Technology & Marketing Law Blog: E-Commerce Archives

Technology & Marketing Law Blog

May 09, 2013

Yahoo's User Agreement Fails in Battle Over Dead User's Email Account--Ajemian v. Yahoo

Ajemian v. Yahoo!, 12-P-178 (Mass. Ct. App. May 7, 2013)

This is a very interesting dispute that raises the question of ownership over digital assets after a person’s death.

Plaintiffs, John Ajemian's (the decedent's) executors and siblings, sued to declare his estate owner of email messages he sent and received via his Yahoo! account. Prior to filing suit, they tried to negotiate with Yahoo! to get access to the account, among other things, to notify friends of John’s death and service arrangements, and to organize and administer John’s assets. Yahoo! co-operated in providing basic subscriber information as part of an initial lawsuit, but Yahoo took the position that the Stored Communications Act barred disclosure of the message contents. A probate judge dismissed the complaint, finding that the forum selection clause required the lawsuit to be brought in California. The appeals court reverses.

Were the contract provisions reasonably communicated to the end user: On the core question of whether the online agreement is enforceable, the court says that Yahoo!’s terms should be enforced under the standards of any other agreement. The key question is whether the terms had been reasonably communicated to the end user. The terms had been amended to add a no third-party beneficiary and a “no-survivorship” clause. The court says the record is unclear as to how the initial terms, and the revised terms, were communicated to users. Because of the lack of clarity in the record on this issue, Yahoo! is not entitled to dismissal based on the forum selection clause, or based on other terms that would limit the estate's rights vis-a-vis the account.

Is the forum selection clause enforceable against the administrators?: Even assuming the terms and revisions were adequately communicated to the decedent, the court says that it would be unreasonable to enforce the forum selection clause against his estate administrators. The administrators are not parties to the agreement, which references the singular “you” in describing the counter-party to Yahoo! The decedent was domiciled in Massachusetts, and probate courts in the State of Massachusetts have a strong interest in resolving ownership questions over a resident decedent’s assets. Because the lawsuit involves a narrow issue about the account contents of the account, Yahoo!’s interest in having the lawsuit resolved in California is not as strong as it otherwise might have been (e.g., if the lawsuit was about Yahoo!’s services). The court also says that the forum selection clause is overly broad, and as written requires any suit between a subscriber and Yahoo! to be brought in California.

(The probate judge concluded that Res Judicata barred the second complaint which sought the contents of the email; the appeals court reverses on this question as well.)

An interesting factual backdrop to the case is that as the court notes, one of the administrators actually helped the decedent set up the account and may have even “shared” the account with the decedent. (Unfortunately, he did not remember or have the password.)

The merits are a veritable thicket. Does the Stored Communications Act allow an estate to grant consent on behalf of the decedent? Earlier cases involving Facebook address the waiver issue, but none really resolve it. (Stored Communications Act Bars Disclosure of Facebook Records to Surviving Family Members in the UK; "Court Orders Facebooking Juror to Disclose Additional Facebook Posts--Juror No. 1 v. Superior Court".) There's also the distinction between copyrights in the communications and ownership of the account (i.e., the "chattel"). While the estate probably owns the copyrights to the account contents, this does not mean that it can force Yahoo! to provide access to the account itself.

It's worth looking at what (if anything) Yahoo! could have done differently here.

1. Better contract amendment process: It's tough to say definitively whether the terms of service may be vindicated down the road, but the court’s approach to the terms of service issue reflects a fair amount of skepticism towards online agreements. While the court pays lip service to the fact that online agreements should be treated the same as any other contract, the court engages in some judicial contortion to not enforce the contractual terms. I'm not sure Yahoo! could do much more on this front to change the result here. On the other hand, Yahoo!’s terms contain the unfortunate “we can amend this agreement without providing you notice” language that companies would be wise to avoid.

2. Interplead the contents: Could Yahoo! have deposited the emails in the court’s registry and just have abided by the court’s decision? I'm not sure the Stored Communications Act envisions this, but it's not a great alternative for Yahoo! anyway. On a long term basis, this would mean that it will have some administrative involvement in far-flung jurisdictions.

3. Create a mechanism to allow users to control the fate of their accounts post-death: Google recently offered an “Inactive Account Manager,” that lets people designate what happens to the accounts when they pass. (See Kash Hill’s post: “Will You Use Google's Death Manager To Let Loved Ones Read Your Email When You Die?”.) This sounds like a good solution, although it requires an investment of resources on Yahoo!'s part.

Yahoo! could have, per its terms of service, merely deleted the content altogether, but it took a relatively consumer-friendly approach and preserved the contents. Unfortunately, as a result, it's now embroiled in an ongoing dispute in probate court in Massachusetts.

[image credit: Shutterstock / JMiks - "Login Box"]

Posted by Venkat at 08:52 AM | E-Commerce , Licensing/Contracts , Privacy/Security

May 07, 2013

Crazy SOPA-Like Attempt to Hold International Banks Liable for Pharmacy Spam Fails on Jurisdiction Grounds--Unspam v. Chernuk

[By Venkat Balasubramani with comments from Eric Goldman]

Unspam Technologies, Inc. v. Chernuk, 2013 WL 1849080 (4th Cir. May 4, 2013)

We’ve mentioned “Project Honeypot,” the efforts of a company (founded by Matthew Prince) to track down and prosecute spammers. This lawsuit was ambitious in its scope and suitably quixotic. Like SOPA, it sought to attack pharmacy spam by going after the money.

Unspam (operator of Project Honeypot) and John Doe sued two individuals for pharmacy spam. They also named a slew of international banks who allegedly provided transaction processing services to pharmacy spammers. The banks submitted affidavits demonstrating that they had no activity or customers in the United States, and therefore they should not be subject to personal jurisdiction in the U.S. The district court agreed, granting the banks’ motion to dismiss on jurisdictional grounds. Unspam appealed to the Fourth Circuit.

Unspam fared no better on appeal. In a published opinion, the Fourth Circuit affirms the district court’s dismissal of the banks on jurisdictional grounds:

Not one of the banks directed its business to Virginia or aimed its commercial efforts at customers in Virginia. Indeed, there is no evidence that any drug transactions involving the plaintiffs were connected by intermediaries to these banks. Moreover, even if we were to assume that Doe's purchase was presented by some Internet “pharmacist” to one of the foreign banks for processing through the international Visa network, that transaction still would be too remote an act to justify jurisdiction in Virginia. The transaction would have occurred in the foreign country where the pharmacist presented the Visa charge to the bank, and thereafter, the bank would simply have collected the charge through the Visa network. The foreign bank's relevant activity would thus be localized to the foreign country where it did business, and its only conduct “aimed” from that location would be the transmittal of the transaction into the Visa network. The fact that the transaction ultimately rippled through other countries for the collection of monies would not indicate that the bank purposefully availed itself of the laws of the countries where subsequent transactions occurred..

Plaintiffs also argued that they need not establish jurisdictional facts over the banks because the banks were part of a conspiracy and were subject to jurisdiction based on the acts of co-conspirators. Plaintiffs argued, relying on “blog research and internet searches” that “Canadian Pharmacy” was a trade name for two of the defendants and that Chronopay [described as “the PayPal of Russia”] provided transaction processing services to defendants, with the defendant banks acting as links in the chain. The court says this is mere speculation, and there is no evidence or allegation regarding the transaction(s) involving the doe plaintiff.

Finally, plaintiffs tried to rely on Rule 4(k), which provides personal jurisdiction based on federal claims where the defendant may not be subject to jurisdiction in a particular state, but has minimum contacts with the U.S. as a whole. The court says that defendants do not have sufficient contacts with the United States as a whole for plaintiffs to invoke Rule 4(k) as a basis of jurisdiction.
_____

As mentioned in my post on the district court ruling (Is SOPA's "Follow the Money" Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does), on the merits, plaintiffs' claims were a serious stretch. It’s not surprising that the plaintiffs got zero sympathy from the Fourth Circuit on the jurisdictional issues.
_____

Eric's Comments. The Fourth Circuit reached the logical result in this case. However, I view this lawsuit as a cautionary tale of how close we are to breaking the Internet.

The overzealous war against Internet pharmaceuticals has already taken a half-billion dollar toll on Google and another $40M toll on UPS (yes, the shipping company). In both cases, these intermediaries "agreed" (with the DOJ's axe ready to swing if they didn't acquiesce) to become the DOJ's deputies and police their customers more aggressively. The result is that we now have key cogs in the wheel making legal determinations about the legitimacy of their customers' activities, with zero due process or other oversight of any errors they make make against customers.

This problem only exacerbates as we continually expand the list of potential deputies who should be combating illicit activity online. There is no natural boundary for that witchhunt, and lots of defendants got tossed into the litigation mix and have to spend lots of money defending their conduct (even if legitimate). Worse, any vendor who might be deputized becomes adversarial to their customer base, with the inevitable waste of resources and chilled environment for innovation. For those of you who think that a narrow "follow the money" liability trail as an alternative to more draconian intermediary deputization, I encourage you to review this lawsuit and think carefully if this is the world you want. For more on this, see my six month retrospective of SOPA.
_____

Previous post:

Is SOPA's "Follow the Money" Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does

[image credit: Shutterstock - Matthew Cole - "Illustration of a Honey Bee on a White Background"]

Posted by Venkat at 07:24 AM | Derivative Liability , E-Commerce , Evidence/Discovery , Spam

April 17, 2013

Why You'll Soon Be Paying Sales Taxes on All of Your Internet Purchases--Amazon v. NY Taxation Department (Forbes Cross-Post)

By Eric Goldman

In the 1992 case Quill v. North Dakota, the U.S. Supreme Court said an out-of-state retailer can't be obligated to collect sales taxes from buyers in states where the retailer lacks a physical presence. In those situations, buyers are required to self-report and pay a use tax; however, few buyers make these payments, so state tax revenues depend on getting sellers to collect sales taxes. In their never-ending quest to boost tax revenues, states have been experimenting with ways to work around Quill so the states can capture revenue from out-of-state sellers. A court ruling from New York recently blessed a tricky Quill workaround implemented by New York. That ruling, plus increasing Congressional interest in the issue, virtually ensures that you'll be paying sales tax on all of your Internet purchases soon.

The "Amazon Tax"

State tax officials have been gunning for Amazon for years due to its huge e-commerce revenues and strategic efforts to limit the number of states where it had a physical presence. Starting in 2008, some states have adopted the so-called "Amazon tax," though the tax applies to other similarly-situated online retailers. The tax targets online retailers' affiliate programs, such as Amazon's "Associates" program, where individuals and businesses refer customers to an online retailer in exchange for a share of the revenue generated by those referred customers. [Note: I have been an Amazon affiliate since 2007]. The Amazon tax says affiliates are the legal equivalent of a company's traveling salespeople; and a retailer has a physical presence in states where its traveling salespeople are located. With this nifty trick of redefining what constitutes a physical presence, the tax superficially satisfies the Quill requirements and allows the state to impose sales tax collection obligations on retailers outside the state.

Amazon didn't stand by idly as states started adopting the Amazon tax. In states that proposed an Amazon tax, Amazon threatened to terminate its affiliate program for those state residents; and Amazon carried through with its threat if the tax was enacted, which both defeated the states' efforts to force Amazon to collect sales tax and simultaneously reduced the income of state residents who were Amazon affiliates.

As a result, the Amazon tax isn't guaranteed to pay off for states adopting it. As one opinion piece argues, Illinois' implementation of an Amazon tax was disastrous--the state lost affiliates, companies fled the state, and the new tax generated only about 5% of its promised sales tax revenue. A different report recounts how states adopting the Amazon tax generate far less sales tax revenue from online commerce than they hoped. For example, California will generate a little over $100M/year in online sales tax revenue, not the $1.9 billion/year projected by analysts.

California's Amazon tax adoption proved to be an inflection point in the Amazon tax battles. Consistent with its threats and practices, Amazon initially tossed its California affiliates overboard (including me). Then, in a startlingly change of tune, Amazon committed to building a distribution facility in California. The distribution facility locks Amazon into a bona fide physical presence, obligating it to collect California sales tax regardless of the Amazon tax. After striking this deal, Amazon restored its affiliate program for California residents.

Why did Amazon flip? In part, it's because Amazon wants to offer same-day delivery. To do so, Amazon will rapidly and dramatically expand its network of distribution facilities, which ensures physical presence in those states and makes the Amazon tax in those states irrelevant to it.

The New York Legal Challenge

While Amazon was fighting state legislatures over the passage of Amazon taxes, Amazon and Overstock.com also fought back in court. In 2008, both companies challenged New York's implementation of an Amazon tax. Recently, the New York Court of Appeals (New York's highest state court) upheld the Amazon tax in Amazon.com, LLC and Overstock.com, Inc. v. New York State Department of Taxation and Finance. [The opinion] It's a terrible opinion that will make most advertising professionals cringe at its cluelessness.

So where do Amazon and Overstock go from here? Amazon and Overstock might appeal the case to the Supreme Court, but I doubt the Supreme Court would hear it. Alternatively, Amazon and Overstock could challenge other states' Amazon tax adoptions in other courts. The New York ruling isn't very convincing and doesn't bind other states; but other courts aren't likely to disagree with New York's highest court. Thus, for all practical purposes, I think the New York ruling probably ends the court battles nationwide.

Alternatively, the New York statute says online retailers can prove that their affiliates aren't like traveling salespeople through extensive documentation. Amazon and other online retailers might choose to gather that documentation, but Amazon and Overstock haven't signaled any intention to do so.

Meanwhile, now that the Amazon tax has survived a major court challenge, any state that hasn't already adopted it will likely do so, making the Amazon tax applicable nationwide. When this happens, Amazon and Overstock will have to collect sales tax nationwide, along with other online retailers with big affiliate programs. Eventually, I expect states to further lower the quantitative thresholds of what affiliates are the equivalent of traveling salespeople, such that most online retailers with affiliate programs will have to collect sales tax nationwide.

Online retailers still retain the nuclear option of killing their affiliate programs, just like Amazon killed it in California for a while. There's a decent chance that the New York ruling and the inevitable nationwide proliferation of the Amazon tax will prompt many online retailers to do so, which jeopardizes the entire affiliate marketing industry.

The Next Battleground: Congress

Meanwhile, e-commerce has become such a large share of the retailing pie that Congress can't ignore it. There has been renewed efforts in Congress to impose nationwide sales tax collection obligations for Internet retailers--see the Marketplace Fairness Act (S.336/H.R.684). (The Quill decision doesn't restrict Congress from taking such actions). The Senate recently passed a non-binding resolution supporting the law, and I think its passage is inevitable and increasingly imminent.

Once Congress imposes nationwide sales tax collection obligations, the Amazon tax becomes irrelevant. Just like Amazon restored its California affiliate program, online retailers won't need to shut down their affiliate program if they are already obligated to collect sales tax nationwide. As a result, rather than fight the Amazon tax state-by-state, the affiliate marketing industry might get behind a nation-wide tax collection obligation. Amazon has already endorsed the Marketplace Fairness Act (after all, it wants its competitors to bear the same costs it's incurring).

So who's left to oppose federal legislation imposing sales tax collection obligations? Offline retailers want to close the loophole that allows online retailers to undercut their prices, and Amazon and the affiliate marketing industry both have been coopted. There may be no more strong voices in opposition.

To be clear, the sales tax collection doesn't constitute a new tax. Buyers are legally obligated to pay use tax for items where the seller doesn't collect sales tax. But because so few buyers currently pay the use tax, the imposition of sales tax collection obligations will be the de facto equivalent of a new tax that online buyers--you and me--will pay.

[Photo Credit: Tax increase button on calculator // ShutterStock]

Posted by Eric at 09:02 AM | E-Commerce , Internet History | TrackBack

April 16, 2013

No Claim Based on Perez Hilton’s Publication of Unsolicited but Inflammatory Reader Email – Wargo v. Lavandeira

[Post by Venkat Balasubramani]

Wargo v. Lavandeira, JAMS Arbitration No. 1220041183 (Mar. 24, 2013)

Lavandeira runs the popular Perez Hilton website, which has been involved in its fair share of legal disputes.

In response to an item (presumably about Angelina Jolie—the dispute stems from an event in 2007!) posted by Perez, Wargo sent him the following email:

Perez you are a FAT GAY PIG! Angelina is a ugly whore! You love her because she is a Fag lover! Your brother is a gay little jerk just like your fat ugly ass! MANGELINA is a disgusting gross skank.

The subject line of the email read: “I Hate Skankelina the Homewrecker.” Screen Shot 2013-04-16 at 7.01.51 AM.png The opinion does not disclose any facts indicating that Wargo and Lavendeira had a business or other relationship. [What would prompt a stranger to send such an animated email to Perez left me scratching my head, but to each her own, I guess.]

Perez promptly published the email, along with Ms. Wargo’s email address. Unfortunately for Ms. Wargo, she had sent the above email using her work email address. As a result, executives at the company she worked at “received a flood of angry emails protesting [Ms. Wargo’s] comments.” Wargo’s employer turned around and fired her.

The dispute raised the question of whether Lavandeira’s publication of the email violated the terms of PerezHiton.com website.

PerezHilton.com’s Applicable Terms: The site’s terms provided that if users “post content or submit material” they grant the site a broad license to reproduce and use such content. Separately, the site had a privacy policy which stated that it

respects [the] privacy [of end users] and is committed to protecting it at all times.

A section of the policy talked about what “personal information” the site collected and what it did with such information. Reminiscent of IMDb’s privacy policy, PerezHilton’s policy broadly described information that users “enter on [the] website or give [the] site any other way.” A separate section talked about sharing, and as with IMDb stated that information would be “shared only with or for third-party service providers, business transfers, and to comply with the law, etc.” [This is the arbitrator’s description.]

Discussion: The arbitrator first says that no reasonable person would interpret the site terms to keep the content of the email confidential. Wargo’s email to Lavandeira is exactly what PerezHilton.com is in the business of publishing. Indeed, the terms grant a license to the site to broadly exploit any content submitted to it. Second, the arbitrator says that although the privacy policy provides for some protection for contact information, these protections are aimed at limiting when the site can disclose contact information for direct marketing purposes (i.e., to conform the policy to the requirements of California’s Shine the Light law). The policy also distinguishes between visitors and members of the site. Wargo was a visitor and not a member. Thus, her breach of contract claim fails.

The arbitrator also says that even if the policy somehow safeguarded her information, her breach of contract claim fails for causation. She was fired from her job for violating her employer’s network usage policy, and not for anything Lavandeira did. As a bonus, the court says that her own unclean hands also prevent her recovery.

Wargo brought a variety of other claims, including an invasion of privacy claim, and the arbitrator easily rejects these as well. She had no expectation of privacy in the material she submitted (including her name):

it is not reasonable for a visitor to a gossip website to expect privacy for gossipy submissions.

For similar reasons, Wargo’s claim for outrage and fraud fail as well.

Sigh. When will we learn that unsolicited emails you send people are not subject to some sort of magical audience-blogger privilege that allows the sender to restrict their publication? The arbitrator may have taken the route that the email was not subject to the privacy policy at all, but instead, he reads the policy to impose narrow limitations on what the site can do with contact information it collects.

It's worth noting that the privacy policy in this case was very similar to the policy in Hoang v. IMDb. Given how much legal documents get copied, this is not surprising. I'm not implying that either the lawyers for IMDb or Perez copied anyone else's documents, it's just that certain forms become the standard, and they end up being very widely used. Interestingly, I think the form policy could use some revising, particularly when it comes to distinguishing between various types of information and the various ways it can end up in a site operator's hands. [I'll save my thoughts on this for a separate post.]

This case is somewhat reminiscent of Moreno v. Hanford Sentinel and of course the recently concluded Hoang v. IMDb cases. Both long, drawn out battles involving privacy claims that went to juries where plaintiffs were awarded nothing. (In Moreno, the sole remaining claim that went to a jury was an infliction of emotional distress/outrage claim; still it was privacy-based.) Maybe the takeaway is that damages are tough to prove in these types of situations? If you voluntary put the information out there, it’s tough to muster up jury sympathy based on misuse of the information, at least where there are no clear restrictions in place?

It’s tempting to chalk this up to another loss for privacy plaintiffs but the claims here were unmoored from any sense of what the average person would find actionable. Perhaps I’m biased as a blogger, but it’s unreasonable to think that a blogger won’t share an unsolicited email, particularly one that is so inflammatory. Doubly unreasonable when that blogger is Perez Hilton!

Other coverage:

Eriq Gardner: Perez Hilton Wins 5-Year-Long Dispute Over Publishing Woman's Mean-Spirited E-Mail

Posted by Venkat at 07:11 AM | E-Commerce , Privacy/Security

March 29, 2013

FTC Warns Nordstrom Over Tweetup Freebies

[Post by Venkat Balasubramani]

The FTC conducted an investigation on Nordstrom's marketing and promotion in connection with a “tweetup” held in Boise. Apparently Nordstrom provided free gifts to “influencers”, including $50 gift cards to Nordstrom Rack. [Sadly, I did not receive an invitation to this event.]

The FTC says it was concerned that Nordstrom:

did not tell the social media influencers . . . that, when they posted or wrote about the event, they should disclose they had received gifts for attending.

Nevertheless, it declines to initiate an enforcement action based on a number of factors: (1) the event size; (2) the fact that influencers who posted about the event made appropriate disclosures; and (3) the fact that Nordstrom subsequently revised its social media policy.

Hard to draw much of a conclusion from this, except that the FTC’s watchful eye is always scanning the online landscape. Although the FTC has been active in tackling what it views as problematic endorsements, I’m not aware of an enforcement action involving social media and freebies. It's worth noting that the FTC has been perfectly clear about what it wants brands to do when they hold these types of events, but for some reason, big brands have been slow to grok this.

Other coverage (and h/t): "FTC Declines to “Rack” up Another Enforcement Action After Reviewing Nordstrom’s “TweetUp” Event"

Posted by Venkat at 08:59 AM | E-Commerce , Marketing

March 27, 2013

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

[Post by Venkat Balasubramani]

Yunker v Pandora Media, Inc., 2013 US Dist LEXIS 42691 (N.D. Cal. Mar. 26, 2013)

Pandora has been sued before for allegedly revealing listening preferences, but this is a more run-of-the-mill privacy lawsuit against Pandora. Pandora represents to its users that it will not disclose personally identifiable information to third parties. (The representation is implied as the quoted portion of its privacy policy says that it would share non-PII to third parties.) Yunker claims that Pandora did not de-identify the PII and allowed advertisers to access end users’ PII. Predictably, plaintiff considered the PII to be his property and as having economic value. Separately, plaintiff also alleged that certain Pandora components ate up the memory on his device.

Standing: the court concludes about standing: (1) dimunition in the value of PII is not sufficient to confer standing; (2) the allegations regarding decrease in memory space are insufficient; (3) the prospect of future harm from non-anonyized PII is too speculative; and (4) he has standing to pursue violations of his constitutional privacy rights.

Wiretap Claim: the court dismisses Yunker’s wiretap claim on familiar grounds: (1) there is no interception of any communication (using a separate device); and (2) as the recipient of any communication, Pandora could divulge it without running afoul of the Wiretap Act.

