New York's High Court Weighs In On Scope of CDA 230 Defamation Immunity
Recently the New York Court of Appeals, New York's highest court, held in a 4-3 opinion, Christakis Shiamili, &c., v. The Real Estate Group of New York, Inc. et al., that CDA Section 230 immunity from defamation extends broadly to web sites that perform significant editorial functions on third-party provided allegedly defamatory content.
The decision marks the first time New York's highest court addressed the scope and sweep of Section 230 of the Communications Decency Act, 47 U.S.C. §230, immunity. Not surprising to New Yorkers who’ve dealt with NYC real estate matters or the stereotypical NYC rental agent, the case arose out of the Big Apple's real estate market.
What has surprised some, however, is how broadly NY’s high court apparently ruled CDA Sec. 230 immunity reaches – that websites can’t be held liable for the comments of users even if the host site edits, provides “editorial” heading and sub-headings, or even promotes the defamatory comment supplied by third parties into a stand-alone post for further third-party comment. For those who viewed the Ninth Circuit’s Roommates.com rather controversial decision (Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 521 F3d 1157 (9th Cir 2008)) as signalling a retreat from the previous the high water marks applying Section 230, New York's approach marks an affirmation of previous cases in thought and approach.
Background
In the NY trial court below, plaintiff Christakis Shiamili, founder and CEO of Ardor Realty Corp. (Ardor) filed a complaint claiming defamation and unfair competition by disparagement against the defendants, The Real Estate Group of New York, Inc. (TREGNY) and TREGNY’s COO and his assistant. Both parties are New York city-based apartment rental and sales companies and in direct competition with each in NYC’s highly-regulated rental market.
The driving cause behind the action was the defendant’s website/blog covering the New York City real estate market. Not unexpectedly in such a contentious industry, anonymous commentators frequently pulled out their long knives to slice at various characters, including the plaintiff. One poster, under the name of “Ardor Realty Sucks” alleged using racist and anti-Semetic terms that the plaintiff mistreated employees and other nefarious such dealings.
Where TREGNY managed to get itself on the hook for an online defamation lawsuit that survived the typical trial summary judgment phase of many a CDA 230-cabined case is that TREGNY moved Ardor Realty Sucks’ comment into a stand-alone post, gave it a heading of “Ardor Realty and Those People” with a sub-heading of “and now it’s time for your weekly dose of hate, brought to you unedited, once again, by ‘Ardor Realty Sucks’. [sic] and for the record, we are so. not. afraid” further prefaced by the editorial comment that “the following story came to use as a … comment, and we promoted it to a post.”
Other comments in the related discussion thread stemming from the now promoted Ardor Realty Sucks post added other allegedly defamatory statements: that Ardor was in financial trouble and that the plaintiff cheated on his wife, etc.
In response, the plaintiff posted his own detailed comment and contacted TREGNY’s blog administrator requesting the defamatory statements be removed – TREGNY refused. The underlying lawsuit followed and the defandant’s, not surprisingly, moved under application of NY State’s civil practice rules (CPLR 3211(a)(7)) to dismiss for failure to state a cause of action arguing TREGNY was the administrator and moderator of the website to which anyone could add commentary and not the source of the commentary.
The lower trial court rejected the motion to dismiss, holding Section 230(c)(1) of the CDA did not compel dismissal at that procedural stage of the action as discovery had not commenced and "information as to defendants' role, if any, in authoring or developing the content of the website is exclusively within their possession." Defendant’s appealed as of right to NY’s intermediate appellate court, which reversed the trial court unanimously and dismissed the complaint on the basis that CDA Section 230 immunity insulates online websites in the exercise of traditional publishing functions given TREGNY had not authored the defamatory content at issue. The plaintiff appealed to NY's highest court, which granted leave to appeal.
As the Court of Appeals noted: “Section 230 establishes that, ‘[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider’ (47 USC § 230 [c] [1]), and it preempts any state law -- including imposition of tort liability -- inconsistent with its protections (see 47 USC § 230 [e] [3]).”
After examining the Congressional intent behind Section 230 and various seminal CDA cases granting broad immunity in response (i.e., Zeran v. Am. Online, Inc., 129 F3d 327 (4th Cir. 1997)), the Court noted “Section 230 (c) (1) was meant to undo [] perverse incentives . . . which effectively penalized providers for monitoring content” and stating further “section 230 has ‘two parallel goals. The statute is designed at once 'to promote the free exchange of information and ideas over the Internet and to encourage voluntary monitoring for offensive or obscene material.'"
