Header graphic for print

Socially Aware Blog

The Law and Business of Social Media

Social Links: Implications of Facebook’s algorithm change; branded emoji; free travel apps

Posted in Cyberbullying, Data Security, Employment Law, Litigation, Marketing

The Internet is abuzz over the Facebook algorithm change. Here are the implications for marketers and publishers and for regular users.

U.S. Customs wants to start collecting the social media accounts for foreign travelers.

Court: Woman fired for posting to her Facebook page that she would quit her job before doing “something stupid like bash in” her co-worker’s “brains with a baseball bat” is entitled to unemployment benefits.

Does artificial intelligence have a “white guy” problem?

It appears consumers have an appetite for branded emoji: Harper’s Bazaars emoji keyboard was downloaded 30,000 times in 24 hours.

Meet YesJulz, Snapchat royalty.

And here’s a list of several more impossibly popular social media celebs who you’ve likely never heard of.

Seven things everyone should know about cybersecurity and social media.

Do anonymity and social mix? An interesting Q&A with the founder of Secret, an anonymous social messaging platform that was valued at $100 million before it shuttered as a result of bullying.

Hitting the Tarmac this holiday weekend? Here’s a list of free or cheap travel apps worth downloading.

Brexit: Data Protection Implications

Posted in Data Security, European Union, Privacy, UK

iStock_91726351_600pxAs the entire world knows, the United Kingdom has voted by a narrow majority to leave the European Union (“Brexit”). But the Brexit process will take time, and the implications for businesses will also unfold over time. In this blog post, we take a look at the potential privacy and data security implications of Brexit.

No Changes in the Short Term

For the time being, the UK remains a member of the EU; and the Data Protection Directive (“Directive”) and e-Privacy Directive as currently implemented in UK law continue to apply. The Directive will be replaced by the EU General Data Protection Regulation (GDPR) in May 2018, and in the coming period the e-Privacy Directive will be updated to reflect the changes that the GDPR will bring. Given the time that will elapse before Brexit actually occurs, it may well be the case that the GDPR will come into force before the UK formally exits the EU.

As the GDPR has the form of an EU regulation, it will be directly applicable in all EU Member States, and no steps need to be taken by the UK for it to be implemented in the national law of the UK. Further, it may well be the case that the UK will have to implement the amended e-Privacy Directive into UK law before Brexit takes place. Until the UK formally exits the EU, data transfers between the UK and the other countries in the EU may continue to occur because the EU data transfer rules do not apply to transfers of personal data within the EU.

Changes After Brexit

The situation will change when UK leaves the EU. From that moment on, the GDPR will no longer be applicable in the UK. The national laws implementing EU directives (including the e-Privacy Directive) will, however, remain in force until they are amended or repealed. Thus, the UK will become a “third country” under the data transfer rules in the GDPR. In this case, personal data can only be exported by a business established in the EU to a third country, such as the UK, if there is an “adequate level of protection” for such data, unless certain conditions have been met.

There are three options under which the UK may obtain the required “adequacy status,” with the third being the most likely:

Becoming an EEA member: The UK may (like Norway, Liechtenstein and Iceland) become a member of the European Economic Area by becoming a signatory to the EEA Agreement. Under Article 7 of the EEA Agreement, the UK would still need to accept being bound directly by relevant EU laws relating to the four freedoms, including the GDPR. This option is unlikely to be pursued by the UK government in the form adopted by Norway, Liechtenstein and Iceland, in view of the fact that the UK would need to agree to be bound by many of the rules of the EU that have been unpopular with Brexit supporters, including the free movement of people.

The Swiss solution: Switzerland is not part of the EU or EEA (although it has bilateral agreements with the EU allowing access to the single market). Although not bound by it, Switzerland has fully implemented the Directive into its domestic legislation and, on that basis, has received an “adequacy finding” from the European Commission. Switzerland has already indicated its wish to update Swiss legislation to reflect the application of the GDPR and retain its adequacy status. Also, although Switzerland is not subject to the jurisdiction of the European Court of Justice (ECJ), the ECJ’s case law has had a significant influence on Swiss legislation.

For instance, after the ECJ struck down the EU-US Safe Harbor Decision of the Commission, the Swiss also declared that the Swiss-US Safe Harbor did not provide a sufficient legal basis for exporting data from Switzerland to the U.S. As with becoming a member of the EEA, the Swiss model would require the UK to adopt the GDPR as it stands now and any further EU legislation on data protection, without having any right to participate in EU rule-making. This option is unlikely to be pursued by the UK government in the form adopted by Switzerland because it would entail the UK agreeing to be bound by many of the rules of the EU which have been unpopular with Brexit supporters, including the free movement of people.

