Socially Aware Blog | Social Media Lawyers | Morrison & Foerster
Social media sites are transforming not only the daily lives of consumers, but also how companies interact with consumers. Here at Morrison & Foerster, across all of our practice groups, we are seeing complex, cutting-edge legal issues arising out of social media.
The California Attorney General continued its series of public forums regarding the California Consumer Privacy Act (CCPA), with forums last week in Riverside (January 24, 2019) and
Los Angeles (January 25, 2019). As in the previous forums, there were a significant number of attendees, but few elected to speak publicly regarding their views on the Act. You can read our reports on the public forums held earlier this month in San Francisco and San Diego.
Lisa Kim, Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks at both forums and identified the areas of the AG’s rulemaking on which speakers should focus their comments, specifically those areas of the Act that call for specific AG rules. Ms. Kim encouraged interested parties to provide written comments and proposed regulatory language during this pre-rulemaking phase. Consistent with the prior forums, she noted that the AG’s office would be listening, and not responding, to comments made in Riverside and Los Angeles.
Of note, the presentation slides made available at the forum (and available here) state that the AG anticipates publishing proposed rules in Fall 2019, after that there will be a period for public comment and additional public hearings.
Participation at the Forums
Twenty people provided comments at the Los Angeles forum, while only four made remarks at the Riverside forum. The majority of the public comments in Los Angeles, and all of the comments made in Riverside, were by business or trade association representatives. Consumer advocates provided limited comments at the Los Angeles forum.
Each speaker was allocated five minutes to speak. While some of the comments echoed those made at the previous forums, others raised new issues.
Business and industry representativesprovided the following noteworthy comments regarding the AG’s rulemaking:
Verifying access requests. Multiple speakers once again expressed concern with the requirements to verify consumer requests. One speaker suggested that companies be required to undertake “commercially reasonable” efforts to verify consumer requests. Another speaker suggested that companies could use credit bureaus as intermediaries to confirm a consumer’s identity, similar to the process for registering for an online bank account. A third speaker requested that the AG support companies who use artificial intelligence and machine learning to analyze and comply with consumer requests.
Feedback on opt-out disclaimers.Several speakers voiced support for a uniform opt-out logo or button, instead of a text link to an opt-out page stating “Do Not Sell My Personal Information” (as would be required by the Act). Business representatives voiced concern that consumers may be alarmed by use of the word “sell” where a business may not be “selling” PI in a traditional sense.
Clarifying key definitions. In addition to the points raised at previous forums regarding definitions in the Act (such as the repeated concern that the Act does not exempt employee PI), business representatives highlighted the following issues with the definitions of “personal information” and “sale”:
“Personal information.” One speaker suggested that the definition of PI should not include IP addresses because businesses could not identify a unique individual or identify individuals without collecting or receiving other personally identifying information. Another speaker urged the AG to clarify or exclude information related to a particular “household” from the definition of PI. And a third speaker suggested limiting the scope of PI to sensitive categories of PI only, such as financial information and Social Security numbers.
“Sale.” Several speakers expressed concern with the Act’s broad definition of “sale.” Multiple speakers asked the AG to clarify whether a “sale” encompasses transfers of assets of a business, that include personal information, such as the sale of a credit card portfolio.
Enforcement priorities. Several speakers noted concerns about the potential impact that the Act will have on small businesses. One speaker asked the AG to consider specifically the disparate impact complying with the Act will have on smaller businesses when creating rules and enforcing the Act. Another suggested that the AG focus its enforcement efforts first on larger companies in the advertising and data brokering industries, in order to more efficiently protect consumer privacy.
Safe harbor and federal preemption. Several speakers urged the AG to establish safe harbor provisions, such as for companies that are in compliance with GDPR. One speaker requested the AG establish a compliance certification framework, and several requested that the AG provide template notices. One speaker voiced concern that a patchwork of state regulations would be burdensome and that California should await a federal data protection law.
Non-discrimination requirements. Multiple speakers urged the AG to clarify the Act’s non-discrimination provision, including, for example, to allow news organizations to charge a reasonable fee to access content on their website without advertisements.
Minimum level of security. One speaker asked the AG to clarify what specific security safeguards companies should implement to comply with the Act, and whether the AG still considers the CIS Top 20 framework as the standard for compliance per the data breach guidance issued by the AG in February 2016.
In addition, consumer advocates requested that the AG consider rulemaking on the following:
Categories of personal information. In contrast to comments from business and industry representatives, several speakers urged the AG to keep the broad definition of PI, including ensuring that IP addresses continue to be considered PI.
Exercising consumer rights. Several speakers commented that required disclosures should be easily accessible and prominently displayed. One speaker reminded the AG that consumers without technical experience require simple and easy to understand options. Another speaker suggested that the AG adopt recent European data protection guidance by requiring that consumers be able to exercise opt-out rights within two clicks of the opt-out notice.
Non-discrimination provision. One speaker suggested that companies be periodically audited for compliance with the non-discrimination provisions of the Act to ensure that financial incentives offered to consumers are not unfair, as evaluated against the value the business assigns to consumer personal information.
Upcoming Forums and Next Steps
The AG will hold three additional public forums: Sacramento and Fresno in February, and Stanford (newly added) in March. Information regarding the time and location for each of the upcoming forums can be found on the AG’s website, and anyone who would like to speak can pre-register here.
Sacramento, Tuesday, February 5, 2019
Fresno, Wednesday, February 13, 2019
Stanford,Tuesday, March 5, 2019
Written comments can be directed to the AG by email to email@example.com or by mail to California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013. Please visit our Resource Center for up-to-date information regarding the Act.
 When the Act was amended in September, the Legislature extended the general deadline within which the AG is directed to adopt implementing regulations from January 1, 2020 to July 1, 2020. Cal. Civ. Code § 1798.185(a), as amended. The amendment, however, potentially created a drafting issue, as several rulewriting provisions continue to require the AG to issue rules within one year of passage of the Act (i.e., June 2019). See §§ 1798.185(a)(3), (6), and (7), as amended.
