Website Policies

The U.S. Copyright Office announced yesterday its new online registration system for designated agents. Online service providers designate agents to receive notifications of claimed copyright infringement. As of December 1, 2016, the Copyright Office no longer accepts paper applications for agent designation. Service providers who previously designated agents in the existing directory have until December 31, 2017 to register in the new online directory.

Online service providers, including websites and online platforms that allow users to store material on their systems, risk liability for direct or contributory copyright infringement from third party materials posted by users without permission.  Since users often do not understand or care about copyright law, an unwary service provider (who often appears to have deeper pockets) may have a rude awakening when it finds itself the sole defendant in a copyright litigation over unauthorized photos or other user generated content posted on its website by a user.

Congress passed the Digital Millennium Copyright Act (“DMCA”) to balance the rights of copyright owners with the needs of online service providers in the face of rapidly developing technology. The DMCA provides a safe harbor from copyright infringement liability in 17 U.S.C. 512 for qualifying service providers who agree to remove copyright infringing content and eject infringing users from their platforms. The DMCA safe harbor protects burgeoning technology such as streaming music platforms.  In order to qualify for DMCA safe harbor protection, a service provider must have an appropriate copyright policy in its terms of use, designate an agent to receive notifications of claimed copyright infringement, register the designated agent with the Copyright Office, and understand and comply with the DMCA notice and take down procedures.

Superheros donning black robes save website operators from liability for users’ copyright infringement of sound recordings fixed prior to 1972.

The Second Circuit Court of Appeals ruled today that the safe harbors provided by the Digital Millennium Copyright Act (DMCA) protect qualifying website operators from liability from such pre-1972 recordings, even though they are not covered by federal copyright law. This decision overrules a finding by the District Court for the Southern District of New York that section 501(a) of the Copyright Act “defines” the term “infringement of copyright” used in section 512(c) to define the scope of the DMCA safe harbor provision for qualifying website operators as limiting the safe harbor to materials infringed under federal copyright laws.

The Second Circuit disagrees, saying Section 501(a) does not provide an exclusive definition of “infringement of copyright” and given that the purpose of the DMCA  “was to make economically feasible the provision of valuable Internet services while expanding protections of the interests of copyright owners through the new notice-and-takedown provision. To construe § 512(c) as leaving [website operators] subject to liability under state copyright laws for postings by users of infringements of which the [website operators] were unaware would defeat the very purpose Congress sought to achieve in passing the statute.” Capital Records, LLC, et al., v. Vimeo, LLC, Docket No. 14-1048/1049/1067/1068S, page 29, (CA 2 Argued Nov. 6, 2015, Decided June 16, 2016).

TIP: Like the idea of having the protection of the DMCA Safe Harbor? Review section 17 USC 512 to learn about the requirements needed to qualify for the safe harbor, including a copyright policy that informs users who infringe copyrights that they will be blocked, a designated agent and understanding the notice and takedown procedure for allegedly infringing material.

 

 

On September 25, 2014, the Internet Corporation for the Assigned Names and Numbers (ICANN) granted the application of fTLD Registry Services (FRS) to operate a new Top Level Domain (TLD) exclusively for the banking industry: .bank. When general registration for the new TLD opens next year, banks and other members of the banking community will be able to operate through custom websites such as Local.bank, as opposed to the traditional LocalBank.com. To avoid the internet land rush for .bank extensions expected during the general registration window, banks with federally registered trademarks can get a 30-day head start towards TheirTrademark.bank by applying (and paying) for a spot on ICANN’s Trademark Clearinghouse registry. (more…)

On November 19, 2014, the Federal Trade Commission announced that it is seeking public comment on a second proposed verifiable parental consent method by AgeCheq, an online privacy protection service. The Children’s Online Privacy Protection Act (COPPA) requires children and family-friendly website operators and app developers to (1) post privacy policies and (2) notify and obtain verifiable consent from parents prior to collecting, using, or disclosing personal information from children under the age of 13.

There are considerable challenges to obtaining verifiable consent from parents in real time–particularly for use of online services by children. The rule lays out a number of acceptable methods for gaining verifiable parental consent and includes a provision allowing parties to submit new consent methods to the FTC for approval. Age Cheq’s new proposal eliminates the need for paper signatures by providing a digitally signed parental declaration authenticated by a verification code on the parent’s mobile device.

(more…)

Or perhaps the notices are a hoax virus– spread by friends bullying friends to spam others to show respect for the poster’s privacy and copyrights. Posting and re posting the Facebook Privacy Notice will not change Facebook’s policies.  If privacy is a concern, adjust privacy settings or avoid using Facebook for private communications. If controlling content is a concern, avoid posting images or register copyright in important materials before posting. To use Facebook, users give it a limited right to “share” their user content. This right does not place user content in the public domain. (more…)

Keeping your Facebook images private is a confounding problem. Ask Mark Zuckerberg’s sister Randi who couldn’t make sense of  FB’s privacy settings. Kashmir Hill, a privacy commentator at Forbes posted a funny analysis of the Zuckerberg predicament and easy to follow directions on how to adjust your settings to keep family photos more private. The settings are easy once you know where to look. User posting behavior sometimes doesn’t match with User privacy concerns.

Regarding content posted online as public is best– no matter what the privacy policy says.  Social media and other interactive businesses struggle  to keep their policies (and practices) current and reflective of how technology actually uses data to provide services online. Users who follow the steps in Kashmir Hill’s article and thinking before posting private content will have fewer social media privacy concerns.

