Socially Aware Blog - Page 3 of 13 | Social Media Lawyers

Thinking About Using Pictures Pulled From Twitter? Think Again, New York Court Warns

By J. Alexander Lawrence and Jamie Kitano on February 15th, 2013 Posted in Copyright, DMCA, IP, Litigation, Terms of Use

If you want to use those pictures you found on Twitter, beware. A federal judge in New York recently held that taking photos from Twitter to use for a commercial purpose infringes the photographer’s copyrights. On January 14, 2013, Judge Alison Nathan ruled that Agence France Presse (AFP), which provides subscribers with access to photos though an international wire and databank, and the Washington Post (“the Post”) infringed Daniel Morel’s copyrights to photos he posted on Twitter.

In January 2010, freelance photographer Daniel Morel uploaded to his TwitPic account a number of photos he took in Haiti in the immediate aftermath of the earthquake. An individual named Lisandro Suero took those photos from Morel’s Twitter account, reposted them to his own Twitter account, and tweeted that he had exclusive photos of the earthquake. AFP got the photos from Suero’s Twitter page, attributed the photos to Suero, and began distributing them to users of its wire and databank services. Getty Images (“Getty”) received the photos through AFP’s wire service. The Post received the photos from Getty. Getty and the Post published the photos on their websites, with captions that attributed them to Suero.

When Morel’s exclusive agent found out that AFP, Getty and the Post were using his photos, his agent complained. While at least some efforts were made by AFP, Getty and the Post to address Morel’s agent’s complaint, those efforts in most respects fell far short of what is required under the law.

In March 2010, AFP sought a declaratory judgment that it did not infringe Morel’s copyrights, and Morel counterclaimed for copyright infringement against AFP, Getty and the Post. During the course of the case, Morel moved for summary judgment on his copyright infringement counterclaim. In response, the defendants argued that pursuant to the Twitter Terms of Service (TOS), Morel provided them a license to use the photos by his very act of tweeting the photos.

Judge Nathan disagreed. Judge Nathan found that the Twitter TOS provides that users generally retain their rights to the content they post—with the exception of the license granted to Twitter and its partners. Twitter’s “Guidelines for Third Party Use of Tweets in Broadcast or Other Offline Media” further underscored that, while the Twitter TOS permit users to retweet posts, the Twitter TOS was not intended to let the “world-at-large” remove content from Twitter and commercially distribute it. Rebroadcasting tweets in their entirety is now a news program staple and actively encouraged by Twitter. Twitter’s TOS, however, do not permit media outlets to rip copyrighted material out of tweets and use it for some other purpose. Because AFP and the Post put forward no defense other than their license defense, Judge Nathan granted Morel’s motion for summary judgment and found them both liable for copyright infringement.

Unlike AFP and the Post, Getty argued that it was entitled to the benefit of the safe-harbor provisions of the Digital Millennium Copyright Act (DMCA) that protect service providers from liability for copyright infringement. Judge Nathan held, however, that genuine issues of fact existed as to whether Getty could take advantage of the DMCA safe harbor, noting that companies like Getty that are in the business of selling copyrighted material may not be shielded from copyright liability under the DMCA’s safe harbor. Thus, it remains to be seen whether Getty will also be found liable for copyright infringement.

In one bright spot for AFP and Getty, Judge Nathan granted summary judgment in their favor on the proper method for calculating statutory damages under the Copyright Act, which can result in awards of up to $150,000 per work infringed. Morel claimed that he was entitled to a statutory damage award “in the tens or hundreds of millions of dollars” against AFP and Getty. Morel argued that, because AFP and Getty distributed the photos to many of their subscribers, each downstream infringement by one of their subscribers would entitle him to an additional statutory damages award. Judge Nathan disagreed and held that any award of statutory damages against AFP and Getty could not be multiplied based on the number of infringers with whom they may be jointly and severally liable.

This decision clarifies that Twitter users do not lose ownership rights to their content by posting it to Twitter. Although you may have the right to retweet or publish tweets in their entirety, you don’t have the right to take someone else’s content and use it for commercial gain.

FTC Announces Important Settlement With Social Networking App and Releases New Mobile App Report

By Reed Freeman and Nicholas Datlowe on February 7th, 2013 Posted in FTC, Litigation, Privacy

The Federal Trade Commission (FTC) announced a potentially groundbreaking settlement with the social networking app Path and released an important new staff report on Mobile Privacy Disclosures late last week.

