Skip to content

GawkerA few days ago, a jury in Florida awarded Hulk Hogan (real name Terry Bollea)  $140 million because Gawker posted a leaked sex video of the former wrestler. Rather than focus on the lurid details (which you can Google), let’s look at the law that led to the two-week trial.

To recap, Gawker allegedly received the video from an anonymous source. Other news outlets reported the existence of the tape. Gawker decided to publish the video in 2012 and had it on its site for six months.

What Issues Went to the Jury

The lengthy jury instructions indicate Bollea sued for (1) invasion of privacy; (2) violation of his right of publicity; (3) intentional infliction of emotional distress; and (4) a violation of Florida’s Security of Communications Act.  Gawker denied the allegations and contend their actions were protected by the First Amendment.

Florida law on invasion of privacy

A number of acts can constitute an invasion of privacy. The first claim was for invasion of privacy based upon the publication of private facts which requires: (1) the publication of truthful private information; (2) that a reasonable person would find highly offensive; and (3) that does not relate to a matter of legitimate public concern. The final element is why there was a lot of discussion about the “newsworthiness” of the video and the effort by Bollea to distinguish between his real self and the character that he plays as Hulk Hogan.

Bollea also sued for invasion of privacy based on intrusion upon seclusion which requires: (1) the wrongful intrusion through physical or electronic means; (2)  into a place in which Bollea had a reasonable expectation of privacy; (3) in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities. Because of this claim, there was a lot of discussion about whether Bollea knew about videotaping.

Finally, there was a claim for invasion of privacy based on misappropriation of the right of publicity which requires: (1) the unauthorized use of the plaintiff’s name or likeness; (2) for a commercial or advertising gain.

Intentional Infliction of Emotional Distress

This claim consists of: (1) extreme and outrageous conduct by the defendant; (2) that causes severe emotional distress; and (3) was engaged in either with an intent to cause severe emotional distress or a reckless disregard of the high probability that it would cause severe emotional distress.  Extreme and outrageous conduct is behavior which, under the circumstances, goes well beyond all possible bounds of decency and is regarded as shocking, atrocious, and utterly intolerable in a civilized community.

Florida Security of Communications Act

This statutory claim requires: (1) the disclosure of oral communications; (2) in which the plaintiff had a reasonable expectation of privacy; (3) by one who knows or has reason to know that the communications were recorded without plaintiff’s knowledge or consent.

The First Amendment

The court instructed the jury that the newsworthiness of the video was a defense to Bollea’s claim for publication of private facts and a First Amendment defense to each claim. The court explained: “A matter of public concern is one that can be fairly considered as relating to any matter of political, social, or other concern to the community or that is subject to general interest and concern to the public. . . . The line between the right to privacy and the freedom of the press is drawn where the publication ceases to be the giving of information to which the public is entitled, and becomes a morbid and sensational prying into private lives for its own sake, with which a reasonable manner of the public, with decent standards, would say that he or she had no concern.”

Damages

As you know, the jury found in favor of Bollea.  The jury therefore had to assess damages. Bollea’s experts claimed the video raised the value of the website by $5 million to $15 million. Gawker retorted that it only added $11,000 in value because there were no advertisements next to the video.

The court instructed the jury to award “the amount of money that . . . will fairly and adequately compensate Plaintiff for the emotional distress he experienced as a consequence of the publication of the Video.”

On the misappropriation of the right of publicity, the court instructed the jury to award “an amount of money that . . . will fairly and adequately compensate Plaintiff for any economic damages relating to the publication of the Video.” 

The jury awarded compensatory damages in the amount of $55 million for economic damages and another $60 million in pain and suffering. The jury added another $25 million in punitive damages made up of $15 million against Gawker, $10 million against the founder of the site and $100,000 against one of the editors involved. Some media reports suggested Bollea only asked for $100 million in damages. There were reports that the jurors were disgusted by jokes made by Gawker employees at the time of publication and during depositions.

You can read another interesting take on the case here.

Gawker intends to appeal.

