March 2013

The Supreme Court of the United States issued its much-anticipated decision in Kirtsaeng v. John Wiley & Sons, Inc., holding that the “first sale” doctrine protects a buyer or other lawful owner of a copy of a copyrighted work that was lawfully made abroad, following a lawful first sale. The 6-3 decision resolves a contested issue of copyright law on which the Supreme Court had been equally divided 4-4 two Terms ago. Kirtsaeng may be relied upon to protect businesses such as retailers and technology companies that regularly sell copies of foreign goods that contain copyrighted materials.

BACKGROUND

John Wiley & Sons, Inc. is an academic textbook publisher that sells textbooks both in the United States and abroad. Each copy of its textbooks sold outside the United States contains a disclaimer that the copy may be sold only in a particular geographic region and may not be exported to the United States without permission. The contents of the American version and the foreign versions of the textbooks are essentially equivalent.

Supap Kirtsaeng is a citizen of Thailand who moved to the United States to attend undergraduate school. Kirtsaeng’s family and friends in Thailand purchased copies of foreign versions of Wiley textbooks in Thailand, where the textbooks were sold at lower prices than the American versions were sold in the United States, and sent them to Kirtsaeng. Kirtsaeng then resold the copies in the United States, making a profit for himself.

Wiley sued Kirtsaeng for copyright infringement, claiming that the importation into and resale of the textbooks in the United States constituted copyright infringement. Kirtsaeng claimed that his activities were protected under the “first sale” doctrine, 17 U.S.C. § 109(a).

Section 109(a) provides that “the owner of a particular copy or phonorecord lawfully made under this title … is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy or phonorecord.”

A divided panel of the Second Circuit held that Kirtsaeng’s importation and resale infringed Wiley’s copyrights, holding that the “first sale” doctrine did not apply to copies of American copyrighted works manufactured abroad. The federal courts of appeals were divided over the question whether the “first sale” doctrine protects owners of copies of works that were made lawfully outside the United States. The Supreme Court previously had granted review in Costco Wholesale Corp. v. Omega, S.A., No. 08‑1423, to decide this question. In Costco, however, the Court was unable to resolve the issue because it was divided equally by a 4-4 vote. (Justice Kagan was recused in Costco because she had filed a brief in the case on behalf of the United States when she was Solicitor General, arguing that the Court should not grant review.)

THE SUPREME COURT’S DECISION

In a 6-3 decision, the Supreme Court held in Kirtsaeng that the “first sale” doctrine applies to copies of copyrighted works that were lawfully manufactured outside the United States. The Court explained that the “language of § 109(a) read literally” does not support a geographical limitation to the “first sale” doctrine. The phrase “lawfully made under this title,” the Court reasoned, does not mean lawfully made in the United States, but rather “in accordance with” or “in compliance with” the Copyright Act, wherever the copy was made.

Moreover, the Court believed “that Congress, when writing the present version of § 109(a), did not have geography in mind.” Section 109(a)’s predecessor statute referred to works that were “lawfully obtained.” The Court explained that Congress changed that wording to “lawfully made under this title” not to impose a geographic limitation but for other reasons, including to make clear that a lessee of a copy will not receive protection and to exclude copies that were pirated.

The Court also was concerned with implications for owners of copies of works, stating that “reliance upon the ‘first sale’ doctrine is deeply embedded in the practices of those, such as book sellers, libraries, museums, and retailers, who have long relied upon its protection.”

Justice Breyer delivered the Court’s opinion. Justice Kagan filed a separate concurring opinion, joined by Justice Alito, although both Justices fully joined the Court’s opinion.

Justice Ginsburg dissented, joined by Justice Kennedy in full and by Justice Scalia with respect to all but the discussion of legislative history. In their view, “Congress intended to grant copyright owners permission to segment international markets by barring the importation of foreign-made copies into the United States.”

