Don’t Lose Your DMCA Safe Harbor Protection

If your website allows users to post content, you’re probably already familiar with the Digital Millennium Copyright Act. Among Copyright Image on Keyboardother things, the DMCA provides online service providers a “safe harbor” from potential liability arising from publishing content that infringes a third party’s copyrights, if that content was posted by another person. In order to take advantage of that safe harbor, companies need to take certain steps, including designate an agent to receive notifications of claimed copyright infringement.

Last month, the Copyright Office issued a Final Rule that will impact all online service providers, even those who have already registered for safe harbor protection. Here is a summary of the key changes:

  • Effective December 1, 2016, the Copyright Office will no longer accept registrations on paper or PDF, as it has done since the DMCA was enacted in 1998. Instead, agents must register through an online system.
  • All online service providers must register through the new system by December 31, 2017 – even if they have registered before. Failure to do so will result in a loss of safe harbor protection as of January 1, 2018.
  • Registrations will expire after three years, so online service providers will need to renew their registrations in order to maintain protection. The Copyright Office will send automated alerts to remind account holders about upcoming renewal deadlines. Any amendment or update to a registration will restart the three-year clock.
  • There will be a flat fee of $6 for each registration, amendment, and renewal. Previously, online service providers had to pay a $105 registration. (Renewals were not required.)
  • Online Service Providers can now name a department or even an entire entity (such as a law firm or other service provider) as the designated agent.
  • Until December 31, 2017, copyright holders who want to submit a takedown notice will have to search both the old and the new electronic database when trying to identify registered designated agents.

To help acquaint users with the new system, the Copyright Office has created the various video tutorials to show, step-by-step, how to use the system.

For more information, please see our advisory.

Lessons from Adobe’s State AG Data Breach Settlement

Last month, several state Attorneys General announced a $1M settlement with Adobe Systems, Inc. in connection with a 2013 data incident involving the personal information of roughly 534,000 consumers. The 15 Attorneys General alleged that the software vendor failed to provide reasonable security safeguards, an allegation Adobe denied in the settlement agreement executed by the parties. The settlement provides closure for the company but it also provides a reminder to industry that state enforcers – in addition to the FTC — are closely eyeing the adequacy of security safeguards in software products and services.

Background. Sometime in September 2013, an unauthorized third party accessed and removed customer order information from Adobe’s systems. The information included names, addresses and telephone numbers, usernames, email addresses, encrypted passwords, plain text password hints, and encrypted payment card numbers and payment card expiration dates (PI). Adobe stated that there is no evidence that decrypted payment card data were pulled from its systems and presented an extensive list of remedial measures it took in response to the breach. However, the Attorneys General believed that the risk of unauthorized access was reasonably foreseeable, noting that when the third party exfiltrated the PI, Adobe did not immediately detect it. Adobe’s actions, according to the Attorneys General, ran counter to its promise to consumers that it would take reasonable steps to protect PI.

Settlement Details. This investigation involved 15 Attorneys General representing the states of Connecticut, Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont. In addition to a $1M civil penalty payment, Adobe agreed to certain PI-specific safeguards including, training relevant employees regarding security practices, performing ongoing risk assessments and penetration tests, segregating payment card information, and employing tokenization. Adobe also must provide an audit report regarding its security practices relating to PI.

It’s interesting that this settlement concerns an alleged security breach that occurred over three years ago, and indeed underscores the long tail of consequences that a company can face after it incurs a reportable breach involving personal information.  This action, and the over 100 privacy and security enforcement actions by the FTC, are a good reminder to review settlements such as this one to understand state expectations on “reasonable security,” and what constitutes a reasonably foreseeable risk. Helpful resources also include the FTC’s new business guidance on data security breaches, which we covered in a previous post, and earlier guidance on protecting personal information.

