this proposal and how U.S. companies may fight it. If it becomes law in the E.U. next year, will you be able to offer this service?
2. Will you need consent to share data?
The E.U. is leaning towards a disclosure and consent process before any of your personal information can be shared. This may require an affirmative opt-in for all cookies with full disclosure of how the information will be used and shared.
As you may imagine, marrying a lawyer can make for some interesting conversations (or dreadful depending on your outlook) at home. The same holds true with an extended family with multiple lawyers working on difference continents with different outlooks.
As the summer arrives in full force, I am watching a lot of my start-up friends take advantage of the unpaid internship to help with some needed coding, design or marketing projects they haven’t gotten to. These kids are smart, hungry, can use the experience and wouldn’t it be nice to have someone pick up coffee and donuts for you once in awhile?
- the training is similar to that which would be given in a vocational school (even though it includes actual operation of the facilities of the employer);
- the training is for the benefit of the trainees;
- the trainees do not displace regular employees, but work under their close observation;
- the employer that provides the training derives no immediate advantage from the activities of the trainees, and on occasion operations may actually be impeded;
- the trainees are not necessarily entitled to a job at the conclusion of the training period; and
- the employer and the trainees understand that the trainees are not entitled to wages for the time spent training.
Oops . . . I shouldn’t have posted that.
California Senate Bill 568, which has already passed the Senate, would allow minors to request websites to remove that picture the teen thought would be awesome to post at 2:30 in the morning, but no longer looks good while you are applying for jobs or a spot at Harvard. It only applies to content actually posted by the minor and not those pictures posted by the teen’s friends who have less scruples.
Before minors celebrate by temporarily posting offensive jokes or pictures, the bill wisely provides that there is no guarantee removal by the initial website ensures complete elimination of the materials from the entire web. The law states the removal process:
does not ensure complete or comprehensive removal of the content or information submitted to or posted on the operator’s Internet Web site, service, or application by the user.
The existing federal COPPA regulations provide for a similar removal process of content for children under 13 by the parents, but this law would force websites to add the process for those up to 17 and allow the request to come from the minor. Considering most social media reputational harm is likely to happen in college (let’s just say I’m glad I went through college before smartphones and social media), I am sure there are some who like this to be law for people of all ages?
And now, a word from our sponsor.
Another interesting part of SB 568 prohibits websites from marketing a product or service to a minor, if the minor cannot legally purchase the product or participate in the service in the State of California. This prohibition applies to all sites and apps “directed to minors” or if the operators “has actual knowledge that a minor is using its” service.
This “directed to” or “actual knowledge” is also a similar COPPA concept which is why certain sites like Facebook do not allow users under 12, but do allow users 13 and above. Because Facebook has actual knowledge of its users between 13 and 17, it would not be allowed (or possibly allow others) to market alcohol or possibly even R-rates movies.
Dude, my mom erased my PII!
California SB 501, meanwhile, would require websites to remove personally identifiable information about minors upon the request of the minor OR the parent within 96 hours of the request.
As opposed to the first bill, this one would only apply to a “Social networking Internet Web site” which is defined as:
an Internet Web-based service that allows an individual to construct a public or partly public profile within a bounded system, articulate a list of other users with whom the individual shares a connection, and view and traverse his or her list of connections and those made by others in the system.
Why do I care?
If you have a website “directed” to minors or with actual minors using it, the law will require certain disclosures and procedures. Simply failing to have the listed disclosures can get you in trouble. You will have to be careful in how you accumulate and store information so that you can respond to requests timely to avoid related civil penalties. Perhaps, between now and when (or if) these bills become law, you will have to consider what value the 13-17 year old market means to you in light of these changes?
Even if you are so uncool that your site does not want to deal with teens (and won’t be deemed “directed” towards teens based on your content), you should at least adjust your terms of service to prohibit use by anyone under 18 to avoid having to deal with these proposals.
Google and Facebook are fighting this law, so perhaps there will be some changes or they will die. For more on these bills and the implications, read the Privacy and Security Matters Blog.
Although the Governor called a special session extending the Texas Legislative session, the topics to be addressed are political ones and not the ones we have been tracking. We can therefore wrap-up our watch of the three bills we were monitoring.
First, bring out your dead!
HB 318/SB 118 social media passwords
A bill that would have prohibited employers from demanding social media passwords from its employees and applicants garnered much attention, was passed by the house, but then died. Texas will not join about a dozen other states who have passed similar laws to provide what I think is a solution to a non-existent problem. I seriously doubt that between now and 2015, employers will run amok demanding social media passwords — especially with the pro-employment attention Texas has been getting (shameless plug for my hometown). The National Conference of State Legislatures has a good page on the efforts by various states.
HB 1989 service by social media
This bill also generated attention, but did not get very far. It would have allowed judges to authorize service of a lawsuit via social media. The existing rules allow judges to authorize substituted service when necessary which could include social media assuming certain due process protections are in place. This bill would have given judges more comfort with the idea, but its death does not mean it can’t still be done. This Outside Counsel article by Michael Lynch suggests service of process via social media may become more common without extra rules or laws.