Full adequacy finding: Under this option, he UK would implement its own data protection laws and would then request the Commission to issue a decision that its legal regime is “adequate” when assessed against the standard set by EU data protection law. At first glance, this seems to be the preferred option because it enables the UK to relax some of the rules in order to facilitate trade (as it advocated in the negotiations over the GDPR). However, if the UK wishes to obtain a quick adequacy decision to continue to facilitate data transfers between the UK and the EU also upon exit, it will likely have to implement provisions that are close to the GDPR. Any other approach could set the UK back in getting a quick adequacy decision.

The EU may well be averse to any softening of the rules that would give the UK an advantage over EU Member States, or enable some sort of forum shopping. It is therefore not surprising that the UK Information Commissioner’s Office (ICO) has already issued a statement that UK data protection standards would have to be equivalent to the GDPR. We note that the UK has been a long-standing advocate of data protection (e.g., it had a law more than 10 years before the Directive was adopted) and there is solid public awareness of privacy laws. The UK has further ratified Convention 108 (which sets core principles for data protection) as well as the European Convention on Human Rights (“ECHR” – which, in article 8, provides for the right to privacy), and the UK is subject to the European Court of Human Right’s competence. The ICO is a member of the Global Privacy Enforcement Network (GPEN), intended to strengthen cross-border information sharing and co-operation in cross-border enforcement among privacy authorities around the world. This all seems to point into the direction of adequacy.

We highlight, however, that the recent Schrems judgment of the ECJ may also have implications for the UK. In the Schrems judgment, the ECJ invalidated the decision of the Commission that approved the Safe Harbor Framework facilitating data transfer to U.S. companies that adhered to this framework, because the privacy of European citizens was not considered to be adequately protected (in short) because the powers of the U.S. intelligence services went beyond what was strictly necessary and proportionate to the protection of national security and individuals did not have adequate means of judicial redress to protect their privacy. The concern that the intelligence services have overly broad surveillance powers may well also apply to the UK intelligence services. More clarity may come from three cases pending before the European Court of Human Rights, which were instigated by the UK Bureau of Investigative Journalism and a number of civil rights organizations, and claim that the generic surveillance powers of the UK intelligence services violate Article 8 of the European Convention on Human Rights.

Conclusions

In the short term, until the UK ceases to be a member of the EU, nothing changes and data transfers may continue as they currently do.

Whichever of the three options the UK ultimately follows to obtain adequacy status, the end result will be UK data protection legislation that is very much aligned with the upcoming GDPR and other EU privacy rules.

Next Steps for Businesses

• While it is expected that the Commission will eventually confirm “adequacy status” for whatever data protection laws the UK puts in place post-Brexit, it is possible that this may not have been done at the precise time of exit. This situation would require businesses to put in place alternative data transfer arrangements for transfers from within the EU to the UK, such as the entering into of standard contractual clauses (SCCs). Controllers and processors can also “adduce appropriate safeguards” for their intra-group transfers by adopting binding corporate rules (“BCRs”). In any case, in the aftermath of the Schrems judgement, we see a trend of companies moving to implement BCRs in order to be less dependent on the adequacy decisions of the Commission and the negotiations of the EU and US in respect of the terms of the new Privacy Shield.

• Given the lead time it takes to implement the GDPR requirements into business processes, businesses in the UK should continue their GDPR readiness programs. As indicated above, the rules that the UK will ultimately implement in all likelihood will closely resemble the GDPR. Note further that the GDPR may continue to apply to the data processing activities of UK companies where they offer goods or services to citizens in other EU countries, or otherwise monitor their behavior. The same will apply to UK companies with offices in other EU countries operating central data processing systems.

• The ICO has acted as the lead data protection authority (“DPA”) in approving BCRs in many instances. After the exit, the ICO will no longer be authorized to act as lead DPA. Companies with BCRs where the ICO is lead DPA will therefore have to approach another EU DPA to act as their lead DPA. Businesses applying for BCRs and having to select a lead DPA and co-leads should consider taking this into account.

 

*          *        *

For more insights regarding the potential legal implications of the recent Brexit vote, please see our MoFo Brexit Briefings page on the Morrison & Foerster website.

 

 

 

 

 

Social Links: Livestreaming goes mainstream; social-media-use guidance for judges; three years in jail for trolling?

Posted in Ethics, Livestreaming, Marketing, Protected Speech

Facebook signs more than $50 million worth of deals with media firms and celebrities to create videos for its live-streaming service.

Tumblr is jumping on the live video bandwagon, too—but via live-streaming platform partners, not through its own service.

C-Span picked up live feeds of the Democratic sit-in over gun-control legislation that representatives shot on Periscope, Facebook Live and other social platforms.

Twitter will now let you see when tweets are from a specific place, like a business, sports stadium, or music festival.

Is Snapchat on its way to becoming the first “social augmented reality platform”?

An Orlando prosecutor was fired for posting offensive statements about the city on social media shortly after the Pulse nightclub shooting.

