Header graphic for print


privacy. security. technology. media. advertising. intellectual property.

Alcohol Ads In the Digisphere – New-ish Guides In Town

Posted in Advertising Law, Apps, E-Commerce, Marketing, Mobile Apps, Privacy, Social Media, Standards
At the end of September, thirteen leading beer, wine and spirits producers published the Digital Guiding Principles (DGPs) as part of their global commitment to reducing harmful drinking.  These are self-regulatory guidelines — they are not law, although some of the principles track legal requirements in the U.S.  Moreover, these principles do not replace any other guidelines or codes applicable to alcohol advertising (e.g.the Beer Institute Advertising and Marketing Codethe Distilled Spirits Council’s Guidance Note on Responsible Digital Marketing Communications (DISCUS)).  Rather, they are meant to establish a worldwide policy on the subject of responsible alcohol advertising online, in social media and in apps.  Some of these global principles mirror Beer Institute and DISCUS guidance.  The principles are introduced with a statement on scope and expressly apply to both paid and unpaid alcohol beverage marketing communications.  The principles address 4 main topics:
  • Minors
  • Responsible Consumption
  • Transparency
  • Privacy


In connection with minors, the producers set forth three focus areas:

  • age-screening;
  • placement of marketing communications; and
  • content sharing (e.g., forward-to-a-friend).

The producers want alcohol beverage companies to implement an age-affirmation mechanism to check that a user is over the legal purchasing age whenever alcohol beverage marketing communications actively engage a user to directly interact with a brand.  Specifically, the producers want the age-affirmation mechanism to be based on a combination of DOB and country of residence.  The producers are open to the type of technology used to achieve age-affirmation, but a user who does not meet the set eligibility criteria should not be able to easily back click and re-enter a different DOB.  Presumably, a cookie based technology similar to what many companies employ for COPPA age-screening would suffice.  Many alcohol brands already implement a DOB screen on their web sites and other online features.

If the platform does not have an age-affirmation solution, the company should not engage in interactive marketing if 70% of the platform’s audience composition is not the legal purchasing age in the applicable country.  If the platform’s audience composition does meet the 70% requirement, the marketing communication should include an age disclaimer/statement explaining that the content is intended for users who are of the legal purchasing age and the platform should provide a mechanism to remove or moderate inappropriate user-generated content.  Note, the producers have made a commitment to work with platform providers on technology to achieve compliance with the principles.  For marketing communications that do not seek to have users directly interact with the brand, the communication should only be placed in media that can reasonably be expected to meet an audience composition where at least 70% of the audience is of the legal purchasing age.

For shareable content made available on a platform controlled by an alcohol beverage company, the producers want the company to display a “Forward Advice Notice” explaining that the content should not be forwarded to anyone under the legal purchase age in the country of viewing.  The producers indicate that the Forward Advice Notice can be displayed via a prominent link.  I note that this last focus area in connection with minors is limited to platforms controlled by the alcohol beverage company.  Query if a company page within a larger social media platform is considered to be controlled by the alcohol beverage company


The Responsible Consumption topic focusses on clearly posting a responsible drinking message within all digital communications and on an all platforms.  The topic all focusses on moderating user generated content.  The producers want individual companies’ marketing codes to include a statement indicating how often they monitor user generated content.  The producers also want companies to post a user generated content policy wherever they allow user generated content.


The producers are also concerned about transparency and do not want companies implying they are a consumer in connection with marketing communications.  Presumably, this comes up where brands and consumer are conversing in social media feeds and the like.


Finally, the principles address user privacy in a fairly broad stroke manner, but they do get specific on three issues: (1) the producers want all direct marketing communications (e.g., email) to be consent/opt-in based; (2) they want brands to provide an easy opt-out mechanism so recipients can opt-out of future marketing communications; and (3) companies should feature data privacy statements on the web sites they control and encourage users to reach the statements.

Justine Gottshall To Speak at BAA/PMA Annual Marketing Law Conference

Posted in Marketing, Privacy, Privacy Law

Attending the BAA Conference? Please join our partner, Justine Gottshall, as she leads a panel on Privacy by Design – A Cast of Characters: The Lawyer, the Marketer & the Organization. She will be joined by Susan Cooper from Facebook, Susan Goodhue from LinkedIn, and Michael McCullough from Macy’s. The session is on November 6, 2014 in Chicago. We hope you can join us!