Groups Renew Call for FTC to Act on Influencer Campaigns

In September, we noted that four groups – Public Citizen, Commercial Alert, the Campaign for a Commercial Free Childhood, and the Center for Digital Democracy – had sent a joint letter to FTC encouraging the agency to investigate and bring enforcement actions related to the use of influencers on Instagram. The letter included examples of over 100 allegedly problematic Instagram secretsposts. This week, the same groups sent another letter to the FTC with 50 new examples, and once again urged the Commission to take action to stop this “dangerous trend.”

Although some of the examples provided in the letter could – if the allegations are true – violate the FTC’s Endorsement Guides, others are arguably fine. The problem is that groups misstate some key provisions in the Guides and exaggerate advertisers’ responsibilities. For example, the groups suggest that all paid endorsements must be labelled as ads. Although a label is often necessary, the FTC has acknowledged that a label may not be required if something is obviously an ad. Some of the examples in the letter are obviously ads.

The groups also suggest that the only appropriate labels are #advertisement or #ad, and they argue that a #GotItFree hashtag is not sufficient. However, the FTC has stated that there is “no special wording” for the disclosures and has discussed other labels, in addition to the ones the groups suggest are required. Moreover, the Commission has opined that a simple disclosure explaining that a person received a free product to try “will usually be effective.” Some of the examples in the letter arguably comply with this requirement, as well.

Undoubtedly, many influencer campaigns don’t comply with the law. But as anyone who has worked extensively with influencers knows, there is a lot of gray in this area, and there often aren’t one-size-fits-all answers. A letter that suggests otherwise and lumps compliant campaigns together with non-complaint ones is not helpful. Although it’s too early to see if the FTC will take any action in response to these letters, we can hope that the Commission will see that the letters mischaracterize the Guides and evaluate campaigns with a more reasonable eye.

Regardless of what happens, this letter serves as another reminder of the potential risks associated with influencer campaigns. Not only do companies have to worry about the FTC itself – they also have to worry about being called out by “watchdog” groups.

Do You Venmo? FTC Spotlight on Peer-to-Peer Payments and Crowdfunding

The FTC recently examined peer-to-peer (P2P) payment systems and crowdfunding in the second forum of its FinTech series.  P2P payment systems are online services that allow consumers to share money electronically.  These platforms enable the immediate transfer of money between consumers, typically for free or for a small fee.  In the panel discussion of P2P payments, the following themes emerged:  P2P payments have been transformational to the online payment industry and have changed consumer expectations about how money is being moved; these platforms likely will be disproportionately targeted by sophisticated hackers; and there are high barriers to entry into this market, in terms of cost and regulatory risk.

Crowdfunding is the process by which companies and individuals raise money from the public to fund new products, projects, or individual needs.  Panelists discussed the responsibility platforms bear to shape consumer understanding of crowdfunding campaigns through adequate disclosure and communication.

The following expands on these themes and provides key takeaways from the forum:

P2P Payments as Transformational

Panelists (see list here) described the consumer benefits of P2P payments as enormous. The benefits go beyond splitting the dinner check or paying the babysitter with a few taps on a smart phone.  P2P payments have expanded financial access to underserved communities, in particular, to underbanked and non-banked consumers.  For example, P2P platforms enable instantaneous remittance payments or the wiring of funds, and remove obstacles in conventional banking such as delayed payment transfers and overdrafts.

And P2P platforms are not just a thing for millennials. Studies report that while millennials are conducting approximately 11 transactions a year, 45-54 year olds are conducting about 4 transactions and the over 65 crowd about 3.1

Fraud Risk

P2P payment systems collect more consumer data beyond the traditional credit card services. Therefore, panelists believe these platforms may be disproportionately targeted by sophisticated hackers.  As one panelist aptly noted: “The mode is new, but the scams are old.”  One positive attribute about Fintech companies is their typical approach to data security: they are extremely good at authentication and many view themselves first as security companies.  Indeed, the weakest security points in P2P payments may not be in the platform, but the consumers using the services and security vulnerabilities in their devices (for more on IoT security, see here). In response, panelists noted the importance of appropriate and reasonable data security protocols to protect consumer data in this space.

