California Governor Jerry Brown signed into law an amendment to California’s data breach notification law on Monday. Although at least one news outlet has reported that the law requires a company to offer credit monitoring services, this interpretation is misguided. Rather, the law only places restrictions on certain companies if they choose to offer identity theft prevention and mitigation services. In addition, the law also prohibits persons from selling (or advertising or offering to sell) any individual’s social security number, subject to certain exceptions.
In a recently reported study released by the Global Privacy Enforcement Network (“GPEN”), the GPEN found that a testing sample of 1,211 mobile apps accessed during May of this year failed to provide users with adequate privacy protections under current regulatory provisions in the United States and in other countries. The GPEN is a coalition of privacy officials from 19 countries, including the United States Federal Trade Commission (“FTC”).
The GPEN report concluded that 60% of mobile apps accessed raised significant privacy concerns based on the following criteria:
- The apps failed to disclose how the apps used personally identifying information (“PII”);
- The apps required users to provide more PII than necessary as a condition to downloading the apps; and
- The privacy policies associated with the apps were provided in too small a font to be read on the screens of mobile devices.
Of the apps examined, the GPEN found that 30% failed to provide sufficient information on how PII would be used by the app providers. In fact, the GPEN report found that many of the apps tested provided no privacy information at all.
Additionally, another 31% of the apps the GPEN examined requested access to PII, including contacts, device ID location, calendar and call logs, in the absence of any indicated reason for why such information would be necessary to use the apps for their advertised purposes. The GPEN report also showed that 43% of the apps failed to make the apps’ privacy policies readable on mobile devices’ smaller screens as compared to on computers.
The most common type of PII requested by the apps examined by the GPEN was users’ geographical locations. Specifically, the report indicated that 32% of the reviewed apps requested geolocation information as a prerequisite to downloading the mobile apps.
The names or providers of the apps the GPEN examined were not identified in its report. Also, the GPEN report did not indicate how it selected the apps that it studied.
The GPEN’s report is significant because it demonstrates the common and growing disparity between legal requirements for privacy disclosures in the United States and elsewhere and how privacy policies for mobile apps should be disclosed. Moreover, the findings in the GPEN’s report likely foreshadow further regulatory enforcement here in the United States by the FTC, as well as action by regulatory bodies outside of the United States.
Recent reports indicate that Google is developing a program that would allow children under the age of 13 to obtain accounts on Google services such as Gmail and YouTube. The Wall Street Journal recently reported that “Google is trying to establish a new system that lets parents set up accounts for their kids, control how they use Google services and what information is collected about their offspring… Google wants to make the process easier and compliant with the rules.” These accounts would allow children under the age of 13 to create their own Gmail accounts and access child-friendly YouTube channels.
The Ninth Circuit affirmed the district court’s decision and concluded that the plaintiff was not bound by the arbitration clause in the online Terms. Although the circuit court reached its decision under New York law, it noted that “both California and New York law dictate the same outcome.”
Trademark use, protection and enforcement are key components to any enterprise, whether startup, growth stage or Fortune 100. Here are some key points that decision makers over marketing should keep in mind.
#1 – Trademark law protects the brand.
Trademarks are intellectual property. The different categories of intellectual property can be confusing, and as you are identifying and evaluating the different legal issues your business faces, you should seek to understand the role that each category plays. That way you can determine where you should focus your resources to cover the organization’s greatest needs.
Every business has trademark issues. Trademark law gives exclusive rights to providers of goods and services to use the company’s distinctive marks in connection with the company’s goods and services. A trademark (or a service mark, collectively “marks”) identifies the source of goods and services. So while the company is the one that may claim rights in the trademark, it is useful to remember that the ultimate reason for trademark protection is to keep members of the consuming public from being confused about where the goods or services come from.
Trademarks differ from other forms of intellectual property. Copyright protects the organization’s creative output. Patents protect inventions. Trade secrets protect commercial know-how that is kept confidential by the company.
#2 – Registration is not necessary, but it is a good idea.
At least in the U.S., trademark rights arise from using the mark in commerce. This means a couple of different things. For one, the law will provide your company with exclusive rights to use a certain mark in connection with certain goods or services by virtue of your having used the mark in commerce in connection with those goods or services. But there are limits to this protection — you can only claim that exclusivity in the geographic area in which you’ve actually used the mark.
Getting a registration with the United States Patent and Trademark Office (USPTO) helps you in this area. Once the USPTO awards your company a registration certificate for the mark, you are the presumed owner of the exclusive rights to that mark in connection with those goods and services anywhere in the United States, regardless of where you have actually done business. A registration carries with it other benefits as well — you can use the “circle R” designation with the mark, and your registration serves to help give notice to (i.e., warn) other companies who might consider adopting the same or similar mark.
#3 – Descriptive words and phrases generally cannot be trademarks.