The Reasoning
With the background established the Court addressed its view of the scope of Section 230’s protections, and as if in response to those who have portrayed the Court’s holding as “sweeping,” stated:
“Today, we follow what may fairly be called the national consensus … and read section 230 as generally immunizing internet service providers from liability for third-party content wherever such liability depends on characterizing the provider as a 'publisher or speaker' of objectionable material. Consistent with this view, we read section 230 to bar "lawsuits seeking to hold a service provider liable for its exercise of a publisher's traditional editorial functions – such as deciding whether to publish, withdraw, postpone or alter content."
The Court did note the issue that “any piece of content can have multiple providers” complicating applying Section 230’s immunity at time since “[i]t may be difficult in certain cases to determine whether a service provider is also a content provider, particularly since the definition of ‘content provider’ is so elastic, and no consensus has emerged concerning what conduct constitutes ‘development’.”
Rejecting the plaintiff’s request that the Court adopt the Ninth Circuit’s Roommates.com’s approach - that a website is a content provider “if it contributes materially to the alleged illegality of the conduct" - the Court concluded it in fact didn’t need to decide whether to apply the Ninth’s Circuit broader view of “development” since while the statement were “unquestionably offensive and obnoxious” Section 230 never-the-less shielded the defendants from liability if the defendants hadn’t provided the content.
Having hacked the applicable law down to size, as it were, the Court then wrapped matters up on the remaining point of whether “the defamatory statements were ‘provided by another information content provider.’” Rejecting the plaintiff’s argument that the defendants should be deemed content providers by the fact that they ran a website that “implicitly encouraged users to post negative comments about the New York City real estate industry” the Court observed “there is no allegation that the defamatory comments were posted in response to any specific invitation for users to bash Shiamili or Ardor.”
As to the various headings, sub-heads, illustration and preface text, the Court concluded, in perhaps the key take away from this case, “[t]he complaint does not allege that the heading or sub-heading are actionable, but only that they ‘preceded’ and ‘prefaced’ the objectionable commentary,” and that there they were not in and of themselves defamatory as a matter of law.
The three judges in the dissent disagreed with the majority's reach, and given that the two parties were direct competitors, opined that while they did “not dispute the adoption of a broad approach to immunity for on-line service providers under the CDA, an interpretation that immunizes a business's complicity in defaming a direct competitor takes us so far afield from the purpose of the CDA as to make it unrecognizable.”
The Takeaway
The primary takeaway is that NY defamation cases against websites where third party comments have allegedly defamed the plaintiff and the CDA is operative are likely to be summarily dismissed, even if the website operators have performed a range of traditional "editorial" functions to the content. While not an iron clad "guarantee" of course, New York's high court has now positively signaled that the scope of Section 230 CDA immunity is to be applied liberally.
Court in Domain Hijacking Case, Reminds Parties: You Can't Contractually Limit Liability in NY for Willful or Grossly Negligence Conduct
As a big fan of the late Paul Harvey, who's signature closing catch-phrase was “and now you know the rest of the story,” there are times that posts analyzing cases, statutes or developments are held until additional information is in. The opinion early this year by U.S. Circuit Judge Denny Chin in the hijacked domain case of Baidu, Inc. et al v. Register.com, Inc., 2010 U.S. Dist. LEXIS 73905 (July 22, 2010) (1:10-cv-00444-DC), proved just such a situation and I waited to see what the defendant's Answer might hold followed by how the parties responded thereafter.
J. Chin's rejection of Register.com's summary judgment motion - allowing Baidu's action to proceed on its claims for breach of contract, gross negligence and recklessness - likely surprised many who've come to view the typical extremely broad limitations of liability language frequently found in today's contracts as near iron-clad protection.
But before examining why the Court reached its decision, a bit of quick background is needed to fully appreciate J. Chin's approach under New York law.
Background
Baidu, Inc. and its affiliate Beijing Baidu Netcom Science & Technology Co., Ltd. (“Baidu”) run the largest search engine in China with a claimed 70% share of Chinese-language search traffic. Baidu had registered the baidu.com domain name in 1999 with Register.com, an ICANN-accredited domain name register, as well as the trademark “Baidu.” All went apparently without incident until earlier this year, when, according to Baidu's complaint, Baidu's domain was hijacked and the domain's DNS info directed to a webpage “depicting an Iranian flag and a broken Star of David and proclaiming 'This site has been hijacked by the Iranian Cyber Army.'” Id.