KIRTSAENG’S SIGNIFICANCE FOR BUSINESSES

Kirtsaeng provides a measure of assurance to businesses that distribute products containing components lawfully made abroad. The Court noted that many businesses rely extensively on the “first sale” doctrine to import and sell products that contain copyrighted components: “Technology companies tell us that ‘automobiles, microwaves, calculators, mobile phones, tablets, and personal computers’ contain copyrightable software programs or packaging.” A geographical limitation to the “first sale” doctrine “would prevent the resale of, say, a car, without the permission of the holder of each copyright on each piece of copyrighted automobile software.” Moreover, “over $2.3 trillion worth of foreign goods were imported in 2011,” many of which “bear, carry, or contain copyrighted” materials.

The Court’s holding also benefits businesses such as museums, as well as libraries. In reaching its decision, the Court considered the issue that a geographical interpretation of the phrase “lawfully made under this title” might require art museums that display foreign-produced works (e.g., paintings by Pablo Picasso) pursuant to Section 109(c)—which contains the same “lawfully made under this title” language as Section 109(a)—“to obtain permission from the copyright owners before they could display the work … even if the copyright owner has already sold or donated the work to a foreign museum.” Likewise, the Court observed that “library collections contain at least 200 million books published abroad,” and a geographic limitation to the “first sale” doctrine “will likely require the libraries to obtain permission … before circulating or otherwise distributing these books.” Kirtsaeng, as a result, protects these entities with respect to works lawfully made abroad, following a lawful first sale.

On the other hand, companies that price products differently across geographic markets may wish to revisit their pricing strategies in view of Kirtsaeng, and may seek to tailor products, where possible, to the needs of a particular region. The Kirtsaeng decision may also impact a company’s decision to distribute content electronically, rather than in print.

Finally, while the analysis in Kirtsaeng rests primarily on statutory interpretation of Section 109 of the Copyright Act, it is worth noting that the result in Kirtsaeng is markedly different from the Federal Circuit’s controversial precedent in the Jazz Photo cases on patent exhaustion and will likely reignite the debate in that area.

We have written before about cases involving disputes between employers and employees over work-related social media accounts, but a new case out of Arizona federal court raises issues that appear to be unlike those we have addressed previously.

In Castle Megastore Group, Inc. v. Wilson, plaintiff Castle Megastore Group (CMG), a retailer of novelty and adult-themed merchandise, brought suit against three former employees for various causes of action related to the employees’ alleged misuse of CMG’s confidential information. Among its allegations, CMG claimed that one of the defendants, Michael Flynn, uploaded a video of a confidential CMG managers’ meeting to Flynn’s private Vimeo account and shared access to this video with the other two defendants (who had both been fired from CMG prior to the sharing of the video). CMG also alleged that Flynn, after having been fired, changed the username and password of the Facebook page he created for CMG while employed as CMG’s Social Media Specialist.

CMG appears to have brought its social media-related claims solely under the Stored Communications Act (SCA), a federal statute that provides for a cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided; or intentionally exceeds an authorization to access that facility, and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system.”

The SCA protects individuals’ privacy in their electronic communications by making it criminally punishable for hackers and other unauthorized individuals to obtain, alter or destroy such communications. The statute, however, also provides relief to aggrieved parties in civil causes of action. The SCA has, for instance, been invoked by employees whose employers have improperly accessed, and read messages from, the employees’ private email accounts.

CMG alleged that Flynn violated the SCA when he posted the managers’ meeting on his Vimeo account and when he shared access to the site with the other two defendants. CMG also alleged that the other two defendants violated the SCA when they accessed the posted video.

In its ruling on the defendants’ motions to dismiss, however, the court found that, while Vimeo might be an “electronic communication service” within the meaning of the SCA, CMG failed to allege that Flynn lacked authority to authorize others to view his Vimeo account, a required element for SCA liability. Accordingly, CMG failed to state a claim that the two former employees with whom Flynn shared access to the video violated the SCA. Further, while CMG alleged that Flynn was not authorized to have or to share the video, it did not allege that Flynn obtained the video through unauthorized access of an electronic communication service—also necessary to state a claim under the SCA. The court therefore dismissed CMG’s SCA claims related to the uploading and accessing of the managers’ meeting video.