A guy in Australia faces three years in jail for “criminal trolling.

After a judge running for re-election commented on a case he was presiding over on his campaign page on Facebook, the New Mexico Supreme Court issued guidance for judges on social media use.

Social Times explains why Lego’s social media marketing efforts are worth emulating.

Twitter launched a standalone app designed to help famous people interact with their fans and build a bigger following.

Speaking of celebrities, here’s a list of seven movie stars who refuse to participate in social media.

The Kirtsaeng Opinion: Supreme Court Guidance on Attorneys’ Fees Awards in Copyright Cases

Posted in Copyright, Litigation

Recently, in Kirtsaeng v. John Wiley & Sons, Inc., the U.S. Supreme Court provided substantial guidance in an unsettled area of law by holding that, when deciding whether to award attorneys’ fees under 17 U.S.C. §505, the Copyright Act’s fee-shifting provision, a court should give substantial weight to the objective reasonableness of the losing party’s position while still taking into account all other circumstances relevant to granting fees.

Background

This story begins with an enterprising college student buying foreign textbooks on the cheap to sell in the United States for a profit. Petitioner Supap Kirtsaeng came to the United States from Thailand to study math at Cornell University. Respondent John Wiley & Sons (“Wiley”), an academic publishing company, sells textbooks to students in U.S. and foreign markets. Kirtsaeng noticed an arbitrage opportunity: Wiley’s textbooks sold in Thailand were virtually identical to their
American counterparts, but much cheaper. Kirtsaeng asked family and friends to buy the foreign editions so that he could sell them to his fellow students for a profit.

Wiley discovered what Kirtsaeng was doing and sued him for copyright infringement, claiming that his activities violated Wiley’s exclusive right to distribute its copyrighted textbooks. Kirtsaeng invoked the first-sale doctrine as a defense. Under that doctrine, the lawful owner of a book or other copyrighted work is able to resell or otherwise dispose of the work as he sees fit. In short, Kirtsaeng argued that if he bought the book lawfully, he could sell it to whomever he wished.

But at the time Kirtsaeng raised the defense, lower courts were conflicted as to whether the first-sale doctrine applied to foreign-made books, and the Supreme Court ultimately divided four to four the first time it addressed the issue in Costco Wholesale Corp. v. Omega, S.A. in 2010. To settle the continuing conflict, the Court granted Kirtsaeng’s petition for certiorari on the issue and established that the first-sale doctrine allows the resale of foreign-made books, just as it does domestic ones. Kirtsaeng thus prevailed in defending against Wiley’s infringement claim.

To the Victor Goes the Spoils?

Returning victorious to the district court, Kirtsaeng invoked 17 U.S.C. §505 to seek more than $2 million in attorneys’ fees from Wiley. The district court denied his motion, and the Second Circuit affirmed. The Supreme Court granted certiorari because lower federal courts had followed a variety of different approaches when determining whether to award attorneys’ fees.

The Copyright Act’s fee-shifting provision states that a district court “may . . . award a reasonable attorney’s fee to the prevailing party.” It authorizes attorney fee-shifting but without specifying what standards or guideposts the courts should adopt in determining when such awards are appropriate. Quoting the Supreme Court’s 1994 opinion Fogerty v. Fantasy, Inc., the Court explained that the statutory language “connotes discretion” and lacks any “precise rule or formula” for awarding fees.

The Court acknowledged the limits that it has placed on a court’s discretion: A district court may not award attorneys’ fees as a matter of course but must instead make a case-by-case determination, and may not treat prevailing plaintiffs and prevailing defendants differently; litigants should be encouraged to litigate to the same extent whether they are plaintiffs or defendants. Additionally, several nonexclusive factors should inform a court’s decision: “frivolousness, motivation, objective unreasonableness[,] and the need in particular circumstances to advance considerations of compensation and deterrence.” But the Court recognized that there was “a need for some additional guidance” for lower courts.

The Supreme Court agreed with Wiley that, in deciding whether to award fees, a district court should give “substantial weight to the objective (un)reasonableness of a losing party’s litigating position.” In so ruling, the Court rejected Kirtsaeng’s argument that district courts should give special consideration to whether a lawsuit resolved an important and close legal issue and thus meaningfully clarified copyright law.

The Court reasoned that the objective-reasonableness approach advances the Copyright Act’s goals because it both encourages parties with strong legal positions to stand on their rights and deters ones from weak legal positions from proceeding with litigation. According to the Court, when a litigant is clearly correct, the likelihood that he or she will recover fees gives him or her an incentive to litigate all the way, even if the damages at stake are small.

The Court also explained that the objective-reasonableness approach is more administrable than the “important and close legal issue” approach supported by Kirtsaeng because it would be difficult for a court to know at the end of a case whether a newly decided issue will have critical, broad legal significance.