California Amends Data Breach Notification Law, Does Not Require Mandatory Offering of Credit Monitoring

Posted in Breach Notification, California, Identity Theft

California Governor Jerry Brown signed into law an amendment to California’s data breach notification law on Monday. Although at least one news outlet has reported that the law requires a company to offer credit monitoring services, this interpretation is misguided. Rather, the law only places restrictions on certain companies if they choose to offer identity theft prevention and mitigation services. In addition, the law also prohibits persons from selling (or advertising or offering to sell) any individual’s social security number, subject to certain exceptions.

Continue Reading

Recent International Study Reports Delinquencies in App Privacy Disclosures

Posted in App developers, App Store, Apps, COPPA, Data Security, FTC, Information Security, Mobile Apps, Privacy

In a recently reported study released by the the Global Privacy Enforcement Network (“GPEN”), the GPEN found that a testing sample of 1,211 mobile apps accessed during May of this year failed to provide users with adequate privacy protections under current regulatory provisions in the United States and in other countries. The GPEN is a coalition of privacy officials from 19 countries, including the United States Federal Trade Commission (“FTC”).

The GPEN report concluded that 60% of mobile apps accessed raised significant privacy concerns based on the following criteria:

  • The apps failed to disclose how the apps used personally identifying information (“PII”);
  • The apps required users to provide more PII than necessary as a condition to downloading the apps; and
  • The privacy policies associated with the apps were provided in too small of a font to be read on the screens of mobile devices.

Of the apps examined, the GPEN found that 30% failed to provide sufficient information on how PII would be used by the app providers.  In fact, the GPEN report found that many of the apps tested provided no privacy information at all.

Additionally, another 31% of the apps the GPEN examined requested access to PII, including contacts, device ID location, calendar and call logs, in the absence of any indicated reason for why such information would be necessary to use the apps for their advertised purposes.  The GPEN report also showed that 43% of the apps failed to make the apps’ privacy policies readable on mobile devices’ smaller screens as compared to on computers.

The most common type of PII requested by the apps examined by the GPEN was users’ geographical locations. Specifically, the report indicated that 32% of the reviewed apps requested geolocation information as a prerequisite to downloading the mobile apps.

The names or providers of the apps the GPEN examined were not identified in its report.  Also, the GPEN report did not indicate how it selected the apps that it studied.

The GPEN’s report is significant because it demonstrates the common and growing disparity between legal requirements for privacy disclosures in the United States and elsewhere and how privacy policies for mobile apps should be disclosed. Moreover, the findings in the GPEN’s report likely foreshadow further regulatory enforcement here in the United States by the FTC, as well as action by regulatory bodies outside of the United States.


ALERT: Google’s Plan to Open Its Services to Children Could Spur Changes to COPPA Enforcement

Posted in Behavioral Advertising, Children's Privacy, Data Privacy Law or Regulation, InfoLawGroup, Marketing, PII, Privacy Law

Recent reports indicate that Google is developing a program that would allow children under the age of 13 to obtain accounts on Google services such as Gmail and YouTube.  The Wall Street Journal  recently reported that “Google is trying to establish a new system that lets parents set up accounts for their kids, control how they use Google services and what information is collected about their offspring… Google wants to make the process easier and compliant with the rules.”  These accounts would allow children under the age of 13 to create their own Gmail accounts and access child-friendly YouTube channels.

Google currently employs an age-neutral verification mechanism, where account creators are simply asked to identify the day, month, and year of their birth (as opposed to, for example, directly asking “are you 13 or older?”).  The idea here is to not “tip off” account creators that age may be a limitation to one’s ability to open a Google account. Google also uses cookies during the account creation process to guard against people simply reverting their browsers to enter a different birthday to gain access and, ultimately, create an account.  Continue Reading

Ninth Circuit Finds Browsewrap Arbitration Clause Unenforceable Despite Conspicuous Link

Posted in E-Commerce, Lawsuit

A recent Ninth Circuit decision highlights the importance of obtaining affirmative user assent to online Terms of Use. In Nguyen v. Barnes & Noble Inc., 2014 WL 4056549 (Aug. 18, 2014), the Ninth Circuit concluded that a conspicuous link to the site’s Terms of Use posted throughout the site and in close proximity to a checkout button was insufficient to find an arbitration agreement enforceable in the absence of a user’s express agreement to the online Terms.