The steps that led up to the hijacking, as depicted in the complaint and accepted as required by the court's consideration of defendant's FRCP 12(b)(6) motion to dismiss paint quite a picture. In short, the hijaaker contacted a Register.com support agent, and requested that the email address on file (though it's not specified which email address, i.e., tech, billing or admin contact) for Baidu be changed. Register's agent is alleged in response to have asked the hijacker for the security verification information.
The verification information provided by the hijacker was wrong, but Register's agent emailed a verification code to Baidu's actual email address on file, which of course the hijacker could not access. Then, Register's agent asked the hijacker to repeat the code sent to the email address on file. The hijacker responded with a different and incorrect code but Register's agent went ahead and changed Baidu's email address on file to the one requested by the hijacker, antiwahabi2008@gmail.com, which the Court noted used the domain of Google's email, Google being a search engine competitor (implying another potential red flag should have been raised by the proffered email address).
At this point the hijacker was fully in charge of the domain, as once the email address had been change he was able to use the “forget password” feature of most sites (an increasing noted weakness) to have a change password link sent to the new changed email address. With the password changed the hijacker updated the DNS info to re-target traffic from Baidu's actual websites to the “Iranian Cyber Amy” (ICA) website.
As part of its complaint Baidu's alleges that it took more than two hours for Register to begin addressing the problem, and that traffic was fully re-routed to the ICA for five hours with Baidu's operations not fully restored until two days after the initial attack. The result, as the Court notes in echoing Baidu's complaint, is that “Baidu suffered 'serious and substantial injury to [its] reputation and business,' including 'millions' in lost revenue and out-of-pocket costs.” Baidu at *7.
In response to the beach and hijacking, Baidu filed suit against Register.com in federal court in the Southern District of New York claiming seven causes of action: (i) contributory trademark infringement; (ii) breach of contract; (iii) gross negligence; recklessness; (iv) tortious conversion; (v) aiding and abetting tortious conversion; (vi)aiding and abetting trespass; and (vii) breach of duty of bailment. Baidu also asked in its prayer for relief all actual damages, treble damages and punitive damages, in amounts to be determined at trial, along with associated costs, attorneys' fees and expenses.
The Limitation of Liability Clause
Register.com's limitation of liability clause should be very familiar to contracting professionals. Indeed, its language or rough equivalents can be commonly found in a large plurality, if not majority, of online service and other contracts. The actual applicable Master Services Agreement (“MSA”) language, as quoted by the Court, was:
“ You agree that [Register] will not be liable, under any circumstances, for any (a) termination, suspension, loss, or modification of your Services, (b) use of or the inability to use the Service(s), (c) interruption of business, (d) access delays or access interruptions to this site or a service (including, without limitation, to web site(s) accessed by the domain name registered in your name), . . . (f) events beyond [Register's]. . . reasonable control, . . . (j) transactions conducted on a user web site, including fraudulent transactions, (k) loss incurred in connection with your service(s) including in connection with e-commerce transactions, (1) unauthorized access to or alteration of your transmissions or data, (m) statements or conduct of any third party using your service(s), or (n) any other matter relating to your use of the Service(s). [Register] also will not be liable for any indirect, special, incidental, or consequential damages of any kind (including lost profits, goodwill, data, the cost of replacement goods or services, or other intangible losses) regardless of the form of action whether in contract, tort (including negligence), or otherwise, even if [Register] has been advised of the possibility of such damages. In no event shall [Register's] maximum aggregate liability exceed the total amount paid by you for the Services, but in no event greater than five hundred dollars ($ 500). Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, in such states, our liability is limited to the maximum extent permitted by law.”
At first glance this limitation of liability appears extremely strong. The lists of items to which no liability will adhere to in (a) through (n) is wide ranging, followed by a traditional limitation as to any indirect, special, incidental or consequential damages, all topped off by an aggregate maximum dollar limit for damages of $500. Register's language does include a passing head-nod that “some states do not allow the exclusion or limitation of liability for consequential or incidental damage.” Still, nothing in the language addressed potential liability in the face of wilfull acts or gross negligence, though each, arguably, and Register.com likely thought so, could be included in the “not be liable, under any circumstances” language. This said, the “under any circumstances” is, in reality, followed by the unwritten text of “unless prohibited by public policy,” as seen from J. Chin's decision and one that many contracting attorneys tend to forget in the day-to-day wrangling during negotiations over limitations of liability and indemnification language.