Stored Communications Act: the SCA claim has similar definitional problems. Yunker does not identify anything in “storage” that was wrongly disclosed. Cookies don’t fall within the SCA’s protection for stored communications because they are temporary. Yunker also tried to argue that Pandora provided remote computing services but, other than parroting the statutory definition, he did not identify what Pandora offered that fit within this definition. Although he cited to the discovery ruling in the YouTube case, the court distinguishes this on the basis that, unlike YouTube, nothing is uploaded and stored to Pandora by the user.

CFAA claim: the CFAA claim fails due to Yunker’s failure to allege loss sufficient to satisfy the $5,000 jurisdictional threshold. The court says there are other problems with this claim, but dismisses on the basis of failure to satisfy this element.

State law claims: Yunker’s state law claims also suffer from a variety of deficiencies. He cannot advance a claim under the Unfair Competition Law because he has not lost “money or other property” (and PII is not property); Yunker is not a “consumer” under the CLRA because he has not leased or purchased anything; his contract claim is deficient because he fails to allege damages; his privacy claim fails because Pandora’s conduct does not constitute an “egregious breach of social norms”; his disclosure of private facts claims because no personal/intimate facts were disclosed to anyone; and finally, his trespass and conversion claims also fail.

Yunker has the chance to file an amended complaint, but given the skepticism expressed by the court, his chances of curing the deficiencies are fairly slim.

This is a fairly unsurprising result, and in line with numerous recent cases that have tried to assert claims against networks or companies for failing to anonymize information before disclosing to advertisers. As I mentioned in my post about Hoang v. IMDB, that’s a case where a plaintiff actually has some chance of proving harm. Unless plaintiff comes forward with an “Insider”esque smoking gun, these lawsuits are doomed to fail from the start.

Previous privacy lawsuit against Pandora: Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

[image credit: Shutterstock]

Posted by Venkat at 09:30 AM | E-Commerce , Privacy/Security

March 26, 2013

The Supreme Court's Kirtsaeng Ruling Is Good News for Consumers, but the First Sale Doctrine Is Still Doomed--Kirtsaeng v. John Wiley (Forbes Cross-Post)

By Eric Goldman

Kirtsaeng v. John Wiley & Sons, No. 11–697 (U.S. Supreme Court March 19, 2013). Prior blog post of the Second Circuit ruling in the case.

In Kirtsaeng v. John Wiley & Sons ($JW-A), the U.S. Supreme Court ruled that U.S. copyright law doesn't restrict the importation of legitimate copyrighted works manufactured and sold overseas. As a result, publishers cannot use U.S. copyright law to enforce their price discrimination schemes of pricing copyrighted works on a per-nation basis.

This ruling is a legal victory for U.S. consumers, who should see cheaper prices in the short run. This ruling is also a win for museums, libraries and other institutional collectors of copyrighted works, who face less risk now when acquiring copyrighted works (especially those initially sold overseas). Still, amidst the good news, it's impossible to ignore the rapid and probably irreversible demise of copyright's First Sale doctrine, meaning this legal victory is likely short-lived at best.

What Happened

In 1998, the U.S. Supreme Court decided Quality King Distributors, Inc. v. L’anza Research Int’l, Inc., 523 U. S. 135 (1998), holding that a copyrighted item manufactured in the U.S. and initially sold outside the U.S. could be legally imported back into the U.S. pursuant to copyright's First Sale doctrine (17 U.S.C. 109) and without violating the copyright owner's importation right (17 U.S.C. 602). The Quality King court expressly declined to resolve the much more common situation where the copyrighted item was initially manufactured overseas and then imported into the U.S.

That well-known issue has remained legally ambiguous for 15 years. The 2010 Costco v. Omega case squarely raised the issue, but the court deadlocked at 4-4 (Judge Kagan recused) and didn't definitively resolve the issue, necessitating the court to revisit the issue just 3 years later. The legal interplay between the First Sale doctrine and the importation right vexes the courts because Congress' poor statutory drafting supports at least two different but equally plausible interpretations of its language. Courts often produce inconsistent results and split opinions in those situations.

The Kirtsaeng court concluded that Quality King didn't apply only to copyrighted goods manufactured domestically. Instead, copyright's First Sale doctrine--allowing the unrestricted resale of legitimate copyrighted goods after they are first sold into the market--applies regardless of where the goods are initial made or sold. This means copyright owners can't prevent goods sold in cheap markets from competing with the same goods sold in higher-priced markets. With the emergence of efficient online retail markets such as eBay ($EBAY), a textbook publisher who sells a low-priced book in Thailand won't be able to sell the same textbook in the U.S. market for a much higher price. The pricing gap will allow arbitragers to buy the books in Thailand, resell them via eBay or textbook e-tailers, and still make a profit even after shipping and taxes. Thus, a copyright owner's trans-border price competition with itself will jeopardize the now-common international price discrimination schemes.

Why the First Sale Victory Will Be Short-Lived

It's hard to be too sympathetic to publishers deploying international price discrimination. Culturally, U.S. consumers intuitively oppose price discrimination; and U.S. consumers are paying higher prices due to price discrimination against them. Still, to the extent that price discrimination helps put more money overall in publishers' hands, the current price discrimination schemes (in theory) have been encouraging publishers to publish more content, so without international price discrimination, at the margins some of that content will go unpublished. At least, that's the story copyright owners like to tell.

Don't cry for publishers just yet. Copyright's First Sale doctrine has become increasingly less useful to consumers over the past couple of decades due to changes in technology and business practices, and I anticipate this ruling will accelerate the trend. Some of the ways publishers may strike back without seeking any changes to the law:

Localization. Publishers can localize their offerings for local markets such that different countries' versions can't substitute for each other. For example, if John Wiley releases a Thai-language textbook, it won't be very interesting to most U.S. consumers. Publishers have numerous other ways of localizing copyrighted works (beyond translations) to restrict trans-border substitutability.

Versioning. Publishers can quickly issue new editions of their works that moot prior editions. We're already seeing this in the textbook market. Publishers are increasingly releasing new textbook editions on a 3-year (or even 2-year) schedule to eliminate competition with used books.

"Shrinkwrapping." Instead of relying on copyright law, publishers can try to impose and enforce contract restrictions on resale. It's clear that software can be sold subject to a contract that restricts transfer (see Vernor v. eBay), but it's less clear if the resale of other physical items containing copyrighted works--such as books, CDs or DVDs--can be restricted by copyright law. The seminal Supreme Court case Bobbs-Merrill Co. v. Straus, 210 U.S. 339 (1908) could be read to say that such shrinkwrapped contracts are ineffective, but I consider that issue legally unresolved.

Geographic Coding. Publishers can encode electronic media in geographic-specific technical formats. For example, DVDs currently have "region codes" that do not permit DVDs sold in one region to be played on equipment built for that region.

Tethering/DRM. Increasingly, physical versions of copyrighted works are "tethered," i.e., they require an interaction with a central server to operate. For example, with some videogames and software, consumers need to input an "unlock code" to access the game or software; and the unlock code can be limited to the initial buyer or to a particular machine in a way that restricts transfer. Even textbooks may be subject to tethering if they have an integrated online component, which is increasingly the case.

Even without any of those efforts, the long-term movement from publishing content in physical items to electronic publication has been effectively shrinking the importance of copyright's First Sale doctrine. There is no "digital" First Sale doctrine, meaning that a buyer of an electronic file cannot resell or transfer "possession" of that electronic file under the First Sale doctrine. So as consumers buy fewer physical copies of copyrighted works and more electronic versions, consumers implicitly forego the First Sale rights associated with the physical goods. Plus, as fewer physical goods enter the market, the copyright owner feels less price competition from them.

In addition, copyright owners might assault the First Sale doctrine legislatively. One possibility is that publishers will simply ask Congress to statutorily reverse the Kirtsaeng opinion. More likely, publishers will advance their interests via negotiations over international treaties or Free Trade Agreements (FTAs). Coordinated special interests can game international negotiations more easily than Congress--the publishers have direct financial payoffs from participating in the process, while the interests of consumers, libraries, museums and other "buyers" are more diffuse. Anticipate more publishers showing up at the negotiations, and don't be surprised if publishers overturn the Kirtsaeng decision without ever approaching Congress directly.

So, as a content consumer, enjoy the upcoming price competition while it lasts. The First Sale doctrine is dying rapidly, and we as consumers are becoming poorer as that happens.

Some Related Materials

* In 2010, the High Tech Law Institute at Santa Clara University School of Law held an all-day academic conference on the First Sale doctrine. See the associated symposium issue in the Santa Clara Law Review.

* In 2010-11, the Ninth Circuit issued a troika of First Sale doctrine cases: Vernor v. Autodesk, MDY v. Blizzard, and UMG v. Augusto. In my opinion, the net effect of these cases was irresolute.

[Photo credit: CD/DVD safely backed up by padlock // ShutterStock]

Posted by Eric at 11:18 AM | Copyright , E-Commerce , Licensing/Contracts | TrackBack

March 22, 2013

Another Credit Card Breach Lawsuit Fails – Willingham v. Global Payments

[Post by Venkat Balasubramani]

Willingham v. Global Payments, Inc., 12-CV-01157 (N.D. Ga. Feb 5, 2013) (case later dismissed by the parties)

This is a data breach lawsuit arising out of an incident in which credit card information was purloined from a payment processor. Global Payments, the defendant in the lawsuit, handled transaction processing for merchants. Two plaintiffs sued on their own behalf and on behalf of a putative class. Willingham alleged she noticed fraudulent charges made using her card totaling approximately $1,000. The Hieslers, the other named plaintiffs, made similar allegations. The plaintiffs did not allege whether they were able to get their credit card company to reverse the charge. Plaintiffs assert a variety of state and federal law claims. The court dismisses them all.

Standing: The court engages in a long but ultimately academic discussion on standing. The court says that injury-in-fact requires out-of-pocket loss, and even an unauthorized charge is not necessarily enough:

To sufficiently allege that identity theft actually occurred, a plaintiff must, allege more than fraudulent charges which were removed . . . some further factual allegation, such as that Plaintiff was not reimbursed for those charges or that she incurred fees or other expenses or financial consequences [is required] . . . .

If there is no injury-in-fact, plaintiff may find standing based on future harm only if it is “imminent.” The court says that plaintiffs’ allegations fall short, and also that they are speculative because they depend on the actions of a third party. (The court expresses disagreement with other cases that have held that the risk of future harm is sufficient for standing.) The court also says that plaintiffs’ personal information does not have “inherent monetary value.” (citing to the Facebook privacy litigation and RockYou)

After all this, the court says that it’s preferable to resolve the dispute on the merits than dismiss on the basis of standing.

Stored Communications Act: Plaintiffs argued that Global Payments violated the Stored Communications Act because it knowingly divulged plaintiffs’ credit card information to third parties, by having in place lax authority and allowing hackers to access it. The court debates the issue of whether Global Payments falls under the statute’s definitions of providing an electronic communications service or a remote computing service. Regardless of how this issue shakes out, the court says that Global Payments does not provide a service “to the public” (it deals with merchants). More importantly, it did not “knowingly” divulge any information. At best, it failed to take appropriate steps to safeguard the data, but this does not amount to “knowing” disclosure.

Fair Credit Reporting Act: Plaintiff also alleged that Global Payments willfully and negligently violated the FCRA by failing to implement reasonable security procedures to maintain the confidentiality of plaintiffs’ information. The court rejects this claim as well, saying that under the FCRA, liability in this context only attaches where the covered entity improperly “furnishes” a consumer report to third parties. Here, the court says, Global Payments did not “furnish” the information to anyone.

Georgia Unfair Trade Practices Act: Plaintiffs argued that Global Payments misrepresented the level of security provided and engaged in a deceptive trade practice. The court says that plaintiffs fail to allege reliance on any misrepresentations and failed to allege damages sufficient to support injunctive relief. Plaintiffs also argued that the are entitled to injunctive relief because defendant “farmed out” its obligation to provide adequate security to third parties. Plaintiffs tried to rely on the data breach notification provisions in further support of this argument, but the court says this doesn’t necessarily require notification when an entity delegates its obligations; and in any event, the obligation only applies to the information of residents of the state.

Negligence: A big problem with the negligence claim is that there’s no relationship between Global Papyments and plaintiffs (they are not direct customers). Thus, the court says there is no duty. Plaintiffs tried to rely on the “voluntary undertaking doctrine,” but the court says that the lack of bodily injury or physical harm renders this unavailable. Plaintiffs’ negligence claim was also barred by the economic loss doctrine which limits a party to contractual remedies (where there is a contract) and only allows negligence claims for certain exemplary damages or conduct.

Contract: Plaintiffs’ contract claims fail because they are not third party beneficiaries to the agreements between Global Payments and the merchants. The court also says that there’s no basis for an implied contract—any broad statements that Global Payments would safeguard the underlying data are insufficient to form an implied contract.

Plaintiffs are having a tougher and tougher time in data breach cases. Courts seem to require the allegations of out-of-pocket loss to be unequivocal, and here, the court says that even the allegation of an errant charge is insufficient, absent an accompanying allegation that they were not reimbursed or charged back. A stray case or two seemed to offer a glimmer of hope to these types of plaintiffs, but cases rejecting claims keep piling up. If you can't cobble together a claim when your credit card information has been compromised, I wouldn't be very optimistic, in general, as a data breach plaintiff.

Data breach notification laws also do not seem to offer much help to plaintiffs. Granted, plaintiffs only presented their claims under the data breach statute obliquely, in order to support their unfair competition claims, but I can’t think of many cases where consumers were able to recover damages based on an entity’s alleged failure to provide timely notice or otherwise comply with a notification statute.

Federal statutes similarly do not offer much help. From the beginning, early data breach plaintiffs have tried many different variations of federal privacy statutes, but none have really stuck. I thought plaintiffs were creative here with their invocation of the FCRA, but the court rejects this as well.

Although the results in these cases may make sense, courts do engage in some doctrinal contortion to get there. As such, appellate relief is possible. (Again, while a few cases have offered slight rays of sunshine to these types of plaintiffs, none have truly opened the door.)

Other coverage:

Magistrate recommends lawsuit against global payments should be dismissed

[image credit: Sutterstock/budiadiliansyah: a programmer work at night to be a cracker]

Posted by Venkat at 07:00 AM | E-Commerce , Privacy/Security

March 19, 2013

IMDB's Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon

[Post by Venkat Balasubramani with a comment by Eric]

Hoang v. IMDb.com, C11-1709MJP (W.D. Wash. Mar. 18, 2013)

We’ve blogged about this dispute—involving an actress’s attempt to hold IMDb liable for publishing her age against her wishes—before. The court recently denied the parties’ motions for summary judgment, setting the case up for a trial.

Background: The court discusses some of the factual background on how IMDb decided to “disclose” Hoang’s age information, and this is somewhat damning to Hoang. Apparently, she signed up without including her age, but later used her friend’s account to submit an incorrect birthdate (1978 instead of 1971). She then decided that she no longer wanted this date on her profile and followed up with IMDb in an attempt to get this error fixed. She even sent IMDb a scanned copy of a fake Texas identification, but none of this had the intended effect. Eventually, she emailed IMDb and asked it to:

Go back on your files and see if you have any documentation, verification, or identification that [her] birthdate [was] in 1978.

In response to her email, a customer service manager accessed information from IMDb’s database containing “pro” registration details. He found Hoang’s legal name. He then searched for her name in “PrivateEye,” a public records database, and ascertained that her birthdate was in 1971. He directed IMDb to update her profile to include the correct birthdate.

Hoang continued to lobby IMDb to change the birthdate:

press[ing] ahead with her false information campaign, sending IMDb links to her fake passport to ‘collect/delete [her birthdate]' . . . .

She sought summary judgment on her then-remaining claims for breach of contract and violations of the consumer protection act. Amazon and IMDb both sought summary judgment as well.

Amazon is entitled to dismissal: The court dismisses Amazon because there is no evidence that it was involved in the decision-making of IMDb (a separate entity). Hoang asserted a variety of arguments, including that the customer service manager listed Amazon along with IMDb on his LinkedIn profile, but none were sufficient to overcome the general rule against holding a parent liable for the acts of its subsidiaries. The court notes there is no evidence that the two entitles shared databases.

Unclean hands: IMDb argued that Hoang should be barred by the doctrine of unclean hands. The court rejects this argument, noting that her unclean hands played no part in acquiring the rights at issue.

Breach of contract: The court rejects summary judgment on the key issue of whether IMDb breached the terms of the privacy policy by updating Hoang’s birthdate information. The privacy policy provided that IMDb would use “the information [end users] provide for such purposes as responding to [users’] requests.” The court says that a jury could conclude that IMDb was responding to her requests in searching its files and updating her information. The court cites to an (all caps) email from Hoang that exhorted IMDb to:

GO BACK ON YOUR FILES AND SEE IF YOU HAVE ANY DOCUMENTATION, VERIFICATION, OR IDENTIFICATION THAT MY BIRTHDATE IS IN 1978. IF YOU DO, PLEASE EMAIL IT TO ME BECAUSE I’M CURIOUS TO SEE WHAT YOU’RE GOING OFF OF. IF YOU DON’T FIND ANY PROOF ON RECORD, PLEASE DELETE IT BECAUSE I KNOW THAT 1978 ISN’T MY DATE OF BIRTH

Damages: The court addresses Hoang's damages.

First, the court nukes the limitation of damages contained in IMDb’s term of service. [Ouch.] Its terms of service excluded consequential and exemplary damages, and capped liability to the amount of any fees paid to IMDb in the year prior to the claim. These provisions operated only in favor of IMDb, and the court says these provisions effectively result in a situation where no attorney would want to take a case alleging a violation of IMDb terms.

Second, the court says that Hoang can seek the following damages: (1) nominal damages; (2) direct losses; and (3) career damages. Emotional distress damages are not available in contract cases. The court also rejects her attempt to claim damages in the form of diminution to the value of her property (her personal information). On the other hand, the court does reject IMDb’s argument that no reasonable jury could conclude she has been damaged.

CPA claim: The consumer protection act claim turned on whether this was part of a pattern or likely to recur. If it’s an isolated one-time dispute between these two parties, then there’s no public interest. As part of her argument that this was part of a pattern, Hoang presented evidence that IMDb accessed the PrivateEye database over 20 times. However, IMDb came forward with evidence that each of these instances of access involved searches based on public record or publicly available IMDb information.

This is a super interesting dispute. We should be excited at the prospect of trial. Unlike the numerous class action cases we blog about, this presents the situation where a single plaintiff has an opportunity to present evidence to a jury that a company’s misuse of her information has resulted in damages.

Of course, the court’s “unclean hands” discussion is not particularly flattering to Hoang, and the fact that all of this was precipitated by her initial inclusion of incorrect information and subsequent attempts to “correct” this information doesn’t make her look good. That’s setting aside the fact that she’s complaining about IMDb’s publication of her information that only disclosed her accurate date of birth to prospective employers. [We've seen another instance or two of privacy plaintiffs being subject to the harsh light of scrutiny, so this is not surprising.]

Other items of interest in the ruling:

- databases are a treasure trove of information, as demonstrated by the fact that IMDb obtained her birthdate from a public database
- it’s sort of a reminder of how de-anonymization isn’t always effective (or can often be circumvented or reverse-engineered)
- the PII as valuable information argument doesn’t seem to resonate
- it's always interesting to see a terms of use get axed by court--I would say a one-way limitation is fairly typical in these types of agreements, but the decision illustrates that they are by no means safe

I’m excited to see this case go to trial. I fear that the court’s ruling effectively steers the parties towards settlement, but if it goes to trial, I’ll make sure to attend and report back (since it’s in Seattle).
___

Eric's Comment. The court has nicely teed this case up for settlement. Without the contract risk provisions, IMDB doesn't want the damages exposure. And Hoang runs the real risk of a jury negatively reacting to her serial incidents of deception. A small check from IMDB to Hoang should be in both parties' interest.

Other coverage:

Actress' Lawsuit Against IMDb for Revealing Her Age to Proceed to Trial
Actress’s Suit Against IMDb for Publishing Her Actual Age Can Go to Trial

Previous post:

Actress Suing IMDB Can Assert Claim Based on Privacy Policy – Hoang v. Amazon.com, Inc.

Posts on data breach cases:

Posted by Venkat at 03:35 PM | E-Commerce , Privacy/Security

March 14, 2013

Court Rejects Attempt to Hold Software Company Liable for Surveillance Conducted by Its Customer – Luis v. Zang

[Post by Venkat Balasubramani]

Luis v. Zang, 12 cv 629 (S.D. Oh. Mar. 5, 2013)

Divorces have spawned some of the most interesting privacy disputes, such as the cases involving whether GPS surveillance of a vehicle violated one spouse’s privacy rights and whether accessing webmail using a shared computer constitutes a violation of privacy laws. This particular case involved the use of “WebWatcher” software that ostensibly allows people to monitor the computer-related activities of individuals. We blogged on a separate matter involving this divorce (see “Lawyer Who Advised Brother-in-Law Regarding the Use of Spyware on His Wife Disqualified in Ensuing Privacy Dispute”), but this particular lawsuit is one of a three lawsuits spawned out of the divorce; two of which were filed by Javier Luis (against a variety of defendants) relating to the monitoring of his communications with Cathy Zang:

[a]lthough Plaintiff alleges that he has never met Cathy Zang in person, he alleges that he virtually met her, via a "Metaphysics" internet chat room, in January or February 2009 (Doc. 39, P 15). Shortly thereafter, Plaintiff alleges that he began to have "daily" communications, in the course of a "caring relationship" with Ms. Zang via the telephone and computer.

[Zang filed a separate lawsuit as well.] The key question before the court is whether Access Technologies, maker of WebWatcher, can be held liable for the monitoring activities conducted by its customer.

Whether WebWatcher ‘Intercepts” Communications: The court struggles with several semantic questions surrounding whether there has been an ‘interception’ as defined by the wiretap statute: (1) is information captured instantaneously; (2) is the information captured transmitted locally; and (3) is the information re-routed. The court rejects Access’ argument that there has been no interception, noting that the facts at this stage indicate a near-instantaneous capture and re-routing of information to a remote location.

Can Access be held liable for its customers’ conduct: Even assuming an interception occurred, the court says Luis’s claims fall short because remedies are only available against the individuals that “intercepted, disclosed, or intentionally used” communications in violation of the statute. The court says that the statute does not contemplate imposing civil liability “on software manufacturers and distributors for the activities of third parties.” While there is a provision of the statute that prohibits the "[m]anufacture, distribution, possession, and advertising [of devices” that can be used for interception]," (and imposes criminal liability for this activity) the court says that the civil remedies provision does not extend to this part of the statute.

The court also dismisses the litany of state law claims brought against Access (invasion of privacy, infliction of emotional distress, “bullying and harassment”) on the basis that Access did not have any knowledge of Mr. Zang’s use of the product and was not a party to any agreement that involved unlawful interception of communications. (The court does not mention Section 230, but that sounds like a fairly plausible basis for rejecting the state law claims as well.)
__

Although the two cases analyzed slightly different statutory provisions, this dispute is reminiscent of the SpectorSoft case, where a federal district court in Tennessee held that an ex-spouse could not assert federal or state law claims against the company that made monitoring software. In SpectorSoft, the court focused on whether the disclosure of communications was knowing or intentional. In this case, the court says there was an interception, but says that liability for the interception does not extend to third parties. Either way, the result is the same: in the garden-variety case, it's difficult to hold the software developer liable for interceptions effected by customers and clients. This decision reaffirms what is a fairly helpful result for developers of these types of software providers.