By now, you have probably read about how the FBI is asking Apple to create software that would help the FBI unlock the iPhone of one of the deceased San Bernadino attackers. You have probably heard the talking heads scream about the privacy vs. security policy debate, but what law is at play?

The All Writs Act

You may have even heard the government is relying upon the All Writs of Act which was passed in 1789. Three years of law school and sixteen years of practice and I had not heard of the All Writs Act at 28 . § 165U.S.C.  Surprisingly, it is very short:

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction. 

The purpose of the law is to fill in the gaps to give courts the power to enforce their orders and subpoenas.  Obviously, the use of the All Writs Acts has to be “agreeable to the usages and principles of law.”

How We Got Here

On February 16, 2016, the government received an ex parte order (which means without having anyone from Apple or anyone else arguing against the request) requiring Apple to provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data.” The order then lists what the court considers “reasonable technical assistance” including the oft-discussed decryption key that needs to be created to help unlock the phone. A copy of the order is here:  SB-Shooter-Order-Compelling-Apple-Asst-iPhone.

Apple’s Legal Argument

download (2)Apple primarily argues that Congress has already decided tech companies like Apple cannot be forced to provide access to encrypted devices. Apple’s brief is here. Specifically, Apple cites to the 1994 Communications Assistance for Law Enforcement Act at 47 U.S.C. § 1001, et seq.  CALEA, Apple argues,  specifically states that electronic communication service providers and mobile phone manufacturers cannot be forced to “implement any specific design of its equipment, facilities, services or system configuration” to unlock or decrypt phones.

Apple then argues that Congress has considered amendments to CALEA, but decided not to amend the 1994 law to require so-called back doors to encrypted devices or programs. According to the brief, “Congress, keenly aware of and focusing on the specific area of dispute here, thus opted not to provide authority to compel companies like Apple to assist law enforcement with respect to data stored on a smartphone the designed and manufactured.”

Case Law on the All Writs Act

The U.S. Supreme Court spelled out the test for whether the All Writs Act could be used in U.S. v. New York Telephone, 435 U.S. 159 (1977). In that case, the Court required the phone company to install a pin register device on two telephone lines.

The Court provided a three-part test:

(1) is the company so far removed from the controversey that its assistance could not be reasonably compelled?

(2) What is the burden on the company whose assistance is sought?

(3) Are there other alternatives?

In light of those factors, Apple argues:

(1) the company does not own or control or the phone or the data the government is seeking;

(2) It would be difficult for Apple to build the requested unlocking key and Apple does not want to for marketing and concerns about additional requests in the future.  Apple says it would take six to ten employees two to four weeks to develop it.

(3) The government made it more difficult when they changed the iCloud password and did not prove that the government exhausted all of the available digital forensics resources available to them.

Finally, Apple contends forcing them to create software would force them into compelled speech in violation of the First Amendment and would constitute an unlawful arbitrary action against Apple without due process in violation of the Fifth Amendment.

The Department of Justice’s Response

FBI-1In its response, the Government tried to shift the focus back to the specific facts of this case and this one phone in light of the three-part test and away from a greater policy argument.

The government says that just because Congress did not make any changes to CALEA does not mean the All Writs Act does not apply to fill in the gap as it has been used a number of times to require companies to unlock phones and other devices.

Regarding the three factors from the New York Telephone case,

(1) Apple purposefully licensed the operating system in the phone that allowed for encryption, so Apple’s involvement is sufficient.  Involvement does not mean a company participated or even specifically knew there was criminal conduct. It only requires that Apple be “closely connected” to the crime.

(2) While the burden to create the software might be burdensome on a small company, the Government says it would not be unreasonable for Apple which encrypted the software in the first place.  The Government would compensate Apple and work to minimize the burden.

(3) The FBI says it cannot unlock the phone without Apple because Apple built the code to prevent any access. They claim the fact that Apple cannot access it without building something new proves Apple is necessary.

Apple can file a response on March 15 and the hearing is scheduled for March 22.