In Nguyen, an online retailer advertised a liquidation sale for certain discontinued products. The plaintiff purchased two products and received an email confirmation. The following day, the retailer canceled the order via email due to unexpectedly high demand. The plaintiff filed a putative class action, alleging that the retailer engaged in deceptive business practices and false advertising. The retailer moved to compel arbitration, pursuant to its website’s Terms of Use.  The plaintiff opposed, arguing that he never clicked on the “Terms of Use” hyperlink nor actually read the Terms of Use, and that he therefore could not be bound by the Terms. The trial court agreed with the Plaintiff and denied the retailer’s motion to compel arbitration.

The Ninth Circuit affirmed the district court’s decision and concluded that the plaintiff was not bound by the arbitration clause in the online Terms. Although the circuit court reached its decision under New York law, it noted that “both California and New York law dictate the same outcome.”

Continue Reading

Six Things to Know About Trademarks

Posted in Trademarks

Trademark use, protection and enforcement are key components to any enterprise, whether startup, growth stage or Fortune 100. Here are some key points that decision makers over marketing should keep in mind.

#1 – Trademark law protects the brand.

Trademarks are intellectual property. The different categories of intellectual property can be confusing, and as you are identifying and evaluating the different legal issues your business faces, you should seek to understand the role that each category plays. That way you can determine where you should focus your resources to cover the organization’s greatest needs.

Every business has trademark issues. Trademark law gives exclusive rights to providers of goods and services to use the company’s distinctive marks in connection with the company’s goods and services. A trademark (or a service mark, collectively “marks”) identifies the source of goods and services. So while the company is the one that may claim rights in the trademark, it is useful to remember that the ultimate reason for trademark protection is to keep members of the consuming public from being confused about where the goods or services come from.

Trademarks differ from other forms of intellectual property. Copyright protects the organization’s creative output. Patents protect inventions. Trade secrets protect commercial know-how that is kept confidential by the company.

#2 – Registration is not necessary, but it is a good idea.

At least in the U.S., trademark rights arise from using the mark in commerce. This means a couple of different things. For one, the law will provide your company with exclusive rights to use a certain mark in connection with certain goods or services by virtue of your having used the mark in commerce in connection with those goods or services. But there are limits to this protection — you can only claim that exclusivity in the geographic area in which you’ve actually used the mark.

Getting a registration with the United States Patent and Trademark Office (USPTO) helps you in this area. Once the USPTO awards your company a registration certificate for the mark, you are the presumed owner of the exclusive rights to that mark in connection with those goods and services anywhere in the United States, regardless of where you have actually done business. A registration carries with it other benefits as well — you can use the “circle R” designation with the mark, and your registration serves to help give notice to (i.e., warn) other companies who might consider adopting the same or similar mark.

#3 – Descriptive words and phrases generally cannot be trademarks.

Trademark law does not allow a company to claim exclusive rights on words or phrases that merely describe the product or some characteristic of it. This is a common issue that companies face when deciding on a mark for adoption and registration. Descriptive terms are good in that they convey to the consuming public what the product is all about. But descriptive terms are to be avoided in that they are not distinctive. Unless a mark is distinctive, the trademark laws do not recognize it as a trademark or service mark. A mark can be “inherently distinctive” in a number of ways. It may be a made up word (e.g., Kodak), “arbitrary” in that the original meaning of the word does not correspond with the products (e.g., Apple for computers), or “suggestive” – sort of describing the product but requiring a step in imagination (e.g., Beautyrest for mattresses). Or the mark can be a design. Descriptive words and phrases can become distinctive over time (usually after 5 years of use). This is known as “acquired distinctiveness.” Generic terms can never serve as trademarks.

#4 – Smart business owners do trademark clearance.

