InfoLawGroup

privacy. security. technology. media. advertising. intellectual property.

Recent International Study Reports Delinquencies in App Privacy Disclosures

Posted in App developers, App Store, Apps, COPPA, Data Security, FTC, Information Security, Mobile Apps, Privacy

In a recently reported study released by the Global Privacy Enforcement Network (“GPEN”), the GPEN found that a testing sample of 1,211 mobile apps accessed during May of this year failed to provide users with adequate privacy protections under current regulatory provisions in the United States and in other countries. The GPEN is a coalition of privacy officials from 19 countries, including the United States Federal Trade Commission (“FTC”).

The GPEN report concluded that 60% of mobile apps accessed raised significant privacy concerns based on the following criteria:

  • The apps failed to disclose how the apps used personally identifying information (“PII”);
  • The apps required users to provide more PII than necessary as a condition to downloading the apps; and
  • The privacy policies associated with the apps were provided in too small a font to be read on the screens of mobile devices.

Of the apps examined, the GPEN found that 30% failed to provide sufficient information on how PII would be used by the app providers.  In fact, the GPEN report found that many of the apps tested provided no privacy information at all.

Additionally, another 31% of the apps the GPEN examined requested access to PII, including contacts, device ID location, calendar and call logs, in the absence of any indicated reason for why such information would be necessary to use the apps for their advertised purposes.  The GPEN report also showed that 43% of the apps failed to make the apps’ privacy policies readable on mobile devices’ smaller screens as compared to on computers.

The most common type of PII requested by the apps examined by the GPEN was users’ geographical locations. Specifically, the report indicated that 32% of the reviewed apps requested geolocation information as a prerequisite to downloading the mobile apps.

The names or providers of the apps the GPEN examined were not identified in its report.  Also, the GPEN report did not indicate how it selected the apps that it studied.

The GPEN’s report is significant because it demonstrates the common and growing disparity between legal requirements for privacy disclosures in the United States and elsewhere and how privacy policies for mobile apps should be disclosed. Moreover, the findings in the GPEN’s report likely foreshadow further regulatory enforcement here in the United States by the FTC, as well as action by regulatory bodies outside of the United States.

 

ALERT: Google’s Plan to Open Its Services to Children Could Changes Spur COPPA Enforcement

Posted in Behavioral Advertising, Children's Privacy, Data Privacy Law or Regulation, InfoLawGroup, Marketing, PII, Privacy Law

Recent reports indicate that Google is developing a program that would allow children under the age of 13 to obtain accounts on Google services such as Gmail and YouTube.  The Wall Street Journal  recently reported that “Google is trying to establish a new system that lets parents set up accounts for their kids, control how they use Google services and what information is collected about their offspring… Google wants to make the process easier and compliant with the rules.”  These accounts would allow children under the age of 13 to create their own Gmail accounts and access child-friendly YouTube channels.

Google currently employs an age-neutral verification mechanism, where account creators are simply asked to identify the day, month, and year of their birth (as opposed to, for example, directly asking “are you 13 or older?”).  The idea here is to not “tip off” account creators that age may be a limitation to one’s ability to open a Google account. Google also uses cookies during the account creation process to guard against people simply reverting their browsers to enter a different birthday to gain access and, ultimately, create an account.

Ninth Circuit Finds Browsewrap Arbitration Clause Unenforceable Despite Conspicuous Link

Posted in E-Commerce, Lawsuit

A recent Ninth Circuit decision highlights the importance of obtaining affirmative user assent to online Terms of Use. In Nguyen v. Barnes & Noble Inc., 2014 WL 4056549 (Aug. 18, 2014), the Ninth Circuit concluded that a conspicuous link to the site’s Terms of Use posted throughout the site and in close proximity to a checkout button was insufficient to find an arbitration agreement enforceable in the absence of a user’s express agreement to the online Terms.