The Court made clear, however, that objective reasonableness, while an important factor, is not always controlling. In any given case, even when a party’s position is objectively reasonable, a court may still award attorneys’ fees based on other relevant factors; and it may deny fees even though the losing party made unreasonable arguments. “Although objective reasonableness carries significant weight, courts must view all the circumstances of a case on their own terms, in light of the Copyright Act’s essential goals.”

Wiley Seems Reasonable

Lower courts had concluded that Wiley’s position on the first sale doctrine was objectively reasonable, especially considering that several courts of appeals and four Justices of the Supreme Court had agreed that the first-sale doctrine did not apply to foreign-made works. The Court nevertheless remanded the case so the district court could again review Kirstaeng’s fee application—giving substantial weight to the reasonableness of Wiley’s litigating position but also taking into account all relevant factors.

*      *      *

For other Socially Aware blog posts regarding U.S. Supreme Court decisions addressing important issues of copyright law, please see the following:

Supreme Court Finds Laches Does Not Bar Copyright Infringement Claim: Petrella v. Metro-Goldwyn-Mayer, Inc.

Supreme Court Holds That “First Sale” Doctrine Applies to Copies of a Copyrighted Work Lawfully Made Abroad

Supreme Court Stifles Aereo, but Tries to Keep the Cloud Away

 

Social Links: The ramifications of Microsoft’s LinkedIn purchase; the brands using Snapchat; lawyers’ social media use

Posted in Advertising, Ethics, Marketing, Mobile, Online Promotions

Lots of press surrounding Microsoft’s purchase of LinkedIn: Will LinkedIn change as a result? Will the Microsoft purchase inspire a Twitter acquisition?

“Spam King” gets 30 months in jail for sending 27 million messages.

One columnist says you should stop measuring your social media marketing reach.

Twitter is now allowing brands to target ads to people based on their use of sentiment, food and passion emojis.

Entertainment streaming companies are tapping social media to learn what resonates with viewers.

Brands can now create their own ads on YouTube on the cheap using a smartphone.

Here’s an infographic illustrating how lawyers are using social media to market themselves.

Some insight into why influencer marketing works and best practices for teaming up with influencers online.

This article describes what kinds of brands are joining Snapchat, and what types of content they’re posting to the platform.

Snapchat aims to become a huge player in digital ads. Here’s how.

California Court of Appeal Rules That State Attorney General’s Privacy Suit Over Fly Delta Mobile App Is Preempted

Posted in Compliance, Litigation, Privacy

95486697_thumbnailIn the recently decided People ex rel. Harris v. Delta Air Lines, California’s Court of Appeal unanimously affirmed the dismissal of the State of California’s complaint against Delta Air Lines, Inc., which alleged that the company’s Fly Delta mobile application violated California’s privacy laws. The Court of Appeal held that the lawsuit was expressly preempted by the Airline Deregulation Act of 1978 (ADA). The holding is in line with other cases broadly applying the ADA’s preemption provision and limits the extent to which airlines may be required to comply with state privacy laws.

California’s Lawsuit

The California Attorney General (AG) brought the lawsuit against Delta to enforce California’s Online Privacy Protection Act of 2003 (CalOPPA), In pertinent part, CalOPPA requires an operator of a commercial website or online service to draft and post online a privacy policy informing consumers in California “of the Web site’s or online service’s information practices with regard to the consumers’ personally identifiable information[.]” CalOPPA also places certain other requirements on operators of websites or online services.

The AG argued that Delta violated CalOPPA in connection with the Fly Delta mobile app, which can be downloaded from the Internet and used on smart phones and other mobile devices (and therefore arguably makes Delta “an operator of online services” subject to CalOPPA). Users can do a variety of things on the app, including checking in for flights, viewing reservations for air travel, pricing and buying tickets, paying for and tracking checked baggage, and accessing their frequent flyer accounts. The app also purportedly allows users to send and receive information over the Internet, and collects certain personally identifiable information (PII) about individuals residing in California.

The AG alleged that Delta did not conspicuously post a privacy policy in connection with the app as required by CalOPPA. According to the complaint, app users allegedly were not informed that their PII was collected, how Delta used such information, or with whom that information was shared, disclosed, or sold. The AG first notified Delta that the app did not comply with CalOPPA in an October 2012 letter. Less than two months later, the AG filed its complaint alleging that the app “does not have a privacy policy conspicuously posted, i.e., reasonably accessible to consumers within the [mobile application.]” The AG’s complaint contained a single cause of action under California’s Business and Professions Code section 17200 (the “unfair competition law” or UCL), claiming that Delta’s CalOPPA violations were “unlawful, unfair, or fraudulent business acts and practices” under the UCL.