As far as derivative liability goes, both with respect to the Wiretap Act and the Computer Fraud and Abuse Act, plaintiffs have fared poorly in holding third parties liable for the actions of the people who actually did the monitoring, intercepting, or accessing. Courts have been reluctant to extend the reach of these statutes to third parties who did not directly participate in the allegedly wrongful activities themselves.

It's worth flagging that in addition to lawsuits from private parties, these software providers also have to worry about FTC actions. As noted in this 2008 Wired article, the FTC shut down the websites of a company that sold 'DIY spyware'.

[image credit -- kar/shutterstock: eyeball spy catcher]

Posted by Venkat at 10:25 PM | Adware/Spyware , E-Commerce , Privacy/Security , Publicity/Privacy Rights

March 07, 2013

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

[Post by Venkat Balasubramani]

In re LinkedIn User Privacy Litigation, 2013 WL 844291 (N.D. Cal. Mar. 5, 2013) [pdf]

LinkedIn suffered a data breach in 2012. Someone allegedly posted 6.5 million passwords and email addresses from LinkedIn users on the internet. Screen Shot 2013-03-07 at 9.23.47 AM.jpg Shortly after the password dump, LinkedIn announced that it switched encryption and would store passwords in a more secure encrypted format.

Plaintiffs predictably sued. The two named plaintiffs (in a now-consolidated lawsuit) were LinkedIn “premium” users, which meant that they paid a monthly or yearly fee for upgraded services. One of the plaintiffs alleged that her password was posted online, but the other did not. They sued on behalf of a putative class, consisting of all premium account subscribers. They also asserted claims on behalf of a subclass consisting of individuals whose information was compromised by the data breach. Plaintiffs pointed to language in LinkedIn’s privacy policy as evidence that LinkedIn had misrepresented the level of security for the storage of user passwords:

All information that you provide will be protected with industry standard protocols and technology.

In a short 8 page order, Judge Davila says plaintiffs lack standing. Plaintiffs proceeded based on a “benefit of the bargain” theory because they were paying customers, but the court found several problems with this theory.

First, there is no plausible allegation that plaintiffs paid money to LinkedIn in exchange for any enhanced security services. In fact, the privacy policy and levels of security were expressly the same for paying and non-paying users. As the court notes, the purchase of a premium account is “actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn’s services.”

Second, plaintiffs failed to allege reliance on any alleged misrepresentations—they did not allege that they read the privacy policy.

The court also says that the cases where plaintiffs asserted claims for insufficient performance have required plaintiffs to allege “something more” than merely overpaying. For example, damages based on identity theft would constitute something more, but neither plaintiff alleged any damages in this category.

One of the plaintiffs separately raised the argument that she suffered injury by virtue of her information being posted online, but the court also rejects this theory:

Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identify theft or theft of her personally identifiable information.

Plaintiffs’ failure to sue on behalf of a subclass that actually suffered out-of-pocket loss as a result of their information being posted online is telling, and probably spells the end of this lawsuit. Although they have a chance to amend, the court appears fairly hostile to plaintiffs’ claims.

The lay of the land for data breach lawsuits has not changed much. The overwhelming majority of plaintiffs lose, either on the basis of standing or the merits. In either scenario, the underlying rationale is the same: no out-of-pocket losses equals no cognizable damages.

The plaintiffs here tried a different tack that a few other plaintiffs have also tried: as paying customers, they asserted contract-based claims and claims for misrepresentation. Like earlier plaintiffs, these plaintiffs were also unsuccessful, at least on the first round. Early indications from these cases are that the “benefit of the bargain” argument is unlikely to be successful in the typical data breach case.

It's worth noting that dodging a civil lawsuit does not mean that LinkedIn may not come under fire from the FTC for its representations. More than one company has gotten into trouble over flowery language in its privacy policy about security that did not match up with actual practices.

Other coverage:

(Threat Post): LinkedIn Data Breach Lawsuit Dismissed

Posted by Venkat at 09:31 AM | E-Commerce , Privacy/Security

March 01, 2013

Amazon's Merchandising of Its Search Results Doesn't Violate Trademark Law (Forbes Cross-Post)

By Eric Goldman

Multi Time Machine, Inc. v. Amazon.com, 2013 WL 638888 (C.D. Cal. Feb. 20, 2013). The complaint.

No retailer does a better job of cross-selling to its customers than Amazon.com ($AMZN). Amazon is quite effective at exposing customers to complementary—and competitive—goods along with the products a customer initially considers. Many of us have had the experience of going to Amazon to buy one thing but checking out with a huge shopping cart of items that we didn’t initially seek—or even know were available. Amazon’s merchandising often benefits Amazon’s customers, but trademark owners who lose sales to their competition due to it aren’t as thrilled. Fortunately for Amazon, a California federal court recently upheld Amazon’s merchandising practices in its internal search results.

The Case

The plaintiff is Multi Time Machine (MTM), which makes expensive "military and tactical" watches and tightly controls its distribution channel to prevent resales on Amazon. When Amazon customers searched within Amazon’s internal search engine for “mtm special ops” (the name of one of MTM’s watches), Amazon’s search results page didn’t contain any results for MTM watches due to MTM’s distribution control (see screen shot). Instead, the court says, “all of the watches retrieved by Amazon belong to MTM’s competitors, in particular Luminox and Chase-Durer.”

In other words, Amazon merchandises its customers. In this case, because it doesn’t carry the products requested by customers, it suggests alternative options. We could analogize Amazon’s search results to a retailer’s store shelves. Following this analogy, when a customer walks into Amazon's store and asks where MTM watches might be found, the only thing they find on the store shelves are watches that Amazon thinks are comparable to MTM watches.

MTM sued Amazon for trademark infringement. Note that this is not a typical trademark lawsuit, where a trademark owner sues a competitor for copying its trademark too closely. Instead, this is a trademark owner-vs.-retailer lawsuit for merchandising competitors' items. Trademark law wasn’t built to handle lawsuits like this, and the typical multi-factor test courts use to evaluate consumer confusion doesn't make sense when applied to litigants at different levels of a distribution chain.

As I explain in my Brand Spillovers paper, we almost never see merchandising-related trademark owner-vs.-retailer lawsuit in the offline world, even though offline retailers engage in such activities frequently, such as:

* retailers often adopt vendor-submitted shelf design plans (a planogram) that shows the relative position of both the vendor's products and its competitors’ products;

* retailers charge vendors "slotting fees" to place their products on store shelves next to the competitors’ products;

* Catalina Marketing’s competitive couponing system monitors customers' buying activities and triggers competitors' coupons at the checkout stand.

In my research, I could find few—if any—lawsuits where trademark owners challenged these practices in the offline world. Yet, we regularly see legal challenges like this in the online world. Why the difference? In my Brand Spillovers paper, I argue it’s due to Internet exceptionalism.

Fortunately for Amazon and other online merchandisers, MTM’s lawsuit goes nowhere. The court sidesteps the thorny “use in commerce” question (compare Habush v. Cannon, which I blogged about yesterday) and instead rules that Amazon doesn’t create a likelihood of consumer confusion about the watches' source. The court hews closely to the Ninth Circuit’s important 2011 ruling in Network Automation v. Advanced Systems Concepts, another example of how that case has helped defendants.

The court’s central point is that Amazon’s search results page clearly explains what it’s doing to consumers. These labels and disclosures reduce the likelihood that consumers are confused when reviewing the results page. The court provides an illustrative analogy:

the instant situation does not appear to be a case of palming off in the traditional sense. It is akin to the consumer asking for a Coca-Cola and receiving a tray with unopened, labeled, authentic cans of Pepsi-Cola, RC Cola, Blue Sky Cola, Dr. Pepper, and Sprecher Root Beer, and a copy of Coca Kola: The Baddest Chick, by Nisa Santiago. This is a substitution, but given the context it is not infringing because it is not likely to confuse.

Implications

Because the opinion only deals with Amazon’s internal search engine, the court doesn’t explicitly address search results pages at general-purpose search engines like Google ($GOOG) or Bing. Still, this opinion probably applies to those pages as well. Google, Bing and other search engines routinely merchandise their customers by automatically reinterpreting search queries, suggesting other useful search terms (like a “Did you mean….?” prompt), displaying links to sister properties, and displaying sponsored links/ads such as Google AdWords. This case suggests that so long as viewers understand the relationship between their search query and the search results page, search engines should not suffer actionable trademark infringement based on those pages. Over the past decade, Google has largely achieved that legal conclusion via its many court battles, but this ruling will help if Google has to defend the likelihood of consumer confusion question again.

While trademark owners may be frustrated by the exposure their competitors get when retailers and other intermediaries merchandise their prospective customers to alternative offerings, we as consumers want—and expect—online intermediaries like Amazon and Google do such merchandising to help us achieve our goals. Although the court doesn’t get into the pro-consumer and pro-competition benefits of its ruling, undoubtedly the ruling is a win for both.

Posted by Eric at 07:38 AM | E-Commerce , Search Engines , Trademark | TrackBack

February 05, 2013

California Supreme Court: Retail Privacy Statute Doesn't Apply to Download Transactions – Apple v Superior Court (Krescent)

[Post by Venkat Balasubramani with comments from Eric]

Apple v. Superior Court ex rel Krescent, S199384 (Cal. Sup. Ct. Feb. 4, 2013)

In a divided ruling, the California Supreme Court held that California’s privacy statute restricting retailers from collecting personal information as part of credit card transactions (the Song-Beverly Credit Card Act) does not apply to online sales of downloadable materials.

Plaintiff was an apple customer who purchased digital goods. He alleged that Apple collected both a street address and a telephone number while accepting credit cards, and that neither data category fell under the statutory exception for the collection of information. The statutory scheme is set forth in section 1747, et seq., and had most recently been applied by the court in Pineda, where the court found that collection of a zip-code by a bricks and mortar retailer violated the statute. While the statute provides for several exceptions allowing the collection of some personal information during credit card transactions (certain types of transactions; when the retailer is “contractually obligated” to collect the information; transactions at the pump), none of those statutory exceptions explicitly applied to an online sale. The statute also provides for the collection of a driver’s license or “positive identification” but where the customer does not make the card available on request.

Majority opinion: the majority says that the statute—which pre-dated online commerce—does not provide a clear answer. However, the court says that the legislature was concerned with consumer privacy, but also built in flexibility to allow merchants to take fraud control measures. The court also says that fraud control mechanisms that are available to bricks and mortar retailers (e.g., inspecting the customer’s ID) are not available to online retailers. Accordingly, the court says:

[w]e cannot conclude that if the Legislature . . . had been prescient enough to anticipate online transactions involving electronically downloadable products, it would have intended section 1747.08(a)’s prohibitions to apply to such transactions despite the unavailability of section 1747.08(d)’s safeguards.

Plaintiff acknowledged that Apple could at least require his address as a verification mechanism and that Apple's collection of this information does not clearly fall under any statutory exception. In fact, the statute says that the address is a type of identification that retailers are not allowed to collect, unless incident to fulfilling the transaction (which does not apply when a download is involved and there is nothing to ship).

Plaintiff also argued that a 2011 amendment (excluding the collection of zip-codes in pay-at-the-pump transactions) shows that the statute overall applies to online transactions. According to plaintiff, this narrow exception would only be necessary if the statute applies to all remote transactions. The court says no. The amendment was enacted in response to Pineda, which held that zip-codes were personal information, and to insulate gas stations who had been collecting this information for ages, under the mistaken belief that it was not prohibited by the statute.

Finally, the court points to other legislation as adequately protecting plaintiffs. The California Online Privacy Protection Act is, according to the court, a good backstop for regulating the transfer of consumer information in online transactions. Similarly, the TCPA also offers some protection against unsolicited telephone calls.

In closing, the court says that in light of the legislative purpose and structure of the statute, it’s not clear that it applies to online sale of downloads. Obviously, if the legislature wants, it can revisit the issue.

Justice Kennard: Justice Kennard tees off on the majority’s internet exceptionalism and says this is what is driving the conclusion. He is particularly unpersuaded by the fact that the transaction should be treated differently because it is a “card not present” transaction, saying that these transactions (mail order) existed well before the internet, and the legislature did not build in any exceptions for mail or telephone into the statute. Justice Kennard also says that sellers of downloadable products can take preventative measures against fraud. They can record the buyer’s driver’s license number or other ID number. They can also collect personal identification if “contractually obligated” to do so.

Justice Baxter: Justice Baxter also dissents, saying that applicability of the statute to online retailers flows from the statute, isn’t absurd, and promotes the legislative objectives. Justice Baxter says that the purpose of the statute is to protect consumer privacy, and to the extent there is any anti-fraud purpose behind the statute, it’s to protect consumers, and not retailers, from fraud. Justice Baxter also focuses on mail order and telephone transactions and says that there’s no reason why the legislature would intend these transactions to not be excluded but somehow intend internet transactions to be excluded. He also says that whether the information was collected for fraud protection purposes is a factual matter anyway that shouldn’t be resolved against plaintiff on a demurrer. Finally, Justice Baxter says that California’s Online Privacy Protect Act does “nothing to restrict an online retailer’s use of a consumer’s personal identification information . . . .”
__

This lawsuit vaguely brings to mind the debate about FACTA's credit card receipt truncation requirements and whether these applied to online transactions (answer: no). As meritless as these lawsuits may seem, I have to admit that the dissents made some pretty good points. The majority's statutory interpretation seemed tortured. In particular, the fact that remote transactions have pre-dated the internet, would (to me) point to the fact that the lack of an express carve-out in the statute for online transactions means that these transactions would be presumed to be covered. Also persuasive was the argument that even if the address is justifiable as a fraud-prevention mechanism, the phone number not so much. (As a sidenote, online retailers deal with a set of byzantine rules when it comes to fraud prevention and for the most part are on the hook for fraudulent transactions.)

Interestingly, the majority cites to California's online privacy statutes as a backstop that offers protection to consumers, but judicial interpretations of harm, or lack thereof, have rendered those statutes as ineffectual weapons--at best--in the hands of consumers. (See, e.g., Boorstein v. Men's Journal.)

Although other federal courts and lower state courts have declined to apply the statute to online transactions as a whole, the court's opinion here repeatedly mentions downloadable transactions. It's interesting that the court did not take the extra step to just exclude online transactions as a whole. As Eric notes below, this is a fairly narrow holding.

I would chalk this decision up to a dose of internet exceptionalism coupled with distrust towards privacy class actions that are based on statutory causes of action. It puts the ball squarely in the legislature's court.
____

Eric's Comments

Although the dissents and the media coverage have tried to play up the importance of this ruling, it's actually a pretty narrow ruling. The majority opinion says that the Song-Beverly statute doesn't restrict the collection of personal information during credit card sales of downloadable files. That's all it does. Plus, the personal information in those transactions may be regulated by dozens of other statutes, legal doctrines, industry guidelines, contracts and technology. So saying this statute doesn't apply to these limited transactions hardly opens up a huge privacy hole. The majority opinion made this point and the dissents basically ignore it--to their detriment.

It's easy to criticize the California Supreme Court for its messy decisions here (their debates about technological facts were wince-inducing--they reminded me of their embarrassing Intel v. Hamidi debate about what an "intranet" is), but the California legislature is really the one to blame. Simply put, the Song-Beverly Act is a terrible piece of legislation. Among other reasons:

* the act was a specific solution to a specific problem. The act bans certain common retailer practices from the 1980s. But obviously retailer practices evolve over time, requiring constant legislative attention to address new practices. When that doesn't happen (i.e., always), those laws don't age well. This would have been a great statute to contain a sunset provision that forced the legislature to revisit it after a certain length of time.
* worse, the act encodes unexpressed assumptions about credit card technologies and retailer practices. Not surprisingly, judges have a tough time dealing with legislation like that.
* worst of all, the law has a private right of action, ensuring that lawyers would gang-tackle hyper-technical violations of the act where no consumer actually suffered any harm. Case in point: tell me exactly how Apple's consumers are harmed by providing their address/phone number when making an iTunes purchase? It's possible to come up with some make-weight arguments about possible future harm, such as an increased risk of identity theft, unwanted personal tracking, or possible future telemarketing/junk mail (but what does Apple say about this in its privacy policy?). But has anyone today experienced actual harm from the practices subject to the lawsuit? If not, why was this case brought?

Overall, I see Song-Beverly litigation as just one class in the superset of stupid privacy litigation, designed to advance the interests of the lawyers, not the interests of the class of consumers they purportedly represent. I've criticized this phenomenon in my The Irony of Privacy Class Action Litigation article.

____

Posted by Venkat at 02:45 PM | E-Commerce , Privacy/Security

January 11, 2013

Top Ten Internet Law Developments of 2012 (Forbes Cross-Post)

By Eric Goldman

I'm pleased to share my list of top 10 developments of 2012:

#10: The Push Towards Anti-Class Action Arbitration Clauses. In 2011, the U.S. Supreme Court ruled in AT&T Mobility v. Concepcion that businesses may be able to adopt mandatory arbitration clauses that ban customer class-action lawsuits. The ruling was hardly crystal-clear, but in its wake, many websites adopted such clauses. Nevertheless, as the Zappos decision points out, these clauses must be adopted according to the laws governing contract formation and amendment, or they will fail in court.

#9: General Patraeus/Paula Broadwell Imbroglio. On the surface, it's just your typical Washington DC sex scandal. However, it had several interesting cyberlaw angles, including the attempts to hide digital conversations and Ms. Broadwell's alleged cyberharassment of Jill Kelley. My biggest takeaway: If the CIA Director can't keep the FBI from reading his email, what chance do you or I have?

#8: Do-Not-Track Meltdown. Everyone hoped that industry would come up with a do-not-track (DNT) standard rather than kicking the issue to Congress or the FTC. Then, it all went to heck. Microsoft announced it would turn on DNT by default in its browser, which prompted Internet publishers to threaten to ignore Microsoft's DNT signal. Meanwhile, Internet publishers and others adopted a narrow definition of "do-not-track," arguing it meant no-tracking for advertising purposes, but tracking for other purposes was still OK. The effort then devolved into acrimonious recriminations and left open the possibility that government regulators will fill the gap--to everyone's detriment. (For what it's worth, I take a very dim view of technological do-not-track efforts for reasons I explain here).

#7: Social Media Exceptionalism. In 2012, regulators eagerly sought to "fix" social media through regulation, but their efforts will fail because no one can precisely define social media as a subset of Internet activity. For example, California's recent attempt to curb employers' attempts to obtain employees' social media passwords led to the astounding definition that "social media" means all digital data, whether online or off.

#6: Megaupload. The US government proudly touted its takedown of Megaupload as a victory for Internet copyright enforcement. Unfortunately, it appears that takedown involved an enforcement action where it appears the US government repeatedly ignored or broke the law.

#5: Software Patents/Smartphone Wars. The smartphone industry has ushered in a glorious era of innovation, but it's also highlighted how patents can hinder, not spur, innovation. Smartphone players have spent (wasted?) billions of dollars on patents with the hope that they can operate without restriction from other players' patents, and many tens of millions of dollars have been spent (wasted?) on legal fees as the players sue each other for patent infringement and defend against interlopers with weak/bogus patents hoping for a little taste of the action. See my essay on software patents:

#4: Europe Hates Silicon Valley. I'm surprised whenever I read about a new European ruling that's adverse to a Silicon Valley company, because at this point I assume that everything Silicon Valley companies do in Europe is already illegal. Google, Facebook and other Silicon Valley players are under constant legal attack in Europe on countless fronts. Everyone might be happier if the Silicon Valley players just got out of Europe altogether.

#3: Google and Antitrust. The FTC largely dropped its antitrust investigation against Google, and dropped it completely with respect to Google's search engine practices. (Technically the denouement rolled out on January 3, 2013, but I'm still counting it as a 2012 development). This is an important development for several reasons. First, the FTC--which makes its living by bringing enforcement actions--admitted it had no reason to complain about Google's search engine practices. Second, the scuttlebutt all throughout the investigated suggested that the FTC was committed to busting Google, and Google turned that situation around 180 degrees. Third, not intervening into the operation of Google's search algorithm is a logical decision, but one still worth celebrating. This was a great resolution for Google, a complete rejection of the concerns raised by Microsoft and other Google-haters, and due to the FTC's non-involvement, ultimately a big win for Google's users.

#2: ITU/WCIT's Attempted Internet Takeover. I really didn't understand what happened in Dubai at the ITU/WCIT meeting. All I know is that nothing good could have happened there, so preserving the status quo is a win, as ironic as that sounds.

However, there has been some teeth-gnashing that the meeting exposed looming fault lines between pro-censorship and anti-censorship governments. I don't understand that angst for at least two reasons. First, all governments are pro-censorship, and that certainly includes the United States. Indeed, the US has exhibited some awkward duality as it rails against foreign attempts to censor the Internet even as both Congress and the Obama Administration exhibit a never-ending pursuit of controlling the Internet themselves.

Second, the Internet has already fractured into multiple "Internets." The Internet in the United States increasingly bears little resemblance to the Internet in foreign countries, both because local regulators simply block certain websites and because websites localize their services to accommodate local regulation. Plus, it's been proven that countries can simply "unplug" from the Internet. Thus, we don't have a single unified Internet; we have many partially-overlapping Internets. I will say more about this in a future post.

#1: SOPA's Failure. The failure of SOPA/PIPA is not the watershed event for our republican democracy that we wished it would be. Citizen-driven rejection of special-interest Internet legislation will not happen very often. But as a David-and-Goliath story--the uncoordinated and oft-ignored Internet user community rising up against a well-oiled and undefeated copyright lobby--it doesn't get any bigger than SOPA. Also, we learned something really important: American voters will acquiesce to a lot of bad and self-interested decisions by their elected officials, but voters will grab the torches and pitchforks if they think the Internet is threatened.

Honorable Mentions

Some other developments of note:

* despite the Fourth Circuit's rekindling of the Rosetta Stone case before it settled, the decade-long keyword advertising litigation battles against Google are basically over with a big win for Google and other keyword advertising vendors. I also think we'll see trademark owner-vs-advertiser lawsuits tapering off too.

* app cloning is a big business, and we're seeing increasing lawsuits in the area, including the EA v. Zynga and TripleTown cases.

* the application of the Computer Fraud & Abuse Act is being dialed back in the employment context (see the Nosal and WEC cases).

* Oracle v. Google gave us one of the cleanest rulings to date that software APIs are not copyrightable. The case was also interesting for the judge's investigation into the paid advocacy efforts of both Oracle and Google.

* the images of Marilyn Monroe and Albert Einstein are moving closer to the public domain.

* the IB v. Facebook ruling could be a watershed decision in spurring class action lawyers to make a buck in the name of "protecting the kids" in court.

* Web publishers can improve their defamation defenses by hyperlinking to original sources.

Most Interesting Cases

I read a lot of cases in 2012, and some of the most interesting cases I saw this year:

* Erickson v. Blake. Music composers can create copyrightable compositions by equating the digits of the number "pi" (π) to musical notes, but they can't stop others from creating their own musical compositions based on pi's digits.

