I’ve hesitated to write this post because the law is always changing and you can’t cover it all in one blog post (thank goodness for linking). I did a presentation to the Houston Interactive Marketing Association this week, which forced me to boil it down to digestible bites. If I had to give you three simple rules they would be:

1. Disclose what you do in plain English;

2. Avoid storing or transmitting Personal Health Information if you can; and

3. Avoid marketing to minors if you can.

At the presentation, we identified the numerous laws and regulations marketers had to know about, including at least COPPA, HIPAA, the FTC’s guidelines, Self Regulatory Organization Guidelines, Cal-OPPA and the EU Safe Harbor status.

COPPA

Regarding the Children’s Online Privacy and Protection Act and marketing to minors, you should check out my five-part series here.  COPPA only applies if you collect personal information from children under 13, but the determination of whether you market to minors is not as clear as you might think.  Last year, the FTC allowed private companies to send in suggestions on how to satisfy the parental notification requirement.  The FTC recently rejected the idea of using the social graph.

HIPAA

In September, there were changes to HIPAA – the law governing the privacy of health information.  If you are marketing for a medical practice or anyone that may retain Personal Health Information, unless you want to make medical a core business segment, you may want to avoid becoming what the law calls a “Business Associate.”  If you are a Business Associate, you have to comply with HIPAA and compliance can be a pain.

A Business Associate is defined as someone or a company that provides “consulting, data aggregation, management, [or] administrative . . . services” to or for a Covered Entity, where the provision of the service involves the disclosure of protected health information from the Covered Entity, or from another business associate of such Covered Entity, to the person.

So the issue becomes whether you store or otherwise have access to Personal Health Information. Again, the analysis is not that simple. See here. You need to know both email and IP addresses are covered, which is pretty basic information for online marketers.

The specifics of your marketing strategy will determine whether you need to be concerned.  The point of this blog post is to make you think about it.  Here is one marketer’s take on the issue.   If you do a lot of marketing work for medical practices, doctors or hospitals, you should confer with a good HIPAA lawyer.  If you have one medical practice as a client in an otherwise hearty stable of clients, you may want to consider whether that one client is worth the headaches and the risk.

The FTC

The Federal Trade Commission is the agency insisting you disclose, disclose and disclose. The FTC’s more recent focus has been on mobile including this report from February 2013.

The more recent interesting drama has come from the W3C group’s unsuccessful attempts to come up with some “Do Not Track” proposals.  The powerful Digital Advertising Alliance recently backed out leaving the ability of the W3C to promulgate suggestions in jeopardy.

Several years ago, the FTC urged private organizations to make some proposals.  I previously warned the industry needed to police itself or the government would make their own regulations and you can read my 5-part series on Do Not Track here.  For now, there is no Do Not Track law.  You can still do it – as long as you disclose what you are doing and don’t mislead people.  That was Google’s $17 million mistake.

You can read the DMA’s guidelines for online behavioral advertising, which are a pretty good place to start. For mobile, check out the NAI Code of Conduct.

In the meantime, Wyndham Hotels is challenging the FTC’s authority to enforce alleged misrepresentations regarding privacy in a case we are watching.  The court recently heard oral arguments on Wyndham’s motion to dismiss but no ruling has been made yet.

Cal-OPPA

That’s where California comes in and strikes a middle ground.  California did not ban tracking.  But, effective January 1, 2014, if you retain personally identifiable information of a Californian, you will have to disclose how you respond to Do Not Track requests.  I earlier posited that many companies will have to amend their privacy policies because of Cal-OPPA.

EU-Safe Harbor

Finally, there are the EU requirements on privacy. Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1. Give a notice of what you collect and what you do with it and how individuals can ask about it.

2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3. Ensure that the company to whom you transfer data also has adequate protections.

4. Provide users access to the data you have about them.

5. Initiate adequate security, data integrity and enforcement procedures.

If you deal with customers in Europe you should consider looking into the Commerce Department’s Safe Harbor provisions, which work like a Good Housekeeping Seal of Approval for dealing with the information of European consumers.

This post does not and cannot answer every question.  Hopefully, now, however, you realize you may need to think a little more about the law when you start storing information about visitors to websites.

There are two bills (SB 568 and SB 501) working their way through the California Legislature that may require social media sites to erase the content of minors.

Oops . . . I shouldn’t have posted that.