Hungary 461Earlier this month the Court of Justice of the European Union struck down the EU-U.S. Safe Harbor Framework which previously provided U.S. companies comfort in that they could follow the framework and know they were not violating the more strenuous E.U. personal data privacy laws. The scrapping of the Safe Harbor is a result of recent Snowden revelations about the U.S. data collection efforts in the E.U.

Created in 2000, the Framework allowed for the lawful transfer of European citizens’ personal data to the U.S.  Without it, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995.   The U.S. is not on that list. For a good description of the ruling, go here.

I’m not Facebook or a cloud storage company, so why do I care?

Data transfers have not come to an immediate hault. Likewise, trans-Atlantic trade has not stopped. But, you may not realize you transfer the personal data of E.U. citizens and need to be prepared. Certainly, if you previously relied upon the safe harbor, you need to make some changes.

Do you take orders from E.U. customers?  Do you have subsidiaries in the E.U., but process the H.R. functions here? Do you host the company email here that includes email accounts of E.U. citizens?  Do you store information from E.U. citizens? You can see how easily you can become susceptible to possible data transfers of personal information of E.U. citizens.

So what do I do?

Because the ruling is so new, a lot of people are still trying to figure out what exactly this means.  Some suggested actions include:

1. Update the Privacy Policy

Many privacy policies provide that the company follows the Safe Harbor guidelines. This should be updated and the policy should go into greater detail about what “adequate protections” you use to protect data.

2. Get consent for transfers of data outside the E.U.

Under the E.U. Directive, you can legally transfer personal data with the subject’s consent.  This is based on one of the derogations to the EU Data Protection Directive. This may help with the occasional customer, but when it comes to your employees in the E.U., many of the authorities have found that you cannot get real consent from employees because of the lack of leverage for the employee to say no.

If you are dealing with consumers, you would need to document and obtain actual consent.  Having a statement in a privacy policy hidden on your website is not sufficient.  You must make the E.U. citizen actually consents through a click-wrap agreement and document their consent.  It may not be enough to simply have them agree that you may transfer their data to other countries with less rigorous data protection laws, but you may have to notify them that their data may be transferred to a jurisdiction where their data may be subject disclosure pursuant to a court order or other governmental action.

3. Use one of the alternative mechanisms

The options other than Safe Harbor that were available before the ruling are still possibilities. These include the Binding Corporate Rules and Standard Contractual Clauses.

The Standard Contractual Clauses can provide an efficient short-term fix.  They can be used to transfer data within one company (the H.R. or email server issues) or between a company and a vendor. The magic involved here is in describing what and how data is collected, stored and protected in the appendices of the SCCs.

The Binding Corporate Rules may be an alternative, but it may take time to get them approved because they require approval from the data protection authorities in each country of the E.U. from where you would transfer data. This process can also be expensive to implement. Some jurisdictions are tougher than others. The U.K. is less restrictive than Germany, for example. Therefore, it may depend on in which jurisdictions you have operations.

4. Segregate E.U. Data

To the extent you store data, you can segregate it and keep from transferring the data on E.U. citizens out of the E.U. This may not be practical for most people, but if it is an option, it may be the better one than trying to navigate through this morass.

5. Stay Classy San Diego

ron-burgundy-2 (1)While you can no longer rely upon on Safe Harbor to avoid problems, you should maintain those safeguards in place because you promised to do it. Showing that you are taking best practice precautions may save you from any harsh penalties if anyone ever complains.

The likely outcome is that E.U. and U.S. officials will create a new framework that addresses some of the concerns set out in the order to allow for transfer of data. The good news is some European officials have already stated they plan on proposing new guidelines and do not plan to aggressively enforce any data transfers in the near term that satisfied the Safe Harbor.

In the meantime, stay calm and consider the options. Watch to see if the European authorities issue guidelines you can live with. Check in here for guidelines that may be forthcoming. Individual countries may also provide their own guidelines.

No, the world is not ending, but a change will have to be made. We will monitor the situation and provide updates as available.