Regulatory Risk

Panelists noted the high barriers to entry into this market. This is due to the various state licensing requirements for money transmission, and to the consumer protection issues raised by this type of mobile platform.  Depending on the platform type, different sets of regulation may apply, including the following:

  • Banking regulations and money transfer regulations;
  • Electronic Funds Transfer (EFT) Act, Reg E, requiring that financial institutions and any third party involved in EFT services disclose specific information to consumers before engaging in any transactions;
  • Truth in Lending Act and Reg Z, requiring that creditors disclose clearly and conspicuously in writing the terms of the legal obligation between the parties;
  • Section 5, Federal Trade Commission Act, prohibition against unfair or deceptive acts and practices; and
  • Dodd-Frank’s prohibition against unfair, deceptive, and abusive acts and practices.

In addition, panelists noted the applicability of the new prepaid rulemaking issued by the CFPB. The new rule applies specific federal consumer protections to broad swaths of the prepaid market for the first time. It covers traditional prepaid cards, including general purpose reloadable cards, and extends to newer platforms such as mobile wallets and P2P platforms.  The regulations require adequate disclosure, liability protection, among other things.  See here for more information on this rulemaking.

There was discussion among the panelists on how to communicate effectively to consumers the information collected and stored by these platform. As a cautionary tale, panelists noted the Texas Attorney General action in May 2016 against PayPal involving its Venmo mobile app.  The app allegedly failed to clearly disclose how consumers’ transactions and interactions with other users would be shared, and misrepresented that communications from Venmo were actually from particular Venmo users.  As a result, consumers may have publically exposed private information regarding their payments.

Crowdfunding

Crowdfunding is an evolving method of raising capital that has been used to raise funds through the Internet for a variety of projects.2

There are four basic types of crowdfunding: donation-based (e.g., GoFundMe, etc.); rewards-based (e.g., Kickstarter); equity-based (e.g., Crowdfunder.com); and debt-based (e.g., LendingClub).  Equity and debt-based crowdfunding offerings are considered securities and subject to regulation by the SEC.Donation and rewards-based crowdfunding generally are not regulated.  Hence the FTC’s heightened interest in ensuring these sites are not engaging in unfair or deceptive acts or practices in violation of Section 5 of the FTC Act.

Indeed, the FTC settled its first case in June 2015 against a creator of a crowdfunding project, Erik Chevalier (The Forking Path).  Chevalier allegedly raised money from consumers to produce a board game through a Kickstarter campaign, but instead used most of the funds on himself and refused to provide refunds to his backers.  Chevalier was fined approximately $112,000 and is prohibited from making misrepresentations about any future crowdfunding campaign.

Panelists discussed the import of the FTC’s settlement, in particular, the responsibility that crowdfunding platforms bear to shape consumer understanding and to monitor creators for fraud. Panelists agreed there was a role for both regulators to pursue fraud and for industry self-regulation to adopt best practices.

FinTech companies face high barriers to entry, an uncertain regulatory environment, and increased privacy and data security concerns. But the benefits to consumers of these types of novel platforms are enormous.  P2P payments expand financial services to underserved communities; creators of successful crowdfunding projects may have access to venture capital previously unavailable to them.  Regulators therefore seek to balance technological innovation with consumer protection directives, in particular, to ensure all players keep their promises, tell consumers the truth, and provide adequate disclosures.

  1. Javelin LLC, P2P Payments in 2015: Market Sizing and Evaluation of P2P (Dec. 2015).
  2. U.S. Securities & Exc. Comm’n, SEC Adopts Rules to Permit Crowdfunding (Oct. 30, 2015).
  3. The SEC adopted Regulation Crowdfunding in October 2015 to enable individuals to purchase securities in crowdfunding offerings subject to certain limits, require companies to disclose certain information about their business and securities offering, and create a regulatory framework for the intermediaries facilitating crowdfunding transactions.