The FTC’s Settlement with Path suggests a new standard may be on the near-term horizon: out-of-policy, just-in-time notice and express consent for the collection of data that is not obvious to consumers in context. The FTC has long encouraged heightened notice and consent prior to the collection and use of sensitive data, such as health and financial information. This settlement, however, requires such notice and consent for the collection and use of information that is not inherently sensitive, but that, from the Commission’s perspective, at least, might surprise consumers based on the context of the collection. Only time will tell, but historically Order provisions like this have tended to become cemented as FTC common law. Moreover, although the Children’s Online Privacy Protection Act (COPPA) portions of the settlement do not break new ground, they do serve as a potent—and expensive—reminder that the FTC is highly focused on kids’ privacy online, particularly in the mobile space.

The FTC’s Report reinforces this sentiment by encouraging all the major players in the mobile ecosystem—including app developers, ad networks, and trade associations—to increase the transparency of the mobile ecosystem through clear, accessible disclosures about information collection and sharing at appropriate times.

To continue reading this post, click here.

You Can’t Make a Square Peg Fit in a Round Hole: California Supreme Court Holds Online Purchases of Electronically Downloadable Products Outside Scope of Song-Beverly Act

By David McDowell, Purvi Patel and Megan Low on February 7th, 2013 Posted in Litigation, Privacy

Handing a victory to online retailers, on February 4, 2013, the California Supreme Court held in a split decision that online transactions involving electronically downloadable products fall outside the scope of the Song-Beverly Credit Card Act (Apple v. Superior Court (Krescent), S199384). Despite acknowledging the unique fraud issues present in online transactions, the Court refused to decide the broader issue of whether the Act applies to online transactions that do not involve electronically downloadable products or to any other “card not present” transactions that do not involve in-person, face-to-face interaction between the purchasing customer and the retailer. That said, given the Court’s analysis, it is hard to imagine a different outcome for online transactions as a whole.

This opinion comes nearly two years after the California Supreme Court’s February 2011 decision in Pineda v. Williams-Sonoma Stores, Inc., which held that for purposes of the Song-Beverly Act, ZIP codes constitute “personal identification information” (PII). The Pineda decision opened a floodgate for lawsuits based on retailers’ collection of ZIP codes, resulting in hundreds of cases against brick-and-mortar retailers. Some online retailers were swept up in the post-Pineda litigation frenzy as well and, since then, online retailers and others involved in e-commerce have been waiting to see if the Act, which prohibits businesses from requesting and recording customers’ PII during credit card transactions, applies to online transactions. Although the majority explicitly limited its holding to online purchases of electronically downloadable products, the Court’s 4-3 decision is consistent with the trend in California trial courts (state and federal), which have concluded that online transactions are exempt from the Act.

The “electronically downloadable” transactions at issue in this case involved digital media, i.e., audio and video files customers can purchase and download from the Internet onto their personal computers. The Court held that “this type of transaction does not fit within the statutory scheme,” reasoning that the Legislature did not “intend[] to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products—and the novel challenges for privacy protection and fraud prevention that such commerce presents—within the coverage of the [Act].” The Court supported this reasoning through an extensive examination of the Act’s text, purpose, and history.

Initially, the Court found that the text was not decisive of the issue. Turning to the history and purpose of the Act, the Court explained that “while the Legislature indeed sought to protect consumer privacy, it did not intend to do so at the cost of creating an undue risk of credit card fraud.” For example, the Court focused on the safeguards against fraud provided by Section 1747.08(d) of the Act, which allows retailers to require customers to provide positive identification as a condition of accepting a credit card as payment. Section 1747.08(d) also permits retailers to record certain PII (the customer’s driver’s license number) in “card not present” transactions, which are transactions in which the customer does not make the credit card available for verification. These safeguards evidence the “Legislature’s concern that there be some mechanism by which retailers can verify that a person using a credit card is authorized to do so.” Because application of the Act to electronically downloadable products would provide no mechanism for online retailers to protect against fraud, the Court concluded that the Legislature could not have intended the Act to apply to such products.