* Bland v. Roberts. Two government employees "liked" their boss' opponent in an upcoming election; after the boss won reelection, the employees allegedly got fired for their divided loyalties. The court (mistakenly, in my opinion) said that "liking" an item on Facebook isn't constitutionally protected speech.

* Scott v. WorldStarHipHop. A classmate posted a video of Scott fighting with an ex-girlfriend. Scott obtained the copyright to the video from his classmate and, as the new copyright owner, sent copyright takedown notices in an effort to scrub the video from the Internet. This copyright acquisition scheme basically converts copyright law into a "right to forget." In 2013, expect to see even more plaintiffs acquire copyright ownership as a way to suppress/control unflattering content about them.

* In re Heartland Payment Systems. This is a settlement of a data security breach class action lawsuit with 130M class members. The parties spent $1.5M to encourage class members to tender damage claims and another $270k to process the tendered claims. A total of 290 claims were tendered, of which 11 were valid, with a maximum payout per valid claim of $175. So the parties incurred $1.75M in transaction costs to award about $2k in damages. Interesting.

* Augstein v. Leslie. If you post a YouTube video promising $1M for the return of your laptop, you could actually owe $1M if someone returns your laptop.

* Olson v. LaBrie. Facebook should bring families closer together, but in one family, photo tagging plus a snarky comment prompted a lawsuit for a restraining order.

Lists from Previous Years

Previous top 10 lists from 2011, 2010, 2009, 2008, 2007 and 2006. Before that, John Ottaviani and I put together a list of top Internet IP cases for 2005, 2004 and 2003.

[Photo Credit: Top Ten Key // ShutterStock]

Posted by Eric at 07:25 AM | Content Regulation , Copyright , Derivative Liability , E-Commerce , Internet History , Licensing/Contracts , Marketing , Patents , Privacy/Security , Publicity/Privacy Rights , Search Engines , Trademark , Trespass to Chattels | TrackBack

December 31, 2012

Google's Privacy Policy Integration Initially Defeats Legal Challenge -- In re Google Privacy Policy Litigation

[Post by Venkat Balasubramani with comments from Eric]

In re Google, Inc. Privacy Policy Litigation, C 12-01382 PSG (N.D. Cal.; Dec. 28, 2012)

In a decision that should be closely watched by the Instagram plaintiffs who are complaining about Instagram’s terms of use changes, Magistrate Judge Grewal initially rebuffed plaintiffs’ efforts to challenge Google’s privacy policy changes.

Plaintiffs are unhappy about Google combining its 70 odd privacy policies into a single policy, which Google explains has the following effects:

The main change is for consumers with Google Accounts . . . Our new Privacy Policy makes clear that, if you’re signed in, we may combine information that you've provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean simpler, more intuitive Google experience.

The complaint alleges “violations of the Wiretap Act, 18 U.S.C. 2511 et seq., California’s Right of Publicity Statute, Cal. Civ. Code 3344, California’s Unfair Competition Law, Cal. Bus. & Prof. Code 17200 et seq., California’s Consumer Legal Remedies Act, Cal. Civ. Code 1750 et seq., common law breach of contract, common law intrusion upon seclusion, common law commercial misappropriation, and violation of consumer protection laws of the various states.”

The court does not get to the merits, and instead rebuffs plaintiffs on the basis that they do not satisfy the requisite (Article III) standards for standing.

The first argument for standing was that the privacy policy changes would force plaintiffs to replace their Android-powered devices. However, no plaintiff actually alleged that he or she actually was “forced” to replace their phone on the basis of the privacy policy changes.

Second, the court also takes issue that the combining of personal information by Google causes any (compensable) harm at all. Citing to Specific Media, a cookie case, the court says that vague ideas of “opportunity costs,” “value-for-value exchanges,” “consumer choice,” and “diminished performance,” are not enough for standing.

Finally, the court grapples with the issue of whether an alleged statutory violation is enough for standing. Although the court’s resolution of this issue is not entirely clear, the court expresses doubt regarding plaintiffs’ ability to get past a Rule 12b6 motion on at least two causes of action: the Wiretap Act and California’s right of publicity statute. The Wiretap Act claim probably fails because the definition of “device” excludes any equipment used by Google in the ordinary course of its business (and the statute contains a carve-out for interceptions by providers). The publicity rights claim fails because the plaintiffs simply do not allege any use of their “name, voice, signature, photograph, or likeness . . . .”

As I mentioned initially, Instagram plaintiffs take note! I think they will have an even harder time than the plaintiffs in this case, but they are sure to face an initial standing hurdle (regardless of how they fare on the merits).

Here is a big question that's left unaddressed, at least in the order: are Google's changes prospective only or do they apply to previously collected data. I'm guessing the answer has to be the latter, because it seems foolish to challenge a prospective-only change. A follow-up question would be whether Google gives people the ability to wipe their old data. I don't have a ton of confidence for the FTC to resolve these issues (although the confidence level is slightly higher than in the class action system), but this all makes you wonder whether these changes have to go through the FTC hoop. My understanding was that any material changes of privacy policies have to be submitted to the FTC (or something like this)?

It's interesting to see courts continue to grapple with the question of whether a statutory violation is enough to create standing.

Also interesting to see the continuing viability of the Specific Media opinion, which did a nice job of breaking down plaintiff's abstract contentions around the loss of value to personal information arguments. I wonder if other arguments will take their place (e.g., price discrimination based on tracking) but in any event, we've seen enough cases reject this argument to know its viability is seriously in doubt.
______

Eric's Comments

What a fitting way to end 2012, much like it began: with yet another bogus privacy lawsuit against an Internet company being tossed from court early. I don't know whether I'm heartened by the way the judicial system has handled the onslaught of privacy lawsuits in 2012, or saddened by the fact that privacy plaintiffs lawyers don't seem to be getting the message. Maybe that horse has left the barn; perhaps for the rest of our careers, we're destined to see a never-ending flow of bottom-feeding lawsuits every time an Internet company sneezes. Oh joy.

Even though Judge Grewal properly flushes this P.O.S. down the toilet, it's not all hugs and kisses to Google, especially when he says:

The court observes that Plaintiffs have raised serious questions regarding Google’s respect for consumers’ privacy.

He's right, and we should have an intelligent and cogent discussion about that. I sometimes wonder about Google's practices myself. Still, no matter how angry you are with Google's privacy practices, you should be even angrier about junk privacy lawsuits that aren't intended to, and won't, advance our interests as consumers.

Posted by Venkat at 09:51 AM | E-Commerce , Marketing , Privacy/Security , Publicity/Privacy Rights

December 27, 2012

Court Dismisses Class Action Against Apple Over Its App Developers’ Information Collection Practices – Pirozzi v. Apple

[Post by Venkat Balasubramani with comments from Eric]

Pirozzi v. Apple, 2012 WL 6652453 (N.D. Cal.; Dec. 20, 2012)

This is one of several putative class actions over the information collection practices of apps. I previously covered how the lawsuit against Path survived: “Class Action Against Path Over Cellphone Address Book Access Keeps Going”. Judge Koh also whittled down the lawsuit against Apple over its iPhone app privacy practices: “Judge Koh Whittles Down iPhone App Privacy Lawsuit.” This lawsuit seems to overlap with both and is dismissed, albeit with leave to amend.

Plaintiff brought claims under California’s unfair competition law, for false advertising, for violations of the Consumer Legal Remedies Act, for negligence and unjust enrichment. Although it's unclear what apps she is complaining about, the following apps are mentioned in the complaint: Path, Angry Birds, Cut-the-Rope, Twitter, Facebook, LinkedIn, Gowalla,Foodspotting, Instagram, Foursquare, Beluga, Yelp!, Hipster and Kik Messenger.

Standing: The court dismisses on the basis of standing, but there were two interesting aspects to the standing discussion.

First, plaintiff cited to a bunch of somewhat persuasive marketing copy about how Apple had adequate restrictions in place regarding the collection of information by app developers. However, it was unclear as to how exactly plaintiff was induced to make a purchase in reliance of these alleged promises. The court finds that the pleadings are unduly vague about what plaintiff was induced to purchase (or download) and what statements induced the purchases or downloads.

Second, the court also notes that the pleading suffers from deficiencies regarding harm. If information was improperly collected by app developers, so what? Citing to Hernandez v. Path and Krottner v. Starbucks, the court says that future risk of identity theft is insufficient to allege harm. This leaves economic harm, and here plaintiff’s allegations were again unduly vague. In a short sentence, the court notes that the “personal information as inherently valuable” argument will be unlikely to carry the day. Still, the court grants leave to amend.

Sidenote: WSJ recently published a story about merchants offering varying prices to individuals based on targeting. I wonder if this will surface in a future standing argument. I'm guessing it will.

Section 230: I am sure Prof. Goldman will have more to say about the Section 230 issue, but here’s my take. To the extent plaintiff tries to hold Apple liable for any harm effected via apps, this will run squarely into Section 230. Apple’s only role in making the apps available is a publisher or distributor. (See for example, Green v. AOL, where claims based on transmission of a virus via chatroom was held to be immunized by Section 230.) There is, of course, the promissory estoppel (contractual) carveout to Section 230 as recognized in Barnes v. Yahoo!. The claims allowed by the 9th Circuit in Barnes were fairly narrow, and it’s unclear as to whether any alleged contractual representations by Apple should open the door to things like CLRA claims. At least some of plaintiff’s claims should have been dismissed under Section 230 (the negligence and negligent misrepresentation claims). As to the statutory claims centered around misrepresentation, I suspect they are a bit trickier. Although the misrepresentation claims may have problems on the merits on their own, the applicability of Section 230 to those claims is a bit tougher in my estimation.

Issues on the Merits: The court also points out a few other issues with the pleadings:

1. Any claims alleging misrepresentation (unfair competition; false advertising; consumer legal remedies act) sound in fraud and therefore have to be pled with particularity. Plaintiff fails to do so.
2. Her CLRA claims are unclear as to whether they are directed at the services (the apps or the app store) or the goods (the devices). The court dismisses but with leave to amend. Applicability of the CLRA to the app store is less than clear, and the plaintiff has obvious problems alleging CLRA claims with respect to the devices (which on their own, functioned as promised).
3. The negligence claims fails. As articulated in Judge Koh’s ruling: there is no duty to protect someone’s information vis a vis third parties, absent a special relationship. (Again, this would have been a good candidate to nuke on Section 230 grounds.)
4. The court also says that the unjust enrichment claim fails because plaintiff does not identify how exactly Apple has been enriched by the information collection practices of the app developers.
__

In theory, plaintiff should have a hard time holding Apple liable for the information collection practices of its developers. The fact that the apps in question are free should make it particularly difficult. Because the apps are free, it's difficult to demonstrate economic harm based on download of the apps, and plaintiff is left to argue informational harm, which hasn't gained much traction in courts (absent misuse of the data that results in economic harm). With respect to misrepresentations that induced plaintiff to purchase any devices, plaintiff's qualm isn't really with the devices--it's with the app store. I don't know that the law permits you to argue you are entitled to a refund of the price of your device just because a rogue app or two happened to be out there.

On the other hand, there's some troubling marketing copy that ended up out there. It may have been wise for Apple to issue disclaimers regarding its inability to control the conduct of app developers who use its platform. As to whether it could stretch the case out, it's tough to tell, but the absence of that language would certainly have made the lawsuit an easier battle for Apple.

Related posts:

Eric's Comments

The plaintiffs allege that Apple offers a certification program for apps in its app store, so I understand in concept how Apple might be responsible for failed certifications. Still, I get nervous every time I see plaintiffs use a defendant's marketing representations or site disclosures as a way of getting around what should fundamentally be a 47 USC 230 immunity. The doctrinal interplays between first-party marketing representations and liability for third-party conduct under 47 USC 230 remains a legally chaotic one, and I hope the judge understands the problems with Section 230 workarounds and is appropriately sensitive to that issue.

The opinion only references 47 USC 230(c)(1), even though this seems more like a 230(c)(2) case. The plaintiffs are suing Apple for doing a poor job of filtering apps out of its app store, and that's exactly what 230(c)(2) covers.

Posted by Venkat at 11:56 AM | Content Regulation , Derivative Liability , E-Commerce , Privacy/Security

December 26, 2012

Lawsuit Against Instagram Over Terms of Service Changes Looks Flimsy -- Funes v. Instagram

[Venkat Balasubramani with a comment by Eric]

Funes v. Instagram, 12-6482 (N.D. Cal. complaint filed Dec. 21, 2012)

Eric and I posted about Instagram’s recent TOS rev. Neither of us were particularly enthusiastic about the changes. (See Facebook's Proposed Amended Sponsored Stories Settlement and Instagram's Revised TOS.) Not surprisingly given the privacy bar's affection for suing Internet companies, the changes sparked a lawsuit. But, the lawsuit is not a winner. In fact, it’s borderline frivolous.

The lawsuit asserts claims for breach of contract; violation of California’s publicity rights statute; breach of bailment (creative!); unfair competition. Plaintiff also asks for declaratory relief.

Courts have held that the imposition of a revised terms of service is not sufficient grounds for a lawsuit. (See Fineman v. Sony Network. Fineman is highly relevant, and involved similar arguments against a paid service.) An even bigger problem is that the revised terms are not in effect yet. Not only can the currently proposed terms be changed by Instagram (Instagram indeed made a few revisions in response to user outcry), the users can remedy any problems themselves—they can exercise self-help and leave the network before the new terms apply. In the event plaintiff does not withdraw its lawsuit (and she really should), I’m sure the many arguments will be fleshed out in Instagram’s motion to dismiss. In any event, here’s my initial summary.

Breach of contract: There’s nothing wrong with Instagram changing contractual terms on a prospective basis. To the extent plaintiff claims that the revised terms “interfere[] with and frustrate[] Plaintiff and the Class' use of the Instagram's service,” this is something Instagram is perfectly entitled to do.

Section 3344 claim: This is the personality rights statute that was at issue in Fraley. As I mentioned in my initial blog post about Instagram’s terms, I don’t believe the revisions really effected a material change. This language around sponsored stories was likely protective in nature, and brought about as a result of the Fraley settlement. In any event, Instagram’s blog post following the uproar expressly disclaimed its intent to broadly exploit user content in this manner.

Bailment: I don’t know what to make of the bailment claim. Query as to whether bailment applies to digital materials at all. [Eric's comment: it doesn't]. In any event, Instagram’s initial terms of service I’m sure allows it to retain any photographs uploaded to its service. Query as to whether Instagram can change the terms and have the terms apply to old content and not allow users to delete or disable the old content. It’s unclear as to whether Instagram allows users to delete their accounts or photos. In any event, this question is premature.

Section 17220 claim: Damages are limited under this section to money that has been paid by plaintiffs. In this case: zero dollars. Injunctive relief may be available, but again this is premature.
__

Instagram’s TOS rollout was clunky, mostly because it did not anticipate user reaction around the key question of whether users could control monetization or off-platform use of their photos. FWIW, Instagram’s various public statements still do not adequately address this issue!

As to whether the revisions warranted a lawsuit the answer is obviously no. This is a classic example of lawsuits against social networks gone completely amok. For the most part, when a change is effected prospectively, plaintiffs will be left to argue unconscionability. As numerous cases make clear, this is an extremely difficult argument to make.

As Eric noted elsewhere, Section 3344 has a mandatory fee-shift, and could result in plaintiff having to write a check to Instagram.
___

Eric's Comment I can't say I'm a fan of Instagram's recent behavior, but I'm even less of a fan of publicity-seeking throw-lots-of-garbage-into-a-complaint-and-hope-something-sticks lawsuits like this one. It's a sign of a slow news week (and a season when reporters have difficulty finding credible sources) when a bogus lawsuit like this gets any press coverage at all--other than the loud and mocking guffaw it deserves.

Posted by Venkat at 05:42 AM | Copyright , E-Commerce , Licensing/Contracts , Publicity/Privacy Rights

December 16, 2012

Minors’ Suit Over Facebook Credits Survives in Part – I.B. v. Facebook

[Post by Venkat Balasubramani with comments by Eric]

I.B. v. Facebook, C 12 1894 CW (N.D. Cal. Oct. 25, 2012)

Eric posted before about a Facebook sponsored stories lawsuit that was brought on behalf of minors. There, Facebook was confronted with an important issue: are transactions with minors on the same footing as transactions involving adults? ("Facebook's 'Browsewrap' Enforced Against Kids--EKD v. Facebook." That lawsuit is proceeding in the Northern District, and Facebook won a preliminary victory on the enforceability of the venue clause in its terms of service.) This lawsuit over Facebook credits is in the same vein. Although Facebook gets some of the claims dismissed, some survive, and this could turn out to be a painful issue to resolve for Facebook.

This lawsuit involves minors who created accounts on their own behalf (and where the account information reflects minor status). One of the minors asked his mother for permission to buy $20 of Facebook credits for use in "Ninja Saga." After buying these credits, he went on to make other “in-game purchases” and rang up a bill for several hundred dollars.
The other minor took his parents’ debit card without permission and made 20 or so charges that exceeded $1,000. Parents of both kids tried to get refunds and were not successful. They brought putative class claims.

Disaffirmance: The big question was whether the minors’ contract to purchase the Facebook credits were void or voidable.

California Family Code Section 6701 describes classes of agreements with minors that are void: contracts involving (1) a “delegation of power”; (2) real property; or (3) personal property not in the possession or control of the minor. The court agrees with Facebook that the credits transaction did not involve a delegation of power. However, the court disagrees with Facebook as to whether the agreements relate to personal property not in the immediate possession or control of the minor. The court says that the funds used to pay for the credits were not in the possession or control of the minor, and therefore the transaction could come within this prong.

The court also says that the minors may potentially disaffirm the contracts (i.e., they are voidable). Facebook argued that the minors could not disaffirm because they received the benefits, but the court says that if the minors want to disaffirm the entire contracts they can do so (distinguishing E.K.D. v. Facebook, where the court said that minors could not selectively disaffirm certain provisions or continue to accept the benefits but disclaim the burdens). The court also disagrees with Facebook that the minors can’t disaffirm and recover consideration paid by third parties (i.e., their parents). The situations where minors were not entitled to recover amounts paid by their parents all involved situations where the parents made separate guarantees or otherwise agreed to pay the amounts in question.

EFTA: Plaintiffs argued that the transactions violated the Electronic Funds Transfer Act. The court says that plaintiffs do not identify which specific provision of the statute Facebook violated that is applicable to non-financial institutions. The court dismisses with leave to amend this claim.

Consumer Legal Remedies Act: The parties disagreed as to whether the transactions were subject to the CLRA, which applies to sales or leases of “goods or services.” The court (citing to Ferrington v. McAfee) agrees with Facebook that credits were not goods or services and therefore not subject to the CLRA.

Unfair Competition Claims: Plaintiffs argued that the transactions were an unlawful or unfair business practices, relying on violations of the CLRA, EFTA, and the “Money Transaction Act.” The Money Transactions Act does not apply to “closed loop” cards that are only redeemable for goods or services provided by the issuer or its affiliate (e.g., a Starbucks card). The court agrees with Facebook and says that Facebook credits are excluded from the MTA since they can only be used to buy stuff provided by the issuer or its affiliate. With respect to unfair competition based on the CLRA and EFTA claims, the court dismisses but grants leave as to unfair competition based on EFTA violations. The court also allows the unfair competition claim to go forward to the extent it’s based on plaintiffs’ claim that Facebook made statements that all transactions were final, notwithstanding the minors’ right to disaffirm. Finally, the court says that the UCL claims based on the “fraudulent” prong of the statute are not pled with sufficient specificity. Plaintiffs have to go back and plead the what, where, how, and when of the allegedly fraudulent conduct.

Yikes. Facebook gets the court to cut down portions of this lawsuit, but this could turn out to be a problem! It’s one that Facebook should have anticipated, at least as to minors whose profiles indicated minor status, so it’s hard to have much sympathy.

The court reaches a roughly similar result to the one reached in the Apple in-app purchase case: “Parents' Lawsuit Against Apple for In-App Purchases by Minor Children Moves Forward -- In re Apple In-App Purchase Litigation.” It’s interesting how the court sidesteps the issue of whether the minor should be able to disaffirm notwithstanding the fact that the minor has already been conferred (or has consumed) the benefit at issue. (See E.K.D. v. Facebook and the A.V. v. iParadigms posts for discussion of this issue.) It's also interesting that the court does not discuss the possibility of the parents being forced to pursue their rights under Reg Z or under the banking institution's rules (under which they may be limited in the amount of their liability for unauthorized charges). I would think there's some sort of offset possibility here.

Perhaps a possible solution from the merchant’s standpoint is to shift everything to the password level, and require the password to be entered each time a purchase is made? A merchant who does this may be able to take advantage of provisions in its terms that require users to bear all risk of loss from any misuse of passwords. An alternative would be to include a disclaimer directed to parents when dealing with purchases through the accounts or minors (i.e., "once you let someone else make a purchase, they may continue to ring up charges")? I don’t know if either of these would offer any certainty to the merchant, since they underlying contractual relationship is between the minor and Facebook; the parent is arguably a stranger to this transaction.

Maybe Facebook is too big to care, or these types of transactions are fairly small in its overall bucket of revenues, but I'm constantly surprised at how brazenly Facebook pushes the envelope on grey area legal issues.

Related: see this recently filed complaint against Google for allegedly intercepting the gmail communications of minors (A.K. v. Google). I'm a bit more skeptical about this lawsuit, but thought it was worth flagging.

Eric's Comments. This case implicates one of the most enduring problems of cyberlaw: how can websites form legally binding obligations with kids when the websites aren't sure who's a kid and who isn't. In theory, every website's user agreement is vulnerable to collateral attack by the cohort of kids who have "agreed" to it but can treat the contract as voidable. The logical implications of this problem lead us to dark places: either websites are always vulnerable to class action lawsuits "on behalf of the kids" (I put it in quotes because class action lawyers are the real beneficiaries of the lawsuits, not the kids), or websites will have to impose meaningful age verification, with the resulting costs and privacy issues.

Amazingly, we've largely avoided these legal issues for the past two decades. We've seen only a few lawsuits on behalf of the kids, and through various doctrinal machinations, cases like Turnitin and EKD have found ways to avoid ripping open a big hole in cyberlaw.

In contrast, this opinion provides plaintiff lawyers with a number of possible ways to attack websites on behalf of the kids. It remains to be seen if that will happen, because this ruling depends in part on the specific mechanics of Facebook credits. Still, there's a small possibility we'll look back 5 years from now and view this case as a key turning point that structurally changed the web as we know it today--probably not for the better.

Posted by Venkat at 05:00 PM | E-Commerce , Licensing/Contracts

December 06, 2012

Useful Article on the First Sale Doctrine in Trademark Law (Guest Blog Post)

By Guest Blogger Yvette Joy Liebesman

[Eric's Note: We've repeatedly blogged on first sale/exhaustion principles on the blog, usually lamenting how easily circumscribed they are (see, e.g,. the posts about Mary Kay v. Weber and the Beltronics case) and the potential deleterious implications for e-commerce marketplaces like eBay. You may even recall the 2010 conference we had on the topic at SCU. Prof. Liebesman, who has guest-blogged here before a couple of times, put together a helpful article on this key topic. The article recounts and rationalizes the loose doctrinal threads contributing to the confusion over trademark exhaustion/first sale. This blog post helps explain why you should check out the entire article.]