What to Expect from the FTC

MacLeod

Our colleague Bill MacLeod, chair of the Antitrust Section of the American Bar Association, and former director of the FTC’s Bureau of Consumer Protection, penned the following blog post on what we might expect at the FTC under the new administration.  The post focuses on antitrust issues, but the anticipated short term outlook and transitions are very similar for consumer protection issues.  Although historically Republican administrations have focused less on national advertising and marketing conducted by established brands, the FTC during the Bush administration overhauled the Telemarketing Sales Rule to include the National Do Not Call Registry, dramatically changing the way businesses engage with consumers, and kicked off its data security initiatives that were the foundation for current activity.  The campaign trail offered little insight into the mark Donald Trump might make on consumer protection, but consumer complaints presumably will continue to dictate the FTC’s priorities, with debt collection, fraud, and identity theft at the top of the list.  Keep watching our blog for updates.

The Antitrust Forecast – William C. MacLeod

It’s not that hard to predict. If you want to factor the antitrust forecast into your business plans, you have two weather patterns looming.  We can assess the first one quite accurately already.  And notwithstanding all the speculation, we can get a pretty good feel for the second front as well.

Forget about the first 100 days. The first phase of the new antitrust era will last a good six months, and could stretch out longer.  The immediate outlook?  More of the same.  If you are responding to an investigation, if you have a deal pending, the wind is hardly going to shift.  Your encounter next week or next month will remind you of your last meeting. If you have negotiated a deal with the staff, don’t expect them to change their mind.  And don’t expect them to postpone the proceeding.  Virtually all the officials who are looking at your matter today will be handling it this winter, and probably next spring.  That goes from bottom to top.

I’ve worked through the last five transitions at FTC and DOJ (inside the agencies during one), and I don’t recall a single administration that had its full antitrust team in place before the cherry blossoms staged their show. We may know who the new agency heads will be by next spring, but how they operate will remain to be seen.  New FTC Commissioners and Assistant Attorneys General must be nominated by the President and confirmed by the Senate.  (Of course, a sitting FTC Commissioner could be given the chair and an acting head could be named at DOJ’s Antitrust Division).  These decisions typically do not come in the first wave of appointments.

Once the new heads are announced, confirmed and sworn in, the first thing they will do is assemble their teams.  It takes time to recruit bureau directors, deputy assistant attorneys general and front office personnel.  It takes more time to coordinate and deploy them.  Meanwhile, the career civil servants, who occupy all but a few positions at the agencies, will continue to do the daily work of law enforcement.

Sometime next summer the second phase will probably begin, but we won’t notice it right away. We will hear about it in speeches, and some of us may experience it first-hand with investigative  requests, but it will take another year or two before most businesses feel its effects.  The reason is simple.  Every new administration inherits the pipeline of the last one, and right now at the antitrust agencies that pipeline is full.  It takes months for an agency to devise new strategies and much longer to convert them into enforcement initiatives.  We should not expect to see the results of new approaches until year two or three of the administration.

What might we see in the way of a course correction? Don’t expect a pirouette.  The history of transitions in the last three decades suggests that antitrust enforcement in the future will look remarkably like it does today.  The debate over enforcement today (and there was a debate in the campaign) does not portend the end of that history. Ironically, most of the criticism of current enforcement has come from advocates of more, not less, regulation than the current administration imposed.  By and large, there is consensus about the policies at FTC and DOJ.

One more factor suggests that the antitrust we know today is a good barometer of the antitrust we’ll face tomorrow. Antitrust is, after all, law enforcement.  The agencies don’t get to make the law they enforce.  It comes from century-old statutes that Congress is not likely to change.  The interpretation of those statutes is in the hands of federal judges, whose decisions have placed limits on the agencies’ options.  We know they are not going anywhere soon.

It is always fun to speculate about the storms that might sweep through antitrust. But we have no basis to predict abnormal weather patterns in the seasons ahead.  We know where the trouble is likely to arise, and we should be able to avoid it.  It makes perfect sense to plan now for an uneventful voyage.