Regarding Flynn’s alleged changing of the Facebook account password, the court held that CMG failed to allege facts about the company’s use of the Facebook page from which the court could conclude that the page was an electronic communication service under the SCA. The court therefore dismissed the claim, finding that “[t]he threadbare statement that Flynn changed the Facebook password . . . does not state a claim under the SCA.”

With the dismissal of the plaintiff’s SCA claims (the only federal law claims brought in the action), the court declined to exercise supplemental jurisdiction over the remaining state law claims, and granted the defendants’ motions to dismiss the action. In dismissing the case, however, the court granted CMG leave to file an amended complaint. Will CMG be able to re-state its SCA claims so as to address the court’s concerns?  Stay tuned.

According to a federal judge in Oklahoma in Pre-Paid Legal Services, Inc. v. Cahill, simply sharing information about a new job over social media does not mean that you are inviting former co-workers to come join you in violation of a non-solicitation agreement.

On February 12, 2013, U.S. District Court Judge James Payne of the Eastern District of Oklahoma adopted Magistrate Judge Steven Shreder’s report and recommendation on plaintiff Pre-Paid Legal Services, Inc.’s motion for preliminary injunction. Judge Shreder, among other things, rejected issuing an injunction against former employee Todd Cahill’s online activities. In doing so, the court held that general posts on a personal Facebook page about a new employer and invitations to former coworkers to join him on Twitter did not violate Cahill’s non-solicitation agreement.

Cahill was originally hired as a sales associate for Pre-Paid Legal Services, now known as LegalShield. Like Amway, LegalShield generates sales through its multi-level marketing program. Sales associates are rewarded not only for selling the product, but also for building their own team of junior sales associates. A percentage of every sale made by a recruit accrues to the associate who recruited them.

LegalShield tracks the contact information and performance statistics of each associate’s “downline,” the network of recruits, using a password-protected site. Cahill supplemented these resources with private Facebook pages of his own creation, to better communicate with the top sellers in his downline.

Cahill thrived at LegalShield, rising from sales associate to regional manager and eventually becoming a regional vice president. Upon promotion to regional manager, Cahill signed an agreement that included a non-solicitation provision.

In 2012, Cahill decided to leave LegalShield to work with a skin-care company called Nerium, also a multi-level sales firm. Notwithstanding his non-solicitation agreement, he met with other top-performing sales associates at LegalShield and urged them to join him when he left for Nerium. On August 10, 2012, Cahill called a meeting of high-ranking associates, told them of his imminent departure, and invited the curious to email him about his new plans.

The following day, Cahill emailed his resignation letter, and LegalShield cut off access to his downline through its site. With the exception of a final posting to the private Facebook pages that he had set up, Cahill’s relevant social media activity extended only to general updates on Facebook about his new job, and invitations to former coworkers to join Twitter.

In response to LegalShield’s request for a preliminary injunction, the court barred Cahill from direct contact with current LegalShield employees, as his in-person soliciting was undisputed. LegalShield, however, also requested that the court find that Cahill’s social media activity constituted impermissible solicitation.

The court examined Cahill’s activities in light of the defendants’ behavior in two other non-solicitation cases involving social media. In Enhanced Network Solutions Group, Inc. v. Hypersonic Technologies Corp., the court found that a job posting on a LinkedIn page did not constitute “solicitation” because the initial contact came through “a publicly available portal of LinkedIn.” The fact that the defendant, Hypersonic, had publicly posted a job listing that an Enhanced Network employee found did not rise to the level of solicitation.

Similarly, in Invidia, LLC v. DiFonzo, the court held that “friending” a former employer’s customers on Facebook did not constitute impermissible solicitation. There the court stated, “one can be Facebook friends with others without soliciting those friends to change [business].”

In the instant case, the court compared the facts of Invidia and Enhanced Network to Cahill’s behavior and found his actions were even more general. Cahill discussed his new employer in personal Facebook updates, which were directed to his friends at large, and invited former coworkers to sign up for Twitter. The court found that neither act was sufficiently direct to constitute solicitation, and LegalShield offered no evidence that Cahill’s posting would cause irreparable harm or had caused a LegalShield employee to change jobs.