California Senate Bill 568, which has already passed the Senate, would allow minors to request websites to remove that picture the teen thought would be awesome to post at 2:30 in the morning, but no longer looks good while you are applying for jobs or a spot at Harvard. It only applies to content actually posted by the minor and not those pictures posted by the teen’s friends who have fewer scruples.

Before minors celebrate by temporarily posting offensive jokes or pictures, the bill wisely provides that there is no guarantee removal by the initial website ensures complete elimination of the materials from the entire web.  The law states the removal process:

does not ensure complete or comprehensive removal of the content or information submitted to or posted on the operator’s Internet Web site, service, or application by the user.

The existing federal COPPA regulations provide for a similar removal process of content for children under 13 by the parents, but this law would force websites to add the process for those up to 17 and allow the request to come from the minor. Considering most social media reputational harm is likely to happen in college (let’s just say I’m glad I went through college before smartphones and social media), I am sure there are some who would like this to be law for people of all ages?

And now, a word from our sponsor.

Another interesting part of SB 568 prohibits websites from marketing a product or service to a minor, if the minor cannot legally purchase the product or participate in the service in the State of California. This prohibition applies to all sites and apps “directed to minors” or if the operator “has actual knowledge that a minor is using its” service.

This “directed to” or “actual knowledge” is also a similar COPPA concept, which is why certain sites like Facebook do not allow users under 12, but do allow users 13 and above. Because Facebook has actual knowledge of its users between 13 and 17, it would not be allowed (or possibly allow others) to market alcohol or possibly even R-rated movies.

Dude, my mom erased my PII!

California SB 501, meanwhile, would require websites to remove personally identifiable information about minors upon the request of the minor OR the parent within 96 hours of the request.

As opposed to the first bill, this one would only apply to a “Social networking Internet Web site” which is defined as:

an Internet Web-based service that allows an individual to construct a public or partly public profile within a bounded system, articulate a list of other users with whom the individual shares a connection, and view and traverse his or her list of connections and those made by others in the system.

Why do I care?

These bills are not likely to become law in the next couple months (S.B. 568 would not go into effect until January 1, 2015).  Even if you are not running Facebook, you should care.  To the extent you advertise on social media adult products or services, you need to pay attention and be prepared for any changes.

If you have a website “directed” to minors or with actual minors using it, the law will require certain disclosures and procedures.  Simply failing to have the listed disclosures can get you in trouble.  You will have to be careful in how you accumulate and store information so that you can respond to requests timely to avoid related civil penalties.  Perhaps, between now and when (or if) these bills become law, you will have to consider what value the 13-17 year old market means to you in light of these changes?

Even if you are so uncool that your site does not want to deal with teens (and won’t be deemed “directed” towards teens based on your content), you should at least adjust your terms of service to prohibit use by anyone under 18 to avoid having to deal with these proposals.

Google and Facebook are fighting this law, so perhaps there will be some changes or they will die.  For more on these bills and the implications, read the Privacy and Security Matters Blog.

 

After looking at the most popular posts from 2012 in our last edition, today we look at what are likely going to be the big trends for 2013 in internet and marketing law.  

Privacy and COPPA – Although this issue is not likely to dominate the general business population, privacy and COPPA will continue to dominate the media’s coverage of internet law issues — just look at Instagram’s latest dustup. Right before the new year, the FTC officially passed their COPPA regulations. Although the changes have been in the works for almost a year, it will take a while for companies covered by the Children’s Online Privacy Protection Act – generally websites targeted or directed to users under 13 – to comply. Surprisingly, respected folks like Nickelodeon have had COPPA issues and the FTC is watching the mobile app industry.

Cyber-Security – An issue likely to catch people off guard is cyber security legislation that may be written broadly enough to cover more than just the major telecoms. Last year, efforts like the Cyber Intelligence Sharing and Protection Act (CISPA) and the Cybersecurity Act of 2012 failed to become law. Both the CSA and CISPA drew critics mainly related to personal privacy. The President may simply act by executive order. The business question remains how broad will any laws be, what sites and service providers will have to comply, what will that mean and how much will that cost? For more, David Gewirtz outlines the 14 Global Cybersecurity Challenges for 2013 on ZDNet.

Software and Tech Patent Reform – Whenever a programmer finds out I am a lawyer, I instantly get a tirade about our broken patent system. I’m guessing Apple, Samsung and Motorola would agree. In the well-covered battles, the only winners appear to be the lawyers. Although I don’t practice patent law (it is not a field where one dabbles, so I leave that to my colleague David Henry), I have a hard time deciphering what was to be learned from those expensive battles and what developers should do. Maybe there is some hope for sensible patent reform.