In anticipation of preparing rules to implement the California Consumer Privacy Act, the California Attorney General recently announced six public forums that he will host in January and February 2019 across California. On January 8, 2019, the AG hosted the first of these forums in San Francisco. The following provides an overview of the forum and the comments made at the forum.
Overview of the January 8, 2019, San Francisco Forum
Stacey Schesser, the Supervising Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks. Ms. Schesser confirmed that the AG’s office is at the very beginning of its rulemaking process. Although the AG’s office will solicit formal comments after it prepares proposed rules, the AG is interested in receiving detailed written comments from the public with proposed language during this informal period.
These forums appear to be designed to inform the AG’s rulemaking and potentially streamline the process, by allowing public input before rules are drafted. In this regard, Ms. Schesser clarified that she and other AG representatives in attendance at the San Francisco forum were there only to listen to the public comments and would not respond to questions or engage with speakers. As a result, if the remaining forums follow a similar approach, it is unlikely that the forums will elicit meaningful intelligence regarding the AG’s anticipated approach to, or the substance of, the anticipated rulemaking.
Also of note, at the outset of the forum, Ms. Schesser encouraged speakers to focus their oral and written comments on the specific rules that the Act directs the AG to issue:
(1) Categories of Personal Information (PI);
(2) Definition of Unique Identifiers;
(3) Exceptions to the Act;
(4) Submitting and Complying with Requirements;
(5) Uniform Opt-Out Logo/Button;
(6) Notices and Information to Consumers; and
(7) Verification of a Consumer’s Request.
It is not clear whether the AG’s encouraged focus for the public comments reflects the fact that the AG intends to limit rulemaking, at least initially, to only those issues where rules are directed by the Act, as opposed to rules under the AG’s general implementing authority.
Comments Made at the Forum
While the forum was well attended and a significant number of individuals pre-registered to speak, only 14 individuals made comments. Business and trade association representatives (including those from the California Chamber of Commerce, the Network Advertising Initiative, and the California Retailers Association) made ten comments while consumer advocates made four. Each speaker was given five minutes to speak.
Business representatives provided the following noteworthy comments regarding the AG’s rulemaking:
Responding to access requests. Multiple speakers expressed concern that businesses may need to collect more PI than they otherwise would to verify access requests. Speakers urged the AG to clarify how access requests apply to businesses that do not collect identifying information (or to except such businesses from responding to requests) and to confirm that businesses need not collect additional information or re-identify individuals in order to respond to an access request.
Clarifying key definitions. Multiple speakers asked the AG to clarify various definitions or phrases, including:
“Business.” The California Chamber of Commerce (CalChamber) expressed concern about the breadth of covered businesses, noting that any business with a website would likely collect PI related to 50,000 or more consumers, households, or devices. Another speaker requested clarification as to whether the $25 million gross revenue threshold will apply to global revenue or only California-derived revenue and asked the AG to consider a “ramp-up” period for compliance for businesses that previously fell below the revenue threshold but later met the requirement.
“Personal information.” One speaker suggested that the definition of PI should not include IP addresses because businesses could not identify a unique individual or identify individuals over time. Another speaker urged the AG to clarify or exclude information related to a particular “household” from the definition of PI.
“Specific pieces of PI.” Relevant to the Act’s access obligation, the CalChamber asked the AG to clarify what “specific pieces of information” means and to consider privacy and security issues raised by providing information in response to access requests.
“Consumer.” One speaker asked the AG to clarify whether the definition of “consumer” applies to employee and human resource data, noting that, while “consumer” means “California resident,” the legislative history suggests lawmakers were primarily concerned about customer rather than employee privacy.
“Sale.” The Network Advertising Initiative asked the AG to clarify the definition of “sale” and to confirm that interest-based advertising does not constitute a “sale” of PI under the Act.
Safe harbor provisions. Several speakers urged the AG to establish safe harbor provisions, such as a safe harbor for GDPR compliance or for businesses that use AG‑prescribed notices.
Non-discrimination requirements. Multiple speakers urged the AG to clarify the Act’s non-discrimination provision, and the California Retailers Association specifically requested clarification on how the provision impacts loyalty programs.
In addition, consumer advocates requested that the AG consider rulemaking on the following:
Categories of personal information. One speaker urged the AG not to limit the definition of PI and to confirm that the definition includes paper documents. Another individual asked the AG to confirm that businesses must include the inferences they draw about consumers in the list of “specific pieces” of PI provided in response to access requests and clarify how businesses should share inferences with consumers.
Non-discrimination provision. One speaker asked the AG to confirm that businesses cannot charge consumers for exercising opt-out rights, as doing so would disparately impact low-income consumers.
Dates and Locations of Upcoming Public Forums
The AG will hold two more forums, and information on the time and location can be found on the AG’s website:
Sacramento, Tuesday, February 5, 2019; and
Fresno, Wednesday, February 13, 2019.
The AG encourages those who wish to speak to pre-register here. Individuals can also submit written comments by email to firstname.lastname@example.org or by mail to California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013. Individuals can subscribe to the AG’s mailing list to receive notifications on CCPA rulemaking here.
We will continue to provide periodic updates on the forums, the AG’s rulemaking process, and other relevant CCPA developments. Stay tuned.
But while the California Supreme Court’s decision is undoubtedly a significant development, it would be premature for Section 230 fans to break out the champagne; the “most important law protecting Internet speech” remains under attack from many directions, and this recent decision is far from definitive. But before getting into the details of the Hassell v. Bird opinion, let’s step back and consider the context in which the case arose.
Before Section 230: A Wild, Wild Web
A fundamental issue for social media platforms and other online intermediaries, including review sites like Yelp, is whether a company may be held liable when its customers engage in bad behavior, such as posting defamatory content or content that infringes the IP rights of third parties. Imagine if Facebook, Twitter, YouTube, and Yelp were potentially liable for defamation every time one of their users said something nasty (and untrue) about another user on their platforms. It would be hard to imagine the Internet as we currently know it existing if that were the case.