FORCE's Pink Loves Consent

FORCE's Pink Loves Consent

A group of performance artists from Baltimore known as “FORCE: Upsetting Rape Culture” took advantage of a much anticipated media event to bring attention to the importance of consensual sex. The VS All Access Victoria’s Secret fashion show is an such an event, gluing billions of eyeballs to its prime time telecast.

For FORCE, the VS All Access television event was the perfect opportunity to launch its own fashion campaign, Pink Loves Consent, by spoofing Victoria’s Secret’s PINK brand. (more…)

Facebook gets a new groove: proposed updates to privacy and use policies

I guess we of Facebook Nation no longer “think” as one.  Last week Facebook announced proposed changes to its Data Use Policy (explains collection and use of data) and Statement of Rights and Responsibilities (terms of use).

As of November 28, Facebook will be able to change its policies with seven days notice to users. No more voting. In the past, voting on changes allowed some users to flood the system and obscure other user’s input. Will the proposed changes offer more transparency or enhance user’s experience?

The Data Use Policy is slowly becoming less opaque but still obscures some collection methods. For example, the Data Use policy does not explain how the Facebook “Like” button on third party sites may collect about our activities on each website we visit after “liking” a site and then share data with affiliates who serve targeted ads elsewhere.

Will the proposed changes affect businesses and marketeers using Facebook for corporate events, product launches and brand communications?  While the proposed changes do not seem to affect developer and marketing activity, empowering consumers with privacy settings could curb the digital love.

Everything needed to “understand” Facebook’s new moves is here.

Websites should consider treating children as an attractive nuisance. Even consider putting up fences to keep them out. 

The FTC is monitoring many websites that attract children (even unintentionally) for COPPA violations. The Children’s Online Privacy Protection Act, COPPA, requires websites to  obtain verifiable parental consent before collecting personal information from kids under age 13.  Sites that are “directed” to such children must also disclose to parents what it collects about their children, how it uses the information and what it discloses to third parties. If the websites do not comply with COPPA the Federal Trade Commission may investigate, and impose fines and consent orders to curb websites’ tracking of children under 13.

Many website policies include a disclaimer that the website is “NOT directed” to children under age 13 and prohibit or limit access by children under 13 only with direct parental supervision.  Unfortunately, these policies will not limit the liability of a website operator if it knows kids under 13 are providing personal information to its website.  Then, the website is likely to be considered to be directed to such children.  If a website operator knows that kids are attracted to its website, then the website must comply with COPPA as if it the website is intentionally directed to children under 13.

Artist Arena manages fan sites for Justin Bieber, Rhiannon and Selena Gomez (among others)  together collected personal information from more than 25,000 children under the age of 13 without seeking verifiable parental consent.  Artist Arena’s fansites were intentionally directed to ‘tweens as the target audience of the celebrities featured on its fan sites and had COPPA policies, but failed to actually notify the parents and obtain their permission before collecting info from their children.  Artist Arena settled with the FTC, agreeing to pay a cool million dollars, enter into a consent decree against future  COPPA violations, and destroy all data it unlawfully collected from children.

The take-away?

Kids are adept at learning new technology and have unfettered access to smartphones, tablets and desktop computers.  So, it goes without saying that many registration schemes aimed at preventing kids from accessing an attractive website are quickly overcome.  A policy prohibiting use by children is definitely not sufficient. Operators of interactive websites (sites with blogs, forums, comment and sharing features) can’t ignore kids under 13 who are using the site .  Their data stream will likely “rat them (and the operator) out.”  With notice of kids, the operator must either block access or adopt a COPPA policy and enforce it. Get the COPPA FAQ’s  here.

As for Beiberfever.com? Users who admit to being age 13 or younger are persistently blocked from registering:

We are sorry, but you can not register at this time.

Hat/Tip to Sharon Snyder for sending me this Washington Post article about Artist Arena’s woes.

@FTC: Google pays $22M for (unintentional) misrepresentation of privacy practices - no intent required

The FTC hosted a super fascinating Twitter “conversation” following its announcement of the $22 million settlement with Google over its privacy violation in overriding the Safari browser’s privacy settings without notifying users. FTC Department of Enforcement staffers  exchanged tweets with a few privacy-focused Twitter users. Many tweets focused on whether Google intentionally deceived users as to its privacy practices, or if the privacy breach was an accident. Other tweets keyed in on how Google’s fine was calculated, and asked when the FTC first learned of Google’s secret Safari tracking. The FTC responded that Goggle’s intent is irrelevant to the question of whether there are misrepresentations in privacy policies. This reflects FTC precededent. One FTC tweet reflected cynicism that the tech giant is unable to control its privacy practices, saying  “unintentional is Google’s story.”

The takeaway is that over promising protection of personal data in a privacy policy is a bad idea.  Even accidental violations of a privacy policy are actionable. Too many unforeseeable risks are poised by collecting and sharing user data (from hackers to a lack of coordination with technology partners) to make such promises. Ask Twitter about its own FTC settlement.  Expectations (of both consumers and regulators) about the content of privacy policies have changed. Most websites need new policies that contemplate the changes to COPPA,  increased expectations for privacy disclosures for mobile devices and protection of offline data.  Website operators must understand how their technology use the website’s customer data. Details about how both personally identifiable and non-personally identifiable information is collected, shared and protected should be disclosed.

Tweeps who engaged with the FTC last week might wonder how their tweets are being used.  The FTC’s privacy preactices are disclosed in the FTC’s Privacy Impact Assessment and chart showing how user information is collected when interacting with the FTC.