The Court also rejected arguments that the 2011 amendment to the Act, which created an exception allowing gasoline retailers to collect ZIP codes in “pay-at-the-pump” transactions, somehow shows that the Act applies to online transactions. In particular, the Court rejected the notion that the narrow exception would be unnecessary surplusage if the Act was not intended to apply to remote (or “card not present”) transactions in the first place. Here, the Court focused on the specific problem the Legislature intended to address by amending the Act: to provide relief to gasoline retailers who had been collecting ZIP codes pre-Pineda for fraud prevention purposes. Finding the plaintiff’s view—that the Legislature would have created a fraud prevention exception for gasoline retailers while leaving online retailers unprotected—counterintuitive, the Court observed that online retailers “have at least as much if not more need for an exemption to protect themselves and consumers from fraud.”

Although online purchases of electronically delivered goods are unquestionably outside the scope of Song-Beverly, the Court declined to close the door—at least in this decision—to online transactions in general. The Court’s concerns about credit card fraud, however, are hardly unique to electronically downloadable products; the same analysis applies with equal force to online transactions generally (as well as other “card not present” transactions). While the logic of the decision suggests that these transactions should also be outside the scope of the Act, we expect that some enterprising plaintiff’s lawyer may take up the issue left undecided and pursue claims either against catalog merchants, telephone order companies, or even online retailers selling tangible goods. We think retailers have the stronger argument.

Watch What You Tweet: Proposed Social Media Guidance for Financial Institutions

By Nathan D. Taylor, Julie O'Neill and Andrew M. Smith on February 4th, 2013 Posted in Financial Institutions, Privacy

With the explosive growth of social media, consumers increasingly expect to be able to interact online with the companies from which they buy goods and services. As a result, financial institutions have begun to explore the use of social media, both to strengthen relationships with existing customers and to attract new ones. Financial institutions, however, have proceeded with extreme caution in using social media, in large part due to uncertainty as to the application of financial laws and regulations to social media and, to the extent they are applicable, how a financial institution can comply.

In response to industry requests for guidance on the use of social media, on January 23, 2013, the Federal Financial Institutions Examination Council (FFIEC) requested public comment on proposed guidance (“Proposed Guidance”) for financial institutions relating to the use of social media. The Proposed Guidance is intended to help financial institutions understand potential risks associated with the use of social media and to communicate the expectations of the agencies that make up the FFIEC for how financial institutions should manage these risks. The Proposed Guidance, however, largely does not address how a financial institution may comply with any particular requirement when using social media.

The following provides an overview of the Proposed Guidance, which may be found here. Comments on the Proposed Guidance must be submitted to the FFIEC by March 25, 2013.

Background on the FFIEC

The FFIEC is a formal interagency body that is authorized to prescribe uniform principles, standards and report forms for the examination of financial institutions by the federal banking agencies, the National Credit Union Administration (NCUA) and the Bureau of Consumer Financial Protection (CFPB) (collectively, the “Agencies”). Historically, banks were the main type of financial institutions to be the focus of FFIEC supervisory guidance; however, the Dodd-Frank Act expanded the membership of the FFIEC to include not only the federal banking agencies and the NCUA, but also the CFPB. As a result, FFIEC guidance now extends to any person supervised by the CFPB, including many types of non-bank financial institutions, such as mortgage brokers, payday lenders, consumer reporting agencies and debt collectors.

The Proposed Guidance

The Proposed Guidance is intended to help financial institutions understand potential risks associated with their use of social media, including compliance, reputation and operational risks, and to communicate the Agencies’ expectations for how financial institutions should manage these risks. Although the Proposed Guidance clarifies that, if finalized, it would not impose additional obligations on financial institutions, the Agencies each intend to issue any final guidance as supervisory guidance to the institutions that they supervise. As a result, financial institutions subject to the Agencies’ supervisory authority will be expected to use the guidance in their efforts to ensure that their risk management practices adequately address the risks associated with their use of social media, including those outlined in the finalized guidance.

“Social Media” Defined

The Proposed Guidance casts a wide net in defining “social media” as any “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” From the Agencies’ perspective, it is social media’s interactive nature that distinguishes it from other online media. The Proposed Guidance includes the following non-exhaustive examples of media that the Agencies believe to fall within the definition:

micro-blogging sites (e.g., Facebook and Twitter);
forums, blogs, customer review websites and bulletin boards (e.g., Yelp);
photo and video sites (e.g., Flickr and YouTube);
professional networking sites (e.g., LinkedIn);
virtual worlds (e.g., Second Life); and
social games (e.g., FarmVille).