UPDATE: 10-15-15

This morning, I participated in a conference call with our international partners in our First Law Institute Data Protection/Retention Group.  The general consensus was that SCCs are the way to go in the interim, but they are not foolproof for all situations and entering into the agreements does not really address the policy concerns raised in the court’s ruling.

During the esoteric part of the conversation, some of the European partners conceded that other countries engage in surveillance and if you applied the policy behind the ruling, there should be no data transfers outside of the E.U. to almost any other country that engages in any form of cyber surveillance. No matter what measures a company puts in place, the ruling focused on the government surveillance rules which would trump whatever the contractual arrangements are in the SCCs.

The good news is that our European partners believe new guidelines, or a Safe Harbor 2.0, will emerge soon.

 

 

I love college basketball.  Given that my Missouri Tigers haven’t given me much to talk about, I thought we could discuss the efforts by this upset Duke fan to have her image removed from the Internet captured during the Miami – Duke game that snapped Duke’s incredible 41-home-game winning streak.  You can read about it here.

I am not a Duke basher (nor fan) and I don’t want to pile on this poor fan.  Believe me, after what Kentucky did to Mizzou last night, I felt worse.  This does, however, raise some interesting legal questions.

How do you remove images from the Internet?

 

1. Copyright

The primary way is to use the Digital Millennium Copyright Act.  If you own the copyright to the image, it is usually pretty easy to get images removed from websites operated in the U.S. and to have the search engines de-index them.  You can read more about the DMCA here.  Generally, if you take the picture, you own the copyright.  The copyright to this image belongs to ESPN and probably the ACC or NCAA.  You know that really quick copyright notice for broadcasts – any use of images is prohibited, blah, blah, blah.  Screen shots would be included.  The fan could ask ESPN to get these images removed.  ESPN may be a little busy, however, because I think Tom Brady may have sneezed.

2.  Invasion of Privacy

There is little expectation of privacy in the stands of a nationally televised sporting event.  Do a search for certain NSFW conduct at sporting events to see how people forget this sometimes.  Also, look at the back of your ticket next time you head to a game.  There is a lot of fine print about the lack of privacy you may experience.  Nevertheless, let’s go through the common law claims of intrusion upon seclusion, publicity to private facts, appropriation of likeness and false light.

Intrusion upon seclusion.  The elements of the claim are: (1) intentional intrusion; (2) upon private affairs of another; (3) that is highly offensive to another.  Being upset at a basketball game is not a private affair.  Most states follow the stand in doctrine which provides that if the media stands where the general public could observe the events, then there is no intrusion.

Publicity to private facts.  To prevail on a claim, the information must not be a matter of legitimate public concern and its publication would be highly offense to a reasonable person.  I am not suggesting comments to a blog are true indications of what is offensive, but a quick view of them reveal that using that screenshot is not highly offensive to most.

Commercial appropriation of likeness.  This requires the (1) appropriation of one’s name or likeness; (2) for a commercial purposes.  Although ads are sold on blogs, the use of the name is not for a commercial purpose.  This cause of action usually applies to celebrities when a store tweets about them without permission or makes video games about them.  If a UNC fan used this picture to start selling t-shirts, then she may have a claim, but not for the use of the image on Twitter or blogs.

Portrayal in false light.  It requires: (1) publishing information that creates a false impression; (2) thereby casting the person in a false light; (3) creating emotional (as opposed to commercial) harm; and (4) the act is highly offensive.  I suspect there is nothing false about this fan’s feelings.  Like I said, no one saw me in my living room with a look of disgust last night, but there is nothing false impression about how she is feeling and why she is upset.

3.  Approach the websites

According to the article, the first image appeared on Twitter.  Under the Twitter Rules, posters are not supposed to abuse others, infringe on the rights of others or violate copyrights.  If you ask nicely and point out how posts violate a site’s terms, sometimes the wesbites will take it down although they may not legally have to.  In fact, in the terms of service, Twitter says it may not monitor the tweets and:

You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive.

In addition to being at the mercy of Twitter’s whims that day, the problem is now that the image is on many other sites as well.