Delta responded with a demurrer in which it argued that the ADA expressly preempted the AG’s lawsuit. The ADA is a 1978 federal law intended to remove government control over fares, routes, and new carriers entering the market in the commercial aviation field. The ADA contains an express preemption provision  that prohibits the states from enacting or enforcing any law, regulation, or provision “related to a price, route, or service of an air carrier . . . ” The trial court agreed with Delta, sustaining the demurrer without leave to amend and dismissing the complaint with prejudice. The AG appealed.

The Court of Appeal’s Opinion

The Court of Appeal affirmed, holding that the ADA preempted California’s UCL claim against Delta. The court began by reiterating the “‘two cornerstones’ of federal preemption analysis”: First, that congressional intent is the focus of the analysis, and second, that there is a presumption against preemption.

Supreme Court Precedent

Applying those cornerstone principles here, the court was guided by three cases in which the U.S. Supreme Court addressed the reach of the ADA’s preemption provision: Morales v. Trans World Airlines, Inc. (1992), American Airlines, Inc. v. Wolens (1995), and Northwest, Inc. v. Ginsberg, 134 S. Ct. 1422 (2014).

In Morales, the Supreme Court held that the ADA preempted Travel Industry Enforcement Guidelines composed by the National Association of Attorneys General (NAAG). The NAAG guidelines purported to govern the content and format of airline fare advertising and were designed to stop allegedly deceptive airline advertisements. The Supreme Court interpreted the “relating to” language in the ADA preemption clause broadly, and held that the ADA preempted the NAAG guidelines because they were “related to” a price, route, or service of an air carrier.

The Court similarly found that the ADA preempted the plaintiffs’ claims in Wolens. In Wolens, the plaintiffs alleged American Airlines’ retroactive modification of its frequent flyer program violated Illinois’ Consumer Fraud and Deceptive Business Practices Act. The Supreme Court held that the claims related to American Airlines’ “‘[prices],’ i.e. American’s charges in the form of mileage credits for free tickets and upgrades, and . . . ‘services,’ i.e. access to flights and class‑of-service upgrades unlimited by retrospectively applied capacity controls and blackout dates.” Because they related to prices and services, the claims were preempted by the ADA.

In Ginsberg, the Supreme Court reaffirmed its broad interpretation of the ADA’s preemption provision. The Court concluded that the ADA preempted the plaintiffs’ claims for breach of the implied covenant of good faith and fair dealing stemming from allegations that the airline terminated their memberships to its frequent flyer program. The Court found that airline’s frequent flyer program was “related to” the airline’s prices and services, and thus that the claims were preempted by the ADA.

ADA Preemption, CalOPPA, and the Fly Delta App

Turning to California’s claim here, the court began by addressing a few issues that had been resolved by Morales and Wolens.

First, the court noted that, in assessing whether the ADA preempts the AG’s UCL action, the court would examine the underlying state law predicate—i.e., CalOPPA.

Second, the court explained that, in analyzing the preemption issue, it was not required to apply the presumption against preemption because the field governed by the ADA—air transportation—has long been regulated at the federal level.

Third, the court rejected the AG’s argument that the complaint did not “relate to” Delta’s service. The app was designed to facilitate access to the airline’s services, and the AG was trying to compel Delta to maintain the app in compliance with CalOPPA. Thus, the lawsuit “related to” Delta’s services. Notably, the court did not decide whether the app itself was a “service” within the meaning of the ADA.

The court then concluded that the ADA preempts California’s UCL/CalOPPA claim as applied to Fly Delta. The court explained that CalOPPA is not a mere “disclosure regimen” within which operators of online services may act with broad discretion. Rather, CalOPPA is similar to the consumer protection legislation at issue in Morales and Wolens, and has the potential to intrusively regulate airlines.

Moreover, as in Morales, the obligations imposed by CalOPPA would significantly affect the airline’s ability to market its product through the app, and would therefore have a meaningful impact on the fares Delta charges. As the court explained, quoting Morales: “If each AG were to require Delta to comply with its own version of CalOPPA, it would force Delta to design different mobile applications to meet the requirements of each state. And, indeed, enforcement of the CalOPPA’s privacy policy requirements might well make it impossible for an airline to use a mobile application as a marketing mechanism at all.”

Finally, the court rejected the AG’s argument that CalOPPA would have only “a peripheral effect on ticket prices, routes, or airline services.” CalOPPA would instead “require Delta to meet state standards regarding privacy policy requirements in place of the market forces currently dictating Delta’s selection and design of” Fly Delta.

Because the ADA preempted California’s UCL claim for violation of CalOPPA, the court upheld the dismissal of the complaint. And it did so without leave to amend, finding that there was no reasonable possibility that the AG could amend to avoid ADA preemption.