Risk Management Programs

A cornerstone of the Proposed Guidance is the expectation that a financial institution will maintain a risk management program through which it identifies, measures, monitors and controls risks related to its use of social media. The Proposed Guidance provides that a financial institution’s risk management program should include the following seven components:

A governance structure with clear roles and responsibilities whereby the institution’s board or senior management directs how the use of social media contributes to the institution’s strategic goals and that establishes controls and ongoing risk assessments.
Policies and procedures regarding the use and monitoring of social media and compliance with applicable consumer protection laws.
An employee training program regarding the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
An oversight process for monitoring information posted to proprietary social media sites administered by, or on behalf of, the financial institution.
A due diligence process for selecting and managing third-party service provider relationships in connection with social media.
Audit and compliance functions to ensure ongoing compliance with internal policies and applicable law.
Parameters for reporting to the institution’s board or senior management that will enable periodic evaluations of the social media program.

As in other areas of financial law and regulation, the expectation would be that the size and complexity of a financial institution’s risk management program would be commensurate with the breadth of the institution’s involvement in social media. For example, a financial institution that relies heavily on social media should have a more detailed program than a financial institution that uses social media only in a limited manner. Nonetheless, the Proposed Guidance indicates that a financial institution that does not use social media should still be prepared to address the potential for negative comments or complaints related to the institution that may arise within social media and also to provide guidance for employee use of social media.

Risk Areas Generally

The majority of the Proposed Guidance focuses on identifying potential risks related to a financial institution’s use of social media, including risk of harm to consumers. In particular, the Proposed Guidance identifies potential risks within three broad categories: (1) compliance and legal risk; (2) reputational risk; and (3) operational risk. While the Proposed Guidance catalogs the many risks presented by the use of social media, the focus is on the risks associated with compliance with consumer protection requirements. Nonetheless, the lengthy identification of risk areas would put financial institutions on notice of the broad scope of their responsibilities with respect to the use of social media.

Compliance and Legal Risk Areas

Compliance and legal risk relates to the risks associated with the failure to comply with laws, rules, regulations, prescribed practices, internal policies and procedures, and ethical standards and the related exposure to enforcement actions and/or private rights of action. The Proposed Guidance cautions that these risks are “particularly pertinent” for an emerging medium like social media where a financial institution’s policies and procedures may not have kept pace with changes in the marketplace.

Although a financial institution would be expected to ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable legal obligations, the Proposed Guidance identifies examples of more than 15 federal laws where a financial institution may be exposed to compliance and legal risk. These examples are broken down into five general categories: (1) privacy; (2) deposit and lending products; (3) payment systems; (4) anti-money laundering; and (5) community reinvestment. Of note, none of these includes any exception regarding the use of social media. As a result, the Proposed Guidance cautions that, to the extent a financial institution uses social media to engage in covered activity (e.g., advertising a credit product), it would be required to comply with any applicable legal requirement that may relate to that covered activity.

We highlight below certain compliance risks identified in the Proposed Guidance that may be relevant to many financial institutions:

Privacy

A financial institution using social media should clearly disclose its privacy policies where required by the Gramm-Leach-Bliley Act.
A financial institution maintaining its own social media site should ensure that it maintains and follows policies restricting access to the site to users 13 or older in a manner consistent with the Children’s Online Privacy Protection Act.
A financial institution should consider whether any unsolicited communication sent to consumers via social media complies with the limitations of the CAN-SPAM Act and the Telephone Consumer Protection Act.

Deposit and Lending Products

A lender should ensure that its use of social media does not violate the Equal Credit Opportunity Act prohibition on making statements in advertising that would discourage, on a prohibited basis, a reasonable person from applying for credit.
A lender that advertises credit products in any form of social media communication should ensure that it does so in a manner that complies with Regulation Z’s advertising requirements.
A debt collector must comply with Fair Debt Collection Practices Act limitations when conducting covered activities through social media, including, for example, being cognizant that that any social media communication does not disclose the existence of a debt or harass or embarrass consumers about their debts (e.g., a debt collector writing about a debt on a Facebook wall).

Payment Systems

A financial institution using social media to facilitate an electronic fund transfer for a consumer should consider whether it is required by Regulation E to, for example, provide any required disclosures to the consumer.

Anti-Money Laundering

Financial institutions should be aware of emerging areas of Bank Secrecy Act and anti-money laundering risk in connection with social media, including, for example, the fact that virtual world Internet games and digital currencies present a high risk for money laundering and terrorist financing and should be monitored accordingly.

Community Reinvestment

A depository institution subject to the Community Reinvestment Act should ensure that its policies and procedures for its own social media properties address the appropriate monitoring of public comments.