The Streisand Effect

We have talked about the Streisand Effect before.   It’s the name given to the phenomena resulting from increased attention to online posts, stories, websites, etc. only after someone complains about them or raises a legal issue about them.  Had the fan not asked to remove the image, I would not have read about it and would not be blogging about it. Sometimes, the wiser move is to let it go (no, I will not sing it).  It’s a bad business development strategy on my part, but is often the best advice I have ever given.

On the bright side, at least the fan was not wrongfully accused of being caught cheating on her boyfriend at the Ohio State v. Alabama game.

http://www.youtube.com/watch?v=-2QQj1n57ok

 

 

 

 

One of our more popular posts of the year was the recent Online Marketers’ Guide to Online Privacy.  It focuses mostly on U.S. law with some mention of of the E.U. Safe Harbor issues.   The purpose of this post is to host information regarding international online privacy issues.  If you know a good resource for a country not listed, let me know and I will update this periodically.

E.U. Regulations and Reforms

Reforms to the transfer of data from the E.U. to the U.S. may be coming.  You can also read here.

The importance of E.U. regulations for online business cannot be understated.  We will monitor these developments.  In the meantime, know the basics and check out the Department of Commerce’s Safe Harbor website.

Other Countries

Brazil

Kazakhstan

Malaysia

Mexico

South Korea

Other valuable resources

Hunton & Williams’ Privacy and Information Security Law Blog

Baker Hostetler’s Data Privacy Monitor

The Electronic Frontier Foundation’s Deeplinks Blog

Hogan Lovells Chronicle of Data Protection

Let me know if I missed something and check back here later for details.

 

I’ve hesitated to write this post because the law is always changing and you can’t cover it all in one blog post (thank goodness for linking).  I did a presentation to the Houston Interactive Marketing Association this week which forced me to boil it down to digestable bites.  If I had to give you three simple rules they would be:

1. Disclose what you do in plain English;

2. Avoid storing or transmitting Personal Health Information if you can; and

3. Avoid marketing to minors if you can.

At the presentation, we identified the numerous laws and regulations marketers had to know about including at least COPPA, HIPAA, the FTC’s guidelines, Self Regulatory Organization Guidelines, Cal-OPPA and the EU Safe Harbor status.

COPPA

Regarding the Children’s Online Privacy and Protection Act and marketing to minors, you should check out my five-part series here.  COPPA only applies if you collect personal information from children under 13, but the determination of whether you market to minors is not as clear as you might think.  Last year, the FTC allowed private companies to send in suggestions on how to satisfy the parental notification requirement.  The FTC recently rejected the idea of using the social graph.

HIPAA

In September, there were changes to HIPAA – the law governing the privacy of health information.  If you are marketing for a medical practice or anyone that may retain Personal Health Information, unless you want to make medical a core business segment, you may want to avoid becoming what the law calls a “Business Associate.”  If you are a Business Associate, you have to comply with HIPAA and compliance can be a pain.

A Business Associate is defined as someone or a company that provides “consulting, data aggregation, management, [or] administrative . . . services” to or for a Covered Entity, where the provision of the service involves the disclosure of protected health information from the Covered Entity, or from another business associate of such Covered Entity, to the person.

So the issue becomes whether you store or otherwise have access to Personal Health Information.  Again, the analysis is not that simple.  See here.  You need to know both email and IP addresses are covered which is pretty basic information for online marketers.

The specifics of your marketing strategy will determine whether you need to be concerned.  The point of this blog post is to make you think about it.  Here is one marketer’s take on the issue.   If you do a lot of marketing work for medical practices, doctors or hospitals, you should confer with a good HIPAA lawyer.  If you have one medical practice as a client in an otherwise hearty stable of clients, you may want to consider whether that one client is worth the headaches and the risk.

The FTC

The Federal Trade Commission is the agency insisting you disclose, disclose and disclose. The FTC’s more recent focus has been on mobile including this report from February 2013.