The Claims; The Analysis; The Result
As a preliminary point, it's interesting to note in passing that Baidu viewed its primary claim going into the case as one of contributory trademark infringement. The available docket in PACER slugs the plaintiff's Cause [of action] as “15:44 Trademark Infringement,” the Nature of Suit as “840 Trademark,” and the trademark issue was front and center as claim one in its complaint. Obviously strategic decisions in litigation as to what claims to bring, ordering and strength are easily second-guessed by those not on the front line. Yet, J. Chin methodically and in a rather straightforward manner – except for one twist – chopped the contributory trademark infringement count down and dismissed it completely.
The twist is that 15 U.S.C. 1114(2)(D)(iii) provides that a “domain name registrar . . . shall not be liable for damages under this section for the registration or maintenance of a domain name for another absent a showing of bad faith intent to profit from such registration or maintenance of the domain name.” Access to domain name controls could arguably be said to come within “maintenance of a domain name,” but J. Chin said not so fast - drawing distinction between Baidu's account overall and the Baidu.com domain name. Instead he found “while Register's actions arguably concerned the maintenance of Baidu's account with Register, they did not concern the maintenance of Baidu's domain name. Rather, the alleged malfeasance occurred in the context of security protocols and access to an account.” Id. at *21.
Gross Negligence and Recklessness
As to the beach of contract, gross negligence and recklessness claims and Register's limitation of liability defense, J. Chin acknowledged both parties rely on New York law controlling, as provided in the MSA. Under New York law it's settled doctrine that “contractual provisions that 'clearly, directly and absolutely' limit liability for 'any act or omission' are enforceable, 'especially when entered into at arm's length by sophisticated contracting parties.'” Id. at *10 (citations omitted). The Court further recognized that New York courts “generally enforce contractual waivers or limitations of liability.” Id.
However, the New York Court of Appeals (NY's highest court), in a 4-3 decision cited by J. Chin as controlling, affirmed in Kalisch-Jarcho, Inc. v. City of New York, 58 N.Y.2d 377 (1983), available at http://tinyurl.com/3acdj5x, that “an exculpatory agreement, no matter how flat and unqualified its terms, will not exonerate a party from liability under all circumstances. Under announced public policy, it will not apply to exemption of willful or grossly negligent acts.” Id. at 384-85. Moreover, even if such conduct was within the parties' actual or foreseeable contemplation and reflected in the limitation language, the Kalisch court noted that “the policy which condemns such conduct is firm” that any attempted exculpatory language “will be unenforceable.” Id. At 385.
J. Chin noted that later cases have required that “a more exacting standard of gross negligence must be satisfied” when both parties are sophisticated commercial parties, and that intervening criminal action will not, per blackletter law, act as a superseding intervening cause to absolve a party from liability unless unforeseeable. The hijackers alleged acts were not only foreseeable, but key in J. Chin's analysis, who noted that “it was precisely because these cyber attacks are foreseeable that the security measures were adopted [by Register.com].” As a result if Baidu proves gross negligence or recklessness as the case proceeds, the MSA's limitation of liability clause will not bar Baidu's recovery for consequential, indirect, punitive and other damages.
The Take Away
This case is one we'll follow to resolution given the intersection of traditional contract law, negligence, domain name registrars and the reminder, too often forgotten, that relied upon key contract language may be void for public policy reasons under certain circumstances.
The other lessons to take away from the case to date are:
- Carefully check the conduct and circumstances. Whenever faced with a claim, either as a plaintiff or defendant, that may seemingly be short-circuited by broad limitation of liability language review the facts and circumstances carefully. If there's any chance the conduct could be viewed as willfull conduct, grossly negligent or display a reckless disregard for the rights of others under your state's applicable caselaw, be prepared to press or defend the issue that such actions serve to negate the limitation of liability;
- Following procedures is crucial. As the legal defensibility approach spreads (see INFOLAWGROUP partner, Dave Navetta's article The Legal Defnsibility Era is Upon Us), an excessively stringent security procedure could work against you if it's not carefully followed. The recommendation on this issue is to not overpromise when it comes to the processes and procedures that are part of your security program.
We'll continue to watch this case so we get “the rest of the story” and can make sure to bring any interesting points to the fore that you can factor into your own applications. Stay tuned.