Reputational Risk Areas

For purposes of the Proposed Guidance, reputational risk relates to the risks arising from negative public opinion. A financial institution engaged in social media activities would be expected to be sensitive to and properly manage the reputational risks that may arise from its social media activities. The Proposed Guidance provides a number of considerations for financial institutions related to reputational risk in the context of social media use, including that a financial institution should:

have appropriate policies in place to monitor and address in a timely manner the fraudulent use of its brand, such as through phishing or spoofing attacks;
have procedures to address risks associated with members of the public posting confidential or sensitive information (e.g., an account number) on the institution’s social media page or site;
weigh the risks and the benefits of using a third party to conduct social media activities, including, for example, the ability of a financial institution to control content on a site owned or administered by a third party; and
consider the feasibility of monitoring question and complaint forums on social media sites to ensure that customer inquiries, complaints or comments are addressed in a timely and appropriate manner.

Operational Risk Areas

For purposes of the Proposed Guidance, operational risk relates to the risk of loss resulting from inadequate or failed processes, people or systems. These include the risks posed by a financial institution’s use of information technology, including social media. In light of the vulnerability of social media platforms, the Proposed Guidance indicates that a financial institution should ensure that its internal controls designed to protect its information technology systems and to safeguard customer information from malicious software adequately address social media usage. And, in a related point, a financial institution’s incident response program should extend to security incidents involving social media.

* * * *

If the FFIEC finalizes the Proposed Guidance, financial institutions should expect that the Agencies will independently issue the finalized guidance as supervisory guidance to the institutions that they supervise. In such a case, financial institutions will be expected to use the guidance as part of their efforts to address the risks associated with the use of social media and to ensure that their risk management programs provide effective oversight and controls related to the use of social media. Until final guidance is in place, it is important for financial institutions to be cognizant of and consider the extent of their usage of social media and the risks associated with that use and whether existing controls address the types of risks identified in the Proposed Guidance. Finally, financial institutions may also wish to consider whether they will provide comments to the FFIEC on the Proposed Guidance, including, for example, identifying any technological or other impediments to compliance with otherwise applicable law when using social media.

Socially Aware Looks Back: The Social Media Law Year in Review

By John Delaney and Jesse Soslow on February 4th, 2013 Posted in Employment Law, Litigation, Privacy

2012 was a momentous year for social media law. We’ve combed through the court decisions, the legislative initiatives, the regulatory actions and the corporate trends to identify what we believe to be the ten most significant social media law developments of the past year–here they are, in no particular order:

Bland v. Roberts – A Facebook “like” is not constitutionally protected speech

Former employees of the Hampton Sheriff’s Office in Virginia who were fired by Sheriff B.J. Roberts, sued claiming they were fired for having supported an opposing candidate in a local election. Two of the plaintiffs had “liked” the opposing candidate’s Facebook page, which they claimed was an act of constitutionally protected speech. A federal district court in Virginia, however, ruled that a Facebook “like” “…is insufficient speech to merit constitutional protection”; according to the court, “liking” involves no actual statement, and constitutionally protected speech could not be inferred from “one click of a button.”

This case explored the increasingly-important intersection of free speech and social media, with the court finding that a “like” was insufficient to warrant constitutional protection. The decision has provoked much criticism, and it will be interesting to see whether other courts will follow the Bland court’s lead or take a different approach.

New York v. Harris – Twitter required to turn over user’s information and tweets

In early 2012, the New York City District Attorney’s Office subpoenaed Twitter to produce information and tweets related to the account of Malcolm Harris, an Occupy Wall Street protester who was arrested while protesting on the Brooklyn Bridge. Harris first sought to quash the subpoena, but the court denied the motion, finding that Harris had no proprietary interest in the tweets and therefore did not have standing to quash the subpoena. Twitter then filed a motion to quash, but the court also denied its motion, finding that Harris had no reasonable expectation of privacy in his tweets, and that, for the majority of the information sought, no search warrant was required.

This case set an important precedent for production of information related to social media accounts in criminal suits. Under the Harris court’s ruling, in certain circumstances, a criminal defendant has no ability to challenge a subpoena that seeks certain social media account information and posts.