In Nguyen, an online retailer advertised a liquidation sale for certain discontinued products. The plaintiff purchased two products and received an email confirmation. The following day, the retailer canceled the order via email due to unexpectedly high demand. The plaintiff filed a putative class action, alleging that the retailer engaged in deceptive business practices and false advertising. The retailer moved to compel arbitration, pursuant to its website’s Terms of Use.  The plaintiff opposed, arguing that he never clicked on the “Terms of Use” hyperlink nor actually read the Terms of Use, and that he therefore could not be bound by the Terms. The trial court agreed with the Plaintiff and denied the retailer’s motion to compel arbitration.

The Ninth Circuit affirmed the district court’s decision and concluded that the plaintiff was not bound by the arbitration clause in the online Terms. Although the circuit court reached its decision under New York law, it noted that “both California and New York law dictate the same outcome.”

Six Things to Know About Trademarks

Posted in Trademarks

Trademark use, protection and enforcement are key components of any enterprise, whether startup, growth stage or Fortune 100. Here are some key points that decision makers responsible for marketing should keep in mind.

#1 – Trademark law protects the brand.

Trademarks are intellectual property. The different categories of intellectual property can be confusing, and as you are identifying and evaluating the different legal issues your business faces, you should seek to understand the role that each category plays. That way you can determine where you should focus your resources to cover the organization’s greatest needs.

Every business has trademark issues. Trademark law gives exclusive rights to providers of goods and services to use the company’s distinctive marks in connection with the company’s goods and services. A trademark (or a service mark, collectively “marks”) identifies the source of goods and services. So while the company is the one that may claim rights in the trademark, it is useful to remember that the ultimate reason for trademark protection is to keep members of the consuming public from being confused about where the goods or services come from.

Trademarks differ from other forms of intellectual property. Copyright protects the organization’s creative output. Patents protect inventions. Trade secrets protect commercial know-how that is kept confidential by the company.

#2 – Registration is not necessary, but it is a good idea.

At least in the U.S., trademark rights arise from using the mark in commerce. This means a couple of different things. For one, the law will provide your company with exclusive rights to use a certain mark in connection with certain goods or services by virtue of your having used the mark in commerce in connection with those goods or services. But there are limits to this protection — you can only claim that exclusivity in the geographic area in which you’ve actually used the mark.

Getting a registration with the United States Patent and Trademark Office (USPTO) helps you in this area. Once the USPTO awards your company a registration certificate for the mark, you are the presumed owner of the exclusive rights to that mark in connection with those goods and services anywhere in the United States, regardless of where you have actually done business. A registration carries with it other benefits as well — you can use the “circle R” designation with the mark, and your registration serves to help give notice to (i.e., warn) other companies who might consider adopting the same or similar mark.

#3 – Descriptive words and phrases generally cannot be trademarks.

Trademark law does not allow a company to claim exclusive rights on words or phrases that merely describe the product or some characteristic of it. This is a common issue that companies face when deciding on a mark for adoption and registration. Descriptive terms are good in that they convey to the consuming public what the product is all about. But descriptive terms are to be avoided in that they are not distinctive. Unless a mark is distinctive, the trademark laws do not recognize it as a trademark or service mark. A mark can be “inherently distinctive” in a number of ways. It may be a made up word (e.g., Kodak), “arbitrary” in that the original meaning of the word does not correspond with the products (e.g., Apple for computers), or “suggestive” – sort of describing the product but requiring a step in imagination (e.g., Beautyrest for mattresses). Or the mark can be a design. Descriptive words and phrases can become distinctive over time (usually after 5 years of use). This is known as “acquired distinctiveness.” Generic terms can never serve as trademarks.

#4 – Smart business owners do trademark clearance.

Trademark clearance is the process that a company goes through before actually using or seeking to register a mark. The goal is to become reasonably sure that the use of the proposed mark will not put you at high risk of infringing someone else’s mark. Clearance also helps prevent wasting resources on a trademark application that will get rejected by the USPTO because there is already a similar mark that someone else has applied for or registered.