The court did not say that the use of social media—as opposed to traditional means of communication—can never be a means of solicitation. The court left open the possibility that social media behavior that had the effect of targeting or soliciting employees, even absent direct messaging, could be prohibited. It remains possible that impermissible solicitation may be only a tweet away.

Massachusetts appears to have followed California’s lead in opening a litigation floodgate over ZIP code collection at the point of sale. In 2011, the California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011), that a retailer illegally collects personal identification information (PII) when it requests and records ZIP codes from customers paying by credit card. More than 240 class action lawsuits followed.

The Massachusetts Supreme Judicial Court’s recent opinion in Tyler v. Michaels Stores, Inc. (No. SJC-11145) could bring a similar wave of litigation. The Tyler opinion strongly suggests retailers operating in Massachusetts should end the practice of collecting ZIP codes during credit card transactions, and foreshadows future litigation based on this practice. Like the Pineda court, the Massachusetts Supreme Court concluded that a ZIP code constitutes PII under Massachusetts’s credit card PII statute, G.L. c. 93, § 105(a) (“the Credit Card law”). More important for retailers, however, is the Court’s ruling that a plaintiff may bring an action for violation of privacy rights absent identity fraud. This ruling could make Massachusetts the next venue for an explosion of “ZIP code” litigation, and, as we note below, provide reason for retailers to review PII collection policies nationwide.

Massachusetts’s Credit Card law, which closely tracks California’s Song-Beverly Act, prohibits businesses “that accept[] a credit card for a business transaction” to “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.” PII is defined as including, but is not limited to, a credit card holder’s address or telephone number. Similar to California’s statute, the Credit Card law does not apply where a business asks for PII for “shipping, delivery or installation of purchased merchandise or services or for a warranty when such information is provided voluntarily.” A violation of the Credit Card law constitutes an unfair and deceptive trade practice, as defined in G.L. c. 93A, § 2.

The March 11, 2013 opinion came in response to three questions certified by the United States District Court for the District of Massachusetts, where the Tyler case was pending. Plaintiff Melissa Tyler brought the putative class action claiming, among other things, that Michaels collected her ZIP code and then used her name and ZIP code to figure out her address for marketing purposes. While the district court granted Michaels’s motion to dismiss, the court agreed to certify three questions to the Massachusetts Supreme Court:

  1. Does a ZIP code constitute PII under the Credit Card law?
  2. Can a plaintiff bring an action for such a privacy right violation absent identity fraud under the Credit Card law?
  3. Do the words “credit card transaction form” refer equally to an electronic or paper transaction form under the Credit Card law?

Looking at the text of the statute and its legislative history, the Massachusetts Supreme Court determined that the principal purpose of the Credit Card law “is to guard consumer privacy in credit card transactions,” and answered all three certified questions in the affirmative (Slip Opn. At 4,6). Like the California Supreme Court in Pineda, the Massachusetts Supreme Court reasoned that a ZIP code is PII because a ZIP code, when combined with the consumer’s name, provides retailers with enough information to identify the consumer’s address or telephone number, “the very information [the law] expressly [prohibits]”(Id. at 4).

The Massachusetts Supreme Court’s answer that a plaintiff may bring an action for violation of the Credit Card law absent identity fraud is important for retailers, as it opens the door to litigation based on a wide range of injuries (or lack of actual injuries). To bring a claim, the Court instructed plaintiffs to allege a “separate and identifiable ‘injury’ resulting from the allegedly unfair or deceptive conduct,” and provided two examples of such injuries: (1) “actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s [PII]” and (2) “the merchant’s sale of a customer’s [PII] or the data obtained from that information to a third party”(Id. at 5-6). These examples flowed directly from the Court’s conclusion that the primary purpose of the statute is to protect consumer privacy, not to protect against identity fraud.

While these types of injuries may now suffice to justify actions in Massachusetts state court, it remains to be seen whether they will satisfy Article III, which governs standing in federal court. Regardless, the Tyler decision creates a definite litigation risk for retailers in Massachusetts for alleged violations of the Credit Card law, which provides for damages and reasonable attorneys’ fees to successful plaintiffs. Even if the aftermath of Tyler puts retailers in the same position as Pineda put retailers in California, there are strategies under Massachusetts law that retailers can deploy to minimize exposure.