The more recent interesting drama has come from the W3C group’s unsuccessful attempts to come up with some “Do Not Track” proposals.  The powerful Digital Advertising Alliance recently backed out leaving the ability of the W3C to promulgate suggestions in jeopardy.

Several years ago, the FTC urged private organizations to make some proposals.  I previously warned the industry needed to police itself or the government would make their own regulations and you can read my 5-part series on Do Not Track here.  For now, there is no Do Not Track law.  You can still do it – as long as you disclose what you are doing and don’t mislead people.  That was Google’s $17 million mistake.

You can read the DMA’s guidelines for online behavorial advertising which is a pretty good place to start.  For mobile, check out the NAI Code of Conduct.

In the meantime, Wyndham Hotels is challenging the FTC’s authority to enforce alleged misrepresentations regarding privacy in a case we are watching.  The court recently heard oral arguments on Wyndham’s motion to dismiss but no ruling has been made yet.

Cal-OPPA

That’s where California comes in and strikes a middle ground.  California did not ban tracking.  But, effective January 1, 2014, if you retain personally identifiable information of a Californian, you will have to disclose how you respond to Do Not Track requests.  I earlier posited that many companies will have to amend their privacy policies because of Cal-OPPA.

EU-Safe Harbor

Finally, there is the EU requirements on privacy.  Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1. Give a notice of what you collect and what you do with it and how individuals can ask about it.

2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3. Ensure that the company to whom you transfer data also had adequate protections.

4. Provide users access to the data you have about them.

5. Initiate adequate security, data integrity and enforcement procedures.

If you deal with customers in Europe you should consider looking into the Commerce Department’s Safe Harbor provisions that works like a Good Housekeeping Seal of Approval for dealing with the information of European consumers.

This post does not and cannot answer every question.  Hopefully, now, however, you realize you may need to think a little more about the law when you start storing information about visitors to websites.

Rocky Mountain National Park

Because of an extended working vacation away from Houston’s heat in Colorado, I’ve been away from the blog.  Like my kids gearing up to go back to school, I’m getting back to the normal work mode back in the office while recovering from a separated shoulder from a mountain biking incident (riding across on overpass in Houston is apparently different than actual mountain biking).  As a warm-up, here are a few quick links to interesting stories from the last couple of weeks.

Another Adwords Trademark Dismissal

From Professor Goldman’s Technology and Marketing Law Blog — another unsuccessful keyword advertising lawsuit.  The plaintiff was a collection agency and the defendant was a law firm that bid on the plaintiff’s name that triggered the following ad:

a link titled “Stop Collection Calls—Is Allied Interstate Calling You?” Below the link are two lines of text, the first listing Defendants’ URL, www.creditlaw.com, and the second bearing the slogan “Stop the calls for free!”

Under most circumstances, I would advise clients to avoid using the competitor’s name in the ad copy.  But, this is one of those easy exceptions.  It is clear the law firm is not trying to confuse consumers into thinking the law firm is the same as the collection agency.  It is a pretty easy decision, but a good reminder of how trademark law plays into search engine advertising.

An Eraser Button for Minors on Social Media

Charlie bags his first 14’er — sort of because it was Mt. Evans and we drove most of the way.

We previously mentioned an eraser button for minors on social media.  It appears the California Legislature is also back from vacation which, according to Edwards Wildman’s Digilaw Blog, means the law may be a reality soon.

Hi-Jacked Sites

One of the most difficult things to do is help clients deal with IP theft from pirates outside of the U.S.  Seyfarth Shaw’s Trade Secret Blog provides some tips on how to deal with these issues–assuming you have enough clout to get your state attorney general involved.

Cascade Falls

Don’t let your independent contractor use your email.

Evan Brown’s Internet Cases blog discusses a recent Texas opinion regarding the dangers of letting an independent contractor use the company email.  An independent contractor cannot usually bind a company to an agreement because they don’t usually have the authority.  The company, however, can clothe the independent contractor with the indicia of authority and lead the other party to believe they are dealing with the right person.  One way to do that — have the independent contractor send emails from the company account.