The National Labor Relations Board (NLRB) issued its third guidance document on workplace social media policies

The NLRB issued guidance regarding its interpretation of the National Labor Relations Act (NLRA) and its application to employer social media policies. In its guidance document, the NLRB stated that certain types of provisions should not be included in social media policies, including: prohibitions on disclosure of confidential information where there are no carve-outs for discussion of an employer’s labor policies and its treatment of employees; prohibitions on disclosures of an individual’s personal information via social media where such prohibitions could be construed as limiting an employee’s ability to discuss wages and working conditions; discouragements of “friending” and sending unsolicited messages to one’s co-workers; and prohibitions on comments regarding pending legal matters to the degree such prohibitions might restrict employees from discussing potential claims against their employer.

The NLRB’s third guidance document illustrates the growing importance of social media policies in the workplace. With social media becoming an ever-increasing means of expression, employers must take care to craft social media policies that do not hinder their employees’ rights. If your company has not updated its social media policy in the past year, it is likely to be outdated.

Fteja v. Facebook, Inc. and Twitter, Inc. v. Skootle Corp. – Courts ruled that the forum selection clauses in Facebook’s and Twitter’s terms of service are enforceable

In the Fteja case, a New York federal court held that a forum selection clause contained in Facebook’s Statement of Rights and Responsibilities (its “Terms”) was enforceable. Facebook sought to transfer a suit filed against it from a New York federal court to one in Northern California, citing the forum selection clause in the Terms. The court found that the plaintiff’s clicking of the “I accept” button when registering for Facebook constituted his assent to the Terms even though he may not have actually reviewed the Terms, which were made available via hyperlink during registration.

In the Skootle case, Twitter brought suit in the Northern District of California against various defendants for their spamming activities on Twitter’s service. One defendant, Garland Harris, who was a resident of Florida, brought a motion to dismiss, claiming lack of personal jurisdiction and improper venue. The court denied Harris’s motion, finding that the forum selection clause in Twitter’s terms of service applied. The court, however, specifically noted that it was not finding that forum selection clauses in “clickwrap” agreements are generally enforceable, but rather “only that on the allegations in this case, it is not unreasonable to enforce the clause here.”

Fteja and Skootle highlight that potentially burdensome provisions in online agreements may be enforceable even as to consumers; in both cases, a consumer seeking to pursue or defend a claim against a social media platform provider was required to do so in the provider’s forum. Both consumers and businesses need to be mindful of what they are agreeing to when signing up for online services.

Six states passed legislation regarding employers’ access to employee/applicant social media accounts

California, Delaware, Illinois, Maryland, Michigan and New Jersey enacted legislation that prohibits an employer from requesting or requiring an employee or applicant to disclose a user name or password for his or her personal social media account.

Such legislation will likely become more prevalent in 2013; Texas has a similar proposed bill, and California has a proposed bill that would expand its current protections for private employees to also include public employees.

Facebook goes public

Facebook raised over $16 billion in its initial public offering, which was one of the most highly anticipated IPOs in recent history and the largest tech IPO in U.S. history. Facebook’s peak share price during the first day of trading hit $45 per share, but with a rocky first few months fell to approximately $18—sparking shareholder lawsuits. By the end of 2012, however, Facebook had rebounded to over $26 per share.

Facebook’s IPO was not only a big event for Facebook and its investors, but also for other social media services and technology startups generally. Many viewed, and continue to view, Facebook’s success or failure as a bellwether for the viability of social media and technology startup valuations.

Employer-employee litigation over ownership of social media accounts

2012 saw the settlement of one case, and continued litigation in two other cases, all involving the ownership of business-related social media accounts maintained by current or former employees.

In the settled case of PhoneDog LLC v. Noah Kravitz, employer sued employee after the employee left the company but retained a Twitter account (and its 17,000 followers) that he had maintained while working for the employer. The terms of the settlement are confidential, but news reports indicated that the settlement allowed the employee to keep the account and its followers.

In two other pending cases, Eagle v. Edcomm and Maremont v. Susan Fredman Design Group LTD, social media accounts originally created by employees were later altered or used by the employer without the employees’ consent.

These cases are reminders that, with the growing prevalence of business-related social media, employers need to create clear policies regarding the treatment of work-related social media accounts.

California’s Attorney General went after companies whose mobile apps allegedly did not have adequate privacy policies

Starting in late October 2012, California’s Attorney General gave notice to developers of approximately 100 mobile apps that they were in violation of California’s Online Privacy Protection Act (OPPA), a law that, among other things, requires developers of mobile apps that collect personally identifiable information to “conspicuously post” a privacy policy. Then, in December 2012, California’s Attorney General filed its first suit under OPPA against Delta, for failing to have a privacy policy that specifically mentioned one of its mobile apps and for failing to have a privacy policy that was sufficiently accessible to consumers of that app.