While two state decisions hardly make for a trend, the writing certainly appears to be on the wall that courts may view ZIP codes as PII, particularly given the rise of privacy litigation in recent years. Because many states have statutes on the books like California’s Song-Beverly Act and Massachusetts’s Credit Card law, the time may be right for retailers and other businesses to review ZIP code (or PII) collection policies more widely.

As social media matures and users become more concerned about the privacy of the information they publish online, New Zealand-based search engine app company Profile Technology, Inc. and Facebook are engaged in a legal battle stemming from a dispute over the right to use certain user data. The story first came to light in October 2012, when Profile Technology filed a complaint against Facebook alleging that the social media giant had, after entering into a contract with Profile Technology, breached the contract; interfered with Profile Technology’s business relationships; defamed Profile Technology; and committed unlawful, unfair and fraudulent business practices.

Profile Technology’s complaint sets forth a narrative beginning in 2008, when Facebook and Profile Technology entered into a contract that, according to Profile Technology, was partially written and partially implied by the conduct of the parties. This contract allowed Profile Technology to “crawl” Facebook’s public data in order to create what eventually became “Profile Engine,” a website that allows users to scan through public data of over 420 million Facebook users (making it, according to Profile Technology, “the second-largest social media network in the world”). Profile Technology’s “about” section of the site notes that, on Profile Engine, you can “chat to Facebook friends, browse your newsfeed, meet new people or find a date, all while listening to your favourite music and your friends’ playlists, completely free of charge!”

Profile Technology claims that, around October 13, 2010, Facebook terminated Profile Technology’s contract without notice; cut off Profile Engine’s access to Facebook data; and even de-friended Profile Technology’s founder, Christopher Claydon, from Facebook. This caused Profile Technology to lose business and lose value in the eyes of potential investors. The complaint alleges that Facebook’s actions were part of Facebook’s plan (with several other unnamed defendants) to “impede, interfere with, and expropriate the benefits of the Profile Engine developed by Plaintiffs without regard to Plaintiffs’ legal rights and to exclude Plaintiffs from their use and profit therefrom.” Profile Technology also claimed that Facebook defamed the company by telling Facebook users that links to Profile Engine were “spammy and unsafe,” adding that “Plaintiffs’ Profile Engine is safe and has nothing to do with spam and Facebook knows it.”

In February 2013, Facebook countered with a complaint of its own, which filled in some of the gaps missing from Profile Technology’s otherwise epic tale, and explained some of the facts from a different point of view. In Facebook’s complaint, Facebook notes that Profile Technology agreed to Facebook’s terms of use for both Facebook users and developers (there is no mention of any “implied” contracts). Further, Facebook does not mention terminating Profile Technology’s access in October 2010, but rather points out that Profile Technology claimed to have stopped accessing Facebook’s development platform at that time, due to a refusal to agree to a modification of Facebook’s developer terms of use concerning automated data collection. Facebook points out that, despite this claim, the Profile Engine has posted Facebook user data retrieved subsequent to October 2011. Facebook also notes that after October 2011, Profile Technology continued to make available to the public outdated Facebook user data, which is a violation of Facebook’s terms of use.

As Facebook describes, Profile Technology, while publishing Facebook user data, was not keeping this data current. This meant that pictures a user had deleted from Facebook remained viewable to any Internet user, links to websites with which users no longer wanted to be affiliated remained posted on users’ Profile Engine pages, and certain postings that users had wanted to erase from the Facebook world were memorialized forever. In November 2011, after receiving complaints from its users, Facebook revoked Profile Technology’s license to Facebook and demanded the deletion of all Facebook user information in its possession. As of the date of Facebook’s complaint over a year later, Profile Technology had yet to remove the outdated Facebook user information from its website, causing Facebook to seek an injunction for such removal.