Understanding the law and the government’s 

Sunrise in Grand County, Colorado

To get a good baseline understanding of the law underlying the government’s ability to (store, monitor, read, index, search – you choose the verb) / (phone records/meta data/emails/cell location information — you choose the object of the verb), NPR’s Morning Edition has a good story explaining the 1978 Supreme Court decision that may say all of this is perfectly legal.

I have not posted in some time because I enjoyed some traveling with the family in Hungary.  Some of my cousins – by marriage – are lawyers in Budapest.  They mainly peppered me with questions about the NSA and our take on privacy.  I can’t repeat the compelling soliloquy I made for all Americans after a few Czech brews, but it was noticeable we had different takes about online privacy.   This is not just a matter of good discussion at a ruin pub, your business needs to pay attention to E.U. privacy law, too.

The E.U. already has strict guidelines that apply to all of their member nations.  Rather than relying upon protections for only certain types of health, financial data or information related to children like we do here in the U.S., the E.U. looks to protect all personal information regardless of how benign it may appear.

Compliance Now

Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995.   The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1.  Give a notice of what you collect and what you do with it and how individuals can ask about it.

2.  Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3.  Ensure that the company to whom you transfer data also had adequate protections.

4.  Provide users access to the data you have about them.

5.  Initiate adequate security, data integrity and enforcement procedures.

The Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” program that qualifies companies to store and transfer personal information on E.U. residents so you don’t have to hire E.U. counsel.  You can learn more about the process here at the Department of Commerce website.

 

The children with my father-in-law.
My children with my father-in-law who left Hungary in 1956.

Compliance in the Future

While already stricter than U.S. requirements, the E.U. is considering strengthening its laws with changes that may take place as soon as next year.

1.  Will you need a forget me button?

Recent proposals have suggested a “right to be forgotten” will have to be implemented requiring companies to erase all information about individuals.  You can read more here on this proposal and how U.S. companies may fight it. If it becomes law in the E.U. next year, will you be able to offer this service?

2.  Will you need consent to share data?

The E.U. is leaning towards a disclosure and consent process before any of your personal information can be shared.  This may require an affirmative opt-in for all cookies with full disclosure of how the information will be used and shared.

The whole Hungarian Family (by marriage) including more than one Hungarian lawyer.

You can read more about some the proposals and the reaction by U.S. companies here, here, here and here.

As you may imagine, marrying a lawyer can make for some interesting conversations (or dreadful depending on your outlook) at home.  The same holds true with an extended family with multiple lawyers working on difference continents with different outlooks.

 

After looking at the most popular posts from 2012 in our last edition, today we look at what are likely going to be the big trends for 2013 in internet and marketing law.  

Privacy and COPPA – Although this issue is not likely to dominate the general business population, privacy and COPPA will continue to dominate the media’s coverage of internet law issues — just look at Instagram’s latest dustup.  Right before the new year, the FTC officially passed their COPPA regulations.  Although the changes have been in the works for almost a year, it will take a while for companies covered by the Children’s Online Privacy Protection Act – generally websites targeted or directed to users under 13 – to comply.  Surprisingly, respected folks like Nickelodeon have had COPPA issues and the FTC is watching the mobile app industry

Cyber-Security – An issue likely to catch people off guard is cyber security legislation that may be written broad enough to cover more than just the major telecoms.  Last year, efforts like the Cyber Intelligence Sharing and Protection Act (CISPA) and the Cybersecurity Act of 2012 failed to become law.  Both the CSA and CISPA drew critics mainly related to personal privacy.  The President may simply act by executive order.  The business question remains how broad will any laws be, what sites and service providers will have to comply, what will that mean and how much will that cost?  For more, David Gewirtz outlines the 14 Global Cybersecurity Challenges for 2013 on ZDNet.