Clearance usually has a couple of steps. Many companies have their trademark counsel perform “knockout searches” to identify any obvious risks of conflict. This can be as simple as doing a web search and a search of the USPTO database for marks that look and sound the same and are for similar goods or services. Before going all out on adopting and seeking to register a mark, however, it is a good idea to have trademark counsel perform a comprehensive search and advise on the results. A number of parties offer comprehensive search services. The key question in trademark clearance is likelihood of confusion. A mark owner needs to be reasonably sure that using the proposed mark in commerce will not cause confusion among the consuming public as to the source of the goods or services offered under the mark.

#5 – Trademark fair use is a thing.

In some circumstances a company can use another company’s trademark without much risk of infringement. Generally this falls under the heading of “fair use.” Classic fair use is when one company uses another’s mark in just a descriptive sense. For example, a laundromat may say in the text of its advertising that it is next door to Wendy’s. In that case, the use of Wendy’s is probably not an infringement. Nominative fair use occurs when a company uses another mark to describe some characteristic of that mark. A commercial for Toyota, for example, may use the Honda trademark for purposes of comparing the two product lines.

#6 – Use it or lose it. Protect it or lose it.

Trademark rights come from the company’s use of the mark, and there is always a risk that those rights might be abandoned. If a company stops using a mark, a court may find that the organization has abandoned its rights, and another company would be free to adopt and use the mark. The USPTO requires that documents be filed every few years to ensure that marks that are listed as registered remain in use. If a company does not take appropriate steps to ensure its mark is distinctive in the marketplace, it can similarly be found to have abandoned its rights. So mark owners should do some “policing” to see that no one else uses a confusingly similar mark on similar products. If the company discovers such use, it must be diligent in seeking to get the other party to stop, through sending a cease and desist letter or through litigation when appropriate.

“Like-Gated” Promotions No Longer Permissible on Facebook

Shannon Harell Posted in Advertising Law, Marketing, Social Media, Sweepstakes

Last week, Facebook, Inc. (“Facebook”) announced a major upcoming change, effective November 5, 2014, to its Platform Policies that will affect the vast majority of promotions run on the platform. The announcement introduces a significant restriction on use of the “Like” functionality in connection with promotions (including sweepstakes and contests). Facebook stated its intention is to “ensure quality connections and help businesses reach the people who matter to them” and that it “want[s] people to like [pages on Facebook] because [people] want to connect and hear from the business, not because of artificial incentives.” [i]

Specifically, the following previously permitted practices are no longer allowed as of November 5th:

  • “Like-gating” an app (i.e., requiring that an individual “like” a certain page on Facebook before he/she may access an app); or
  • Otherwise offering a reward (e.g., a promotion entry or some other tangible or intangible benefit) to incentivize an individual to “like” a page on Facebook.  This means that your app for a contest, for example, cannot require users to “like” your page on Facebook before they can access the entry form for the contest.

Marketers may still incentivize individuals to log-in to an app (without requiring that the individual “like” the app), check-in at a place (e.g., by offering a coupon for use at the establishment), or enter a promotion (i.e., by offering a prize in a promotion conducted via a sponsor page on Facebook).  This change does not affect other aspects of the Pages Terms that govern promotions. The Pages Terms still provide that promotions may be administered directly via a sponsor page on Facebook or within an app and may not be administered via personal timelines.

 


[i] Along with the prohibition on “like-gating”, Facebook also announced that “[g]ames which include mandatory or optional in-app charges must now disclose this in their app’s description, either on Facebook or other platforms it supports. . . to give people a clear indication that [a] game may charge people during gameplay.”

 

Ultra Records Sues YouTube Beauty Guru Michelle Phan

Benjamin Stein Posted in Copyright, Uncategorized

Last month, music label Ultra Records and its publisher, Ultra International Music Publishing (referred to generally in this post as “Ultra”), sued popular YouTube video blogger Michelle Phan for copyright infringement.  Ultra is a popular dance-music label and its roster of artists includes Kaskade, deadmau5, and Late Night Alumni.