The Presidential, Senate and House Elections, Results and Policy Implications

Designed to serve as a comprehensive review of Tuesday’s elections, our guide analyzes the 2016 results and looks ahead to the 115th Congress with an in-depth review of upcoming changes to the House and Senate. The presentation further reviews key policy issues facing the President and the Congress, including tax, trade, healthcare, transportation and infrastructure, regulatory reform, communications & technology and food & agriculture. We also take a look at potential Supreme Court nominees and the 2018 Senate races.

Client Advisory: The FCC’s Broadband Privacy Order

On Wednesday, November 2, 2016, the Federal Communications Commission (FCC) released the text of its long-awaited Broadband Privacy Order, which it adopted on October 27, 2016. For an overview of the Order, you may read our client advisory here.

The practical impact and reach of the rules will not be known for some time, but at this point we can offer a few of our key takeaways from the Order:

  • All carriers must prepare and maintain public-facing privacy notices. The Commission’s new notice rules will require all telecommunications carriers to draft and post public-facing privacy policies that describe their collection, use, and sharing of customer PI. Formerly, this obligation only applied to BIAS providers (through the Commission’s transparency rule). We expect that disclosures in these privacy policies will be a significant area of enforcement, similar to the Commission’s enforcement of annual CPNI certifications.
  • The sensitivity-based consent framework upends the existing CPNI approval framework. The Commission’s adopted rules fundamentally reshape the consent framework for telecommunications carriers, focusing on the sensitivity of the information, rather than on the particular uses and recipients of the information (as the voice CPNI rules did). As a result, all carriers should carefully review and revise their policies, procedures, and systems for obtaining and tracking customer approval.
  • The Order leaves a significant interpretive role for FCC’s Enforcement Bureau with respect to data security. Unlike the existing voice CPNI rules and the Commission’s proposed data security rules, which mandated specific data security compliance practices, the new rules simply require carriers to adopt “reasonable” data security practices. By focusing on the “reasonableness” of carriers’ privacy and data security practices, the Commission leaves significant room for its Enforcement Bureau to interpret whether particular practices are reasonable, in a manner similar to the FTC’s approach to privacy and data security enforcement. For this reason, providers should carefully review the Commission’s “exemplary” data security practices and Enforcement Bureau consent decrees in order to gauge which practices the Commission expects of providers.
  • Now is the time to begin reviewing contracts with vendors. In the Order, the Commission makes clear that carriers will be held responsible for the acts of their agents, vendors, and other third parties with whom they share customer PI. As a result, carriers should take the opportunity now to review contracts with those third parties to determine whether they include specific terms addressing privacy and security. This is particularly important for non-BIAS telecommunications carriers serving enterprise customers, who will be able to take advantage of the Commission’s expanded business customer exemption.

Kelley Drye’s Communications and Privacy & Information Security practice groups are well-versed in privacy law at the federal and state level, and stand ready to help interested parties understand the scope of these rules and how to operationalize them. Should you have any questions, please contact any of the attorneys listed in the margin.

For Better or Worse: Privacy Shield Challenges and (Actions for) Annulments

Over the course of the past two months, three privacy groups in France and one in Ireland filed separate actions for annulment with the European Court of Justice seeking the invalidation of the EU-U.S. Privacy Shield Framework. The Privacy Shield honeymoon phase appears to be over, and the first year of the transatlantic relationship may prove to be the hardest. Although information is scarce, here’s what we know so far:

  • Disloyal DPAs: Calling Into Question the Independence of the Irish DPA. On September 16, 2016, Digital Rights Ireland (DRI), an Ireland-based digital rights advocacy group, filed the first action for annulment, allegedly claiming that (1) Ireland contravened its obligations under the Data Protection Directive to properly implement the Directive and (2) the Irish Data Protection Commissioner is not independent from the Irish Government, as required under Article 8 of the Charter of Fundamental Rights. (See Case T-670/16).
  • Surreptitious Surveillance: Schrems N’est-ce Pas? On October 25, 2016, three French privacy groups, La Quadrature du Net, French Data Network and the Federation FDN, sought the invalidation of Privacy Shield via a separate action for annulment. (See Case T-738/16). By contrast, here the parties took issue with the mass surveillance concerns that underscored the Schrems decision and argued that the European Commission violated Articles 7, 8, and 47 of the Charter of Fundamental Rights.
  • Conflict Avoidance: The Article 29 Working Party Moratorium. You may recall that in an earlier blog post we noted that The Article 29 Working Party agreed to a moratorium on any Privacy Shield challenges until the annual review of Privacy Shield in August 2017.