Trademark law does not allow a company to claim exclusive rights on words or phrases that merely describe the product or some characteristic of it. This is a common issue that companies face when deciding on a mark for adoption and registration. Descriptive terms are good in that they convey to the consuming public what the product is all about. But descriptive terms are to be avoided in that they are not distinctive. Unless a mark is distinctive, the trademark laws do not recognize it as a trademark or service mark. A mark can be “inherently distinctive” in a number of ways. It may be a made up word (e.g., Kodak), “arbitrary” in that the original meaning of the word does not correspond with the products (e.g., Apple for computers), or “suggestive” – sort of describing the product but requiring a step in imagination (e.g., Beautyrest for mattresses). Or the mark can be a design. Descriptive words and phrases can become distinctive over time (usually after 5 years of use). This is known as “acquired distinctiveness.” Generic terms can never serve as trademarks.
#4 – Smart business owners do trademark clearance.
Trademark clearance is the process that a company goes through before actually using or seeking to register a mark. The goal is to become reasonably sure that the use of the proposed mark will not put you at high risk of infringing someone else’s mark. Clearance also helps prevent wasting resources on a trademark application that will get rejected by the USPTO because there is already a similar mark that someone else has applied for or registered.
Clearance usually has a couple of steps. Many companies have their trademark counsel perform “knockout searches” to identify any obvious risks of conflict. This can be as simple as doing a web search and a search of the USPTO database for marks that look and sound the same and are for similar goods or services. Before going all out on adopting and seeking to register a mark, however, it is a good idea to have trademark counsel perform a comprehensive search and advise on the results. A number of parties offer comprehensive search services. The key question in trademark clearance is likelihood of confusion. A mark owner needs to be reasonably sure that using the proposed mark in commerce will not cause confusion among the consuming public as to the source of the goods or services offered under the mark.
#5 – Trademark fair use is a thing.
In some circumstances a company can use another company’s trademark without much risk of infringement. Generally this falls under the heading of “fair use.” Classic fair use is when one company uses another’s mark in just a descriptive sense. For example, a laundromat may say in the text of its advertising that it is next door to Wendy’s. In that case, the use of Wendy’s is probably not an infringement. Nominative fair use occurs when a company uses another mark to describe some characteristic of that mark. A commercial for Toyota, for example, may use the Honda trademark for purposes of comparing the two product lines.
#6 – Use it or lose it. Protect it or lose it.
Trademark rights come from the company’s use of the mark, and there is always a risk that those rights might be abandoned. If a company stops using a mark, a court may find that the organization has abandoned its rights, and another company would be free to adopt and use the mark. The USPTO requires that documents be filed every few years to ensure that marks that are listed as registered remain in use. If a company does not take appropriate steps to ensure its mark is distinctive in the marketplace, it can similarly be found to have abandoned its rights. So mark owners should do some “policing” to see that no one else uses a confusingly similar mark on similar products. If the company discovers such use, it must be diligent in seeking to get the other party to stop, through sending a cease and desist letter or through litigation when appropriate.
Last week, Facebook, Inc. (“Facebook”) announced a major upcoming change, effective November 5, 2014, to its Platform Policies that will affect the vast majority of promotions run on the platform. The announcement introduces a significant restriction on use of the “Like” functionality in connection with promotions (including sweepstakes and contests). Facebook stated its intention is to “ensure quality connections and help businesses reach the people who matter to them” and that it “want[s] people to like [pages on Facebook] because [people] want to connect and hear from the business, not because of artificial incentives.” [i]
Specifically, the following previously permitted practices are no longer allowed as of November 5th:
- “Like-gating” an app (i.e., requiring that an individual “like” a certain page on Facebook before he/she may access an app); or
- Otherwise offering a reward (e.g., a promotion entry or some other tangible or intangible benefit) to incentivize an individual to “like” a page on Facebook. This means that your app for a contest, for example, cannot require users to “like” your page on Facebook before they can access the entry form for the contest.
Marketers may still incentivize individuals to log-in to an app (without requiring that the individual “like” the app), check-in at a place (e.g., by offering a coupon for use at the establishment), or enter a promotion (i.e., by offering a prize in a promotion conducted via a sponsor page on Facebook). This change does not affect other aspects of the Pages Terms that govern promotions. The Pages Terms still provide that promotions may be administered directly via a sponsor page on Facebook or within an app and may not be administered via personal timelines.
[i] Along with the prohibition on “like-gating”, Facebook also announced that “[g]ames which include mandatory or optional in-app charges must now disclose this in their app’s description, either on Facebook or other platforms it supports. . . to give people a clear indication that [a] game may charge people during gameplay.”
Last month, music label Ultra Records and its publisher, Ultra International Music Publishing (referred to generally in this post as “Ultra”), sued popular YouTube video blogger Michelle Phan for copyright infringement. Ultra is a popular dance-music label and its roster of artists includes Kaskade, deadmau5, and Late Night Alumni.