New York's Electronic Equipment Recycling and Reuse Act
Little covered other than by environmental and waste industry trade journals, New York's legislature earlier this year passed the NYS Electronic Equipment Recycling and Reuse Act (the “Act”), which was signed into law by Governor Paterson. The Act amended various provisions of the NY Tax Law as well as adding Article 27, Title 26, Electronic Equipment Recycling and Reuse, to New York's Environmental Conservation Law. It contains some potential surprises for manufacturers, retailers and consumers of "covered electronic equipment." The manufacturer's internet website must, in addition to any other required information, provide a listing of locations within New York where consumers may return electronic waste as part of the manufacturer's electronic waste acceptance program. Further, those manufacturers providing computers, hard drives and other "covered electronic equipment" containing internal memory where personal or other confidential data can be stored, must provide consumers with instructions for destroying such data before they surrender the product for reuse or recycling.
The bulk of the Act, effective as of April 1, 2011, serves to impose various new mandates on “manufacturers” [ECL §27-2601(11)] and ”retailers” [ECL §27-2601(16)] geared toward increasingly stringent goals for recycling of “covered electronic equipment” (“CEE”) [ECL §27-2601(5)] , as well creation of associated systems for the collection and recycling/reuse of electronic waste at no cost from consumers under NYS Department of Environmental Conversation ("DEC") oversight. To this end ECL §27-2605 requires manufacturers to register with the DEC, at a one-time cost of $5,000, and supply detailed information on the sales and total weight of CEE sold by the manufacturer in New York.
Manufacturer Requirements:
The Act defines “manufacturers” broadly to include any person or entity that: "(a) assembles or substantially assembles covered electronic equipment for sale in the state; (b) manufactures covered electronic equipment under its own brand name or under any other brand name for sale in the state; (c) sells, under its own brand name, covered electronic equipment sold in the state; (d) owns a brand name that it licenses to another person for use on covered electronic equipment sold in the state; (e) imports covered electronic equipment for sale in the state; or (f) manufactures covered electronic equipment for sale in the state without affixing a brand name.” ECL §27-2601(11).
Excluded from the sweep of "manufacturer" are those persons and entities who sell “less than one thousand units of covered electronic equipment annually” in New York or “whose primary business is the sale of covered electronic equipment which is comprised primarily of rebuilt, refurbished or used components.”
The Act also imposes joint and several responsibility and liability on those that jointly manufacture a product qualifying as a CEE, noting “any such person may assume responsibility for obligations of a manufacturer of that brand under this title. If none of those persons assumes responsibility for the obligations of a manufacturer under this title, any and all such persons jointly and severally may be considered to be the responsible manufacturer of that brand for purposes of this title.” ECL §27-2601(11).
In addition, ECL §27-2605(5)(b) requires a manufacturer, as part of its required electronic waste acceptance program (“EWAP”), to provide “information on how consumers can destroy all data on any electronic waste, either through physical destruction of the hard drive or through data wiping,” while ECL §27-2605(5)(c) mandates as part of the EWAP a public education program to inform consumers about the manufacturer's electronic waste acceptance program, including at a minimum:
"an internet website and a toll-free telephone number and written information included in the product manual for, or at the time of sale of, covered electronic equipment that provides sufficient information to allow a consumer of covered electronic equipment to learn how to return the covered equipment for recycling or reuse, and in the case of manufacturers of computers, hard drives and other covered electronic equipment that have internal memory on which personal or other confidential data can be stored, such website shall provide instructions for how consumers can destroy such data before surrendering the products for recycling or reuse.”
The manufacturer's internet website must also, in addition to any other required information required above, provide a listing of locations within New York where consumers may return electronic waste as part of the manufacturer's EWAP.
Lastly, manufacturers must also maintain records on site to demonstrate compliance with the Act, and make them available upon request by the DEC for a period of three years. See www.dec.ny.gov/chemical/66845.html
For purposes of the Act, “personal or other confidential data” is not expressly defined in the otherwise very detailed definitions section. For example, the definition of “covered electronic equipment” under ECL §27-2601(5), includes a wide variety of equipment, notably all of the following:
- computers [as further defined at ECL §27-2601(2)];
- computer peripherals [as further defined at ECL §27-2601(3)];
- small electronic equipment [as further defined at ECL §27-2601(19)];
- small-scale servers [as further defined at ECL §27-2601(20)];
- cathode ray tubes [as further defined at ECL §27-2601(1)]; and
- televisions [as further defined at ECL §27-2601(21)].