Privacy policies for mobile applications continue to become more important as the use of apps becomes more widespread. California’s OPPA has led the charge, but other states and the federal government may follow. In September, for instance, Representative Ed Markey of Massachusetts introduced The Mobile Device Privacy Act in the U.S. House of Representatives, which in some ways would have similar notice requirements as California’s OPPA.

Changes to Instagram’s online terms of service and privacy policy created user backlash

In mid-December 2012, Instagram released an updated version of its online terms of service and privacy policy (collectively, “Terms”). The updated Terms would have allowed Instagram to use a user’s likeness and photographs in advertisements without compensation. There was a strong backlash from users over the updated Terms, which ultimately led to Instagram apologizing to its users for the advertisement-related changes, and reverting to its previous language regarding advertisements.

Instagram’s changes to its Terms, and subsequent reversal, are reminders of how monetizing social media services is often a difficult balancing act. Although social media services need to figure out how they can be profitable, they also need to pay attention to their users’ concerns.

The defeat of the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA)

Two bills, SOPA and PIPA—which were introduced in the U.S. House of Representatives and U.S. Senate, respectively, in late 2011—would have given additional tools to the U.S. Attorney General and intellectual property rights holders to combat online intellectual property infringement. A strong outcry, however, arose against the bills from various Internet, technology and social media companies. The opponents of the bills, who claimed the proposed legislation threatened free speech and innovation, engaged in various protests that included “blacking out” websites for a day. These protests ultimately resulted in the defeat of these bills in January 2012.

The opposition to and subsequent defeat of SOPA and PIPA demonstrated the power of Internet and social media services to shape the national debate and sway lawmakers. With prominent social media services such as Facebook, YouTube, Twitter, LinkedIn and Tumblr opposed to the bills, significant public and, ultimately, congressional opposition followed. Now that we’ve witnessed the power that these services wield when acting in unison, it will be interesting to see what issues unite them in the future.

New Issue of the Socially Aware Newsletter Now Available

By John Delaney, Gabriel Meister and Aaron Rubin on January 31st, 2013 Posted in Employment Law, FCC, FTC, IP, Litigation, Privacy, Section 230 Safe Harbor, Statistics, Terms of Use, Trademark

In the latest issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we look at recent First Amendment, intellectual property, labor and privacy law developments affecting corporate users of social media and the Internet. We also recap major events from 2012 that have had a substantial impact on social media law, and we take a look at some of the big numbers racked up by social media companies over the past year.

To read the latest issue of our newsletter, click here.

For an archive of previous issues of Socially Aware, click here.

Be Wary of Sharing: Anonymous P2P User’s Motion to Quash Subpoena Denied

By J. Alexander Lawrence and Matthew Galeotti on January 24th, 2013 Posted in Copyright, IP, Litigation, Privacy, Trademark

BitTorrent, the peer-to-peer (P2P) file-sharing system that enables the quick downloading of large files, has sparked another novel controversy stemming from copyright-infringement claims brought against its users. Users take advantage of the BitTorrent sharing system to anonymously access popular media such as books and movies. That anonymity is unlikely to last long for users who are alleged to have downloaded copyrighted material. Last month, Judge Sweet, a federal judge in the Southern District of New York (SDNY), held that an anonymous P2P user has no First Amendment right to quash a subpoena seeking her identity where the plaintiff had no other means to effectively identify the defendant.

In John Wiley & Sons Inc. v. Does Nos. 1-35, the plaintiff (Wiley), a publisher of books and journal articles, alleged that unidentified “John Does” used BitTorrent to illegally copy and distribute Wiley’s copyrighted works and infringe on Wiley’s trademarks. Wiley sued 35 defendants known only by their “John Doe Numbers” and Internet Protocol (IP) addresses. Seeking to identify the Does, Wiley moved for court-issued subpoenas to be served on various Internet service providers (ISPs), ordering them to supply identifying information corresponding to the Does’ IP addresses. In an attempt to maintain her anonymity and avoid liability, one of the 35 Does, then known only as John Doe No. 25 (“Doe 25”) or IP Address 74.68.143.193, moved to quash a subpoena served on her ISP, Time Warner Cable.