Amending the Communications Decency Act – The CDA is the law that prevents people from suing the likes of Yelp and RipOff Report for reviews generated by users. It certainly makes sense not to allow lawsuits against Facebook and Google for defamation from other people’s content, which would cripple those services. But online defamation remains a hot issue and more people are fighting back. I’m not sure if there will be any changes as the law is applied to consumer review sites, but what about loosening the law as it applies to sites whose sole purpose is to slander and then extort? Sites that call people whores with photos and run SEO’ed pure gossip sites of private individuals, but then offer “reputational protection” services for a fee to remove the materials. I purposefully don’t mention names or link to them so you won’t go check them out. Instead, if you are interested, go to a good advocacy group like CiviliNation.

The New Advertising Model – The FTC may push harder on Do Not Track legislation that could interrupt behavioral or targeting online advertising this year. Facebook and everyone else are still trying to figure out mobile marketing. I waxed philosophically at the end of last year about where advertising and user generated content may be going. (Are the YouTube commercials you can’t escape getting longer and do I want to wait to see a 30 second video I am already skeptical about?) Kirk Cheyfitz of PandoDaily says the best online ads of 2012 were not actually ads. There are bright minds trying to figure this out and I expect by the end of the year, we will be talking about one of them and a new product, service or idea we haven’t heard of before.

We continue our video series on the Children’s Online Privacy and Protection Act with the basic guidelines the Federal Trade Commission lists to make sure you are complying with COPPA.

You have to excuse the interruption in the middle of the video for the break regarding the CLE verification code, which you can ignore.

You can also read my overview of COPPA.

I did a Lawlines CLE entitled Online Marketing to Minors: Legal Pitfalls & Ramifications.  Over the next couple of weeks, I will be posting some clips from the presentation here that should give you a good idea of proposals the FTC is making to update the Children’s Online Privacy and Protection Act. For a basic introduction of COPPA, go here.

I opened the presentation with a Contracts 101 lesson about why courts refuse to honor contracts with minors and invalidate them.  This first clip takes a look at how this accepted rule comes into play in a more modern online world.

In cooperation with Lawlines, I will be presenting a webinar titled “Online Marketing to Minors: Legal Pitfalls and Ramifications” on Tuesday, November 8, 2011, at 2:00 p.m. central (fee required).   The presentation will be recorded and available later on the Lawlines website.

We will discuss the Federal Trade Commission’s recent guidelines on the Children’s Online Privacy Protection Act, or COPPA, at length.  The FTC’s frequently asked questions available here are helpful.   If you just want the general rules of thumb, here they are:

1. Tell parents exactly what information you collect from children and how the information is used or disclosed.
2. Obtain verifiable consent from parents prior to any data collection.
3. Invoke a mechanism that allows parents to review the specific personal information collected and provides parents an opportunity to refuse the further use of the data.
4. Only collect what is reasonably necessary to provide the service to the child.
5. Take reasonable steps to protect the confidentiality, security, and integrity of the children’s personal information.
6. Include a link to the FTC’s website to provide tips on protecting children’s privacy online: www.OnGuardOnline.gov.

We’ve discussed contracting with minors and the Children’s Online Privacy Protection Act in our prior two parts of the series.  There’s more to it than just those issues and we wrap up the series with some recent troubles from Facebook.

Facebook forbids thirteen-year-olds from creating profiles and requires those under 18 to have their parents’ permission. The reality shows a different picture. A Consumer Reports “State of the Net” survey revealed over 7.5 million Facebook users were under 13 and more than five million were under 11.

The numbers are not Facebook’s only problems. Remember, minors cannot contractually provide consent to various agreements such as the consent to allow Facebook to share a user’s “likes.” In May, a class action lawsuit was filed against Facebook in New York claiming the social network violated New York advertising law by allowing minors to “like” products without their parents’ consent. New York has a law that prohibits using an individual’s likeness for advertising without permission. As explained above, the law says minors cannot give contractual permission.

The suit seeks the revenue Facebook received from the allegedly unauthorized use of the names or images of minors who liked advertisements and products.

The Bottom Line

If you have even just a suspicion that you collect data on children or in any way require the consent of a minor to do any type of business or marketing on your site, you need to be careful.  No policies or requirements can guarantee you will not get sued, as evidenced by Facebook’s troubles, but taking some basic precautions can keep the harm to a minimum.