The lone survivor
Only SB 94 was passed and will become law on September 1, 2013. It allows for private civil lawsuits against websites that allow advertisements for what the law calls “compelled prostitution,” better known as sex trafficking. As explained in my initial post, there is a serious legal question of whether the Texas law would run afoul of Section 230 of the Communications Decency Act which generally shields website operators from liability for user generated content. Hopefully, it is a purely academic discussion and this law is little used because of the lack of necessity. If a website is sued, it will make for an interesting defense.
The Legislature now focuses on redistricting – expect some fireworks and perhaps another escape.
Is liking something expressive activity protected by the First Amendment? Does being a Facebook “friend” create the appearance of impropriety requiring the judge to recuse himself from the case? Leave it to Facebook to make us answer these questions.
You don’t like me, you just want my coupon . . .
The Fourth Circuit Court of Appeals is wrestling with the question of whether liking something on Facebook is protected First Amendment activity in the case of Bland v. Roberts. A jailer in Virginia liked his boss’s opposition during a campaign for sheriff. The incumbent won and the plaintiff was fired. The sheriff said it was for competency issues, but the plaintiff said retaliation was the motivating factor for the termination.
Public employers, and some private employers in some states, cannot retaliate against an employee for taking part in Constitutionally protected activity that does not interfere with work. In other words, you can’t fire a public employee just because they spoke out on a issue or supported a candidate.
So, it seems like a slam dunk case for our fired jailer. The district court dismissed his case because the court ruled “liking” something on Facebook did not amount to a “substantive statement” worthy of protection. The court determined that without more, the simple act of making one-click on Facebook does not reveal that someone is engaging in protected speech. While it is true half of the people on Facebook would like Osama bin Laden to get a 15% discount at Target, “liking” a candidate or a cause is political speech.
It’s dangerous to predict the outcome of an appeal based on oral argument, but according to this report from Bloomberg, I would put my money on a reversal.
“Carter clicked the Like because he liked something,” U.S. Circuit Judge Stephanie Thacker said to a lawyer for Hampton Sheriff B.J. Roberts during the 40 minute hearing. “How is that any different than perhaps putting a sign in the yard saying ‘I Like Ike’?” she asked.
Facebook, which got a few minutes at the hearing to argue for a reversal, made similar arguments.
The opinion should be issued in a few months and will tell us whether the over 3 billion “likes” a day on Facebook are entitled to First Amendment protection.
It is not likely your “like” will make its way to the Supreme Court. The lesson is to be careful of making employment decisions based on what you see on Facebook. The issue is more problematic for public employers, but as we have discussed before even non-union private employers need to make sure their social media policies and employment decisions do not upset the NLRB. ”Liking” a complaint from a co-worker about working conditions cannot be the basis of a termination. ”Liking” Coke when you work at Pepsi in an at will state probably can be.
MAKING “FRIENDS” WITH THE JUDGE
In Youkers v . Texas, the criminal defendant was accused of violating the terms of his parole supervision which sent him to jail for eight years. On appeal, Youkers argued the father of the victim in the underlying crime was Facebook friends with the judge and sent the judge a Facebook message. Therefore, the defendant argued, there was an improper bias and the conviction should be overturned.
The Facebook message
When you only hear part of the story, things look bad. Yes, there was an ex parte Facebook message from the victim’s father to the judge. The message, however, sought leniency for the defendant. The judge also disclosed the message to everyone without any objection and warned the father not to do it again.
The Facebook “friendship”
The more interesting question is whether merely being friends with a judge on Facebook provides even an appearance of impropriety. I’ve had interesting discussions about this topic at various ethics CLE’s with judges and private practitioners. And, yes, I am Facebook friends with several judges.
The court of appeals ruled judges are not prohibited from using social media. In Texas, unfortunately, we elect our judges. The court realized the judges need to be on social media.
As pointed out in Professor Goldman’s Technology and Marketing Law Blog:
Merely designating someone as a “friend” on Facebook “does not show the degree or intensity of a judge’s relationship with a person.” ABA Op. 462. One cannot say, based on this designation alone, whether the judge and the “friend” have met; are acquaintances that have met only once; are former business acquaintances; or have some deeper, more meaningful relationship. Thus, the designation, standing alone, provides no insight into the nature of the relationship.
Without more, the defendant could not prove there was an improper evidence.
The ABA cautions judges to use social media within the existing ethical rules (endorsing political candidates is a tough one) and this case should give lawyers here in Texas a little more comfort about friending judges. The practicing bar has a little more freedom. Yet, the existing ethical rules still apply to our social media use. For instance, we cannot imply we hold any sway with a particular jurist and a simple Facebook friendship does not do that – particularly when the elected judge is friends with hundreds of lawyers.
A lot of the judges are our friends. Before they got on the bench, they were our colleagues. Once on the bench, they are still our neighbors, our kids’ coaches and friends. We socialize with them outside the courthouse. With Facebook, there is just a record.