Yvette Joy Liebesman and Benjamin Wilson, The Mark of a Resold Good, 20 George Mason L. Rev. 157 (2012)

Our article, recently published in the George Mason Law Review, concerns mark owners’ attempts at stifling the online resale of their goods. Over the past ten years, casual resellers have migrated from garage sales, swap meets and consignment stores to online sites such as eBay and Craigslist. What were once minor side hobbies have, in many instances, become lucrative businesses. Today, there are hundreds of books available about selling goods online, every month 30 million new ads are posted on Craigslist, and every day six million new listings are published on eBay. These goods—when genuine― should be protected by the first sale doctrine, a well-known defense to infringement claims that applies across patent, copyright, and trademark law. Simply stated, once a manufacturer sells a product, it may not interfere with future sales of that particular good.

As one can imagine, this explosive growth of online resales has negatively affected the market for new goods, leading manufacturers to try to stifle independent resellers. Encouraged by expansion of trademark protection in the courts, mark owners have become increasingly aggressive in policing their marks, often relying on spurious claims of trademark infringement. Specifically, mark owners will claim that the reseller is causing initial source or sponsorship confusion based on the distribution channel, even though there is no confusion as to the source of the genuine good. They have also taken their fight to Internet service providers and online auction sites, alleging contributory infringement based on resellers’ use of these sites to advertise the goods. Courts have aided manufacturers by ignoring the lack of confusion as to a good’s source and finding that online initial interest confusion as to sponsorship or affiliation of the distribution channel constitutes infringement. These courts’ reasoning is even contradicted by strong evidence showing that many consumers visit sites like eBay and Craigslist for the purpose of finding genuine goods at lower costs than they would find buying directly from the mark owner or authorized retailer, and are therefore not confused as to affiliation regarding distribution channel. Small resellers, however, are faced with either defending themselves in court (where a successful defense is becoming increasingly uncertain) or ceasing operations.

Marks can be inextricably bound to the goods to which they are attached. For example, when one buys a Waterford crystal vase, the Waterford mark remains associated with the vase. No matter how many times that vase is sold, traded, gifted, regifted, or bequeathed, it forever is identified as a Waterford vase, which is one of trademark law’s chief functions: identifying the source of the vase. A claim of confusion based on this unbreakable association is neither the goal nor the intention of trademark protection. Merely because the Waterford mark remains linked to its vases as a source indicator does not and should not allow Waterford to control sales of their goods that take place outside their own distribution chains. Such an outcome would eviscerate the very purpose of the first sale doctrine.

In our article, Mr. Wilson and I argue that, in the context of the Internet secondary market, whether the distributor is affiliated with the manufacturer is irrelevant as long as the goods are genuine. Courts should apply a presumption of no affiliation between the reseller and the manufacturer, and for any successful Lanham Act claim, actual deception regarding this affiliation should be required. We also propose the elimination of initial interest confusion as a cause of action under the Lanham Act, as well as legislatively strengthening trademark first sale and nominative fair use doctrines, so that making use of those defenses does not create a higher bar to scale when the resale occurs online versus in a brick-and-mortar setting.

Our call for an end to spurious claims of confusion is in accord with the work of other scholars regarding irrelevant confusion, the weak state of trademark fair use, and the inadequacy of trademark defenses. As with those arguments, our article contends that mark owners’ attempts to increase the scope of their control over distribution channels thwart competition while doing little to protect consumers from deception. Our suggestions would protect the lawful sale of goods in the secondary market while allowing manufacturers to prevent counterfeit products from being sold online. These proposals would provide resellers and auction websites guidance in navigating the minefield of rights and duties with regard to Internet secondary-market sales.

Policies that advance the mark owner’s ability to control all distribution channels would harm consumers and disincentivize competition; manufacturers would have less motivation to innovate and improve their product when they control all distribution of goods beyond their first sale. Conversely, protecting the resale market increases consumer choice and spurs mark owners to innovate and develop new and improved products.

[Photo Credit: "e-commerce concept. hand reaches out of a laptop with a shopping cart" // ShutterStock]

Posted by Eric at 10:20 AM | E-Commerce , Trademark | TrackBack

November 30, 2012

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

[Post by Venkat Balasubramani]

Sterk v. Best Buy, 11 C 1894 (N.D. Ill. Oct. 17, 2012)

The VPPA has spawned a lot of litigation over the past couple of years. One hot button area has been the applicability of the statute to online streaming services. (Netflix; Hulu). Another has been lawsuits brought to plaintiffs seeking to enforce the purging requirement imposed by the VPPA. (Redbox; Netflix). [A proposed update to the statute's consent provisions is winding its way through. See: "Why Netflix Getting What it Wants From Congress Means Your Email Will Get Warrant Protection."]

This lawsuit is a putative class action alleging that plaintiff purchased DVDs from Best Buy, and that Best Buy: (1) retained the purchase history for over a year; and (2) disclosed this information to an affiliated entity (Best Buy Co., Inc.).

No private right of action for improper retention of personal information: Section 2710(e) is a poorly worded provision that requires covered entities to purge personally identifiable information “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.” The Seventh Circuit in Sterk v. Redbox (same plaintiff/counsel as in this case) held that section 2710(c) does not provide for a private right of action under 2710(e): “Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information.” Given that this court is clearly bound by this ruling, plaintiff tried to get creative and argue that he could assert a claim under the Stored Communications Act which is part of the same chapter as the VPPA. Judge Kennelly considered and rejected plaintiff’s argument in Sterk v. Redbox (on remand), and the court follows suit here. Another court in the Northern District of California recently came to the same conclusion: Rodriguez v. Sony Computer Entertainment.

Plaintiffs lack standing to pursue injunctive relief: Plaintiffs also sought injunctive relief, which required the court to address the issue of standing. The court runs through the classic test for standing, but importantly says that Congress cannot create standing for injuries that do not satisfy Article III’s minimum standing requirement. The court also notes (citing to the Seventh Circuit’s opinion in Sterk, and to Van Alstyne v. Elec. Scriptorium, an email privacy case) that only plaintiffs that are “aggrieved” may seek relief under the VPPA. Here, any injury from retention is meager at best and shouldn’t support standing. Plaintiffs’ disclosure claim similarly did nothing to establish injury—the data was being disclosed to a 100% parent corporation. Plaintiffs also tried to rely on the diminution of value of their information and the fact that they allegedly overpaid for the services provided by Best Buy, but the court easily rejects these arguments.

Plaintiffs also brought a breach of contract claim. The court says that claims based on older purchases were time-barred. Claims based on later purchases were dismissed due to lack of alleged damages. Plaintiffs are permitted to replead these.

Claims alleging failure to purge under the VPPA represent the far extreme of privacy lawsuits. As the Seventh Circuit’s ruling from Sterk, as well as the rulings in Rodriguez and this case demonstrate, courts will not be very enthusiastic about these claims.

It’s interesting to see the court cite to the Supreme Court’s decision in First American Finance Corp. v. Edwards. Although this case dealt with standing to sue under the Real Estate Settlement Procedures Act, in advance of the ruling, many thought this case would alter the landscape for privacy lawsuits and standing. I thought it fizzled out in this regard, but maybe it has more vitality than originally thought.

[cross-posted at IAPP's Privacy Advisor]

Posted by Venkat at 09:38 AM | E-Commerce , Licensing/Contracts , Privacy/Security

November 28, 2012

Lawsuit Over "Google Tags" Dismissed--Frezza v. Google

By Eric Goldman

Frezza v. Google, 2012 WL 5877587 (N.D. Cal. Nov. 20, 2012)

In Feb. 2010, Google introduced Google Tags, an advertising option in Google Places. Google Tags is now dead, but Google's still dealing with the aftermath. To spur adoption, Google offered free tags to Google Places merchants. There is a dispute about the offering terms. The plaintiffs thought they could get one month of unlimited tags for free; Google says the offer was for $25 off (the amount of one tag for a month). The plaintiffs are also grousy that Google allegedly didn't delete their credit card numbers after they terminated their Tags accounts.

The court dismisses all of the plaintiffs' claims, but gives them a second chance at more futility. I assume the plaintiffs will try again. The court's specific discussions:

Breach of Contract. This claim fails because the plaintiffs didn't quote the written contract terms they think bind Google.

Unjust enrichment. This claim is dependent upon, and therefore merges into, the contract breach claim.

CLRA. This is one of California's consumer protection statutes, and the plaintiffs don't qualify because they are businesses, not consumers.

Breach of Implied Contract. Plaintiffs claim they had an implied contract with Google to flush their credit card numbers. But what contract? The plaintiffs say industry standard is the Data Security Standards ("DSS") promulgated by the Payment Card Industry Security Standards Council, but the plaintiffs don't assert that Google agreed to comply with the DSS.

The court addresses a second argument:

If, as plaintiffs argue in their opposition, Google simply agreed to "handle its customers' credit card information responsibly," Dkt. No. 13, the claim still fails. Plaintiffs contend that Google breached the implied contract because it has retained the credit card information of plaintiffs after they have cancelled their subscription to Google Tags. See Compl. P 60. However, retaining information does not amount to handling it irresponsibly. Without more, plaintiffs have not sufficiently alleged that Google breached a general obligation to reasonably safeguard customer information.

Customer Records Act. Finally, the plaintiffs asserted that Google breached a California statute saying a "business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business." The court says this statute doesn't require the disposal of customer records at any specific time; it simply applies once a business has decided to make the disposal.

[Photo credit: "Crisis" // ShutterStock]

Posted by Eric at 04:22 PM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security , Search Engines | TrackBack

November 25, 2012

Online Data Broker Need not Comply With Licensing Requirements for Private Investigators – Brown v. Intelius

[Post by Venkat Balasubramani with a comment by Eric]

Brown v. Intelius, 4:12cv00852 AGF (E.D. Miss. Nov. 21, 2012)

Intelius brokers data about individuals. The information comes from a variety of sources, including public sources. Plaintiff paid a fee and obtained from Intelius the following information regarding certain individuals:

their current whereabouts, criminal history, property ownership, social networking history, and relatives.

Plaintiff sued Intelius, including an allegation that Intelius was an unlicensed “private investigator” in violation of Missouri law (section 324.1104). The law in question (section 1000) defined the PI business as follows:

the furnishing of, making of, or agreeing to make, any investigation for the purpose of obtaining information pertaining to . . . the identity, habits, conduct, business, occupation, honesty, integrity, credibility, knowledge, trustworthiness, efficiency, loyalty, activity, movement, whereabouts, affiliations, associations, transactions, acts, reputation, or character of any person.

Intelius raised several defenses, including its user agreement and Section 230, but ultimately the court interprets the plain meaning of the word "investigate" such that Intelius' services don't fit the bill (“to observe or study closely”; “detailed examination . . . study . . . research . . . official probe”). Plaintiff did not pay Intelius to study or research specific individuals—Intelius merely made information accessible to Plaintiff that was available in the databases of Intelius or its third party partners.

The court also says that plaintiff's claim has serious problems with his damages allegations. There’s no allegation that the information provided by Intelius was incorrect, and there is no authority for the proposition that plaintiff should recover (or be able to rescind the agreement) merely because Intelius hasn’t complied with local licensing laws.

In passing, the court says that Section 230 likely doesn’t apply because the claims may not relate to third party content. The court also irresolutely mentions that the statute may not provide for a cause of action. (The order does not mention First Amendment or Dormant Commerce Clause defenses, but these seemed like possibilities as well.)

I’m not sure what to say about this one. The least the plaintiff could have done was to be able to allege that the information provided was materially incorrect and this somehow led plaintiff astray on his investigation and resulted in a parade of horribles. Leaving aside the damages issue, it was a stretch to think that the licensure statute applied to an entity such as Intelius. Interestingly, the statute excludes a whole host of activities that would otherwise encompass investigatory functions. Perhaps a more interesting hypothetical would be if the investigation involved the use of drones or something.

I didn't initially see this lawsuit as part of the overall privacy war that is going on in courts, but Eric's probably right (see his comment below). And from that standpoint it's tough to take too seriously.

[image credit: huhu/Shutterstock / "the symbol of Sherlock Holmes"]

_____

Eric's Comment. This ruling nicely encapsulates the sad and desperate state of privacy litigation today. In their zeal to fight back on privacy, plaintiff's lawyers are grasping at straws to find some claim--any claim--that will advance their cause, no matter how farcical the result might be. (It reminded me a little of the illogical implications of the overwritten Illinois identity theft statute, which got struck down as unconstitutional). Perhaps anything is possible, but for now I'm putting this attempt in the "mockable" pile.

Posted by Venkat at 12:47 PM | Content Regulation , E-Commerce , Privacy/Security

November 20, 2012

Expert Report on the Value of Consumer Review Websites and 47 USC 230

By Eric Goldman

[Eric's note: most expert reports in litigation never see the light of day. Naturally, this collides with my blogger's ethos of leaving no thought unpublished. As a result, after preparing this expert report regarding the social value of consumer review websites, I successfully sought permission to share this publicly--admittedly, an unusual request. I'm happy to share this with you, for what it's worth. These remarks are along the lines of my vaporware paper on the unexpected benefits of 47 USC 230 that I hope to finish some day.

Hope you have a happy Thanksgiving. It's a perfect day to give thanks for 47 USC 230!]

____

October 23, 2012

Maria Crimi Speth
Jaburg & Wilk, P.C.
3200 North Central Avenue, Suite 2000
Phoenix, Arizona 85012

Re: Xcentric Ventures, LLC v. Brewington, et al., Case No. CV2008-008275

Dear Ms. Speth:

You have asked me to opine about the social and economic impacts of consumer review websites.

Overall Conclusion: Assisted by 47 U.S.C. § 230, consumer review websites improve the American marketplace’s efficiency.

Main Points:

1) 47 U.S.C. § 230 treats the Internet as a unique medium.
2) 47 U.S.C. § 230 enables consumer reviews—a class of content unique to the Internet.
3) Consumer reviews improve the marketplace’s operation.
4) By strengthening America’s marketplace, 47 U.S.C. § 230 improves our country’s competitive position compared to other countries.

Explanation:

47 U.S.C. § 230 treats the Internet as a unique medium. Congress enacted 47 U.S.C. § 230 in 1996, at the height of “Internet exceptionalism”—the belief that the Internet was a unique medium compared to other media. Thus, the law represents an unusual example of legislative restraint. Fearing that Congress, state legislatures or the courts would develop rules that prevent the Internet from reaching its full potential, Congress immunized online intermediaries from liability for publishing third party content—even in situations where offline intermediaries would face liability for publishing the exact same content.

47 U.S.C. § 230 enables consumer reviews—a class of content unique to the Internet. Treating the Internet as a unique medium has led to the advent of consumer reviews, a whole new class of content we never saw in the offline world. Consumer opinions about goods and services in the marketplace have been shared for millennia, principally as oral “word of mouth.” However, prior to the Internet, consumers could not easily share their opinions with larger audiences. In contrast, the Internet allows consumers to share their opinions with a mass audience at virtually no cost. Humankind has never seen a phenomenon like this before.

While consumers value other consumers’ reviews generally, they especially value comprehensive and curated databases of other consumers’ reviews. However, if websites faced liability for gathering and curating consumer reviews, they would be reluctant to undertake those efforts. 47 U.S.C. § 230 provides them a legal immunity for these generation, curation and publication efforts. The result has been a proliferation of consumer review websites.

Thus, 47 U.S.C. § 230 helps create an unprecedented class of published content—consumer reviews—by providing legal immunity to consumer review websites for generating, curating and publishing those reviews.

Consumer reviews improve the marketplace’s operation. The marketplace’s “invisible hand”—the mechanism that rewards good producers and punishes bad producers—depends on well-informed consumers. Consumer reviews educate other consumers about which producers deserve their dollars. Plus, vendors become more responsive to consumers’ demands, knowing they will be publicly accountable for how well they meet consumers’ needs. Consumer reviews thus improve our marketplace’s operation.

By strengthening America’s marketplace, 47 U.S.C. § 230 improves our country’s competitive position compared to other countries. No other country provides as generous a legal immunity for consumer review websites as 47 U.S.C. § 230. Instead, in other countries, businesses typically can “veto” consumer reviews they don’t like; and naturally, they will only veto critical reviews. Compared to their foreign counterparts, American consumers have more access to consumer reviews—especially negative consumer reviews—to guide their marketplace choices. Over time, as consumer reviews improve the “invisible hand” of American consumers, the American marketplace will become more efficient than foreign marketplaces. Ultimately, 47 U.S.C. § 230 will help make the American economy stronger than foreign economies.

Qualifications/Basis of Opinion:

I am a tenured full-time professor at Santa Clara University School of Law, located in the Silicon Valley, California. I have been on the full-time faculty since 2006. I also direct our law school’s High Tech Law Institute. I teach and write in the areas of Internet Law, Intellectual Property and Advertising & Marketing Law. I am frequently quoted in the press (over 1,200 times in the past decade) and make public presentations (over 240 in the past decade) on those topics. In 2011, the California State Bar's IP Section named me the "IP Vanguard" award winner (in the academic/public policy category), and in 2012, Managing IP magazine named me to a shortlist of "IP Thought Leaders" in North America.

I worked at a major Silicon Valley law firm, Cooley Godward, from 1994-2000. I began practicing Internet Law in 1994. From 2000-2002, I was General Counsel of Epinions.com, a consumer review website. I first started teaching Internet Law (then called “Cyberspace Law”) in Spring 1996. I electronically publish a casebook, Internet Law Cases & Materials, which I use in my course and other professors have adopted as well.

I started blogging on Internet Law topics in 2005. Currently, I blog at two self-operated blogs plus a Forbes.com blog. I have alerts set up to notify me of new judicial rulings interpreting 47 U.S.C. § 230, and I blog almost all of those rulings. One of my blogs, the Technology & Marketing Law Blog, has been named to the ABA Journal’s “Blawg 100” list for the past three years.

In 2011, I organized a major conference on 47 U.S.C. § 230—one of the few academic conferences that focused solely on the statute. Speakers included both of the statute’s initial co-sponsors (Sen. Ron Wyden and former-Rep. Chris Cox), the plaintiff in the leading 47 U.S.C. § 230 case (Ken Zeran of Zeran v. America Online) and many other experts.

My CV (attached) provides more detail about my background, education, training and experience.

About My Relationship with Ripoff Report: I have repeatedly written and spoken about the Ripoff Report, including numerous blog posts (both favorable and unfavorable) about its lawsuits. I intend to continue writing and speaking about Ripoff Report as part of my academic endeavors. To minimize future conflicts-of-interest, I volunteered to provide my expert testimony in this case pro bono. Xcentric Ventures will reimburse any out-of-pocket costs I incur in connection with my expert testimony, but otherwise I am not being paid by Xcentric Ventures or anyone else for my expert testimony.

Sincerely,

Eric Goldman
c/o Santa Clara University School of Law
500 El Camino Real
Santa Clara, CA 95053
(408) 554-4369
egoldman@gmail.com

Attachment: Eric Goldman Curriculum Vitae

[Photo Credit: white-gloved hand on a black background // ShutterStock]

Posted by Eric at 02:30 PM | Derivative Liability , E-Commerce | TrackBack

Court Kicks Data Breach Claim Against Valve – Grigsby v. Valve

[Post by Venkat Balasubramani]

Grigsby v. Valve Corp., No. C12-0553JLR (W.D. Wash. Nov. 14, 2012)

Valve is facing a putative class action over a hacking incident involving a breach of Valve’s security system and access to the personal information of “Steam” users. (See "Valve confirms Steam hack: credit cards, personal info may be stolen.") This is an unexceptional ruling in a data breach class action: the court dismisses the claims (albeit with leave to amend).

The lawsuit was originally filed in the Central District of California, but the case was transferred to the Western District of Washington based on application of a forum selection clause in the Steam user agreement. data breach.jpg The court analyzes the allegations of harm in two different categories:

Allegations of future harm: First, there are allegations of future harm—i.e., plaintiffs said they would have to “spend money to ‘protect their privacy’”. (quotations in original) The court says (citing to Pisciotta and Ruiz v. Gap) that these are not cognizable damages.

Allegations of present harm: The allegations of present harm fall into a few categories: (1) loss of access to Valve’s service; (2) loss of data; and (3) loss of “the benefit of the bargain”. The court says that the present harm allegations do not give rise to the same unique issues and looks instead to the general principles applicable to pleadings, and the standards set forth by the Supreme Court in Iqbal and Twobmly. The court says that Twombly marked a shift, and together the two cases established a more stringent pleading requirement (the complaint must allege facts “with a sufficient level of specificity to raise entitlement to relief above the speculative level”). The court also says that the pleading requirements are particularly important in a putative class action such as this one where the loss of a 12b6 motion opens the door to discovery—that is likely to be resource-intensive and expensive for the defendant. In light of this, the court says: “plaintiffs’ complaint must rise to a higher plausibility threshold than it would if it were a garden-variety tort claim or a claim brought by Mr. Grigsby alone.” The court says that plaintiffs allegations fall “well short”:

[Plaintiffs] say nothing about which services were interrupted, which subscriptions or gaming networks they were unable to access, what data they ‘lost,’ how their data could have been ‘lost’ in this situation, or how they may have lost money by subscribing to Steam, which is free.

Although the court dismisses the complaint, the court gives plaintiffs 30 days leave to amend.

Not a surprising result. Courts have invoked Iqbal and Twombly in the past, but I don't recall courts focusing so much on the discovery burdens imposed by class actions and how this warrants even more stringent pleading standards. This is closely related doctrinally to standing, but it's just another tool courts have available to put the brakes on privacy class actions.

The plaintiff here does not appear to have suffered any effects from the misuse of his data, and this takes him outside the small category of recent cases where courts have declined to dismiss data breach claims. Any allegations based on diminution in value to plaintiff’s personal data are unlikely to gain any traction. Similarly, any allegations based on alleged deprivation of the benefit of the bargain are also unlikely to gain traction.

The court sends a pretty strong message to the plaintiff that it’s not enthused about his claims and will not let them move forward absent some more concrete allegations and more importantly, harm. We’ll see what the plaintiff comes back with. (The order does not contain any discussion of whether Valve offered standard credit monitoring services, but this obviously bears on the issue of whether plaintiff has cognizable damages.)

(h/t: PogoWasRIght)

Other coverage:

Data Privacy Monitor: Data Breach Class Action against Popular Video Game Developer Dismissed for Failure to Plead Adequate Damages

Posted by Venkat at 07:50 AM | E-Commerce , Privacy/Security

November 15, 2012

Court: Customer Consents to Receive Texts by Providing Phone Number to Pharmacy – Pinkard v. Wal-Mart Stores, Inc.

[Post by Venkat Balasubramani]

Pinkard v. Wal-Mart Stores, Inc., 12-cv-02902 (N.D. Ala. Nov. 9, 2012)

Text messaging lawsuits are out of control.* That said, a district judge granted a motion to dismiss brought by Wal-Mart in a text spam case that even by the most conservative standards was a harsh result. (Two other courts have also recently given text spam lawsuits the boot: Ibey v. Taco Bell and Ryabyshchuck v. Citibank.)