But that is where we were in the mid-1990s, based on some case law from that period. Think back to the early days of the interactive Web. Online services, like Prodigy and CompuServe were the first large-scale attempts to bring an interactive “social” online experience to the public. These services hosted online news forums and offered a safe moderated environment for social networking and discussions. But, of course, users did not always behave well on these platforms.
For example, in a New York state case from 1995, Stratton Oakmont v. Prodigy Services, a user of Prodigy’s Money Talk bulletin board created a post that claimed that Stratton Oakmont (a Long Island securities investment banking firm) and its president committed criminal and fraudulent acts in connection with an IPO. Stratton Oakmont sued Prodigy and the anonymous poster for defamation. The Stratton court held that Prodigy was liable as the publisher of the content created by its users because it exercised editorial control over the messages on its bulletin boards.
As you can imagine, this result—that an online service provider is liable as the publisher of defamatory content posted by its users—was alarming to the companies that provided such services. This led to the enactment of the Communications Decency Act, specifically Section 230, a statute that was at the heart of Hassell v. Bird.
Section 230 immunizes online service providers from liability stemming from the publication and filtering of content created by a third party. Section 230(c)(1) states that an “interactive computer service provider” (which covers essentially any online service provider) cannot be treated as a publisher or speaker of content provided by a separate “information content provider” (which is often a user). Many Section 230 cases involve defamation allegations against websites based on publication of user-generated content. Courts have generally held that Section 230 immunity applies in these cases and Section 230 is often interpreted broadly.
Section 230: The Early Days
The first major case to interpret Section 230 was a Fourth Circuit case, Zeran v. America Online in 1997. In Zeran, an anonymous post on an AOL bulletin board advertised the sale of t-shirts with slogans glorifying the Oklahoma City bombing (for those too young to remember, this was the domestic terrorist truck bombing of a federal office building in Oklahoma City that killed 168 people, including many children in a day care center).
The t-shirts displayed highly offensive slogans such as “Finally a day care center that keeps the kids quiet—Oklahoma 1995.” The post instructed readers to contact plaintiff Kenneth Zeran and listed his home phone number.
Zeran, in fact, had nothing to do with the post and was apparently randomly targeted as part of a prank. Zeran began receiving threatening calls. AOL removed the post at Zeran’s request, but similar posts appeared. Less than a week after the initial post, Zeran was receiving threatening calls every two minutes and his house was put under protective surveillance.
Zeran sued AOL, alleging that the company was negligent in failing to adequately respond to the posts after becoming aware that they were fraudulent. AOL claimed that it was protected by Section 230. Zeran, however, argued that AOL was not protected by Section 230 because it was a distributor of information, rather than a publisher.
The court rejected this distinction between distributors and publishers, holding that Section 230 provided immunity for both the distribution and publication of content and finding that AOL was immune from liability. Today, twenty years later, the Fourth Circuit’s holding in Zeran is still good law. It is not an overstatement to say that, at least from a legal point of view, the Fourth Circuit’s broad interpretation of Section 230 in this case was instrumental in the development of the commercial Internet in its early days.
So that is where Section 230 stood for many years—with relatively few exceptions, Section 230 was held to provide website owners with a broad immunity from a variety of claims based on content and information provided by users, even where the content at issue is extremely objectionable. For example, in Jones v. Dirty World Entertainment Recordings, the Sixth Circuit held that a gossip website known as “The Dirty” was immune from liability for defamation claims based on posts about Sarah Jones, a cheerleader for the Cincinnati Bengals. The posts included Jones’s picture and statements regarding her sex partners, as well as allegations that she had sexually transmitted diseases. In that case, Section 230 applied notwithstanding the distasteful nature of the content and the fact that the website operator seemingly encouraged the posting of such content.
Amid that environment in 2016, the California Court of Appeal’s Hassell v. Bird opinion landed with a thud. Decided in the wake of a series of cases that had already eroded Section 230’s protections, Hassell v. Bird was seen by the Internet law community not merely as a problematic outlier, but rather as the culmination of a disturbing trend already well underway. But now we are getting ahead of ourselves, so let’s go back and look at the details of Hassell v. Bird.
Back to Hassell v. Bird
In 2012, a San Francisco attorney named Dawn Hassell took on a client named Ava Bird in a personal injury case. At some point, the relationship went sour and Hassell withdrew from representing Bird. Bird then posted a review of Hassell’s firm on Yelp.com in January 2013, under the name “Birdzeye B. Los Angeles, CA.” She gave Hassell one star and included various complaints about Hassell’s work in her review. Upon seeing these reviews, Hassell contacted Bird and asked her to remove the reviews from Yelp. Bird refused.
Another negative one-star review of Hassell’s firm was posted the next month, this time under the name “J.D. Alameda, C.A.” Hassell had never represented a client with the initials J.D. and she suspected Bird had written this review as well based on similarities in the two reviews’ writing styles.
Hassell filed a complaint against Bird in April 2013, alleging that Bird’s negative reviews were defamatory and injurious to Hassell’s business reputation. Bird defaulted and the trial court awarded Hassell more than $500,000 in damages and issued an injunction ordering Bird to remove the Yelp reviews and refrain from posting any additional reviews of Hassell’s firm.
So far so good, but here is where the trouble started: The trial court’s injunction also ordered Yelp to remove Bird’s reviews, even though Yelp was not a party in the defamation case.
And why didn’t Bird name Yelp as a party? Think back to the Section 230 cases discussed above—Yelp would almost certainly have been able to get a defamation claim against it based on Bird’s reviews dismissed under Section 230. By not naming Yelp and getting a default judgment against Bird, however, Hassell managed to get the court to issue an injunction not only against Bird but also against Yelp, something Hassell would not likely have been able to achieve if she had sued Yelp directly.