Ms. Phan is a YouTube sensation whose channel currently boasts over 6.75 million subscribers.  Her videos offer makeup and beauty instruction, with the most popular installments garnering tens of millions of views. Phan has been featured in an advertising campaign for YouTube and, according to the complaint, has also monetized her YouTube channel in order to earn ad revenue.

Some of Phan’s videos are set in part to music and Ultra alleges that it has identified over fifty videos in which Phan makes unauthorized use of musical compositions and recordings in which it owns copyright. Ultra alleges that the videos featuring its music have been viewed a combined total of more than 150 million times. Ultra is seeking an injunction and either a disgorgement of Phan’s profits and its actual damages or the maximum statutory damages of $150,000 per infringed work. While Ms. Phan has not yet filed a reply in court, her lawyers have claimed publicly that she had permission from Ultra to include its music in her videos.

Though this case is in its nascency, it is a reminder of some worthwhile lessons for those who produce or otherwise deal with content that is subject to copyright law:

Mobile Apps: FTC Says Vague Privacy Policies and Lack of Terms a Problem

Posted in Apps, FTC, PII, Privacy Law, Reasonable Security

Last week, the FTC released a study it conducted in connection with price-comparison apps, deal apps and apps that allow people to pay for purchases using their mobile device while shopping in brick-and-mortar stores.  The newly released study is the latest commentary from the FTC in a long line of workshops and reports that started in 2012 on the issue of mobile apps, mobile payment mechanisms and related matters, such as mobile cramming and mobile security.  Here are the key takeaways from the latest study:

  • While the FTC found that most of the apps it reviewed had a privacy policy, those privacy policies were vague and reserved broad rights to collect, use and share data without meaningful information about how the apps actually use and share data.  The FTC is looking for less boilerplate and more real details to help consumers evaluate and compare data practices among apps before app installation.  This concept harkens back to the FTC’s report “Protecting Consumer Privacy In An Era Of Rapid Change” in which the FTC stated: “general statements in privacy policies…are not an appropriate tool to ensure [a reasonable limit on the collection of consumer data] because companies have an incentive to make vague promises that would permit them to do virtually anything with consumer data.”  In the current study, the FTC says that the use of broad language to address use and sharing of data “suggests that these app developers may not be evaluating whether they have a business need for the data they are collecting.”  The assessment the FTC alludes to here is part of the overall “privacy by design” concept that we have been discussing with clients for several years now.
  • The FTC is concerned that apps are not disclosing consumers’ rights in connection with payments made via mobile devices.  Specifically, apps that include the ability to accept or make payments need to disclose the process for resolving payment disputes and the consumers’ rights and liability limits for bad transactions (unauthorized, fraudulent, etc.).  The FTC says that consumers do not understand the difference between the automatic liability protections someone might have in connection with the use of their credit or debit card as opposed to lesser protections available for money that might be transferred to the app for use later (similar to a stored value account).  Indeed, the protections for unauthorized or fraudulent transactions between those two categories are likely different.  The Consumer Financial Protection Bureau is currently in the process of lobbying Congress to extend the legal protections afforded to credit and debit card transactions to gift card and similar transactions.  The FTC wants apps to disclose to consumers their potential liability for unauthorized transactions – especially if the liability is different from the normal expectation that most unauthorized credit and debit card transactions receive.
  • The FTC reiterated that strong data security promises (which it found in many of the app privacy policies it reviewed) must translate into strong data security practices.  Honoring the commitments you make in a privacy policy is not a new sentiment from the FTC.  The FTC did not include any results in its study that suggest the data security statements in the privacy policies were untrue.  In fact, for this study, the FTC did not test the actual security practices of any of the apps reviewed.

The FTC made several comments in the study indicating that it liked seeing that so many apps posted privacy policies.  Nonetheless, while that is a step in the right direction, making those policies meaningful is where the focus is now.  To that end, it bears repeating that there is no such thing as a template or boilerplate privacy policy.