Wiley reflects a new wave of litigation in which copyright holders have shifted from suing host sites to focusing on individual users of P2P networks. The mere fact that copyrighted material is downloaded from a particular IP address may be insufficient to prove that the P2P network user is the infringer. An IP address typically provides only the location at which one of any number of devices may be used by any number of individuals (in fact, Doe No. 25 contended that her ex-husband, not she, downloaded the infringing works). If a motion to quash is granted, the account holder’s identity is not revealed, and the claim is effectively dead.

In considering whether to grant an anonymous account holder’s motion to quash a subpoena, courts balance the user’s First Amendment right to act anonymously with the plaintiff’s right to pursue its claims.

Anonymous users can rely on a line of precedent that extends the First Amendment’s protections to online expression. And under Rule 45 of the Federal Rules of Civil Procedure, a court must quash a subpoena if it requires disclosure of protected matter. Thus, to the extent that anonymity is protected by the First Amendment, courts will quash subpoenas designed to breach anonymity.

On the other hand, plaintiffs pursuing their claims can point to precedent holding that the First Amendment may not be used to encroach upon the intellectual property rights of others.

To balance these competing principles and determine whether certain actions trigger First Amendment protection, courts weigh the five factors set out in Sony Music Entertainment Inc. v. Does 1-40:

whether the plaintiff has made a concrete showing of actionable harm;
the specificity of the discovery request;
the absence of alternative means by which to obtain the subpoenaed information;
a central need for the data; and
the party’s expectation of privacy.

In Wiley, each of these five factors weighed in favor of disclosure of the defendant’s identity. Wiley pled a sufficiently specific claim of copyright infringement, and, without a subpoena, Wiley would have no other effective way to identify potential infringers of Wiley’s intellectual property rights.

At least five other courts within the SDNY have denied motions to quash in similar litigations involving defendants accused of infringing Wiley’s copyrights via BitTorrent. Going forward, so long as copyright holders can satisfy the Sony five-factor test, they will be able to rely on cases like Wiley to ferret out copyright infringers.

Jailbreak: U.S. Google Executives’ Italian Convictions Overturned

By Karin Retzer on January 17th, 2013 Posted in Litigation, Privacy

On December 21, 2012, the third Milan appeals court acquitted three U.S.-based Google executives who had previously been convicted for breaches of Italian data protection law after Google failed to remove an abusive video from its Google Video site. The video, which showed schoolboys bullying a child with Down syndrome, remained on the Google Video site for almost two months in spite of complaints from users. Google only removed the video in response to a police investigation, after the organization Vivi Down, which advocates for people with Down syndrome, filed a report with the Italian police. Vivi Down subsequently took Google to court, which resulted in six-month suspended prison sentences for Google’s Chief Privacy Counsel Peter Fleischer, Chief Legal Officer David Drummond and Chief Financial Officer George Reyes (now retired).

As reported in our earlier client alert on this subject, the convictions followed Milan Judge Oscar Magi’s February 2010 ruling that, although Google had no obligation to monitor user-generated content uploaded to its video site, Google controlled the data on the site and thus had obligations as a data controller under applicable data protection laws. In the first ruling in Europe to find a web operator liable for user-generated content, Judge Magi held that Google violated such laws when it failed to provide users with sufficient notice about how their personal data would be collected and processed or to obtain their consent (including for processing sensitive data revealing the child’s health condition). Further, the court determined that the Internet giant’s failure to remove the abusive video, even after receiving complaints from users, was motivated by profit because advertising revenues were generated each time the video was viewed.

Prior to the appeals hearing, Milan public prosecutor Laura Bertole Viale called for the jail sentences to be upheld, observing that “not only has the privacy of minors been violated but lessons of cruelty have been given to 5,500 visitors.” The panel of judges at the appeals court, however, overturned the Magi ruling based on Google’s argument that it had not breached any privacy or other laws. Google said that it did not offer an editorial function, and that it could not be held responsible for the content as it was not possible for Google to continuously monitor the Google Video site. Google noted that it had swiftly removed the video in response to the police investigation, and had fully cooperated with the police investigation. Further, none of the targeted Google executives was directly involved in the posting of the video. Indeed, many observers had expected that the Google executives’ appeal would be successful, given that the practices seemingly required by Judge Magi’s ruling are not followed by most web operators. None of the Google executives, all based outside Italy, has served any jail time because each sentence had been suspended pending appeal. The full court judgment will be published soon.