In any event, when Yelp refused to remove the reviews, the case ended up in the Court of Appeal and, in June 2016, the court upheld the injunction requiring Yelp to remove the existing reviews. (The court did hold that the portion of the injunction that ordered Yelp to remove future reviews was an unconstitutional prior restraint.)
The Court of Appeal’s decision includes a lot of procedural detail about whether Yelp has standing to challenge the trial court’s judgment and whether a non-party may be bound by an injunction. The court also spends considerable time analyzing Yelp’s due process and First Amendment claims. I am not going to address most of the court’s discussion of those claims because, in this article, I’m focusing on the Section 230 issues. It is worth noting, however, that the Court of Appeal is very dismissive of Yelp’s First Amendment arguments because this dismissiveness seems to color the court’s approach to the Section 230 issues.
The Court of Appeal first disregards Yelp’s argument that it has a First Amendment interest in disseminating Bird’s speech as curator of content, similar to a publisher or a distributor of books or newspapers. The court says, in a conclusory fashion, that the injunction “does not treat Yelp as a publisher of Bird’s speech, but rather as the administrator of the forum that Bird utilized to publish her defamatory reviews.” This is a confusing statement because the court does not clearly explain either the difference between a publisher and an administrator of a forum, or why that should matter for First Amendment purposes.
The court then goes on to say that, even if Yelp is a publisher, it has no First Amendment interest in publishing Bird’s reviews because the reviews have already been determined to be defamatory and defamatory speech is not protected by the First Amendment. This ignores the fact that, due to the default judgment against Bird, the trial court never determined on the merits that the reviews were defamatory. And, in any event, certainly Yelp never had a chance to challenge that determination.
Despite the court’s determinations against Yelp on these issues, however, Section 230 could still save the day for Yelp. But, of course, it doesn’t. Instead, the Court of Appeal says that “[t]he removal order does not violate section 230 because it does not impose any liability on Yelp” and “[i]f an injunction is itself a form of liability, that liability was imposed on Bird, not Yelp.” Of course, Yelp could be subject to liability if it fails to comply with the injunction but, according to the court, “sanctioning Yelp for violating a court order would not implicate section 230 at all; it would not impose liability on Yelp as a publisher or distributor of third party content.”
There appears to be a bit of Section 230 sleight of hand going on here. Recall that Section 230 provides immunity against any claim that treats an online service provider as a publisher or speaker of content provided by someone else. Here, the court says, Yelp’s potential liability is not based on treating Yelp as a publisher or speaker of Bird’s reviews; rather the potential liability to Yelp is from being in contempt of court for failing to comply with the injunction. And Section 230, says the court, does not provide immunity from that liability.
The trouble with this reasoning, as many commentators noted, is that it opens up a huge loophole in Section 230. If an aggrieved person doesn’t like user content on a website, that person can sue the user. If the user does not appear—which is a pretty good bet, particularly if the suit is filed far from the user’s home—the plaintiff will get a default judgment, just as Hassell did. Then the plaintiff can take the default judgment to the website operator and force it to remove the content, thereby conveniently avoiding Section 230.
Yelp appealed to the California Supreme Court. In support of Yelp’s request, amici submitted 14 letters representing more than 40 organizations, including companies such as Google, Facebook, and Twitter, as well as various public interest groups and law professors.
The Supreme Court accepted the case and issued its decision on July 2, 2018, reversing the Court of Appeal’s judgment requiring Yelp to comply with the injunction. The Supreme Court voted 3-1-3, with a plurality opinion written by the Chief Justice and joined by Justices Chin and Corrigan, a concurring option written by Justice Kruger, and the remaining Justices dissenting in two separate opinions.
Because this article is already quite long, I won’t address all of the points that the writers of the plurality, concurring, and dissenting opinions discussed. Suffice it to say that the plurality opinion turned primarily on Section 230 issues, and did not reach some of the First Amendment, procedural, and due process issues that the lower courts addressed.
Essentially, the Supreme Court recognized that the injunction was a way to end-run Section 230. The Court noted specifically that “Yelp could have promptly sought and received section 230 immunity had plaintiffs originally named it as a defendant in this case.” The Court goes on to say, “The question here is whether a different result should obtain because plaintiffs made the tactical decision not to name Yelp as a defendant. Put another way, we must decide whether plaintiffs’ litigation strategy allows them to accomplish indirectly what Congress has clearly forbidden them to achieve directly. We believe the answer is no…. an order that treats an Internet intermediary ‘as the publisher or speaker of any information provided by another information content provider’ nevertheless falls within the parameters of section 230(c)(1).”
The Court then makes the key point that an injunction against Yelp does, in fact, treat Yelp as a publisher for purposes of Section 230, noting that the injunction sought to overrule Yelp’s decision to publish Bird’s reviews. The Court goes on to say, “In substance, Yelp is being held to account for nothing more than its ongoing decision to publish the challenged reviews, and that “the duty that plaintiffs would impose on Yelp, in all material respects, wholly owes to and coincides with the company’s continuing role as a publisher of third party online content.” Because this is exactly what Section 230 prohibits, the injunction cannot stand.
This result was a relief for many, as noted above, and the plurality opinion has a lot of good language for supporters of Section 230. But given the fractured Supreme Court decision and the fact that Section 230 remains under attack from many other directions, it seems likely that the trend toward reining in the historically broad scope of Section 230 immunity will continue. In any event, we will be keeping a close eye on further Section 230 developments.
Just over a month after the EU General Data Protection Regulation (GDPR) took effect, California passed its own sweeping privacy legislation, the California Consumer Privacy Act of 2018.
The Act stands to affect countless global companies doing business in California, many of which recently devoted extensive time and resources to GDPR compliance. These companies must now determine what additional steps are necessary to comply with the Act by the time it takes effect on January 1, 2020.