Pinkard visited a Wal-Mart in-store pharmacy, and at the request of Wal-Mart employees, provided her mobile phone number. She alleges that the employees did not expressly seek her permission to send text messages but rather said the number was necessary “in case . . . any questions . . . came up.” She started receiving text messages from Wal-Mart (the frequency and contents were not alleged). When she inquired with Wal-Mart staff as to why she received text messages, a Wal-Mart employee told her that it was Wal-Mart’s policy to automatically enroll pharmacy customers into a program that sends Wal-Mart-related texts to those customers.

Wal-Mart argued that by providing her number, plaintiff consented. The key question is what consent under the TCPA should look like. The court notes that the FCC has a rule that requires written consent, but this rule will not go into effect until October 2013. Therefore, written consent is not required. The court says that a party consents to receiving calls when the party “voluntarily provides her telephone number to another.” Pinkard argued that this rule only applied to telephone calls in the colloquial sense and not text messages (that the FCC and courts also treat as “calls” under the TCPA). The court is not persuaded, and says that text messages and voice calls are treated the same for other purposes of the TCPA, so there’s no reason to distinguish when it comes to consent:

no statutory, regulatory, or caselaw rationale to distinguish [between calls and text messages] presently exists. Consequently, under sec. 227(b)(1), a person ‘who knowingly releases her phone number has in effect given her invitation of permission’ to be contacted at that number, including via text message.

Plaintiffs pointed to the Ninth Circuit’s statement in Satterfield that consent needs to be “clear[] and unmistakable,” but the court says that giving someone (even an employee at Wal-Mart) your mobile number is clear and unmistakable consent. To hold otherwise, the court says would “contradict the overwhelming weight of social practice.”

Finally, plaintiff moved to amend her complaint, and she submitted a proposed amended complaint that added a bunch of factual detail, including that she did not consent to receive texts (whatever the scope of consent may be inferred from providing her number). The court says that plaintiff’s proposed amended pleading inverts the burden of proof. It’s initially Wal-Mart’s burden to prove consent. Once it satisfies this burden, it’s then plaintiff’s burden to “explicitly state the limited scope of her consent.” [emphasis in original] Either way, the court denies the proposed amendment on the basis that it would be futile.

Oy. It can’t be the right answer that if you provide a pharmacy your mobile number at the pharmacy's request, you automatically consent to receiving a stream of commercial text messages. I’m not sure in what universe this would be in accordance with the “overwhelming weight of social practice,” but probably not ours. It will be interesting to see if plaintiff appeals. I would assume she has a reasonably good chance of success, at least to proceed past the pleading stages.

The ruling touches on a favorite theme: unintended consequences from application of a law or regulation to a medium it was not necessarily originally intended to address. (See also Facebook v. Max Bounty.) Here, although virtually every court has since come to this conclusion, it was far from obvious that the TCPA’s definition of "call" encompassed text messages. (See Joffe v. Acacia Mortgage for early discussion of this issue, as well as Abbas v. Selling Source.) One of the problems with this approach is that consent for texts plays out differently than consent from calls, and the operative FCC regulations don’t provide sufficient guidance on how to distinguish between the consent that should be implied to receive a call when you give someone your telephone number and consent to receive texts. (Either way, the fact that the customer provided the number at the employee’s request should affect the analysis.)

* - If a class action suing a sports team for sending more than the allotted amount of 5 texts per week isn’t over the top, I’m not sure what is. See the recently filed complaint in Wojcik v. Buffalo Bills, Inc., 12 cv 2414-SDM-TBM (M.D. Fla. Oct. 25, 2012).

[image credit: Shutterstock/Anton Novik "Glossy Winged Mail Envelope"]

Posted by Venkat at 12:52 PM | E-Commerce , Marketing , Spam

November 10, 2012

Email That Says “Done .. thanks!” Doesn't Transfer Copyrights – MVP Entertainment v. Frost

[Post by Venkat Balasubramani]

MVP Entertainment, Inc. v. Frost, B235100 (Ca. Ct. App. Nov. 7, 2012) [pdf]

We enjoy cases where people negotiate or modify contracts via email or other modern methods of communication. The underlying rules haven’t changed, and nor should they, but people don’t expect that casual off-hand electronic communications can form or alter contractual relationships. This can lead to unintended results. The favorite from this genre is the CX Digital case, where an Instant Message conversation modified the terms of an agreement and resulted in a $1.2mm judgment: "Court Rules That Instant Message Conversation Modified the Terms of a Written Contract."

This case involved an alleged agreement to transfer rights in the book titled “The Match: The Day the Game of Golf Changed Forever.” MVP wanted to purchase rights in the book and turn it into a movie. Attorneys for the parties exchanged emails.
The lawyer for MVP sent an email (to the author's lawyer) with proposed terms, and asked whether “this is okay and [he would] send paperwork.” In response, the lawyer for the copyright owner (Alan Wertheimer) said:

done . . . thanks! Werth.

Later, the author and his entity talked to MVP and said that they did not want MVP to make The Match into a movie. MVP sued, asserting a variety of claims, but principally a breach of contract claim. In MVP’s view, Wertheimer’s “done thanks” email created a binding contract.

The court says that a transfer of copyright ownership is not valid unless there is a writing signed by the owner: “It doesn’t have to be the Magna Carta; a one-line pro forma statement will do.” Section 204’s writing requirement is slightly different from the statute of frauds. It serves more than an evidentiary function, and defenses such as equitable estoppel do not apply.

The big problem in this case is that Wertheimer did not have actual authority to transfer the copyrights. He testified that while he often negotiated these types of deals, he never signed the contracts (the author signed the agreements). MVP argued that Wertheimer had “ostensible authority," but the court says this is irrelevant. While California agency law may have certain rules for when contracts should be enforced against principals based on their agents leading others to believe they had authority, the Copyright Act requires a writing signed by the owner or the owner’s duly authorized agent.

MVP also argued that Wertheimer’s signature on the email (i.e., “Werth”) was an electronic signature under the ESIGN Act, but the court footnotes this argument and says it doesn't trump the actual authority issue. Again, the key issue is whether or not Wertheimer had authority--if he did, the email would likely have satisfied the writing requirement (given the court's earlier statement that the writing need not be the Magna Carta). (For context on Section 204 and the ESIGN Act, check out John O.’s blog post on the Hermosilla case: “Can A Copyright Be Assigned By Email?--Hermosilla v. Coca-Cola.”)

I may be saying this out of self-interest, but I like this result. It’s a bummer to have someone argue that one of your casual emails ended up granting someone rights in your client’s property.

In my comments to the Hermosilla post, I mentioned the possibility of a standard disclaimer that may preempt these types of arguments:

Nothing in this email is intended as an offer and the author disclaims any intention to make an offer or create an enforceable agreement through any email messages. Any agreement with the author of this email must be in a signed paper document!

I have not implemented one of these, but I still think it’s a good idea.

(h/t: Courthouse News)

[Image credit: Boris15 / Shutterstock.com]

Posted by Venkat at 11:45 AM | Copyright , E-Commerce , Licensing/Contracts

October 31, 2012

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power

[Post by Venkat Balasubramani]

Burrows v. Purchasing Power, LLC, 12-cv-22800-UU (S.D. Fla. Oct. 18, 2012) [pdf]

This is another data breach lawsuit. Some of the claims survive defendants’ motion to dismiss.

Purchasing Power runs a preferred purchasing (or discount purchasing) program for Winn-Dixie employees. It offers Winn-Dixie employees the ability to pay for items purchased via automatic payroll deductions. In October 2011, Purchasing Power and Winn-Dixie learned that a Purchasing Power employee had obtained the personal information of Burrows (the named plaintiff) and other Winn-Dixie employees. data breach.jpg Burrows alleged that when he went to file his 2012 tax return, he was advised that a return had already been filed in his name, and therefore Burrows could not get the refund that he was owed. He sued Winn-Dixie and Purchasing Power, alleging negligence, violations of the Stored Communications Act and the Florida Deceptive Trade Practices Statute, and invasion of privacy.

Standing: Defendants argued that Burrows did not suffer any actual monetary loss, and Burrows had not taken up with the IRS the issue of whether he could obtain his refund--i.e., he hadn't exhausted his remedies with the IRS. The court disagrees and says that by alleging “actual identity theft,” Burrows satisfies standing, regardless of any monetary loss. The court notes that even in Reilly v. Ceridian, an Eleventh Circuit data breach case that took a narrow view of standing, the court intimated that risk of future identity theft is not sufficient but found that actual misuse of information would be sufficient.

Negligence: The court says that Burrows’ allegation “for monetary loss for the use of his PII and identity theft” sufficiently alleges a claim for negligence. However, it also says that his allegation as to the “lost monetary value of his PII” is insufficient. The court grants the motion and denies it in part with respect to the negligence claim. I found the ruling on the negligence issue somewhat confusing, but the big takeaway is that his allegation of identity theft sufficiently states a claim for negligence.

Stored Communications Act: The court dismisses the Stored Communications Act because Burrows doesn’t allege that defendants either offer Electronic Communications Services or Remote Computing Services as defined under the SCA.

FDUTPA: The court denies the motion with respect to the deceptive trade practices statute based on several allegations: (1) defendants failed to adequately secure the PII, (2) defendants allegedly transferred the personal data of employees regardless of their participation in the purchase program; and (3) defendants failed to notify Burrows promptly of the data breach.

Invasion of Privacy: The court dismisses the invasion of privacy claim on the basis that it's an intentional tort and there was no allegation that defendants intended to compromise the employees' personal information.
__

Data breach plaintiffs have historically gotten blasted in court, but this marks the second or third ruling where the court finds standing and allows claims to move forward. What accounts for the different results? One way to explain it is that if there's actual evidence that your personal data has been misused, and this misuse is not obviously financially covered elsewhere (e.g., by a bank refund or reversal of charges), then you have enough damages to bring a claim. The risk of identity theft is still not sufficient for most courts. The claims themselves are still all across the board. In a recent California case, the court applied the rule barring economic damages without physical injury or an exception to the rule in the form of a special relationship. The court in this case doesn't discuss this issue at all; perhaps under Florida law, plaintiff could have easily alleged a special relationship (e.g., employer / employee). It's tough to know whether this is part of a larger trend, or a few outlier rulings. Either way, this ruling is broad in some respects (in allowing negligence and finding that the mere transfer of information for all employees or failure to notify affected parties quickly enough could constitute a deceptive trade practice).

Resolution of the Stored Communications Act was worth noting; it's an affirmation that entities who do not provide computing services to the public do not fall under the statute. I would have thought that plaintiff may have had an argument with respect to Purchasing Power, who was in the business of facilitating the purchases and would presumably deal with a fairly large segment of the public in situations involving the transfer of information between its client/employers and employees.

Most data breach rulings highlight the importance of the relationship between a company that takes in personal information and its service providers, but this ruling does more so. What looked like a perk for employees that any employer would be eager to offer its employees has now turned into a litigation nightmare (and has resulted in loss or hassle for some employees). I would hope the agreement between Winn-Dixie and Purchasing Power spells out what protections are put in place and who bears the responsibility for any data breach and related litigation. It's a fair bet that this agreement offers a less than definitive resolution of the issues, and it's likely we'll see another round of litigation between these two parties and/or their insurers.

(h/t: PogoWasRIght)

Other coverage:

Data Security Law Journal: The Southern District of Florida Weighs in on Data Breach Lawsuits
InsidePrivacy: Florida Data Security Claims Survive Motion to Dismiss

Related posts:

Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Network
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds--Low v. LinkedIn
Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data -- Reilly v. Ceridian
First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing--Katz v Pershing
New Essay: The Irony of Privacy Class Action Lawsuits
Another Data Loss Case Tossed on Article III Grounds--Whitaker v. Health Net
Reidentification Theory Doesn't Save Privacy Lawsuit--Steinberg v. CVS Caremark
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]

[image credit: Shutterstock / budiadiliansyah ("programmer"/"hacker")]

Posted by Venkat at 10:54 AM | E-Commerce , Privacy/Security

October 29, 2012

How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked (Forbes Cross-Post)

By Eric Goldman

In re Zappos.com Inc., Customer Data Security Breach Litigation, 2012 WL 4466660 (D. Nev. Sept. 27, 2012).

In January, Zappos (part of $AMZN) announced a massive data security breach affecting 24 million consumers. As typically happens in these situations, plaintiffs' class action lawyers swarmed over Zappos for the breach, filing dozens of lawsuits. Zappos tried to send the lawsuits to arbitration based on an arbitration clause in its user agreement. Recently, a federal court struck down Zappos.com's user agreement, denying Zappos' arbitration request. This is an unfortunate ruling for Zappos, because its contract--now dead--would have been quite helpful in combating this high-profile and potentially very expensive data security breach lawsuit. More importantly, the mistakes Zappos made in its user agreement--though common throughout the Internet--are completely and easily avoidable. This post will make some suggestions for how to avoid Zappos' fate.

Nomenclature note: "user agreement" synonyms include "terms of service"/"TOS," "terms of use"/"TOU," "end user license agreement"/"EULA," and "member agreement."

Zappos' Terms of Use Was a "Browsewrap"

Courts generally divide user agreements into one of three groups: "clickwraps," "browsewraps" and "clearly not a contract." I don't use the term clickwrap; instead I prefer the term "clickthrough agreement." A clickthrough agreement is presented to users in such a way that they must take some action--usually, clicking on a button--that unambiguously signifies that they are assenting to the contract. When properly implemented, clickthrough agreements are extremely effective in courts.

In contrast, "browsewraps" are user agreements that purport to bind users simply because users browse the website. I don't use the term browsewrap; instead, I prefer to call those documents "not a contract." Although there are some aberrational cases to the contrary, for the most part courts do not treat browsewraps as a contract, and anyone relying on a so-called browsewrap does so at their extreme peril.

According to the court, Zappos presented its "terms of use" as a browsewrap. You can see the implementation from this screenshot snippet above--look for the obscure link entitled "terms of use" on the left side. (As the court notes, if you printed out the home page of Zappos.com, this snippet would be on page 3 of the 4 page printout).

The court does not have kind words for Zappos' implementation:

we cannot conclude that Plaintiffs ever viewed, let alone manifested assent to, the Terms of Use. The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use. No reasonable user would have reason to click on the Terms of Use, even those users who have alleged that they clicked and relied on statements found in adjacent links, such as the site's “Privacy Policy.”

Later, the court reinforces how unimpressed it is with Zappos' browsewrap argument:

The arbitration provision found in the Zappos.com Terms of Use purportedly binds all users of the website by virtue of their browsing. However, the advent of the Internet has not changed the basic requirements of a contract, and there is no agreement where there is no acceptance, no meeting of the minds, and no manifestation of assent. A party cannot assent to terms of which it has no knowledge or constructive notice, and a highly inconspicuous hyperlink buried among a sea of links does not provide such notice. Because Plaintiffs did not assent to the terms, no contract exists, and they cannot be compelled to arbitrate.

Zappos Reserved the Right to Amend the Contract Whenever It Wanted

As you can see from the screenshot snippet above, Zappos' terms of use says "We reserve the right to change...these terms and conditions at any time." Zappos isn't the only website using language like this; it's ubiquitous on the Internet. Unfortunately, despite its widespread usage, this language is toxic to a contract.

The court takes this amendment power to its logical conclusion. If Zappos can change the terms at any time, then it can change the arbitration clause at any time. Thus, citing to a long list of cases, the court says that such unilateral power to change the arbitration clause makes the clause "illusory"--and thus unenforceable.

Lessons

Zappos can hardly be surprised by this adverse judicial ruling. We have known for years that browsewraps are unenforceable (see some of the cases discussed here) and judges clearly dislike unilateral amendment clauses (see, e.g., the uncited Ninth Circuit's Douglas ruling from 2007 and the cited 2009 ruling in the Blockbuster/Facebook Beacon case).

Still, the ruling leaves Zappos in a bad position. Its contract is legally irrelevant, meaning that all of the risk management provisions in its contract are ineffective--its disclaimer of warranties, its waiver of consequential damages, its reduced statute of limitations, its clause restricting class actions in arbitration...all of these are gone, leaving Zappos governed by the default legal rules, which aren't nearly as favorable to it. Losing its contract provisions meant Zappos is legally naked.

Avoiding this outcome is surprisingly easy. Use clickthrough agreements, not browsewraps, and remove any clauses that say you can unilaterally amend the contract.

Using Clickthrough Agreements. Zappos had an easy way to form a clickthrough agreement. As shoppers are checking out of the store with their shopping cart, Zappos could say "By clicking the 'purchase' button, you agree to the Zappos terms of use" with a link to the document. It's as easy as that. No custom coding, no interstitial web pages, no real risk of abandoned shopping carts.

Even if you aren't an e-commerce site, it's still easy to form a clickthrough agreement if you have an account registration process. Right before users complete the registration, present the terms as "By [creating an account], you agree to the user agreement" with a link to the document.

Thus, the only websites that can't easily implement a clickthrough agreement are sites that have no checkout or registration processes. Websites in that category should carefully consider why they need a user agreement at all.

No Unilateral Amendment Clauses. If you are changing the user agreement only for new users who enter into the contract after the change, you don't need to tell them that you've amended the terms. They are automatically bound to your then-current terms when they click through. If you form a contract with your users each time you interact with them (such as with an e-commerce site), you aren't "amending" your contract; you're just changing the terms for subsequent transactions.

In contrast, if you are providing ongoing services to users and you want to change the deal with them, then you need to amend the existing agreement. Unfortunately, there is no reliable legal way to do so other than to require users to click through the new terms--an imperfect solution because many existing users never come back to the site, and other users will balk at the request. And worse, any failed amendment creates a variety of legal vulnerabilities, so you need an airtight amendment implementation.

Thus, to develop a legally effective contract amendment process, you should brainstorm with your attorney about creative solutions that provide flexibility without breaking the law or undermining your contract. Or, just accept that you can never materially change the contract terms for users who have signed up under a different deal. You might be surprised how little that limits you in practice.

Either way, Zappos' loss provides a good warning what not to do: don't just clone-and-revise the amendment provisions you've seen on other sites. THAT DOESN'T WORK in court, and you'll be in for an unpleasant surprise if you learn that the hard way.

Disclaimer: this post is just a general discussion about legal topics. It doesn't provide legal advice. Consult your own attorney before making any decisions.

Posted by Eric at 09:00 AM | E-Commerce , Licensing/Contracts , Privacy/Security | TrackBack

October 24, 2012

Q3 2012 Quick Links, Part 5 (E-Commerce, Miscellaneous)

By Eric Goldman and Jake McGowan

E-Commerce

* Noll v. eBay, 2012 WL 1413442 (N.D. Cal. April 23, 2012). The Complaint. eBay's "Good 'Til Canceled" fees survive a legal challenge.

* Porras v. StubHub: StubHub not liable for tickets that are not “authentic” and “valid.”

* NY Times: How shopping malls are fighting back against e-commerce: by shifting to retailers who provide services instead of selling goods.

* NY Times on Craigslist’s ongoing campaign to shut down third party apps built on its site.

Miscellaneous

* Las Vegas Sun profile of Marc Randazza

* “38% of adults sometimes think it would be easier to solve world peace than attempt to remember all their passwords.”

* Ira Steven Nathenson, Best practices for the law of the horse: teaching cyberlaw and illuminating law through online simulations, 28 Santa Clara Computer & High Tech. L.J. 657-741 (2012). Related: Teaching Cyberlaw.

* New version of James Grimmelmann’s Internet Law reader is available.

* Jay Brown, Essay: Law Faculty Blogs and Disruptive Innovation

* Nick Bilton on the Silicon Valley Bubble (socially, not economically)

* Bing Has Human Search Quality Raters. Prior blog post.

* Breaking down Google’s 2011 Revenues.

* Wired: Signing Forms at the Top Makes People More Honest.

* CNET News.com: “AngelList is now helping startups with their legal docs."

* Wired’s retrospective on SABRE--one of the first and most important electronic networks.

* VentureBeat: Sh*t Judge Lucy Koh says: Our top 5 favorites

Posted by JakeMcGowan at 03:21 PM | Content Regulation , E-Commerce | TrackBack

Does the Supreme Court Have a Free Policy Choice in Wiley v. Kirtsaeng? (Guest Blog Post)

By Guest Blogger Marketa Trimble

Does the Supreme Court Have a Free Policy Choice in Wiley v. Kirtsaeng?
(A Template for an Interpretation of the Copyright Act that Ignores the Place of Manufacture and Provides a Free Choice between the Principles of International and National Exhaustion)

The Supreme Court will make an important decision in Kirtsaeng v. John Wiley & Sons, which the Court has scheduled for oral arguments on October 29, 2012. Although the focus of the controversy has been on distinguishing between foreign-made and U.S.-made copies (see below), the key policy question in the decision should rather be which principle of copyright exhaustion the United States should adopt for all copies: the principle of international exhaustion or the principle of national exhaustion. Under the principle of international exhaustion the first authorized sale of a copy – anywhere in the world – exhausts a copyright owner’s right to distribute the particular copy, and the new owner of the copy may freely resell the copy in the protecting country (in this case in the United States). The principle of national exhaustion says that only if the first authorized sale occurs in the protecting country (in this case in the United States) will the right to distribute under the copyright law of that country (in this case U.S. copyright law) be exhausted.

The problem is that the Copyright Act has been interpreted to distinguish between copies manufactured in the United States and copies manufactured outside the United States. Courts have interpreted the Act as applying the principle of international exhaustion to copies manufactured in the United States and the principle of national exhaustion to copies manufactured outside the United States. Whether it makes sense to treat copies differently based on their place of manufacture is debatable, but it certainly makes no sense as a matter of policy to afford rights more favorable to a copyright owner (under the rule of national exhaustion) for copies manufactured outside the United States. Other countries do not distinguish by places of manufacture when they apply the exhaustion principle; they adopt the principle of either national or international exhaustion for all copies.

The question is whether the Supreme Court could both 1) abandon the distinction between copies based on their place of manufacture, and 2) make a conscious policy choice between the principles of national and international exhaustion. It might seem that the constraints of the language of the Copyright Act would preclude an interpretation that would lead to taking the two steps simultaneously. However, the template below shows that it might be possible for the Supreme Court to focus on the key policy debate and choose freely between the two principles of exhaustion, thereby selecting a pivotal policy for U.S. copyright law. The template suggests that the relevant individual provisions of the Copyright Act could be interpreted in a manner that would permit a choice of one exhaustion principle or the other without having to distinguish among copies based on their place of manufacture.

On the issue of national versus international exhaustion see also Kirtsaeng v. John Wiley & Sons, Reply Brief for Petitioner, Oct. 1, 2012, pp. 20-23.

Related posts:

* Second Circuit Says No First Sale Doctrine for Works Manufactured Outside the U.S. -- Wiley & Sons v. Kirtsaeng
* Supreme Indecision: Costco v. Omega Gums up the (Watch)Works
* Resale of International Textbooks to US Students Not Protected by First Sale Doctrine--Pearson v. Liu

Also see the HTLI conference page for Exhaustion and First Sale in IP from 2010.

_____

The template below is based solely on statutory language and ignores legislative history, case law, and other points of reference for legislative interpretation. The interpretation of the statutory language in the template is simplified to serve the purpose of an overview rather than an in-depth analysis.