Software and Tech Patent Reform – Whenever a programmer finds out I am a lawyer, I instantly get a tirade about our broken patent system.  I’m guessing Apple, Samsung and Motorola would agree.  In the well-covered battles,, the only winners appear to be the lawyers.  Although I don’t practice patent law (it is not a field where one dabbles, so I leave that to my colleague David Henry), I have a hard time deciphering what was to be learned from those expensive battles and what developers should do.   Maybe there is some hope for sensible patent reform

Amending the Communications Decency Act – The CDA is the law that prevents people from suing the likes of Yelp and RipOff Report for reviews generated by users.  It certainly makes sense not to allow lawsuits against Facebook and Google for defamation from other people’s content which would cripple those services.  But online defamation remains a hot issue and more people are fighting back.  I’m not sure if there will be any changes as the law is applied to consumer review sites, but what about loosening the law as it applies to sites whose whole sole purpose is to slander and then extort?  Sites that call people whores with photos and run SEO’ed pure gossip sites of private individuals, but then offer “reputational protection” services for a fee to remove the materials.  I purposefully don’t mention names or link to them so you won’t go check them out.  Instead, if you are interested, go to a good advocacy group like CiviliNation.   

The New Advertising Model – The FTC may push harder on Do Not Track legislation that could interrupt behavioral or targeting online advertising this year.  Facebook and everyone else is still trying to figure out mobile marketing.  I waxed philosophically at the end of last year about where advertising and user generated content may be going.  (Are the YouTube commercials you can’t escape getting longer and do I want to wait to see a 30 second video I am already skeptical about?)  Kirk Cheyfitz of PandoDaily says the best online ads of 2012 were not sctually ads.  There are bright minds trying to figure this out and I expect by the end of the year, we will talking about one of them and a new product, service or idea we haven’t heard of before.

By now, you have probably read the uproar caused by Instagram’s proposed change to the terms of service this week.   On Monday, Instagram, which is owned by Facebook, added the following:

You agree that a business may pay Instagram to display your photos in connection with paid or sponsored content or promotions without any compensation to you.

The blogosphere immediately considered the worst case scenario (much like we lawyers do) and expressed concern that Instagram could take the cute picture of your kid and sell it so that it suddenly appeared in print, billboard or online advertisements without asking your permission or paying you.  You can read some of the alarming immediate reaction here from CNet.  Instagram eventually capitulated to the masses with a Thank You and an attempt to clarify on its blog.  You can read Professor Goldman’s take on how it relates to a Facebook class action settlement.

The change was not as drastic as many had suggested because Instagram, and many other companies, already take expansive licensing over other people’s content.  The existing terms already allow Instagram’s to “place such advertising and promotions on the Instagram Services or on, about, or in conjunction with your Content.”  Nilay Patel of the Verge argues the new language is actually better than the old.

So where is advertising going?

Facebook and Instagram have to make money.  On the blog post, Instagram unabashedly stated:

From the start, Instagram was created to become a business. Advertising is one of many ways that Instagram can become a self-sustaining business, but not the only one. Our intention in updating the terms was to communicate that we’d like to experiment with innovative advertising that feels appropriate on Instagram.

Josh Sternberg of Digiday suggests brands are still figuring out how to engage on the platform and whether to copy Facebook’s gameplan.

But is there another way?

As explained in some of the links, isn’t it just a difference of degree and not kind that a brand can use my photo or content as a “Sponsored Post” on Facebook compared to taking that picture and putting it on a billboard? I can’t really foresee brands really wanting to engage with customers with amateur content running real risks of alienation.

But to make the most out of social media, brands need content. The current strategy involves buying time on Facebook as opposed to radio, print or TV using my stuff without paying me – the creator.

Yes, I, as the content creator, get to use Facebook/YouTube/Twitter/Instagram for free. But, I also get to watch TV for free. I would turn off 30Rock before I let them broadcast to the world a picture of me in my skivvies in my living room watching the show telling the world Travis Crabtree likes 30Rock, you should too. Is the current social media advertising model much different?

Will there come a time when this changes? Will there be a way for brands to pay for quality engaging content where the masses, as content benefit financially? Brands have marketing budgets and spent the money in the past on content. They can and will still do so. The trick is whether this can be done on a platform that attracts a large engaged audience?

2013 starts in 11 days. I say why not?