The Games Advertisers Play: Heather Nolan to present this week on Gamification

Posted in Uncategorized

This Wednesday, Heather Nolan will discuss the legal issues related to Gamification. The session is part of the Brand Activation Association’s comprehensive, 6-part webinar series, which has been covering the A-Z must-knows of sweepstakes, contests and games. This week’s session will be helpful to business and legal team members who are interested in using game elements in their promotions. Content will be helpful to those who are new to gamification and need help understanding the basics, as well as those who are seasoned and just want to extend their knowledge. Developed and offered for the first time by BAA’s Sweepstakes, Contest & Games Council, the series pairs industry experts from law firms, agencies, and marketing companies to share their insights and experiences so you can maximize your promotion spending. This week’s session will take place online on Wednesday, July 30th at 2pm ET/1pm CT/11am PT. Click to register.

Massachusetts Continues Aggressive Information Security Enforcement Agenda

Posted in Breach Notification, Encryption, HIPAA, HITECH, Information Security, Massachusetts 210 CMR 17.00, Massachusetts Data Security Regulations

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes.  The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were not encrypted.  As a result of the consent judgment, WIH will pay a civil penalty of $110,000, attorney fees of $25,000, and contribute $15,000 to funds organized by the Attorney General to support data security enforcement actions and education on the protection of sensitive personal information.

The Attorney General asserted that WIH failed to discover the breach in a reasonably timely fashion.  The backup tapes were allegedly transferred off-site during the summer of 2011 but their loss was not noticed until April 2012 and public notice was provided in November 2012.  The Attorney General claimed that the delay in detecting the loss resulted from inadequate inventory and tracking of sensitive personal information.  In addition, the Attorney General asserts that notification to consumers was delayed because of “deficient employee training and internal policies”.

The WIH consent judgment follows the recent pattern of litigation to implement the Massachusetts data security regulations, 201 C.M.R. 17.00, and the HITECH Act provisions empowering state attorneys general to enforce HIPAA.  This is consistent with the consent judgments entered into with Goldthwaite Associates in 2013 and South Shore Hospital in 2012.

Several important lessons may be learned from this recent sequence of enforcement actions.

  • The Massachusetts Attorney General will pursue actions under the Massachusetts data security regulations against out-of-state enterprises that handle the personal information of Massachusetts residents.  Prior enforcement actions have focused upon Massachusetts-based businesses.  Going forward, out-of-state businesses having sufficient minimum contacts with the Commonwealth of Massachusetts should evaluate their data protection practices in order to avoid running afoul of the Massachusetts data security regulations.
  • The U.S. Department of Health and Human Services (“HHS”) is cooperating with state attorneys general that wish to pursue compliance enforcement actions under HIPAA.  Accordingly, HIPAA covered entities and business associates across the country should note that the states may become a bigger factor in HIPAA enforcement in the future.
  • Businesses should maintain appropriate procedures to inventory and track the sensitive personal information that they collect and use.  Accurate data inventory can help businesses better identify their security risks and detect anomalous events in a timely fashion.
  • Businesses should also take steps to maintain comprehensive procedures for investigating and responding to data breaches.  Such procedures help businesses avoid the kinds of delays in public notification that may elevate the concerns of federal and state regulators.
  • While encryption is not a panacea for privacy and security issues, there are several circumstances where it can substantially reduce legal risks.  The inability to implement physical and other reliable access safeguards makes encryption particularly valuable for protecting electronic media transported outside company facilities.

New Connecticut Mini-TCPA Provides for Giant Penalties and Attorneys’ Fees

Posted in Advertising Law, Marketing, Mobile, TCPA

Companies sending text messages or conducting voice telemarketing in Connecticut beware! Connecticut has substantially amended its telemarketing law (the “mini-TCPA”), which now may regulate even more conduct than the federal TCPA – particularly, push notifications and in-app messages. In addition, the mini-TCPA provides for reasonable attorneys’ fees, which may present an incentive for plaintiffs to bring suit; and also authorizes large penalties recoverable by the government. The amended statute becomes effective on October 1, 2014. This article is intended to highlight some of the key differences between the new Connecticut law and the TCPA that are relevant to businesses that already comply with the TCPA.