Join Socially Aware contributors Christine Lyon and Julie O’Neill on Thursday, September 20, 2018, for a deep dive into the key similarities and differences between the GDPR and the Act, as well as practical steps companies can take to assess gaps and chart a path to compliance. The areas they expect to cover include:
Access and portability
If you are interested in attending this free webinar, please register here.
On July 19, 2018, in May, et al. v. Expedia Inc., U.S. Magistrate Judge Mark Lane issued a Report and Recommendation recommending that U.S. District Judge Robert Pitman for the Western District of Texas grant a motion to compel arbitration and dismiss a putative class action on the grounds that the plaintiff agreed to the defendants’ website’s Terms and Conditions, which contained a mandatory arbitration clause.
HomeAway User Files Putative Class Action
HomeAway is an online marketplace for vacation rental properties where property owners can list their properties for rent and travelers can book rental properties. HomeAway’s original business model was to charge owners a fee to list their properties (either on a one-year subscription or pay-per-booking basis) and to allow travelers to search and book rentals for free. HomeAway was acquired by Expedia in 2015 and changed its business model to charge travelers a fee to book rentals in mid-2016. Plaintiff James May had been a property owner who used HomeAway since 2013.
In November 2016, the plaintiff filed a putative class action against Expedia and HomeAway for breach of contract, fraud, fraudulent concealment, and Oregon and Texas state law claims based on HomeAway’s imposition of a “traveler fee” and its negative effect on owners who used HomeAway to rent properties. The defendants moved to compel the plaintiff to arbitrate his claims based on HomeAway’s 2016 Terms and Conditions, which contained a mandatory arbitration clause.
The defendants argued that the plaintiff agreed to the Terms and Conditions (and thus the arbitration clause incorporated therein) twice:
when he renewed his HomeAway subscription in September 2016; and
when he booked his property through HomeAway’s website in October 2016.
The plaintiff argued that he did not agree to the Terms and Conditions because:
he renewed his HomeAway subscription in his wife’s name;
he did not receive actual or constructive notice that he agreed to the Terms and Conditions when he clicked “Continue” during the booking process; and
any agreement to arbitrate is illusory and unenforceable.
Following the Fifth Circuit’s 2018 decision in Arnold v. HomeAway, Inc., the parties agreed that the plaintiff’s argument that the arbitration agreement is illusory is precluded and that the only issue before the court was whether the parties entered an arbitration agreement. Magistrate Judge Lane then issued his Report and Recommendation finding the plaintiff contractually bound to the 2016 Terms and Conditions based on his subscription renewal and booking his property through HomeAway.
HomeAway User’s Assignment of Account Not Enforceable
First, the magistrate judge rejected the plaintiff’s argument that, because he had purchased the renewal subscription in his wife’s name on her behalf and with her authorization, he had not agreed to the 2016 Terms and Conditions on his own behalf. Although the plaintiff specifically renewed the subscription in his wife’s name to avoid being bound by the 2016 Terms and Conditions, he offered no legal argument or basis to show that this had any legal effect.
The 2015 Terms and Conditions expressly did not allow the plaintiff to assign the Terms and Conditions absent HomeAway’s consent, and there was no evidence that HomeAway had consented to the purported assignment from the plaintiff to his wife.
HomeAway User Was on Notice of Agreement to the Terms and Conditions
Second, the magistrate judge rejected the plaintiff’s argument that, due to the placement and typeface of the hyperlink used by HomeAway, he had no notice that he was agreeing to the 2016 Terms and Conditions when he booked his property through HomeAway’s website.
Magistrate Judge Lane distinguished the 2014 opinion in Nguyen v. Barnes & Noble, Inc., which involved a hyperlink to the terms at the bottom of a webpage and did not require any affirmative action to demonstrate the user’s agreement to the terms. In contrast, HomeAway’s website presented the user with a notice directly above the “Continue” button that informed the user that he was agreeing to the hyperlinked Terms and Conditions by clicking the button to continue. A user could not complete the transaction without clicking the “Continue” button. This was sufficient to put the plaintiff on notice that he was agreeing to the hyperlinked Terms and Conditions by continuing the transaction.
HomeAway User Equitably Estopped From Arguing Not Bound
Finally, Magistrate Judge Lane noted that, if the plaintiff was not bound by the Terms and Conditions, the plaintiff could gain all of the benefits of his HomeAway account without being bound to terms he did not want to accept. Such a result dictates that even if the plaintiff was not contractually bound, he should be equitably estopped from contending that he is not bound by the Terms and Conditions.
Although Judge Pitman has not issued a final order granting or denying the motion to compel arbitration, Magistrate Judge Lane’s Report and Recommendation provides insights into how a website operator can help to ensure that its users are subject to its online contractual terms, even where a user intentionally seeks to avoid being bound by such terms.
An advertising executive who lost his job after being named on an anonymous Instagram account is suing the now-defunct account for defamation. The suit names as defendants not only the account—Diet Madison Avenue, which was intended to root out harassment and discrimination at ad agencies—but also (as “Jane Doe 1,” “Jane Doe 2,” et cetera) several of the anonymous people who ran it. Whether Instagram will ultimately have to turn over the identities of the users behind the account will turn on a couple of key legal issues.
A bill recently passed by the New York State Senate makes it a crime for “a caretaker to post a vulnerable elderly person on social media without their consent.” At least one tech columnist thinks the legislation is so broadly worded that it violates the U.S. Constitution. That might be so, but—in light of several news reports about this unfortunate form of elder abuse over the last few years—that same columnist may not be correct about the bill likely having been passed in response to a one-time incident.
A new law in Egypt that categorizes social media accounts and blogs with more than 5,000 followers as media outlets allows the government in that country to block those accounts and blogs for publishing fake news. Some critics aren’t buying the government’s explanation for the law’s implementation, however, and are suggesting it was inspired by a very different motivation.
In a criminal trial, social media posts may be used by both the prosecution and the defense to impeach a witness but—as with all impeachment evidence—the posts’ use and scope is entirely within the discretion of the trial court. The New York Law Journal’s cybercrime columnist explains.