Trademark clearance is the process that a company goes through before actually using or seeking to register a mark. The goal is to become reasonably sure that the use of the proposed mark will not put you at high risk of infringing someone else’s mark. Clearance also helps prevent wasting resources on a trademark application that will get rejected by the USPTO because there is already a similar mark that someone else has applied for or registered.

Clearance usually has a couple steps. Many companies have their trademark counsel perform “knockout searches” to identify any obvious risks of conflict. This can be as simple as doing a web search and a search of the USPTO database for marks that look and sound the same and are for similar goods or services. Before going all out on adopting and seeking to register a mark, however, it is a good idea to have trademark counsel perform a comprehensive search and advise on the results. A number of parties offer comprehensive search services. The key question in trademark clearance is likelihood of confusion. A mark owner needs to be reasonably sure that using the proposed mark in commerce will not cause confusion among the confusing public as to the source of the goods or services offered under the mark.

#5 – Trademark fair use is a thing.

In some circumstances a company can use another company’s trademark without much risk of infringement. Generally this falls under the heading of “fair use.” Classic fair use is when one company uses another’s mark in just a descriptive sense. For example, a laundromat may say in the text of its advertising that it is next door to Wendy’s. In that case, the use of Wendy’s is probably not an infringement. Nominative fair use occurs when a company uses another mark to describe some characteristic of that mark. A commercial for Toyota, for example, may use the Honda trademark for purposes of comparing the two product lines.

#6 – Use it or lose it. Protect it or lose it.

Trademark rights come from the company’s use of the mark, and there is always a risk that those rights might be abandoned. If a company stops using a mark, a court may find that the organization has abandoned its rights, and another company would be free to adopt and use the mark. The USPTO requires that documents be filed every few years to ensure that marks that are listed as registered remain in use. If a company does not take appropriate steps to ensure its mark is distinctive in the marketplace, it can similarly be found to have abandoned its rights. So mark owners should do some “policing” to see that there no one else uses a confusingly similar mark on similar products. If the company discovers such use, it must be diligent in seeking to get the other party to stop, through sending a cease and desist letter or through litigation when appropriate.

“Like-Gated” Promotions No Longer Permissible on Facebook

Shannon Harell Posted in Advertising Law, Marketing, Social Media, Sweepstakes

Last week, Facebook, Inc. (“Facebook”) announced a major upcoming change, effective November 5, 2014, to its Platform Policies that will affect the vast majority of promotions run on the platform. The announcement introduces a significant restriction on use of the “Like” functionality in connection with promotions (including sweepstakes and contests). Facebook stated its intention is to “ensure quality connections and help businesses reach the people who matter to them” and that it “want[s] people to like [pages on Facebook] because [people] want to connect and hear from the business, not because of artificial incentives.” [i]

Specifically, the following previously permitted practices are no longer allowed as of November 5th:

  • “Like-gating” an app (i.e., requiring that an individual “like” a certain page on Facebook before he/she may access an app); or
  • Otherwise offering a reward (e.g., a promotion entry or some other tangible or intangible benefit) to incentivize an individual to “like” a page on Facebook.  This means that your app for a contest, for example, cannot require users to “like” your page on Facebook before they can access the entry form for the contest.

Marketers may still incentivize individuals to log-in to an app (without requiring that the individual “like” the app), check-in at a place (e.g., by offering a coupon for use at the establishment), or enter a promotion (i.e., by offering a prize in a promotion conducted via a sponsor page on Facebook).  This change does not affect other aspects of the Pages Terms that govern promotions. The Pages Terms still provide that promotions may be administered directly via a sponsor page on Facebook or within an app and may not be administered via personal timelines.


[i] Along with the prohibition on “like-gating”, Facebook also announced that “[g]ames which include mandatory or optional in-app charges must now disclose this in their app’s description, either on Facebook or other platforms it supports. . . to give people a clear indication that [a] game may charge people during gameplay.”


Ultra Records Sues YouTube Beauty Guru Michelle Phan

Benjamin Stein Posted in Copyright, Uncategorized

Last month, music label Ultra Records and its publisher, Ultra International Music Publishing (referred to generally in this post as “Ultra”), sued popular YouTube video blogger Michelle Phan for copyright infringement.  Ultra is a popular dance-music label and its roster of artists includes Kaskade, deadmau5, and Late Night Alumni.

