Banking on a dead celebrity’s right of publicity being public domain is an extremely dangerous advertising practice. Rights of publicity are a suite of legal rights that have developed from invasion of privacy and trademark law since the early 20th Century. There is a web of state and federal laws that can protect dead celebrities, even celebrities from states like New York that specifically do not recognize a post-mortem right of publicity. And the laws can protect rights of publicity for as much as 100 years after death.

When I was a young lawyer, a common task was determining which state laws apply to a dead celebrity in order to determine whether his or her name or image could be used for free. The analysis is extremely detailed. Which law applies, New York (no protection) or California (broad protection)? Does the use violate the celeb’s trademark or constitute a false designation under federal law? An article in Slate today made some stunningly dangerous over-simplifications about how a dead celebrity’s persona is protected.

In my entertainment and sports law seminar, we spend a few classes examining the various ways of protecting a persona. A right of publicity protects the commercial value of a celebrity’s persona. A 1941 Texas case involving Davey O’Brien is my hands down favorite for explaining the basis for protecting a celebrity’s right of publicity. The Texas court gets the analysis wrong, and a dissent by Justice Holmes provides the foundation for modern ROP laws.

All American and Heisman award winner Texas Christian University quarterback Davey O’Brien (more…)

Does your website have a Facebook “Like” button? Is your website, mobile site or mobile app directed at adults but attracts children under age 13? Pull out your pens. The Wall Street Journal reports that today the FTC is expected to issue new rules proposed last fall to protect children online and on mobile devices. The new rules take effect following a 30 day comment period. Take a minute to compare your website audience and information collection practices to the disclosures made in your website terms of use and privacy policy. There are often gaps and mismatches in even the most well-meaning policies. For example, a “Like” button on your website collects and reports a stream of data about your visitors to Facebook, whether they “Like” your website or not. Is that what your privacy policy discloses?

How about children? How often have you seen kids using tablets and smartphones while their parents are busy? How many younger ‘tweens have their own smartphones? Many children, even very young ones, are quite adept with mobile devices. My secretary’s almost-two-year-old grandchild already knows how (more…)

The Wall Street Journal has an article about apps this morning. The paper has done a great job of revealing the so-called seamy underbelly of the online advertising world. Today the theme is that Facebook apps exploit users (and make Facebook million$) by collecting bits and pieces of personal data, details that alone do not personally identify the user, but collectively tell ad brokers and advertisers what you are most likely to purchase next. Boom, the correct ad is served to you. Convenient or creepy?

The unconstrained collection of digital data is stirring feelings of distrust among some users. “Consumers are being pinned like insects to a pinboard, the way we’re being studied,” said Jill Levenson, a creative project manager at Boys & Girls Clubs of America in Atlanta. She recently deleted nearly 100 apps on Facebook and Twitter, she said, because she was uncomfortable with the way details about her life might be used.

via Selling You on Facebook –

Collecting personal data is creepy but not invasive.  Data collection by apps is largely consented to by users. Actually invasive is when journalists from News of the World and other News Corp papers (of which WSJ is one) hack voicemail so they may divulge salacious personal details which, by the way, also sells advertising.

Farmville, FourSquare, Girls Around Me, Instagram, etc. ask you if you want to share your contacts, relationship details, etc.  Don’t get angry with Facebook, just don’t click through and accept such requests without thinking. You have the power!


Cookies are one of my favorite things.  Usually, this refers to the oatmeal raisin variety rather than those tiny bits of computer code that empower websites to remember a user’s login, keep items in a shopping cart and greet the user by name when she returns.  Warm and fuzzy, right?

Sometimes, not so much. I once shopped for a friend on a website that she loves but is not my taste. So, years later, continuing to be served display ads from that website is irritating. Another friend tweeted that “it’s creepy” when a product she was reading about on one website appears later in a display ad on a different website. It seemed someone was spying on her. Uncanny! “Creepy” is a term borrowed from robotics to refer to a use of personal information that does not legally invade your privacy but is frightening because of the “stalker-like” appearance that a website knows everything about the user.

In 1890, another new technology was changing the media. Then as now, legal scholars were concerned that existing law would not protect consumers from the heretofore unheard of technology.  In The Right to Privacy inspired by the invention of “instantaneous photographs”, Justices Samuel D. Warren and Louis D. Brandeis identified privacy as the right of an individual to be left alone. William Prosser further developed Invasion of Privacy into a set of four torts (legal remedy for an injury): False Light, Appropriation of Name or Likeness, Intrusion into Seclusion and Public Disclosure of Private Facts. The body of law that developed from Warren and Brandeis’ article served to protect privacy through the 20th Century until the proliferation of electronic information in the Internet age allowed websites to identify users without using their names or likenesses.

Today it is important to understand and take steps to control the personal information tracked by websites and online technology.  Much of the technology is used to provide an internet visitor with a consistent experience across Internet Platforms. Here are descriptions of common types of technology websites use to track users:

  • Cookie. A cookie is a small file containing a string of characters that is sent to a user’s computer when the user requests a website address. When that user later returns to the website, the cookie allows that site to recognize the user’s browser. Cookies are usually discarded when the person ends the session and closes the browser.
  • Persistent Cookie. Cookies that include an expiration date will persist until the arrival of the expiration date, potentially long in the future. Cookies may store user preferences and other information. A user can reset her browser to refuse all cookies or to indicate when a cookie is being sent.
  • Pixel Tag.  A pixel tag, sometimes called a web beacon, is a tiny graphic file placed on a website, in an ad or within the body of an email for the purpose of tracking activity on websites, or notifying a sender when emails are opened or accessed, and often used in combination with cookies to connect an ad to an interested consumer.
  • Server Log.  Website servers automatically record the page requests made by visitors to the website in log files. Server logs typically record web requests, Internet Protocol addresses, browser type, browser language, the date and time of a request and one or more cookies that uniquely identify the user’s browser.
  • IP Address.  Computers connected to the Internet are assigned a unique number known as an Internet protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connecting to the Internet. Depending on how a user connects to the internet, the IP Address may identify one computer or may change each time the user connects to the internet.
  • Anonymous Identifier.  An anonymous identifier is a random string of characters that is used for the same purposes as a cookie on platforms, including those for mobile devices, where cookie technology is not available.

Each of these technologies may be used for administrative purposes, such as noting whether a user is a return visitor, remembering the user’s preferences, or confirming that the correct ad was served to a particular website so that a publisher can correctly charge the advertiser for an ad the user clicked. The same technologies may also be used by third parties to quantify and predict consumer behavior. Aggregating non-personally identifiable information stored on users’ browsers allows third party ad servers to accurately predict when a user will purchase a particular product. These third parties use web beacons to find a likely buyer and scan her cookie and log file information to analyze the value of serving a particular ad to that user. Advertisers can then bid on the value of the ad to be served to the user.

Although the third party ad server cannot identify the human, it knows many details about the user’s browsing history and product preferences. That’s when things start to feel creepy.  This practice is not an invasion of privacy recognized by Warren, Brandeis or Prosser, but it may be actionable as a deceptive practice under the Federal Trade Commission Act.
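As an added illustration (not part of the original post), the Python below audits the `Set-Cookie` headers seen while loading a single page and labels each cookie as session or persistent and as first-party or third-party, the distinctions drawn in the list above. The host names, cookie names and values are constructed sample data, and the same-site test is a simplified suffix match.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie headers seen while loading one page.
# Each entry is (host that sent the response, Set-Cookie header value).
PAGE_HOST = "www.shop.example"
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable
SAMPLE_RESPONSES = [
    ("www.shop.example", "session=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "prefs=lang-en; Domain=shop.example; Max-Age=31536000"),
    ("pixel.adnetwork.example",
     "uid=7f3a9c; Domain=adnetwork.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def lifetime_days(attrs, now):
    """Return None for a session cookie, else days until expiry (Max-Age beats Expires)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None

def audit(page_host, responses, now):
    """Classify each cookie as session/persistent and first-/third-party."""
    findings = []
    for resp_host, header in responses:
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        domain = attrs.get("domain", resp_host).lstrip(".")
        # Simplification: suffix match on the cookie domain; browsers also consult
        # the Public Suffix List when deciding what counts as the same site.
        first_party = page_host == domain or page_host.endswith("." + domain)
        findings.append({
            "name": name,
            "kind": "session" if days is None else "persistent",
            "days": days,
            "party": "first" if first_party else "third",
        })
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_HOST, SAMPLE_RESPONSES, NOW):
        print(finding)
```

The resulting list can be set beside a site's privacy policy to check that every persistent or third-party cookie it reports is actually disclosed there.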

Less than one might  think. Online privacy focuses on the use of personal information and how it is contributed, collected, shared and used by the user and other people and companies providing web services.  “Personally Identifiable Information” (a.k.a. “PII”) is protected by a web of laws – but non-personally identifiable information collected by many websites is largely unregulated.

Not all personal information is protected either. A person’s name alone is not private or protected. A name with a corresponding social security number, driver’s license number, credit/debit card account number or other financial account number is protected as “Personal Information” under a variety of U.S. state data breach notification laws. Unauthorized disclosure, theft or breach of unencrypted personal information triggers notification requirements, and imposes liability for penalties and/or damages on the company whose data was breached. Credit card numbers alone (or when stored with expiration dates) are often not protected as PII under many state data breach notification laws. No notification to the holder of the account is required despite the ability of criminals to clone fake but functional credit cards with a credit card number and expiration date alone.

 Websites collect both PII and non-personally identifiable information about their users. PII is collected from website visitors when they fill out forms to register for website services or to make purchases from online retail stores.  Non-personally identifiable information is anonymous data about a visitor detected and used by the website for various purposes, such as to remember if a user is a return visitor, or to remember a visitor’s login information or preferences, to operate shopping carts, and serve ads relevant to the consumer’s interests as determined by tracking the user’s browsing habits. In some cases non-personally identifiable information is collected from a user as she browses across multiple sites and provides a detailed picture of the consumer’s habits.  Non-personally identifiable information about a consumer is stored by the website in cookies and log files on the consumer’s own hard drive.

Only a few state laws address protection of privacy online. California’s 2003 Online Privacy Protection Act (OPPA) was one of the first laws to require that websites used by California residents have policies that notify users how the website collects, uses, shares and protects PII collected from visitors and to notify users how to opt-out of collection of PII. OPPA’s definition of PII includes: first and last name, home or other physical address, email address, telephone number, social security number and other identifiers that could permit physical or online contact with the identified user. 

There are numerous U.S. federal laws and federal agency regulations that govern the use of PII and non-personally identifiable information. How personal information is protected online varies by industry and the financial or reputational risk presented by use of personal information. For online activities, including digital advertising, several federal laws apply including:

  • Children’s Online Privacy Protection Act (COPPA) that requires websites collecting personal information from children under age 13 (whether intentional or not) to provide notice and obtain verifiable consent from parents to the website’s collection and use of a child’s PII. 
  • The CAN-SPAM Act seeks to protect consumers from unsolicited “junk” email by limiting businesses to emailing only those consumers with whom the company has a business relationship.
  • Federal Trade Commission Safe Web Act of 2006 that extends the FTC’s authority over deceptive collection of consumer information on the Internet. If a company’s privacy policy is inaccurate when compared to the company’s actual information collection practices or is confusing to consumers, the FTC may bring an enforcement action requiring changes in data collection and privacy policies, and/or assess monetary penalties.
  • The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and protect sensitive financial information about their customers.
  • The HIPAA Privacy Rule requires healthcare providers to protect the privacy of individually identifiable health information by mandating security standards for the collection and storage of sensitive health information.

As online technology continues its rapid development, experts and government regulators (US and foreign) are calling for changes in privacy laws to protect consumers from invasive collection of non-personally identifiable information.  The FTC issued a report in 2010 calling for “Do Not Track” mechanisms to facilitate consumer choice about online tracking.  The U.S. White House recently released its Consumer Privacy Bill of Rights.

Collection of data about users visiting websites is commonplace online. Digital advertising supports the free web and mobile services people enjoy. Determined to ensure that privacy concerns not halt technological advances in digital advertising, the industry formed the Digital Advertising Coalition and developed a self-regulatory program, a consumer education program and PII opt-out program and icon to be embedded in ads that collect multi-site data. The FTC and US White House recently commended the industry for its self-regulatory program.

Undressing Online: Managing User Privacy in an Interactive World

Speakers Kashmir Hill, David Hale, Josh Freemire and Moderator Al Yukna

The evolution of digital and social marketing makes it easier than ever for agencies and marketers to target consumers. But there are gaping legal pitfalls. Because of lax or downright misleading privacy policies, some of the largest online players – including Facebook, Twitter and Google – have bull’s-eyes on their backs; and the Federal Trade Commission is taking aim.

So, how can agencies and marketers stay out of the FTC’s crosshairs?  Join the AAF Baltimore and Ober|Kaler on Wednesday, January 18, 2012, for a panel discussion featuring some of the most respected privacy experts in the industry. We’ll explore the risks associated with digital advertising and mobile technology. And we’ll talk about how electronic medical and financial data is used in marketing—legally and illegally.  It’s not just tech companies that have something to worry about, many healthcare businesses sell  …


Facebook settled with the FTC today over its chameleon-like privacy policy, reports Gizmodo, putting the user into the driver’s seat for privacy settings. No more Big-Daddy-Knows-Best privacy changes. The FTC announced that, given the long history of Facebook privacy changes and broken promises, it issued an order that Facebook be barred from making misrepresentations about the privacy of users’ personal information and that users must opt in to future privacy changes. Facebook must also prevent access of a user’s materials more than 30 days after his or her account is deleted, address privacy issues in new and existing products and services available on the site, and obtain regular third party audits of its privacy practices to ensure ongoing compliance with the FTC order.

Starting with the basics, what is a “Flash cookie” you ask? They are files known as LSOs (local shared objects) installed on your browser by websites that use Adobe Flash. Similar to HTML cookies (hence the Flash cookie name), an LSO stores data such as graphics, usually for user convenience so graphics and video files load more rapidly upon a return visit. Privacy concerns about Flash cookies have arisen because they store information about the websites you visit and can persist even after you opt-out of behavioral ad tracking or delete HTML cookies. These persistent consumer tracking mechanisms have led some commentators to conjure up a vision of the undead… (more…)

Does online behavioral advertising (OBA) invade consumer privacy? Federal regulators claim that it does and threaten to increase regulation of online advertising if the industry does not soon provide consumers with tools to understand and control what personal data is shared with OBA. “Do-not-track” tools will soon be available so consumers can opt-out of OBA on websites they visit. The ad industry finally responded to the regulators’ requests for “baked-in” browsing tools that offer consumers control over what data may be collected by OBA. (more…)