The definition of "covered electronic equipment" expressly excludes a:
“motor vehicle or any part thereof; camera or video camera; portable or stationary radio; household appliances such as clothes washers, clothes dryers, refrigerators, freezers, microwave ovens, ovens, ranges or dishwashers; equipment that is functionally or physically part of a larger piece of equipment intended for use in an industrial, research and development or commercial setting; security or anti-terrorism equipment; monitoring and control instrument or system; thermostat; hand-held transceiver; telephone of any type; portable digital assistant or similar device; calculator; global positioning system (GPS) receiver or similar navigation device; a server other than a small-scale server; a cash register or retail self checkout system; a stand-alone storage product intended for use in industrial, research and development or commercial settings; commercial medical equipment that contains within it a cathode ray tube, a flat panel display or similar video display device, and is not separate from the larger piece of equipment; or other medical devices as that term is defined under the Federal Food, Drug and Cosmetic Act.”
Interestingly, as can be seen above, “telephone[s] of any type” and “portable digital assistant[s] or similar device[s]” are expressly exempted from the definition of CEE. As a result, the mandates of the Act do not apply to any PDAs, cellphones or smartphones, all of today generally can and do contain gigabytes of personal and potentially confidential data. Such devices are, however, otherwise within the scope of the New York State Wireless Recycling Act, effective January 1, 2007, which specifies that all wireless telephone service providers offering cell phones for sale in New York are required to accept at no charge to consumers cell phones for reuse or recycling.
Retailer Requirements:
A different section of the Act, ECL §26-2607, imposes new requirements on "retailers," as defined under ECL §26-2601(16). As of April 1, 2011, retailers of CEE must “at the location of sale” provide buyers of CEE information “about opportunities for the return of electronic waste that has been provided to the retailer by a manufacturer.” ECL §26-2607(1).
All New York “retailers” are flat-out banned by this new section 26-2607 from the sale or offer for sale in New York of any CEE unless the “the manufacturer and the manufacturer's brands are registered with the NY Department of Environmental Conservation” as specified in ECL §27-2605. This is a significant and burdensome requirement on retailers, who have no ability to force manufacturers to conform with the mandates of the new Title 26 of Article 27, other than as may be specified in the parties' supply contracts or purchase order terms and conditions.
In partial recognition of the onerous results that may befall retailers due to this section, sub-section (2) provides a safe harbor of sorts where any CEE purchased by a retailer from a manufacturer who “fails to register by [] [Jan. 1, 2011], or prior to the date the manufacturer withdrew its registration or the registration was revoked by the department” may continue to be sold until 180 days after April 1, 2011 or 180 days from date the manufacturer's registration was withdrawn or revoked. Continued sales of CEE, that may not otherwise be offered for sale in New York pursuant to this section, to retailers or others outside of New York are arguably not effected, as such a blanket ban applied to non-New York parties in interstate commerce could potentially implicate dormant commerce clause issues beyond the scope of this posting.
Penalties:
According to the DEC, the Act “except to the extent otherwise required by law” immunizes manufacturers and the owners/operators of any electronic waste collection site, electronic waste consolidation facility or electronic waste recycling facility from “any responsibility or liability for any data in any form stored on electronic waste surrendered for recycling or reuse, unless such person misuses or knowingly and intentionally, or with gross negligence, discloses the data.” http://www.dec.ny.gov/chemical/66845.html
Manufacturers: However, manufacturers that fail to comply with the data security notification requirements in the Act may receive a civil penalty of up to $1,000 for a first violation; up to $2,500 for a second violation; and up to $5,000 for the third and any following violations within a 12-month period. §71-2729(1)(c)(ii). Manufacturers are also potentially subject to a separate fine of $1,000 per day for any failures to submit required reports, registrations, fees or surcharges. §71-2729(1)(c)(i).
Retailers: Retailers that violate the Act may be fined up to $250 for a first offense; $500 for a second offense; and up to $1,000 for a third and any additional offense within a 12-month period. §71-2729(1)(d).
Owners/operators of a electronic waste collection site, electronic waste consolidation facility or electronic waste recycling facility are liable to $250 fines for each offense of the Act, with no maximum aggregate fine. §71-2729(1)(b).
Finally, consumers who violate the provisions of the Act are subject to a civil penalty up to $100 maximum for each violation. §71-2729(1)(a).