U.S. Copyright Act Provision	Interpretation for International Exhaustion	Interpretation for National Exhaustion
§109(a), first sentence (The First Sale Doctrine) “Notwithstanding the provisions of section 106(3), the owner of a particular copy or phonorecord lawfully made under this title, or any person authorized by such owner, is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy or phonorecord.”	The first sale doctrine applies to sales anywhere in the world. A person or entity becomes an “owner of a particular copy or phonorecord” by acquiring the copy or phonorecord anywhere in the world. The phrase “lawfully made under this title” refers to copies or phonorecords that are lawful – or if made under the same circumstances in theUnited States, would have been held lawful – under the U.S. Copyright Act.	The first sale doctrine applies only to sales within the United States because section 602(a)(1) makes it an infringement to import copies or phonorecords acquired outside the United States. The phrase “lawfully made under this title” means that the provision applies to any copies or phonorecords, whether manufactured in the United States or abroad, which once in the United States are held to have been lawfully made as measured by the U.S. Copyright Act.
§602(a)(1) (Infringing Importation of Copies Acquired Abroad) “Importation into theUnited States, without the authority of the owner of copyright under this title, of copies or phonorecords of a work that have been acquired outside theUnited Statesis an infringement of the exclusive right to distribute copies or phonorecords under section 106, actionable under section 501.”	The exclusive right to distribute under section 106(3) is limited by the first sale doctrine in section 109(a), and therefore it is not an infringement to import copies or phonorecords to which the distribution right was exhausted; even if they have been acquired abroad, the distribution right of the copyright owner is exhausted. Section 602 concerns copies and phonorecords that were never sold by the copyright owner anywhere in the world and are now being imported into the United States.	Section 602(a) targets copies or phonorecords “acquired outside the United States,” and the section defines the territorial scope of the distribution right to include the right to distribute outside the United States, which is not limited by the first sale doctrine in section 109(a). Section 602(a) captures copies or phonorecords acquired outside the United States whether or not they were sold outside the United States by the copyright owner.
§602(a)(2) (Infringing Importation and Exportation of Infringing Copies) “Importation into the United States or exportation from the United States, without the authority of the owner of copyright under this title, of copies or phonorecords, the making of which either constituted an infringement of copyright, or which would have constituted an infringement of copyright if this title had been applicable, is an infringement of the exclusive right to distribute copies or phonorecords under section 106, actionable under sections 501 and 506.” (emphasis added)	(1) The reason for using the longer phrase (in italics) as opposed to the shorter phrase “not lawfully made under this title” is that the provision’s emphasis is on lawful manufacture. (2) The interpretation of the first sale doctrine as covering sales in the United States and abroad is consistent with section 602(a)(2) because the doctrine does not cover copies or phonorecords that were not “lawfully made under this title,” meaning not lawful – or if made under the same circumstances in the United States, would not have been held lawful – under the U.S. Copyright Act. The distribution right to such copies and phonorecords is never exhausted in the United States and their importation and exportation is an infringement.	(1) The reason for using the longer phrase (in italics) as opposed to the shorter phrase “not lawfully made under this title” is that the provision’s emphasis is on lawful manufacture. (2) The interpretation of the first sale doctrine as covering sales only in the United States is consistent with section 602(a)(2) because the doctrine does not cover copies or phonorecords, whether manufactured in the United States or abroad, which once in the United States are held to be unlawful under the U.S. Copyright Act. The distribution right to such copies or phonorecords is never exhausted in the United States and their importation and exportation is an infringement.
§501(a), first sentence (Infringement of Copyright) “Anyone who violates any of the exclusive rights of the copyright owner as provided by sections 106 through 122 or of the author as provided in section 106A(a), or who imports copies or phonorecords into the United States in violation of section 602, is an infringer of the copyright or right of the author, as the case may be.”	It is an infringement to distribute copies or phonorecords that were never sold by the copyright owner in the United States or anywhere in the world (section 106(3) distribution right limited by the first sale doctrine of section 109(a), and section 602(a)). Importation of unlawful copies is also an infringement (section 602(b)).	It is an infringement to distribute copies or phonorecords that were never sold by the copyright owner in the United States(section 106(3) distribution right limited by the first sale doctrine of section 109(a)). It is an infringement to import copies or phonorecords that were acquired outside the United States whether or not they were sold there by the copyright owner (section 602(a)). Importation of unlawful copies is also an infringement (section 602(b)).
§109(c) and (e) (Exceptions to the right to perform publicly and the right to display publicly) “Notwithstanding the provisions of section 106(5), the owner of a particular copy lawfully made under this title, or any person authorized by such owner, is entitled, without the authority of the copyright owner, to display that copy publicly, either directly or by the projection of no more than one image at a time, to viewers present at the place where the copy is located.” “Notwithstanding the provisions of sections 106(4) and 106(5), in the case of an electronic audiovisual game intended for use in coin-operated equipment, the owner of a particular copy of such a game lawfully made under this title, is entitled, without the authority of the copyright owner of the game, to publicly perform or display that game in coin-operated equipment, except that this subsection shall not apply to any work of authorship embodied in the audiovisual game if the copyright owner of the electronic audiovisual game is not also the copyright owner of the work of authorship.”	The exceptions apply to all lawful works – whether made in the United States or elsewhere – because the phrase “lawfully made under this title” refers to copies or phonorecords that are lawful – or if made under the same circumstances in theUnited States, would have been held lawful – under the U.S. Copyright Act.	The exceptions apply to all works that are located within the reach of the U.S. Copyright Act because the phrase “lawfully made under this title” refers to any copies or phonorecords, whether manufactured in the United States or abroad, which once in the United States are held to be lawful as measured by the U.S. Copyright Act.
§110(1) (Educational Exception) “Notwithstanding the provisions of section 106, the following are not infringements of copyright: (1) performance or display of a work by instructors or pupils in the course of face-to-face teaching activities of a nonprofit educational institution, in a classroom or similar place devoted to instruction, unless, in the case of a motion picture or other audiovisual work, the performance, or the display of individual images, is given by means of a copy that was not lawfully made under this title, and that the person responsible for the performance knew or had reason to believe was not lawfully made;”	Same interpretation as for section 109(c) and (e).	Same interpretation as for section 109(c) and (e).
§110(2) (Online Learning Exception) “Notwithstanding the provisions of section 106, the following are not infringements of copyright:… (2) except with respect to a work produced or marketed primarily for performance or display as part of mediated instructional activities transmitted via digital networks, or a performance or display that is given by means of a copy or phonorecord that is not lawfully made and acquired under this title, and the transmitting government body or accredited nonprofit educational institution knew or had reason to believe was not lawfully made and acquired, the performance of a nondramatic literary or musical work or reasonable and limited portions of any other work, or display of a work in an amount comparable to that which is typically displayed in the course of a live classroom session, by or in the course of a transmission, if…”	The phrase “a copy or phonorecord that is not lawfully made and acquired under this title” refers to a copy or phonorecord whose origin is not lawful under the U.S. Copyright Act. Even if the copy or phonorecord was manufactured and/or acquired outside the United States, the copy or phonorecord is not “lawfully made or acquired under this title” if its manufacture and acquiring under the same circumstances in the United States would have been unlawful under the U.S. Copyright Act.	The phrase “a copy or phonorecord that is not lawfully made and acquired under this title” refers to a copy or phonorecord, which once in the United States is held to be unlawfully made and/or acquired under the U.S. Copyright Act. Regardless of where the copy or phonorecord was manufactured and/or acquired, once in the United States, its lawfulness is measured by the U.S. Copyright Act.
§1001(7) and §1006(a)(1)(A) (Digital Audio Recording) “An ‘interested copyright party’ is— (A) the owner of the exclusive right under section 106(1) of this title to reproduce a sound recording of a musical work that has been embodied in a digital musical recording or analog musical recording lawfully made under this title that has been distributed; (B) the legal or beneficial owner of, or the person that controls, the right to reproduce in a digital musical recording or analog musical recording a musical work that has been embodied in a digital musical recording or analog musical recording lawfully made under this title that has been distributed;” “The royalty payments deposited pursuant to section 1005 shall, in accordance with the procedures specified in section 1007, be distributed to any interested copyright party— (1) whose musical work or sound recording has been— (A) embodied in a digital musical recording or an analog musical recording lawfully made under this title that has been distributed, …”	The phrase “lawfully made under this title” refers to copies or phonorecords that are lawful – or if made under the same circumstances in theUnited States, would have been held lawful – under the U.S. Copyright Act.	The phrase “lawfully made under this title” means that the provision applies to any copies or phonorecords, whether manufactured in the United States or abroad, which once in the United States are held to have been lawfully made under the U.S. Copyright Act.

Posted by Eric at 09:50 AM | Copyright , E-Commerce | TrackBack

October 20, 2012

9th Circuit Zings Best Buy Over Robocalls – Chesbro v. Best Buy

[Post by Venkat Balasubramani, with a comment from Eric]

Chesbro v. Best Buy Stores, L.P., No. 11-35784 (9th Cir. Oct. 17, 2012) [pdf]

The Ninth Circuit has issued a few consumer-favorable rulings in the unsolicited text and phone call realm. Here is a another one.

Chesbro bought a computer at Best Buy and provided his telephone number. Best Buy says that he also signed up for Best Buy's “Rewards Zone Program.” Chesbro says he knows nothing about the program, and if he signed up to enroll, he did so unwittingly.

Then, the robocalls started. Chesbro says he received “more than five, less than a dozen” calls from Best Buy following his computer purchase. Chesbro complained to the Washington AG’s office after receiving one particular call. He also called Best Buy and told them to put him on their internal “do not call” list. (He was also signed up on the national “do not call” registry, but that doesn’t seem to have been very effective.) Finally, the straw that broke the proverbial camel’s back:

This is a very important message regarding the Best Buy Reward Zone program. We’re making some changes to increase the security of the program and be more environmentally friendly. Please listen to the entire message and then go to MyReward-Zone.com for details and to update your membership.

The following changes take effect October 31st, 2009 …

For full details and to make sure you’re ready for these changes, go to MyRewardZone.com.

If you would like to hear this message again, press 9
Thank you for your time — and for being a valued Reward Zone program member.

Chesbro sued, asserting claims under the TCPA and Washington’s do not call statute. The TCPA allows the FCC to exempt certain commercial calls that do not adversely affect the privacy interests protected by the TCPA and do not contain unsolicited advertisements. The FCC promulgated rules but said that “dual purpose” calls—calls where a company may inquire about the customer’s satisfaction or otherwise provide customer-service information but also offer to sell additional goods or services--are advertisements and subject to the prohibitions of the TCPA.

Best Buy says that the calls were purely courtesy calls or informational calls. The court disagrees:

The robot-calls urged the listener to “redeem” his Reward Zone points, directed him to a website where he could further engage with the RZP, and thanked him for “shopping at Best Buy.” Redeeming Reward Zone points required going to a Best Buy store and making further purchases of Best Buy’s goods. There was no other use for the Reward Zone points.

The court says that the absence of any reference to products or services is not determinative. The court also allows Chesbro’s claims under the Washington version of the TCPA to move forward.

Ouch. The court’s conclusion that the calls are advertisements only leaves room for Best Buy to argue consent, and that doesn’t seem like a particularly easy argument to make. (See Citibank; Thrasher-Lyon v. CCS Commercial.)

As a consumer, I applaud the court’s privacy-friendly approach. I (like everyone) can’t stand robocalls. But the court's interpretation doesn't leave much room for "informational calls" that are not advertisements. Maybe this is the right approach, as a "purely informational" or customer service call from a corporation is about as real as a unicorn. Perhaps what ultimately swayed the court is Best Buy’s mule-like refusal to honor Chesbro’s numerous opt-out requests. It’s a given in today’s day that the right hand of the corporation will never talk to the left, but that is very likely what could have tipped the scales here.

I've long advocated leaving text message-based marketing out of the marketing toolbox (due to the risk of liability). Perhaps it's time to add robocalls to the list.

Added: I thought it was worth mentioning Stern v. Bluestone, a 2009 decision from New York's highest court tackling this issue in the context of unsolicited faxes sent by attorneys: "N.Y. High Court Finds Attorney's Unsolicited Faxes Did Not Violate Communications Act."

Of interest: “The Federal Trade Commission (FTC) is challenging innovators to create solutions that will block illegal robocalls.” $50,000 bounty!
___

Eric's Comment: Following the Dex v. Seattle case we'll be blogging about soon, this is a second Ninth Circuit case this week attempting to make legal distinctions between editorial content and advertising. As I indicate in the upcoming Dex post, there are simply too many border cases for that distinction to remain coherent. Consider this: this week, the Ninth Circuit held that Yellow Pages are editorial content and a reminder about expiring loyalty points is advertising. Good luck rationalizing those conclusions!

[image credit: John T. Takai / Shutterstock]

Posted by Venkat at 09:38 AM | Content Regulation , E-Commerce , Marketing , Privacy/Security , Spam

October 19, 2012

A Reward Offer Still An Offer, Even if It's Made on YouTube – Augstein v. Ryan Leslie

[Post by Venkat Balasubramani, with comments from Eric]

Augstein v. Leslie, 2012 WL 4928914 (S.D.N.Y. Oct. 17, 2012).

As the post’s title implies, this case is about a reward offer that the plaintiff is trying to enforce.

Ryan Leslie, a musician, lost his computer and external hard drive while on tour in Germany. He offered a $20,000 reward for the return of his "intellectual property" via YouTube (and publicized the offer via his Facebook and Twitter accounts). Here is a link to the reward video here. He later increased the reward offer to $1 million in a separate video posted to YouTube [229,359 views as of the date of this post]:

In the interest of retrieving the invaluable intellectual property contained on his laptop & harddrive, Mr. Leslie has increased the reward offer from $20,000 to $1,000,000 USD.

Augstein returned the computer and hard drive, but Leslie declined to pay up, saying that he couldn't get his intellectual property from his hard drive. Leslie says he tried to access the information and was unable to, so he sent the hard drive to the manufacturer. According to Leslie, the manufacturer deleted the material and issued him a replacement hard drive.

Was the reward an offer? Leslie argued that a reasonable person would have understood the reward videos as advertisements – i.e., “invitations to negotiate.” The court says no. The videos “sought to induce performance,” and as we should all remember from contracts 101, are offers that an offeree can accept by completing performance! That the offer was posted to YouTube does not make it any less of an offer:

The forum for conveying the offer is not determinative, but rather, the question is whether a reasonable person would have understood that Leslie made an offer of a reward. I conclude that they would.

Ouch.

Should Leslie be held accountable for failing to preserve the data?: The second issue related to whether the court should order an adverse inference against Leslie due to his failure to preserve evidence. Augstein lawyered up when he contacted Leslie about the reward. As the court notes, litigation was “all but certain.” Leslie nevertheless did not take the necessary steps to preserve the hard drive (he sent it to the hard drive manufacturer). The court says that the only question was whether Leslie was negligent or whether he had some higher level of culpability in failing to preserve the data. At a minimum, the court says that he was negligent. Although the court doesn’t issue a ruling on the merits against him, it says that Augstein will be entitled to an adverse inference—the jury can infer that the missing hard drive would have contained the material Leslie was so concerned about.

Double ouch. Leslie is toast. Moral of the story? Don’t make reward offers on YouTube that you don’t intend to follow through on.
____

Eric's Comments. We've seen a few defamation cases where courts have said basically that readers don't take online assertions of fact at their face value. See, e.g., Venkat's discussion here. There's no discussion in the opinion that Leslie argued his $1M number was hyperbolic or a joke. (The opinion cites the modern classic Leonard v. Pepsico, the case involving Pepsi points and Harrier jets). Maybe if he had said it with a Dr. Evil sneer, he might have had something to argue. But it's entirely credible that a well-known musician would pay $1M to obtain work-in-progress on a lost hard drive. Indeed, at that moment of panic when we think our hard drive has melted down and we don't have a recent backup, many of us would gladly pay enormous amounts of money just to have our data back. As Venkat indicates, if you want to tell a joke online, make it really funny; otherwise, say what you mean and mean what you say.

Once we get past the "was he kidding?" question, then we have a venerable line of "rewards" cases where the communication of the reward is an offer for a unilateral contract, not an invitation for further negotiation. The classic Carbolic Smoke Ball case is in this line. If Augstein delivered the requested "intellectual property," then he completed the contract through his performance.

I'm a little puzzled about Leslie's shipping of the hard drive to the manufacturer. I'd like to know more about what steps he took to extract his data from the hard drive. After all, if the data was really worth $1M to him, I'd expect him to act pretty carefully with a balky hard drive; and obviously a replacement hard drive would be irrelevant--and something that we'd expect Leslie to protest pretty heartily. The judge seems to accept the implicit story that Leslie got cold feet about writing a $1M check and buried the hard drive so no one could tell if Augstein had delivered the IP or not. If that's what really happened, shame on Leslie.

This case got some coverage when Augstein first filed suit. See, e.g., this post.

[image credit: blambca / Shutterstock]

Posted by Venkat at 11:44 AM | E-Commerce , Evidence/Discovery , Licensing/Contracts

October 15, 2012

Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Networks

[Post by Venkat Balasubramani]

In re Sony Gaming Networks and Customer Data Security Breach Litigation, 2012 WL 4849054 (S.D. Cal.; Oct. 11, 2012)

This is a class action arising out of a hack of Sony’s online gaming network. The hacks commenced on April 16 or 17, 2011. When Sony discovered that its networks had been compromised, it took some networks completely offline (for up to a month). Approximately 10 days later, Sony acknowledged that customer information had been compromised and said that it was “reviewing options.” Ultimately, Sony offered its consumers:

free identity theft protection services, certain free downloads and online services, and ‘[said that it would] consider’ helping customers who [had] been issued new credit cards.

data breach.jpg Plaintiffs’ lawyers readied their engines and filed multiple class actions that were consolidated in the Southern District of California. (The page listing counsel is worth a look--there were 100s of lawyers involved!) Sony brought a motion to dismiss. The court grants the motion, with leave to amend.

Standing: Citing Krottner v. Starbucks, a case where employee data was stolen from a laptop, the court says that plaintiffs satisfy standing. The court does find that plaintiffs failed to allege any basis for standing as to two Sony entities, but Sony doesn’t have any luck overall kicking the lawsuit on the basis of standing.

Negligence: As to plaintiffs’ negligence claim, the court says that, absent accompanying physical harm, a plaintiff cannot recover for “purely economic loss” in negligence (under California law). In order to get around the economic loss rule, plaintiffs have to plead either the existence of a “special relationship” or allege that they suffered physical or property damage. The court finds that plaintiffs failed to adequately allege facts regarding the exception, but gives them a chance to re-plead. The court also hammers plaintiffs on whether they have alleged cognizable injury for negligence purposes:

without specific factual statements that plaintiffs’ personal information has been misused, in the form of an open bank account, or an un-reimbursed charges, the mere ‘danger of future harm, unaccompanied by present damage, will not support a negligence action.’

Ouch. For good measure, the court also says plaintiffs’ allegations that their consoles have lost value as a result of the data breach are “illusory.”

Consumer protection act claims: The court dismisses the consumer protection act claims brought by the out-of-state plaintiffs. For in-state plaintiffs, to have standing, plaintiffs have to show that they lost “money or other property.” The court rejects each of the plaintiffs’ arguments that they lost money or other property as a result of the breach: (1) heightened risk of injury and money spent allegedly remedying this is not sufficient under unfair competition statutes (citing the iPhone App Litigation and Ruiz v. Gap); (2) interruption of service and damage to the value of their consoles is similarly too speculative; and finally (3) diminution in the value of their consoles isn’t a credible allegation (and one that plaintiffs disavowed at oral argument).

Even if plaintiffs had standing, they had to point to statements by Sony that are “likely to deceive” a reasonable consumer, and show that consumers actually relied on such statements. Even if they get past this hurdle, they fail to point to what type of injunctive relief they would be entitled to; they don’t have restitution available as a remedy because plaintiffs did not pay Sony money for something that they didn’t obtain the benefit of.

Separately, the court says that plaintiffs do not have a cause of action available under the Consumer Legal Remedies Act because the transaction (access to the PSN) did not result in a sale or lease and even if it did, access to PSN is not a “good or service” for purposes of the CLRA (citing Ferrington v McAffee).

CA Data breach statute: Plaintiffs also brought claims under California’s newly enacted data breach statute [pdf]. This statute requires businesses to notify affected consumers of data breaches “in the most expedient time possible and without unreasonable delay.” The court says that only California residents can bring this cause of action. With respect to these plaintiffs, the court says that the savings clause insulates Sony’s actions. Section 1798.84(d) says that unless there’s an allegation that the defendant acted willfully, the defendant company is totally insulated if it provided the known information within 90 days of when it had knowledge that there was a breach.

Bailment: Plaintiffs finally brought a cause of action for bailment, which is where you deposit personal property with someone (and they are required to return it to you?). The court says that the intervening act of a third party malfeasor makes it hard to hold Sony liable, and in any event, it’s difficult to see how plaintiffs “deposited their personal property” with Sony.
__

This is another in a long line of cases rejecting claims brought by data breach plaintiffs. Although the court gives plaintiffs leave to amend their complaint, they don't have an easy task amending to remedy the deficiencies. In particular, application of the economic loss rule will make it tough for plaintiffs to bring negligence claims. The consumer protection act claims also have built in procedural challenges in a situation such as this where plaintiffs are not complaining about a straightforward money for goods/services transaction where consumers were injured. There's the final recurring issue that's common to all of the data breach cases: plaintiffs have to come forward with some credible injury or out-of-pocket loss, and an apprehension that your data will be misused is generally regarded is insufficient.

It's worth contrasting the result here with a recent opinion in a data breach case from the Eleventh Circuit (Resnick v. Avmed). (See posts from David Navetta and SC Magazine on this ruling.) In Avmed the Eleventh Circuit reversed the district court's dismissal of claims brought by data breach plaintiffs, but noted that the named plaintiffs alleged that their information had actually been misused:

Curry's . . . information was used to open a Bank of America account and change her address with the United States Post Office, and Moore's . . . information was used to open an E*Trade Financial account . . . .

In contrast, in this case, the court notes that allegations of misuse of the data were missing ("without specific factual statements that plaintiffs' [information] has been misused . . . the . . . danger of future harm, unaccompanied by present damage, will not support a negligence action").

These cases raise a couple of questions. Are these class actions going to end up consisting of classes of individuals who have had their information misused in some way? Second, does it matter whether these expenses or losses are unreimbursed? If someone opens a bank account in an end user's name and ultimately the bank cancels the card and all of the charges, does the hassle and expense of dealing with the situation count as compensable damages?

The court's conclusion on the California data breach statute is significant given the dearth of rulings (if any) under this statute. [I was slightly confused by the court's application of 1798.84(d), as this appeared to me to be a provision of California's "Shine the Light" statute.]