Snapchat now allows users to unsend messages. Here’s how.
Employees of Burger King’s Russian division recently had to eat crow for a tasteless social media campaign that offered women a lifetime supply of Whoppers as well as three million Russian rubles ($47,000) in exchange for accomplishing a really crass feat.
We’ve all heard of drivers experiencing road rage, but how about members of the public experiencing robot rage? According to a company that supplies cooler-sized food-delivery robots, its’s a thing.
If a web server located outside the United States hosts video content that can be viewed by Internet users located in the United States, does a public performance result under U.S. copyright law?
This has been a topic of hot debate for a surprisingly long time, with little or no direct guidance from the courts—until now. A recent decision from the D.C. Circuit, Spanski Enterprises v. Telewizja Polska, addresses this issue head-on, with the court finding that the uploading of video content in which a party held exclusive U.S. public performance rights and the subsequent directing of the content to U.S. viewers upon their request to be an infringing “performance” under the U.S. Copyright Act.
Telewizja Polska (“Polska”) is Poland’s national TV broadcaster that owns, operates and creates content for several Polish TV channels. Polska and Spanski Enterprises (“Spanski”), a Canadian corporation, entered into a licensing agreement granting Spanski exclusive broadcasting rights in North and South America to TVP Polonia, one of Polska’s TV channels. Polska provides online access to its programming through a video-on-demand feature on its Poland-based website and, to protect Spanski’s rights, Polska used geoblocking technology to block North and South American IP addresses from accessing the copyrighted content. The territorial restrictions were either incorporated into the digital video formats of the episodes themselves or assigned through a content management system.
In late 2011, however, Spanski’s attorneys discovered 51 episodes were not properly geoblocked and thus were viewable by North American users, at least in part, on Polska’s website. Spanski then sued Polska in a U.S. district court for copyright infringement under U.S. law. The district court found Polska liable for its employees’ volitional actions in removing the episodes’ territorial restrictions and creating non-geoblocked digital formats of the episodes. Because the episodes at issue were viewed within the United States, the infringement was not found to be “wholly extraterritorial.” The court awarded statutory damages of $60,000 per episode for a total of $3,060,000 due to Polska’s willful and intentional infringement.
Polska appealed the lower court’s ruling, arguing that only the end user of a fully automated video-on-demand service can be held liable for copyright infringement, and not the party hosting the service from outside the country. Polska also argued that because the conduct occurred exclusively in Poland, the lower court’s decision was an impermissible extraterritorial application of the U.S. Copyright Act.
On appeal, the D.C. Circuit relied on U.S. Supreme Court precedent in American Broadcasting Companies v. Aereo to confirm that Polska had committed an infringing public performance. In the decision, Aereo had offered paying subscribers broadcast TV programming over the Internet virtually as the programming was being aired, but did not own copyrights in or hold licenses to the works. Customers could select the programming they wished to view, and Aereo would tune a dedicated antenna to the relevant station, capture the signal and retransmit the signal to the requesting customer. The Supreme Court found that because Aereo’s activities were substantially similar to those of cable television companies, which the Transmit Clause (17 U.S.C. §101) was added by Congress to specifically cover, Aereo “performed” or “transmitted” the programming. Regardless of whether Aereo transmitted the same or separate private copies to each user, it performed the same work and its subscribers constituted “the public.” The Supreme Court’s holding established an exception to the bright-line volitional conduct test that is traditionally applied, which requires a provider to act as an agent or independently make choices about what to transmit. The Supreme Court, however, left open the question of when to apply the Aereo test, and many read the decision as a narrow holding only applicable to cable TV lookalikes.
In the Spanski dispute, the D.C. Circuit declined to read Aereo so narrowly, and pointed to the basic legal principle every law student learns that judicial opinions establish “precedential principles that apply to materially similar factual scenarios arising in future cases.” In this case, the court found that the Aereo principle that a viewer’s decision to access an infringing television program does not relieve a broadcaster from liability for showing the program’s images and making the program’s sounds audible also applied to Spanski. Both Polska, the broadcaster and the viewer can be liable for the same performance.
The court reasoned that, if Aereo’s indiscriminate retransmission of third-party content upon a user’s request resulted in an infringing public performance by Aereo, Polska’s transmission of copyrighted episodes that were purposely selected and uploaded to its web server must also result in an infringing public performance, especially given Polska’s more active role in selecting the content available for transmission.
In response to the possibility of sweeping liability resulting from its decision, the D.C. Circuit pointed to statutory protections such as Section 512 of the U.S. Copyright Act (the so-called “DMCA safe harbors”), and declined to follow the lead of other courts in reading a volitional conduct or proximate cause requirement into the U.S. Copyright Act. No matter what the scope of Aereo’s requirement may be, the court concluded, Polska’s conduct constituted copyright infringement under U.S. law, violating Spanski’s exclusive rights within the United States (rights which, ironically, it had received from Polska).
In addressing the extraterritoriality issue, the court looked to the test established in RJR Nabisco, Inc. v. European Community: “If the conduct relevant to the statute’s focus occurs in the U.S., then the case involves a permissible domestic application even if other conduct occurred abroad.” To determine the Copyright Act’s “focus,” the court followed the U.S. Supreme Court’s approach in Morrison v. National Australian Bank Ltd. to determine the U.S. Copyright Act’s focus of “protecting the exclusivity of the rights it guarantees.” Although Polska uploaded and digitally formatted the episodes in Poland, the infringing performances (and relevant conduct) “occurred on the computer screens in the United States” and were thus actionable in the United States. The court noted that, were it to hold otherwise, large-scale criminal copyright pirates could avoid U.S. copyright liability simply by locating their servers outside the United States. Accordingly, Congress could not have meant to prevent domestic copyright holders from enforcing their rights against foreign broadcasters who transmit infringing performances into the United States.