As of this writing, neither case has been dismissed, although the parties may be negotiating a settlement. Whatever the outcome of the cases, it should come as some comfort to Facebook users that the company is fighting to keep its users’ private data out of the public realm. Nonetheless, cases such as this reinforce what should now be ubiquitous advice from parents, teachers and friends: don’t post anything online unless you want the entire world to be able to access it forever. After all, it should come as no surprise how few people and companies actually read and abide by online terms of use.

On March 12, 2013, the Federal Trade Commission (FTC) issued an important update to its “Dot Com Disclosures” guide to advertisers on making effective online disclosures. In doing so, the FTC has driven home the points that:

  • The consumer protection laws apply to all advertisers, regardless of the medium used—and including social media, even where there is limited space;
  • Disclosures required to avoid deception or to otherwise comply with the law must be presented in a clear and conspicuous manner;
  • Advertisers need to understand how their ads—including any disclosures required to avoid deception or to otherwise comply with the law—will actually display in the medium or media in which they appear; and
  • If an advertiser cannot make a required disclosure effectively in a particular medium, then it should not run the ad in that medium.

The FTC issued the original Dot Com Disclosures in 2000, and the recent revision provides guidance with respect to technologies that have emerged since then. Although the fundamental rules have not changed, the guidance provides useful information on how the FTC believes advertisers should comply with the law when making claims in various media.

Continue Reading FTC Updates Its “Dot Com Disclosures” With a Focus on Social Media Advertising

Facebook may be gaining ground in its struggle against German authorities. In a preliminary ruling, the state of Schleswig-Holstein’s Administrative Court has rejected penalties against Facebook Inc. and Facebook Ireland, stating that the social network is not subject to German law. The Schleswig-Holstein state data protection authority (the ULD) started enforcement proceedings against the social media giant in December 2012, when the ULD ordered Facebook to stop enforcing its real-name policy and to allow users to sign up using pseudonyms. The ULD argued that Facebook’s real-name policy violates the data protection provisions of the Telemedia Act (TMG), which provide a right to use electronic information and communication services anonymously, and threatened EUR 200,000 fines (approx. $260,140). Facebook opposed the fines.

In preliminary hearings, the court accepted Facebook’s argument that Facebook’s policies were subject to Irish, not German law. First, the court stated that the choice of German law in the Facebook terms of use did not result in the application of German data protection law. The court also ruled that the fact that Facebook was incorporated in Germany did not trigger application of German law because Facebook Germany GmbH was a mere marketing agent and not involved in the processing of the user data in question. The court concluded that Irish law applied because user data were processed through Facebook’s subsidiary in Ireland.

The court’s holding is in contrast to the December 2011 Opinion of the Düsseldorfer Kreis, Germany’s consortium of state data protection regulators. The Düsseldorfer Kreis held that online social networks that target users in Germany are subject to German law. In particular, social networks that target and collect personal data from users located in Germany via computers and devices located in Germany must comply with German law. Based on the language in the German Federal Data Protection Act, the December 2011 Opinion stated that another European Economic Area (EEA) member state’s law may not take precedence over German law unless there is a sole data controller in the other EEA state.

The Schleswig-Holstein’s Administrative Court, however, drew different conclusions and ruled that the applicable law rules in the German data protection law had to be interpreted in light of the Data Protection Directive. Consistent with the Irish Data Protection Commissioner’s assessments, the court concluded that Facebook had a permanent establishment in Ireland and that the Irish subsidiary was processing the user data (the “other” controller). German law did not apply where there is another controller in the EEA processing the data in question, and where there was no processing of the data through an establishment in Germany. Rather, Irish law applied, even where Facebook Inc. acted as a joint or sole controller, and even where the data were hostedi.e., physically locatedin the U.S.

The court went on to hold that the ULD did have enforcement rights to ensure Facebook’s compliance with the applicable Irish data protection laws, but noted that there was no equivalent, explicit right to anonymous use of electronic information and communication services in Ireland, in contrast to Section 13 of the TMG which establishes that explicit right for citizens in Germany.

In a February 15 press release, ULD president Thilo Wichert objected vociferously to the court’s decision. The ULD plans to challenge the finding in the full proceedings following the preliminary ruling.