Ms. Phan is a YouTube sensation whose channel currently boasts over 6.75 million subscribers. Her videos offer makeup and beauty instruction, with the most popular installments garnering tens of millions of views. Phan has been featured in an advertising campaign for YouTube and, according to the complaint, has also monetized her YouTube channel in order to earn ad revenue.
Some of Phan’s videos are set in part to music and Ultra alleges that it has identified over fifty videos in which Phan makes unauthorized use of musical compositions and recordings in which it owns copyright. Ultra alleges that the videos featuring its music have been viewed a combined total of more than 150 million times. Ultra is seeking an injunction and either a disgorgement of Phan’s profits and its actual damages or the maximum statutory damages of $150,000 per infringed work. While Ms. Phan has not yet filed a reply in court, her lawyers have claimed publicly that she had permission from Ultra to include its music in her videos.
Though this case is in its nascency, it is a reminder of some worthwhile lessons for those who produce or otherwise deal with content that is subject to copyright law:
- The FTC is concerned that apps are not disclosing consumers’ rights in connection with payments made via mobile devices. Specifically, apps that include the ability to accept or make payments need to disclose the process for resolving payment disputes and the consumers’ rights and liability limits for bad transactions (unauthorized, fraudulent, etc.). The FTC says that consumers do not understand the difference between the automatic liability protections someone might have in connection with the use of their credit or debit card as opposed to lesser protections available for money that might be transferred to the app for use later (similar to a stored value account). Indeed, the protections for unauthorized or fraudulent transactions between those two categories are likely different. The Consumer Financial Protection Bureau is currently in the process of lobbying Congress to extend the legal protections afforded to credit and debit card transactions to gift card and similar transactions. The FTC wants apps to disclose to consumers their potential liability for unauthorized transactions – especially if the liability is different from the normal expectation that most unauthorized credit and debit card transactions receive.
This Wednesday, Heather Nolan will discuss the legal issues related to Gamification. The session is part of the Brand Activation Association’s comprehensive, 6-part webinar series, which has been covering the A-Z must-knows of sweepstakes, contests and games. This week’s session will be helpful to business and legal team members who are interested in using game elements in their promotions. Content will be helpful to those who are new to gamification and need help understanding the basics, as well as those who are seasoned and just want to extend their knowledge. Developed and offered for the first time by BAA’s Sweepstakes, Contest & Games Council, the series pairs industry experts from law firms, agencies, and marketing companies to share their insights and experiences so you can maximize your promotion spending. This week’s session will take place online on Wednesday, July 30th at 2pm ET/1pm CT/11am PT.
On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes. The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were not encrypted. As a result of the consent judgment, WIH will pay a civil penalty of $110,000, attorney fees of $25,000, and contribute $15,000 to funds organized by the Attorney General to support data security enforcement actions and education on the protection of sensitive personal information.
The Attorney General asserted that WIH failed to discover the breach in a reasonably timely fashion. The backup tapes were allegedly transferred off-site during the summer of 2011 but their loss was not noticed until April 2012 and public notice was provided in November 2012. The Attorney General claimed that the delay in detecting the loss resulted from inadequate inventory and tracking of sensitive personal information. In addition, the Attorney General asserts that notification to consumers was delayed because of “deficient employee training and internal policies”.
The WIH consent judgment follows the recent pattern of litigation to implement the Massachusetts data security regulations, 201 C.M.R. 17.00, and the HITECH Act provisions empowering state attorneys general to enforce HIPAA. This is consistent with the consent judgments entered into with Goldthwaite Associates in 2013 and South Shore Hospital in 2012.
Several important lessons may be learned from this recent sequence of enforcement actions.
- The Massachusetts Attorney General will pursue actions under the Massachusetts data security regulations against out-of-state enterprises that handle the personal information of Massachusetts residents. Prior enforcement actions have focused upon Massachusetts-based businesses. Going forward, out-of-state businesses having sufficient minimum contacts with the Commonwealth of Massachusetts should evaluate their data protection practices in order to avoid running afoul of the Massachusetts data security regulations.
- The U.S. Department of Health and Human Services (“HHS”) is cooperating with state attorneys general that wish to pursue compliance enforcement actions under HIPAA. Accordingly, HIPAA covered entities and business associates across the country should note that the states may become a bigger factor in HIPAA enforcement in the future.
- Businesses should maintain appropriate procedures to inventory and track the sensitive personal information that they collect and use. Accurate data inventory can help businesses better identify their security risks and detect anomalous events in a timely fashion.
- Businesses should also take steps to maintain comprehensive procedures for investigating and responding to data breaches. Such procedures help businesses avoid the kinds of delays in public notification that may elevate the concerns of federal and state regulators.
- While encryption is not a panacea for privacy and security issues, there are several circumstances where it can substantially reduce legal risks. The inability to implement physical and other reliable access safeguards makes encryption particularly valuable for protecting electronic media transported outside company facilities.