While the D.C. Circuit’s Spanski decision makes clear that storing infringing content on foreign servers does not necessarily shield an Internet actor from liability if the content is ultimately transmitted to and viewed in the United States, the court left open the question of whether geoblocking of U.S. IP addresses can protect a provider like Polska from liability. In the wake of the decision, geoblocking may now be a best practice for foreign website operators seeking to reduce their U.S. copyright liability exposure, although it may not be sufficient to avoid infringement, as some commentators have noted.
While Polska deliberately halted its geoblocking efforts, in its appeal, it did raise the hypothetical of an American user circumventing a foreign website operator’s territorial restrictions to view content domestically. The court refused to “prejudge such situations,” but noted that, in such situations, a foreign web operator may have alternative defenses against liability, such as lack of personal jurisdiction. Such an approach is supported by recent holdings in Triple Up Limited v. Youku Tudou Inc. and Carsey-Werner Company, LLC v. BBC, which relied on a website’s “affirmative geoblocking efforts” to “weigh against the exercise of personal jurisdiction.”
Going forward, we will have to see how courts clarify the full impact of geoblocking with respect to copyright liability under U.S. law. Foreign website operators that host and stream content for which they do not have U.S. public performance rights, and that choose not to geoblock access by U.S. IP addresses to such content, will want to carefully review the Spanksi decision and potentially available liability defenses under U.S. copyright law.
Authored by Chief Justice John Roberts, the 5-4 opinion immediately enshrines greater protections for certain forms of location data assembled by third parties. It also represents the Court’s growing discomfort with the so-called “third-party doctrine”—a line of cases holding that a person does not have a reasonable expectation of privacy in records that he or she voluntarily discloses to a third party. In the longer run, there will likely be further litigation over whether the same logic should extend Fourth Amendment protections to other types of sensitive information in the hands of third parties as courts grapple with applying these principles in the digital age.
Anytime a cell phone uses its network, it must connect to the network through a “cell site.” Whenever cell sites make a connection, they create and record Cell Site Location Information (CSLI). Cell phones may create hundreds of data points in a normal day, and providers collect and store CSLI to spot weak coverage areas and perform other business functions.
Obtaining CSLI records is a fairly common law enforcement tool, and—until now—such information could typically be obtained by court orders issued under the Stored Communications Act. Those orders require the government to make certain types of showings to a court, but they are not warrants and do not require probable cause.
The Supreme Court’s review of this practice stemmed from the arrest and conviction of Timothy Carpenter for (ironically) his involvement in several robberies of cell phone stores. Without obtaining a warrant, the FBI sought and obtained orders directing MetroPCS and Sprint to hand over 152 days of Carpenter’s CSLI records generated when his phone placed, received, or ended a call, as well as seven days of overall CSLI records. This evidence was used to help convict Carpenter of various robbery charges.
Carpenter’s case reached the Supreme Court as part of a broader dispute over whether and in what circumstances an individual’s location data is protected by the Fourth Amendment’s warrant requirement. In a 2012 decision involving the use of a GPS tracking device affixed to a vehicle, five Justices had suggested that people generally have a reasonable expectation of privacy in information that would reveal their location and movements over time, but the Court’s majority opinion in that case had not squarely resolved the issue. The key question in Carpenter turned on the applicability of the third-party doctrine: Do customers have a reasonable expectation of privacy in their location information when, through their phones, they disclose that information to cellular providers?
The government argued that cell phone users voluntarily “share” their location information by using cell phones that connect with cell sites. As such, it argued that CSLI records should be treated in the same way as phone records in the hands of a telephone company or bank records in the hands of a financial institution—both of which the Supreme Court has held can be obtained through a subpoena and without a warrant. The American Civil Liberties Union (ACLU), representing Carpenter, argued that warrantless access to historical CSLI records permitted the government to obtain a tremendous amount of revealing information, incomparable to what previous circumstances allowed. The ACLU argued that access to this type of information violates the basic “reasonable expectation of privacy” test.
The Court ruled for Carpenter, holding that individuals have a legitimate expectation of privacy in their locations as captured by CSLI. As such, a warrant based on probable cause is required in order to obtain these records. The opinion made several key observations:
The Fourth Amendment is not static. As technological changes make some searches easier or lead to entirely new techniques, Fourth Amendment protections must keep pace. For that reason, rules like the third-party doctrine cannot be “mechanically” applied regardless of the circumstances or the type of information that the government seeks to obtain.
People have a reasonable expectation of privacy in their location as captured by CSLI records. Even though people can expect to be observed as they move about in public, they have an expectation that they are not being continuously monitored. And because almost everyone “compulsively carr[ies] cell phones with them all the time,” CLSI offers “near perfect surveillance.”
The third-party doctrine does not apply to CSLI. The Court distinguished CSLI records from the types of business records at issue in prior cases, concluding that bank records and phone records do not contain information that is as personal or invasive as continuous location information. The Court also noted that CSLI is not voluntarily shared in any meaningful sense: just by being on, cell phones continually “ping” cell towers and generate this data.
The Court stated that its opinion reaches only historical CSLI compiled for a period of at least seven days. It did not address CSLI records obtained on a real-time basis, or any other type of information obtained through a subpoena. The Court also noted that existing exceptions to the warrant requirement—such as exigent circumstances—could apply to historical CSLI records where appropriate.
Most obviously, in light of Carpenter, a mobile communications provider should ask to see a warrant if the government requests historical CSLI records covering a period of a week or more. (And, undoubtedly, law enforcement agencies will be updating their protocols accordingly.) Slightly less obviously, businesses that possess other types of customer location information (e.g., through GPS tracking) may also expect to see a warrant—or may be able to argue that a warrant is required—if they are asked to turn over such information to law enforcement in aid of an investigation. In fact, the Carpenter decision generally describes GPS data as more precise and therefore more potentially invasive than CSLI.
While the ruling will create some uncertainty, service providers can take some comfort in the fact that the Stored Communications Act precludes plaintiffs from suing providers who comply with court orders or subpoenas. So businesses are unlikely to be successfully sued simply for having complied with a subpoena or court order requesting this type of information.