What This Means

Delta reinforces the broad scope of the ADA’s preemption provision. As the case makes clear, airlines have a strong argument that state laws like CalOPPA, which apply across industries and seem to have only a remote effect on the airline’s prices, routes, or services, simply cannot be applied to them. But this does not mean that the airlines may operate unchecked in areas governed by CalOPPA and other preempted laws. As the Delta court noted, quoting Wolens, Morales, and Ginsberg: “[T]he DOT retains authority to investigate unfair and deceptive practices and unfair methods of competition by airlines, and may order an airline to cease and desist from such practices or methods of competition.” The court further stated that DOT appears to have “taken action” related to the collection of PII by air carriers, and privacy policies for the sharing and storage of that PII. To date, however, the DOT has issued no regulations governing the form and placement of privacy policies related to an airline’s mobile app. And until the DOT does, state privacy laws cannot fill the gap.

 

*      *      *

For more information regarding this subject, please see our November 2012 post California A.G. Makes Good on Promise to Pursue Apps That Don’t Comply With the State’s Privacy Policy Law.

 

 

Terms and Conditions Buried in Easily Ignored Scroll Box Don’t Cut It, the Seventh Circuit Holds

Posted in E-Commerce, Litigation, Terms of Use

terms and conditionAs we have noted before, if you want to increase the likelihood that your website terms of use are enforceable against users, you need to do two things. First, you need to display the terms to users in a conspicuous way, and second, you need to require users to affirmatively accept the terms. Sgouros v. Transunion Corporation, a recent Seventh Circuit case, demonstrates that half measures won’t cut it.

Gary Sgouros, the plaintiff in Sgouros, alleged that Transunion had sold him an inaccurate credit report through Transunion’s website. Transunion filed a motion to compel arbitration based on an arbitration provision contained in the website’s terms of use. In discussing whether that arbitration provision was enforceable against Sgouros, the court goes into considerable detail regarding the ordering process on Transunion’s site.

Specifically, to complete his purchase of a credit report on Transunion’s site, Sgouros was required to complete several steps:

  1. Click on a large “Click Here” button on the website’s homepage under the heading “Get Your Credit Score & Report.”
  2. Furnish identifying information, and click “yes” or “no” to Transunion’s offer to send offers from its “trusted partners,” and then click a large orange button labeled “Submit & Continue to Step 2.”
  3. Create a user account name and password, input credit card information and click a “yes” or “no” bubble in answer to a question about whether the user’s billing information is the same as his or her home address.
  4. Click a button stating: “You understand that by clicking on the ‘I Accept & Continue to Step 3’ button below, you are . . . authorizing TransUnion Interactive, Inc. to obtain information from your personal credit profile . . .”

That was all Sgouros needed to do to purchase the credit report—at no point was he required to review or expressly accept the website’s terms of use.

The “I Accept & Continue to Step 3” button was, however, located below a rectangular scroll window with the words “Service Agreement” at the top, and the small hyperlinked words “Printable Version” appeared beneath the scroll box. The 10-page printable version of the Service Agreement in the scroll box did mention the arbitration provision on its first page and did include that arbitration provision in full on its eighth page. But the scroll window allowed Sgouros to view only three lines of text at a time, and no mention of the arbitration provision appeared in the immediately visible text.

Most significantly, the “I Accept & Continue to Step 3” button did not require Sgouros to first click on the scroll box or to scroll down to view its complete contents, nor did it call Sgouros’s attention to the arbitration provision in any way. The court detailed the shortcomings of Transunion’s implementation as follows:

[T]he web pages on which Sgouros completed his purchase contained no clear statement that his purchase was subject to any terms and conditions of sale. The scroll box contained the visible words “Service Agreement” but said nothing about what the agreement regulated. The hyperlinked version of the Service Agreement was not labeled “Terms of Use” or “Purchase” or “Service Agreement,” but rather just “Printable Version.” And . . . the visible words “This Service Agreement . . . contains the terms and . . . conditions upon which you . . . may access and use . . . ” fall short of providing notice that the purchase of a consumer credit score is subject to the agreement.

On these facts, the Seventh Circuit held that Sgouros’s click on the “I Accept & Continue to Step 3” button did not bind Sgouros to the arbitration provision in the terms of use because “this type of electronic ‘click’ can suffice to signify the acceptance of a contract” only “as long as the layout and language of the site give the user reasonable notice that a click will manifest assent to an agreement.” The opinion also notes that “[n]o court has suggested that the presence of a scrollable window containing buried terms and conditions of purchase or use is, in itself, sufficient for the creation of a binding contract.”

Sgouros is not the first case to demonstrate how crucial it is to implement website terms of use in a way that clearly connects the user’s affirmative actions to acceptance of the terms. The user must know exactly what he or she is doing by clicking the button or checking the box. Transunion had a terms of use, and Transunion required the user to click a button. But Transunion’s implementation failed to clearly connect those two things:

[W]hat cinches the case for Sgouros is the fact that TransUnion’s site actively misleads the customer. The block of bold text below the scroll box told the user that clicking on the box constituted his authorization for TransUnion to obtain his personal information. It says nothing about contractual terms. No reasonable person would think that hidden within that disclosure was also the message that the same click constituted acceptance of the Service Agreement.