Ms. Phan is a YouTube sensation whose channel currently boasts over 6.75 million subscribers.  Her videos offer makeup and beauty instruction, with the most popular installments garnering tens of millions of views. Phan has been featured in an advertising campaign for YouTube and, according to the complaint, has also monetized her YouTube channel in order to earn ad revenue.

Some of Phan’s videos are set in part to music and Ultra alleges that it has identified over fifty videos in which Phan makes unauthorized use of musical compositions and recordings in which it owns copyright. Ultra alleges that the videos featuring its music have been viewed a combined total of more than 150 million times. Ultra is seeking an injunction and either a disgorgement of Phan’s profits and its actual damages or the maximum statutory damages of $150,000 per infringed work. While Ms. Phan has not yet filed a reply in court, her lawyers have claimed publicly that she had permission from Ultra to include its music in her videos.

Though this case is in its nascency, it is a reminder of some worthwhile lessons for those who produce or otherwise deal with content that is subject to copyright law:

Continue Reading

Mobile Apps: FTC Says Vague Privacy Policies and Lack of Terms a Problem

Posted in Apps, FTC, PII, Privacy Law, Reasonable Security
Last week, the FTC released a study it conducted in connection with price-comparison apps, deal apps and apps that allow people to pay for purchases using their mobile device while shopping in brick-and-mortar stores.  The newly released study is the latest commentary from the FTC in a long line of workshops and reports that started in 2012 on the issue of mobile apps, mobile payment mechanisms and related matters, such as mobile cramming and mobile security.  Here are the key takeaways from the latest study:
  • While the FTC found that most of the apps it reviewed had a privacy policy, those privacy policies were vague and reserved broad rights to collect, use and share data without meaningful information about how the apps actually use and share data.  The FTC is looking for less boilerplate and more real details to help consumers evaluate and compare data practices among apps before app installation.  This concept harkens back to the FTC’s report “Protecting Consumer Privacy In An Era Of Rapid Change” in which the FTC stated: “general statements in privacy policies…are not an appropriate tool to ensure [a reasonable limit on the collection of consumer data] because companies have an incentive to make vague promises that would permit them to do virtually anything with consumer data.”  In the current study, the FTC says that the use of broad language to address use and sharing of data “suggests that these app developers may not be evaluating whether they have a business need for the data they are collecting.”  The assessment the FTC alludes to here is part of the overall “privacy by design” concept that we have been discussing with clients for several years now.
  • The FTC is concerned that apps are not disclosing consumers’ rights in connection with payments made via mobile devices.  Specifically, apps that include the ability to accept or make payments need to disclose the process for resolving payment disputes and the consumers’ rights and liability limits for bad transactions (unauthorized, fraudulent, etc.).  The FTC says that consumers do not understand the difference between the automatic liability protections someone might have in connection with the use of their credit or debit card as opposed to lesser protections available for money that might be transferred to the app for use later (similar to a stored value account).  Indeed, the protections for unauthorized or fraudulent transactions between those two categories are likely different.  The Consumer Financial Protection Bureau is currently in the process of lobbying Congress to extend the legal protections afforded to credit and debit card transactions to gift card and similar transactions.  The FTC wants apps to disclose to consumers their potential liability for unauthorized transactions – especially if the liability is different from the normal expectation that most unauthorized credit and debit card transactions receive.
  • The FTC reiterated that strong data security promises (which it found in many of the app privacy policies it reviewed) must translate into strong data security practices.  Honoring the commitments you make in a privacy policy is not a new sentiment from the FTC.  The FTC did not include any results in its study that suggests the data security statements in the privacy policies were untrue.  In fact, for this study, the FTC did not test the actual security practices of any of the apps reviewed.

The FTC made several comments in the study indicating that it liked seeing that so many apps posted privacy policies.  Nonetheless, while that is a step in the right direction, making those policies meaningful is where the focus is now.  To that end, it bears repeating that there is no such thing as a template or boilerplate privacy policy.