More broadly, Carpenter continues a trend of recent Supreme Court cases adapting Fourth Amendment rules to account for changing technology. A key refrain throughout the opinion is the ease of compiling CSLI records and the sheer volume of data at stake. The Court’s practical focus on the type and volume of data being obtained creates doubts about the third-party doctrine and its application in other circumstances. Carpenter suggests that this rule cannot function like an on/off switch, eliminating all expectations of privacy if something is shared with a third party.
Notably, several prominent technology companies similarly advocated in an amicus brief for a more practical and less rigid approach—in part because many types of technology require users to “share” data (including sensitive data) with technology companies in order to function. Although the Court’s opinion attempted to limit itself to historical CSLI records, emphasizing collection of location information over a week or more at a time, there will almost certainly be future litigation on collections of other types of information, potentially including real-time location information as well as subpoena requests for other types of arguably sensitive data.
Computer scientist and legal scholar Nick Szabo first proposed the idea of “smart contracts” in 1996. Szabo published his initial paper on the topic in a publication called Extropy, a journal of transhumanism, a movement seeking to enhance human intellect and physiology by means of sophisticated technologies. At the time, the idea was nothing if not futuristic.
Fast forward 22 years, and even if the actual use of smart legal contracts remains largely in the future, the idea of them has gone mainstream. What follows is our list of the top five things you need to know about this quickly evolving area.
Their Name Is Somewhat Confusing
When lawyers speak of contracts, they generally mean agreements that are intended to be legally enforceable. In contrast, when most people use the term “smart contract” they’re not referring to a contract in the legal sense, but instead to computer coding that may effectuate specified results based on “if, then” logic.
Advocates of smart legal contracts envision a day when coding will automatically exercise real-world remedies if one of the parties to a smart contract fails to perform.. For example, if an automotive borrower were to fail to make a car payment, coding within the smart loan agreement could automatically trigger a computer controlling the relevant car to prevent the borrower from driving it, or could cause the car to drive autonomously to the lender’s garage.
Even then, whether coding itself could ever satisfy the requirements of a legally binding contract is up for debate.
They Are Works in Progress, But Hopes Are High
Smart contracts also aren’t particularly smart. For one thing, the “if, then” logic of their coding typically relies on an external source of information, a so-called “oracle,” to state whether a certain event has occurred and a prescribed remedy should thus ensue. In most cases, connections between the coding and the oracles are works in progress. Likewise, connections between smart contracts and the means to exercise real-world remedies for nonperformance are still being built.
Smart contracts’ relatively early stage of development has not dimmed hopes that they will ultimately play a large, even central, role in much commerce. Some proponents have claimed that they will revolutionize business arrangements by offering a more efficient alternative to conventional contracts, dramatically lessening enforcement costs while limiting the government’s role in contract enforcement.
Major Projects Are Percolating
Work on smart contracts has begun in earnest. For example, a smart-contracts consortium, the Accord Project, has begun work to develop “techno-legal standards” and open-source software tools for smart contracts. And a syndicated loan industry group, the Loan Syndications and Trading Association, has released a detailed white paper exploring how smart contracts might allow parties to transact more efficiently and securely.
They Will Likely Rely on Distributed-Ledger Technology
Smart contracts are distinct from distributed-ledger technology, such as the blockchain system, but are often discussed in the context of that technology, which permits the sharing of synchronized digital data geographically over multiple sites without any central administrator. Distributed-ledger technology is expected to facilitate the use of smart contracts by permitting the relevant coding to be embedded in the shared ledger while preventing either party from altering that coding.
Regulation May Be on the Way
While certain proponents of smart contracts may wish to limit governmental involvement in the realm of private contracts, it nonetheless seems likely that smart contracts will engender their own regulation. From a legal perspective, much of the novelty of smart contracts is the automatic nature of the exercise of remedies for breach. Legislators and regulators may well wish to limit the remedies that may be agreed in advance or exercised without human intervention.
* * *
For more information about smart contracts and other blockchain-related developments, please visit Morrison & Foerster’s Blockchain Resource Center.
Most companies are familiar with the Children’s Online Privacy Protection Act (COPPA) and its requirement to obtain parental consent before collecting personal information online from children under 13. Yet COPPA also includes an information deletion requirement of which companies may be unaware. On May 31, 2018, the Federal Trade Commission (FTC) published a blog post addressing this requirement, clarifying (i) when children’s personal information must be deleted and (ii) how the requirement applies, as well as (iii) recommending that covered companies review their information retention policies to ensure they are in compliance.
(i) COPPA’s information deletion requirement. The FTC clarifies that, under Section 312.10 of COPPA, companies may retain children’s personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” After that, a company must use reasonable measures to ensure such personal information is securely destroyed.
(ii) Application of the deletion requirement to children’s outdated subscription information. In its post, the FTC applies the deletion requirement to the example of a subscription-based app directed to children under 13. If the subscription period ends, and a parent decides not to renew the service, can the company keep the child’s personal information? The answer, the FTC confirms, is “no”: the information is no longer “reasonably necessary” to provide the app’s services, so it must be deleted. This is true regardless of whether a parent affirmatively requests deletion.
(ii) Recommendation to review information retention policies in light of the deletion requirement. The FTC recommends that companies review their information retention policies with COPPA’s deletion requirement in mind. It lists questions to help guide companies as they navigate this requirement:
What types of personal information are you collecting from children?
What is your stated purpose for collecting the information?
How long do you need to hold onto the information to fulfill the purpose for which it was initially collected? For example, do you still need information you collected a year ago?
Does the purpose for using the information end with an account deletion, subscription cancellation, or account inactivity?
When it’s time to delete information, are you doing it securely?
Key takeaway. If a company possesses personal information collected online from a child under 13, and the information no longer serves the purpose for which it was collected, the company must delete it. Companies should review their information retention policies to ensure compliance with this COPPA requirement.