Accordingly, the court denied Transunion’s motion to compel arbitration, adding one more entry to the list of companies that have lost the protection of their carefully crafted terms of use solely due to a poorly-implemented website checkout process.

*      *      *

For more on website Terms of Use, please see the following Socially Aware posts:

Three Steps to Help Ensure the Enforceability of Your Website’s Terms of Use

Implementing and Enforcing Online Terms of Use

Please also check out Aaron Rubin’s video series regarding online Terms of Use:

Website Terms of Use: Are They Really Necessary?

Website Terms of Use: Check That Box!

Website Terms of Use: Out With the Old

Social Links: Social’s potential to upend the investment industry; online ad fraud; a proposal to fix Twitter

Posted in Advertising, Compliance, Digital Content, Disappearing Content, Endorsement Guides, Ethics, Fraud, FTC, Marketing

Social media has upended a number of industries. Is Wall Street next?

Facebook is getting into the video game live-streaming business.

Steven Avery’s defense attorney is keeping her 163,000 Twitter followers abreast of her ongoing defense work on behalf of the “Making a Murderer” documentary subject, and some lawyers think it’s a bad idea.

Five quick and easy ways to double your social media following.

Fake Internet traffic schemes will become the second-largest market for criminal organizations behind cocaine and opiate trafficking.

Bots and fraudsters are feasting on political ad dollars.

People are spending less time on social media apps these days? With Snapchat on pace to have more than 58 million active users this year, we’re skeptical.

The man who created the Internet wants to create a less centralized web with more privacy and less government and corporate control.

Should Twitter limit the number of tweets users can send each day? Other platforms see the value in limiting posts.

In the UK the number of arrests over offensive social media posts is soaring.

Research shows an alarming number of people in the UK can’t distinguish between marketing and non-commercial content on social media, indicating potential breaches of the CAP Code (the UK’s version of the FTC’s Endorsement Guides). Here’s how social media marketers in the UK can stay on the right side of the law.

Google co-founder Larry Page is secretly building flying cars.

Our attention spans are decreasing. Here’s how that should affect your brand’s website and social media strategy.

In a massive recent theft of Twitter usernames and passwords, “123456” was the most commonly used passcode by far. Sigh.

 

Social Links: The rise of social news; how technology hijacks our attention; are websites a dying business?

Posted in Compliance, Cyberbullying, Digital Content, Disappearing Content, European Union

In a fascinating, must-read article, a Google design ethicist explains the techniques that engineers and entrepreneurs employ to keep us hooked on the web.

A majority of U.S. adults—62%—now get their news on social media.

An apartment complex in Utah is trying to force its residents to “friend” the complex.

Will the next head of state take over the vast online infrastructure that the Obama administration created as the first administration to digitally engage with its constituency?

Get ready for 74 new emojis.

Tired of being reminded about potentially painful past social media posts? Here’s how to turn off Facebook’s “On This Day” notifications.

Texas inmates are now barred from using social media.

Participating in online social networks in Russia has become risky business.

To comply with a new code of conduct in the European Union, the biggest social media platforms have agreed to remove hate speech within 24 hours.

Are websites a dying business?

Instagram’s mobile app has a new dashboard that allows small businesses to measure the reach of their posts.

Periscope users can now moderate comments during their broadcasts.

Stop telling people there’s a dot in your Gmail address—it doesn’t matter.

Hootsuite CEO Ryan Holmes says it’s important to hop on the Snapchat bandwagon, no matter how old you are. Here’s why.

Big Data Can Lead to Big Legal Problems For Companies

Posted in Big Data, Compliance, Employment Law, FTC, Litigation

lines of binary codes traveling through the virtual tunnel

Deluged with an unprecedented amount of information available for analysis, companies in just about every industry are discovering increasingly sophisticated ways to make market observations, predictions and evaluations. Big Data can help companies make decisions ranging from which candidates to hire to which consumers should receive a special promotional offer. As a powerful tool for social good, Big Data can bring new opportunities for advancement to underserved populations, increase productivity and make markets more efficient.

But if it’s not handled with care, Big Data has the potential to turn into a big problem. Increasingly, regulators like the Federal Trade Commission (FTC) are cautioning that the use of Big Data might perpetuate and even amplify societal biases by screening out certain groups from opportunities for employment, credit or other forms of advancement. To achieve the full potential of Big Data, and mitigate the risks, it is important to address the potential for “disparate impact.”