Legal certainty was one of the selling points of the Privacy Shield framework and the Article 29 Working Party moratorium reinforced that promise. These two actions will call into question this very notion. As always, we’ll continue to monitor these updates as they unfold.

School’s in Session for the Ed Tech Industry: California AG Gives Lessons on Student Data Safeguards

ca-attorney-generalOn Wednesday, California’s Attorney General released a report with recommendations for the education technology (“Ed Tech”) industry, a multi-billion dollar industry that is transforming learning as we know it. The Ed Tech industry has the potential to greatly enhance the student learning experience through data management systems and tools that support educators and provide personalized curricula and adaptive learning for students. However, these systems and tools (such as cloud services), create added risks and challenges when it comes to safeguarding student personal information and respecting the privacy rights of students.

Working in conjunction with several stakeholders, including Ed Tech providers, the Attorney General’s Privacy Enforcement and Protection Unit issued the following six recommendations, which are specific to website operators and online service providers that primarily target or market services for K-12 school purposes:

  1. Data Collection and Retention: Only collect the types and categories of information necessary to accomplish the objectives of the Ed Tech service as outlined by the educational institution with whom you contract. Be transparent with students and describe data collection and data use practices, as well as data retention policies.
  2. Data Use: Do not use any information acquired from your site or service for profiling students and/or targeted advertising.
  3. Data Disclosure: Notify students of third party disclosures of covered information; specifically, the types of entities that receive covered information and the purpose for the disclosure. Apply the appropriate safeguards to protect covered information when sharing information with third parties.
  4. Individual Control: Implement policies and procedures to permit student access and correction of covered information.
  5. Data Security: Implement and maintain reasonable safeguards and practices to protect student information, including employee privacy and security training. Have an actionable plan in place for data breach incidents.
  6. Transparency: Provide a conspicuous and plain language privacy policy that identifies a privacy contact who can address questions regarding privacy concerns.

The California Attorney General report concludes with appendices containing relevant California laws that the Ed Tech operators should note and review as they grapple with new challenges in the Ed Tech space. The report is a must read for individuals in the Ed Tech industry and should serve as helpful reminders on ways to mitigate the risk of violating student and children’s privacy laws.

Ninth Circuit Holds Yelp Is Not Responsible for Bad Reviews

The Ninth Circuit recently reaffirmed the protection afforded to website providers and users under Section 230 of the Communications Decency Act. In that case, a locksmith sued Yelp over a bad review and one-star rating that had been posted by a consumer. The locksmith accused Yelp of being responsible both for creating the review and for “transforming” it into an ad by republishing it on Google. The Court rejected both arguments, holding that Yelp was immune under Section 230.

Section 230 generally states that websites cannot be held liable as a publisher or speaker for content provided Yelpby someone else. The law does not provide a blanket immunity, however. Website owners can be held liable as a publisher or speaker when they are “responsible, in whole or in part, for the creation or development” of unlawful content. The question in many CDA cases is at what point a website crosses the line between simply allowing others to post content and playing a role in the creation of that content.

In this case, the Ninth Circuit rejected the plaintiff’s attempt to “plead around” Section 230’s grant of immunity, and held that Yelp’s development of content-neutral tools that used or collected user-generated input did not make the website the “creator” or “developer” of unlawful information supplied by its users. You can read our article with a more detailed analysis of the case here. (And click here for a recent case in which a court held that Yelp was not entitled to Section 230 immunity.)

LexBlog