Disparate impact is a well-established legal theory under which companies can be held liable for discrimination for what might seem like neutral business practices, such as methods of screening candidates or consumers. If these practices have a disproportionate adverse impact on individuals based on race, age, gender or other protected characteristics, a company may find itself liable for unlawful discrimination even if it had no idea that its practices were discriminatory. In cases involving disparate impact, plaintiffs do not have to show that a defendant company intended to discriminate—just that its policies or actions had the discriminatory effect of excluding protected classes of people from key opportunities.

As the era of Big Data progresses, companies could expose themselves to discrimination claims if they are not on high alert for Big Data’s potential pitfalls. More than ever, now is the time for companies to adopt a more rigorous and thoughtful approach to data.

Consider a simple hypothetical: Based on internal research showing that employees who live closer to work stay at the company longer, a company formulates a policy to screen potential employees by their zip code. If the effect of the policy disproportionately excludes classes of people based on, say, their race—and if there is not another means to achieve the same goal with a smaller disparate impact—that policy might trigger claims of discrimination.

Making matters more complex, companies have to be increasingly aware of the implications of using data they buy from third parties. A company that buys data to verify the creditworthiness of consumers, for example, might be held liable if it uses the data in a way that has a disparate impact on protected classes of people.

Expanding Uses of Disparate Impact

For decades, disparate-impact theories have been used to challenge policies that excluded classes of people in high-stakes areas such as employment and credit. The Supreme Court embraced the theory for the first time in a 1971 employment case called Griggs v. Duke Power Co., which challenged the company’s requirement that workers pass intelligence tests and have high school diplomas. The court found that the requirement violated Title VII of the Civil Rights Act of 1964 because it effectively excluded African-Americans and there was not a genuine business need for it. In addition, courts have allowed the disparate-impact theory in cases brought under the Americans with Disabilities Act and the Age Discrimination in Employment Act.

The theory is actively litigated today and has been expanding into new areas. Last year, for example, the Supreme Court held that claims using the disparate-impact theory can be brought under the Fair Housing Act.

In recent years, the FTC has brought several actions under the disparate-impact theory to address inequities in the consumer-credit markets. In 2008, for example, the agency challenged the policies of a home-mortgage lender, Gateway Funding Diversified Mortgage Services, which gave its loan officers autonomy to charge applicants discretionary overages. The policy, according to the FTC, had a disparate impact on African-American and Hispanic applicants, who were charged higher overages than whites, in violation of the Federal Trade Commission Act and the Equal Credit Opportunity Act.

The Good and Bad Impact of Big Data

As the amount of data about individuals continues to increase exponentially, and companies continue to find new ways to use that data, regulators suggest that more claims of disparate impact could arise. In a report issued in January, the FTC expressed concerns about how data is collected and used. Specifically, it warned companies to consider the representativeness of their data and the hidden biases in their data sets and algorithms.

Similarly, the White House has also shown concern about Big Data’s use. In a report issued last year on Big Data and its impact on differential pricing—the practice of selling the same product to different customers at different prices—President Barack Obama’s Council of Economic Advisers warned: “Big Data could lead to disparate impacts by providing sellers with more variables to choose from, some of which will be correlated with membership in a protected class.”

Meanwhile, the European Union’s Article 29 Data Protection Working Party has cautioned that Big Data practices raise important social, legal and ethical questions related to the protection of individual rights.

To be sure, government officials also acknowledge the benefits that Big Data can bring. The FTC in its report noted that companies have used data to bring more credit opportunities to low-income people, to make workforces more diverse and provide specialized health care to underserved communities.

And in its report, the Council of Economic Advisers acknowledged that Big Data “provides new tools for detecting problems, both before and perhaps after a discriminatory algorithm is used on real consumers.”

Indeed, in the FTC’s action brought against the mortgage lending company Gateway Funding Diversified Mortgage Services, the agency said the company had failed to “review, monitor, examine or analyze the loan prices, including overages, charged to African-American and Hispanic applicants compared to non-Hispanic white applicants.” In other words, Big Data could have helped the company spot the problem.

Policy Balancing Act

The policy challenge of Big Data, as many see it, is to root out discriminatory effects without discouraging companies from innovating and finding new and better ways to provide services and make smarter decisions about their business.

Regulators will have to decide which Big Data practices they consider to be harmful. There will inevitably be some gray areas. In its report, the FTC suggested advertising by lenders could be one example. It noted that a credit offer targeted at a specific community that is open to all will not likely trigger violations of the law. But it also observed that advertising campaigns can affect lending patterns, and the Department of Justice in the past has cited a creditor’s advertising choices as evidence of discrimination. As a result, the FTC advised lenders to “proceed with caution.”

As the era of Big Data gets under way, it’s not bad advice for all companies.

*    *    *

This post originally appeared as an op-ed piece in MarketWatch.

For more on potential legal issues raised by Big Data usage, please see our Socially Aware post, Big Data, Big Challenges: FTC Report Warns of Potential Discriminatory Effects of Big Data.