[image credit: Shutterstock / budiadiliansyah]

Posted by Venkat at 08:18 AM | E-Commerce , Licensing/Contracts , Privacy/Security

October 12, 2012

Second Circuit Says Arbitration Clause in Terms Emailed After-the-Fact Not Enforceable – Schnabel v. Trilegiant

[Post by Venkat Balasubramani with comments by Eric]

Schnabel v. Trilegiant, 2012 U.S. App. LEXIS 18875 (2d Cir.; Sept. 7, 2012)

Eric recently blogged at Forbes about a terms of service gaffe by Zappos that prevented Zappos from being able to enforce their terms. ("How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked".) The Second Circuit recently issued an online terms of service decision that touched on similar issues. It’s been in the blogging queue for awhile, and it festered because it’s a long-winded and roundabout opinion.

online terms image.jpg The Schnabels enrolled in Trilegiant’s discount membership services offering after completing purchases at sites such as priceline.com and beckett.com. The Schnabels alleged that they were unwittingly enrolled; Trilegiant argues that there were clear disclosures around the terms of the rewards program. (We’ve blogged a bunch of these cases before, and federal legislation currently regulates this practice—commonly referred to as “data pass” or negative option marketing. See posts on Intelius and Vistaprint; the Intelius post mentions the "Restore Online Shopping Confidence Act".)

The key issue was whether Trilegiant could force the Schnabels to arbitrate their claims. The Schnabels were taken to an enrollment page containing links to terms and conditions, and these terms contained an arbitration provision. Separately, Trilegiant had a practice of emailing each “newly enrolled member” a document entitled “Great Fun Membership Terms and Conditions.” If this email bounced back, then Trilegiant would send a paper version of this document to the billing address on file.

Enforceability of online terms: Trilegiant didn’t argue that the Schnabels could be compelled to arbitrate the dispute by virtue of having viewed the online terms on the enrollment page. The reasons for their waiver of this argument is not clear. The messiness around the terms may have contributed to this. A related possibility is that it would have focused attention on the negative option marketing aspect of the transaction. Either way, Trilegiant did not have this argument available at the appeal stage. Instead of being about the enforceability of these online terms (see Eric’s discussion in the Zappos case for what loose ends you may want to tie up to ensure that terms such as these are enforceable), the case ended up being about whether terms emailed after the fact were enforceable.

Terms emailed after the fact: On the question of whether the Schnabels can be bound by arbitration terms that they ostensibly became aware of after the fact, the court says that there are two possible arguments: (1) by analogy to the shrinkwrap cases; and (2) the arbitration clause could be analyzed as “additional terms” (think back to battle of the forms from contracts class, except this arguably deals with services). The court goes on a long and winding (and somewhat interesting) tour of basic contract principles and how they’ve been applied in different contexts. Ultimately, the court says that the Schnabels were never on inquiry notice—no reasonable person would expect additional terms to be delivered via email in a context such as this. Therefore, even if the Schnabels received the emails, their continued use of Trilegiant’s service following receipt of the emails can’t be construed as implied assent to the terms:

A reasonable person may understand that terms physically attached to a product may effect a change in the legal relationship between him or her and the offeror when the product is used But a reasonable person would not be expected to connect an email that the recipient may not actually see until long after enrolling in a service (if ever) with the contractual relationship he or she may have with the service provider, especially where the enrollment required as little effort as it did for the plaintiffs here. In this context the email would not have raised a red flag vivid enough to cause a reasonable person to ancitipate the imposition of a legally significant alteration to the terms of condictions of the relationship with Trilegiant.

The court also flags that there’s a possible "additional consideration" problem with terms after the fact that are viewed as possible amendments.

As I mentioned above, this opinion contains lots of interesting references to, and discussion of, old-school contract principles, but it doesn’t do a great job of trying everything together and providing a big picture framework. I had to read it a couple of times and I'm still left scratching my head. One possible way to look at it is that it’s not an online terms case at all (since this argument was waived). Nor is it the case of a customer having to take action in order to indicate their assent to terms—such as in the shrinkwrap context—even though they weren’t necessarily aware of the terms at the time of the contract (purchase). It basically says that you can’t change the terms after the fact unless (1) you hit someone over the head with notice or (2) the customer has to take action to indicate their assent. (See Kwan v. Clearwire and the Qwest arbitration cases.) Given that Trilegiant was selling a membership services offering, Trilegiant probably did not want to make it easy for customers to decide whether to sign up (or easily cancel) after having viewed the terms--that's the nature of these types of deals.

The additional consideration issue is also interesting, and makes me wonder how it would affect situations where companies try to add in arbitration clauses after the fact (e.g., paypal/ebay)? Would they be better served offering some express consideration such as a nominal discount on some fees? Does it matter that some of these companies make it harder if you want to opt-out (e.g., by making you send in a paper form)?

____

Eric's Comments

In theory, this opinion completes a nicely integrated Second Circuit hat trick of online contract cases in conjunction with the Specht and Register.com opinions from a decade ago. In practice, this opinion might have nibbled at the edges of Specht and Register.com, but I think those opinions largely survive intact and this opinion becomes a weird tangent dealing with facts of limited applicability. As Venkat said, it's baffling why Trilegiant decided not to argue contract formation via the front door (its apparent clickthrough agreement) and instead tried the side door (a post-transaction confirmatory email). In light of cases like Hill v. Gateway, where terms delivered post-transaction were in fact enforceable so long as the buyer could unwind the relationship, I don't think Trilegiant's side door argument was frivolous, but I imagine most online contracts aficionados (like Venkat and me) read this opinion and scream "but what about the clickthrough agreement?!" So this addition to the Second Circuit online contracting troika of cases is, at best, a letdown for online contracts geeks.

Because the opinion implicates Specht and Register.com, both of which I teach in Internet Law, I'm going to add a reference to this case in the next version of my Internet Law reader. (I'm also going to add my blog post on Zappos, either as a complement or substitute for the Blockbuster opinion). However, because of its quirks, I think the Schnabel opinion will warrant just a short note, not a lengthy excerpt.
__

Other coverage:

The Shrinking Relevance of Shrinkwrap Decisions (BNA / Tom O’Toole)

[image credit: Shutterstock]

Posted by Venkat at 02:17 PM | E-Commerce , Licensing/Contracts

October 05, 2012

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

[Post by Venkat Balasubramani]

Deacon v. Pandora Media, Inc., 2012 WL 4497796 (N.D. Cal.; Sept. 28, 2012)

The plaintiffs sued Pandora for improperly disclosing their “listening history” and related information (bookmarked tracks, stations, recent activity, and bookmarked artists). Plaintiffs alleged that Pandora disclosed this information in violation of Michigan’s version of the federal Video Privacy Protection Act (VPPA) to other Pandora users, non-subscribers, and finally through Facebook integration to their Facebook friends. Judge Armstrong of the Northern District dismisses the lawsuit. Although the dismissal is without prejudice, the judge sends a signal that this lawsuit is probably dead.

Standing: Pandora argued that plaintiffs lacked standing. The court says a violation of a statutory right is sufficient to confer standing, and statutes may confer standing without the showing of actual damages. Here, the language of the statute says that anyone whose information is disclosed in violation of the statute can bring a claim for actual damages or $5000, whichever is greater. So there’s no standing problem.

Statutory violation: The key question was whether Pandora engaged in “selling . . . , renting, or lending . . . sound recordings.”

The court looks to the dictionary definition of the term “renting” and says it means: the payment of consideration in exchange for “use” of something. Here, Pandora selects the song, streams the song, and deletes the song after it’s streamed. Plaintiffs don’t “use” the song in the conventional sense of the term. The court also looks to Pandora’s terms of service which say that users can’t do anything with the song (edit, change, store, or alter it in any way). Additionally, listeners have to listen to it through Pandora.com or a Pandora-supported device.

The court comes to a similar conclusion with respect to the term “lend” (to allow for temporary use of something “on the condition that the thing . . . be returned”). Each song is placed temporarily in the user’s hard drive and there’s nothing returned to Pandora after the song is played. Once the song is over, “the song file is deleted from the subscriber’s computer by Pandora.” The user doesn’t "return" the song.

The plaintiffs’ claims with respect to the disclosure of sales also fails. Pandora doesn’t sell any songs to users—it provides links where people can click through and buy songs. There also were insufficient allegations that Pandora even disclosed any items purchased by plaintiffs, whether through the referral links or otherwise.

Copyright law: Pandora also made the creative argument that copyright owners had the exclusive right to distribute the songs and transfer ownership by sale, transfer, lease (etc.). Here, Pandora obtained a license to stream the songs and the license was limited to a public performance license. Pandora did not have the right to do anything more with the underlying content and thus could not grant any of these rights to users. The court likes this argument.

CPA.The court also dismisses claims under the Michigan Consumer Protection Act, saying that a class-based complaint requires an allegation of actual damages under Michigan case law.

While the VPPA only covers “video cassette tapes or similar audio visual materials,” states have added their own protections to the mix. California, for example, enacted the Reader Privacy Protection Act. (See Eric’s post on that statute and its possible breadth here.) There’s an argument to be made that music should be treated differently from books and videotapes because books and videotapes typically provide more insight into a person’s intellectual direction and shouldn’t be disclosed to third parties without consent. In any event, the Michigan statute covers “sound recordings” so music obviously comes within this definition.

There is of course a big question about whether the Michigan statute (which was enacted more than 20 years ago) was even intended to apply to services such as Pandora. The answer has to be no, but the court gets to this result by analyzing the text of the statute with copyright licensing concepts overlaid on top. In contrast, the Hulu decision from a couple of weeks ago denied Hulu’s motion to dismiss. The differences in text between the VPPA and the Michigan statute probably accounts for this variation. The VPPA defines consumers as anyone who “rents, purchases, or subscribes,” and defines a provider as anyone engaged in the business of “rental, sale, or delivery” of videos or similar audio visual materials.

Pandora also raised a consent argument based on its terms of service. The court doesn't rely on this argument, and it's unclear if the Michigan statute's exception for written consent applies to online terms. This is an ongoing battle in the VPPA realm. See the testimony of Prof. McGeveran with respect to the consent provisions of the VPPA: "Testimony of William McGeveran".

These cases are good illustrations of the fact that these statutes should all be revisited to account for changes in delivery and distribution of information online. Minor changes in the texts of both statutes arguably account for the differing results, but the drafting choices were just happenstance, at least as they related to streaming services. Eric made this point more bluntly in recent posts about the Cloud Computing Act of 2012 and California's effort to protect social media accounts: legislatures bake technological assumptions into their drafting. These assumptions don't age well; yet legislators keep making the same mistakes.

Other coverage:

(Declan/cnet) Pandora Defeats Privacy Suit Over Facebook Integration
(Wendy / MediaPost) Pandora prevails in privacy case

[image credit: Shutterstock]

Posted by Venkat at 11:10 AM | Copyright , E-Commerce , Privacy/Security

September 30, 2012

Lovelorn Plaintiffs Strike Out Against Match.com – Robinson v. Match.com

[Post by Venkat Balasubramani]

Robinson v. Match.com, 10-CV-2651-L (N.D. Tex. Aug. 10, 2012) [pdf]

This is another suit brought by users of a dating site who claim that a dating site deceptively leaves inactive users in its system, thus reducing the users’ chances of finding their soulmate. The court dismisses their claims and sends them packing.

Breach of contract: Plaintiffs claimed, among other things, that Match.com failed to vet profiles, failed to purge inactive profiles, falsely labeled inactive profiles as “active”, failed to police the site against scammers, and failed to verify its users' identities. Plaintiffs pointed to various provisions in Match.com's user agreement that required users to assume responsibility for their own profiles and warned users against doing nefarious acts via their profiles. The court easily says that these provisions set forth Match.com’s obligations vis a vis users, and do not require Match.com to undertake any corrective action Match.com said it could take when users engaged in shady dealings with their profiles. The court also relies on Match.com’s disclaimer of warranty, which pretty clearly said that Match.com does not vet its users and is not responsible for any incorrect or inaccurate content.

Duty of good faith: Plaintiffs also argued that Match.com had a duty of good faith, and its failure to adequately police its profiles was a breach of this duty. The court says that such a duty only exists where there is a “special relationship” between the parties. While plaintiffs may have been searching for that “special relationship” using Match.com, it’s just another website that provides services to various customers, and the law does not impose a duty of good faith on Match.com. Plaintiffs also argued that there was a special relationship by virtue of the unequal bargaining power, but this argument fails as well. Similarly, plaintiffs’ argument that their provision of confidential or personal information to Match.com creates a special relationship goes nowhere. The court says that if all that is required to create a special relationship is for one party to furnish the other party with personal information, “virtually every online transaction for the purchase of goods or services . . . would give rise to a special relationship.”

Texas Deceptive Trade Practices Act: Plaintiffs also brought a claim under the Texas Deceptive Trade Practices Act. The court issues a show cause order saying it’s going to strike this claim because under Texas law a claim under the DTPA can’t be based on a mere breach of contract. The court directs the parties to file briefs as to why a claim is (or isn’t) viable under this statute. (This claims looks like it's short-lived as well.)

Oy, another set of dating site plaintiffs get the smackdown. Two other cases in this vein are Anthony v. Yahoo! and Badella v. Dinero Marketing (linked below). Yahoo! settled Anthony for $4mm. The Online Cupid case (Deniro Marketing) wasn't certified as a class and promptly settled on an individual basis.

Plaintiffs pointed to contractual obligations allegedly promised by Match.com to get around the obvious Section 230 issue. The Section 230 rules allow a provider such as Match.com broad immunity for its decisions in deleting, purging, or otherwise dealing with accounts. (See Young v. Facebook and Eric's essay on this topic.) This is also a good example of a case where the service provider’s alleged promises were undercut by disclaimers in its terms of services. For better or worse, a robust disclaimer will undermine even seemingly express assurances made in a website's marketing copy. Finally, we've seen the third party beneficiary argument raised again and again but it never goes anywhere. A website terms exist for the benefit of the site and sets forth obligations vis a vis the site and an individual user. A user is never a third party beneficiary of the site's negative contract restrictions. (See Godard v. Google; Balsam v. Tucows; Noah v. AOL.)

At the end of the day, maybe there's some skepticism--around whether the judicial system should be used as a tool to remedy the broken hearts of online daters--that influences the results in these cases, but the court’s reliance on Match.com's terms was in line with other cases.

Posted by Venkat at 12:12 PM | E-Commerce , Licensing/Contracts , Marketing

September 21, 2012

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

[Post by Venkat Balasubramani]

Lane v. Facebook, 10-16380 (9th Cir. Sept. 20, 2012)

Facebook’s Beacon initiative has generated more than a few blog posts.

Judge Seeborg approved the class settlement, over the objections of several objectors, including Ginger McCall. The objectors appealed to the Ninth Circuit saying that the settlement should not have been approved. The Ninth Circuit says that approval of the settlement was not an abuse of discretion.

The terms of the settlement were that Facebook would pay $9.5M for a full release of the claims. $3 million of this amount would go to fees and costs of administration. The remaining $6.5 million would go to the “Digital Trust Foundation,” an organization run by a three-member board of directors (Larry Magid, Chris Hoofnagle, and Timothy Sparapani, Facebook’s director of public policy). The organization would also have a legal advisory board which would consist consist of class counsel and counsel for Facebook. No monetary relief would be awarded to the class members, although they could opt-out. Facebook would agree to terminate Beacon, but nothing in the agreement stopped it from re-launching a similar initiative. (Hello, Sponsored Stories 2.0!)

The majority says that appellate review is limited to determining whether there has been a “clear abuse of discretion.” It says that cy pres remedies (where there is the “next best” distribution of the settlement amount – to someone other than the class members) are allowed, and nothing in the structure of DTF causes the cy pres remedy to be improper. As long as the remedy accounts “for the nature of the . . . lawsuit, the objectives of the underlying statutes, and the interests of the silent class members,” that’s all that is necessary.

As to the second objection that focused on the value of the settlement and the district court’s failure to consider the availability of statutory damages under the VPPA, the court relies on the familiar argument that the claims, being privacy claims, are uncertain. There aren’t a long line of cases where plaintiffs have been awarded damages under the Video Privacy Protection Act, and it’s unclear that the claims could be easily brought against Facebook, rather than Blockbuster, an entity that is in a financial quagmire. [There has been a bunch of VPPA activity involving Netflix, Hulu, and Redbox, but no clear wins, and certainly no blockbuster damage awards, for plaintiffs.]

A dissenting Judge Klienfeld tees off on Facebook and on the settlement (and to some extent the class action system in general). He has a long list of problems ranging from expansion of the class to the scope of injunctive relief, to the combination of a “clear sailing” agreement as to fees coupled with no monetary relief to class members. It’s tough to do it justice by recapping it in a blog post, so I would urge readers to check it out for themselves. Here’s a key graf that summarizes his qualms:

In this case, the [class action] process has failed. The attorneys for the class have obtained a judgment for millions of dollars in fees. The defendant, Facebook, has obtained a judgment that bars claims by millions of people victimized by its conduct. So have the other companies involved in Beacon. The victims, on the other hand, have obtained nothing. Under the settlement, Facebook even preserved the right to do the same thing in the future.

Meh. This is an underwhelming result for how long it took for the court to issue its opinion.

The 9th Circuit issued recent decisions on fees (Dennis v. Kellog) and on cy pres settlements (Nachshin v. AOL) that made me think this settlement wouldn’t get its stamp of approval, so perhaps this is a surprising ruling. I wonder whether the objectors will seek re-hearing and whether Judge Kleinfield’s dissent will interest enough interest from other 9th Circuit judges to make that happen. (Judge Seeborg tentatively rejected the proposed settlement in the Sponsored Stories class action: "Judge Seeborg Rejects Sponsored Stories Settlement For Now -- Fraley v. Facebook." This ruling likely paves the way for everyone to clean up the issues he identified in his ruling, and get it approved.)

To me, what makes the settlement problematic is the toothless injunctive relief negotiated on behalf of the class. As Judge Kleinfield points out, as long as it’s called something else, there’s nothing to stop Facebook from launching Beacon 2.0. Even assuming that cy pres is appropriate and it would be impractical to distribute small amounts to class members, I don’t get the sense that this lawsuit will act as a meaningful check on Facebook’s privacy practices, either as to programs such as Beacon, or as a general matter. It’s silly to assume that a non-profit that’s funded by Facebook could achieve this result when third party organizations haven’t been able to do much. (On the other hand, maybe people don’t really care about privacy on Facebook. Although there were some quibbles about the adequacy of notice, of the 3,663,651 class members identified by Facebook, a measly 108 opted out, and 4 submitted written objections.)

See also: New Essay: The Irony of Privacy Class Action Lawsuits (Eric's essay)

Other coverage:

Facebook’s $9.5 Million ‘Beacon’ Settlement Approved (David Kravets/Wired)
Facebook Beacon settlement gets OK (San Francisco Chronicle) (with comments from Greg Beck)
Facebook's Beacon Settlement Upheld By 9th Circuit (Wendy Davis/Media Post)

Posts on Fraley v. Facebook:

Facebook "Sponsored Stories" Publicity Rights Lawsuit Survives Motion to Dismiss--Fraley v. Facebook
Judge Seeborg Rejects Sponsored Stories Settlement For Now -- Fraley v. Facebook

Posted by Venkat at 12:13 PM | E-Commerce , Privacy/Security , Publicity/Privacy Rights

Cafepress Suffers Potentially Significant Trademark Loss for Users' Uploaded Designs (Forbes Cross-Post)

Cafepress.com ($PRSS) provides a popular user-to-user marketplace websites that allows users to upload logos or slogans and sell items bearing those logos or slogans, which Cafepress.com manufactures on demand (a so-called “print-on-demand” service). Like any other user-generated content website, there’s always a chance that users will upload material that infringes third party copyrights and trademarks. A recent adverse court ruling against Cafepress.com raises some troublesome questions about Cafepress.com’s--and other print-on-demand vendors'--potential trademark liability exposure for its users’ uploads.

The case involves a trademark for the word phrase “Born to Rock,” which the plaintiff initially registered for electric guitars and subsequently registered for T-shirts. These trademark registrations (especially the latter) may be problematic. First, many other folks have used the phrase "Born to Rock" for quite some time (including Cafepress.com users), so the plaintiff may have problems showing that it is the first commercial user of the phrase or that consumers associate the phrase only with it. Second, the phrase is capable of many different meanings that have nothing to do with electric guitars or the plaintiff. For example, take a look at some of the T-shirt designs the plaintiff complained about:

It's quite a reach for the plaintiff to think its trademark registrations should apply to "Born to be a rock star" or "Born to Rock" associated with rocking chairs.

Background to the Litigation

The plaintiff repeatedly sent trademark takedown demands to Cafepress.com. To Cafepress.com’s credit, it did not simply accede to the plaintiff’s overreaching demands. While Cafepress.com removed some users’ items in response to the plaintiff’s complaints, it refused the takedown demands for other items. Unsatisfied with Cafepress.com’s response, the plaintiff sued for trademark infringement.

Cafepress.com moved for summary judgment on two grounds: (1) it didn’t make a “use in commerce” of the plaintiff’s trademark, and (2) the “descriptive fair use” doctrine. In doing so, Cafepress.com didn’t press two other potentially strong arguments: (a) that the plaintiff’s trademark was invalid, and (b) consumers weren’t confused in the marketplace. Cafepress.com should be able to raise these arguments later. The opinion doesn’t reference another possible trademark defense for Cafepress.com, the “innocent printer” defense (15 U.S.C. 1114(2)(A)), though that may be a stretch due to the other marketplace services (such as payment processing) that Cafepress.com provides to its users.

“Use in Commerce”

The court rejected Cafepress.com’s argument that it doesn’t make a “use in commerce” as required by the trademark statute. This is not a particularly surprising result. After the 2009 Second Circuit ruling in the Rescuecom case, almost all online activity that has some commerciality to it qualifies as a “use in commerce.” In this case, the judge thought Cafepress.com made a use in commerce (emphatically so, calling Cafepress.com's argument “facetious”) because Cafepress.com manufactures and delivers the purchased items containing the allegedly infringing designs.

Descriptive Fair Use

Cafepress.com argued that the T-shirt references to “Born to Rock” weren’t intended to communicate a relationship with the trademark owner, and thus were not being used “as a trademark.” Normally this argument would apply to the trademark owner’s threshold right to sue at all, but “non-trademark use” is also an element of the defense of descriptive fair use (which allows the reuse of descriptive phrases for their lexical meaning). The court says that it cannot categorically declare merchandised items referencing “Born to Rock” as not making a trademark use, because a jury may find some of the T-shirts—such as those with guitar depictions—are plausibly associated with the trademark owner.

(Many trademark geeks will gnash their teeth about the obvious doctrinal problems with the judge’s ruling, including the fact that a plaintiff can’t satisfy its prima facie elements with a true non-trademark use, the shifted burden of proof between the prima facie case and an affirmative defense, and the judge’s introduction of consumer confusion into the descriptive fair use question).

Implications of the Ruling

Lack of a “Fast Lane” Defense. Trademark law often lacks a “fast lane” for ending unmeritorious trademark cases. In these situations, trademark defendants with winning cases validate their decisions only after incurring substantial time and expense. In my opinion, the lack of a fast lane is a defect of trademark law that ought to be fixed. For more on this, see this essay.

Here, Cafepress.com sought a relatively quick win on two legal theories. The court rejected that effort, saying that at minimum the case needs to go before a jury. That means that even if Cafepress.com wins this case (which I think it should), Cafepress.com will spend a lot of money to do so—much more than the profits it has made and will make from “Born to Rock” items.

Further, because the “use in commerce” and “non-trademark use” fast-lanes didn't work, Cafepress.com likely can’t quickly and cheaply defeat future claims by other trademark owners. This may have some bearing on its policies going forward (see below).

Contrast With Tre Milano v. Amazon.com. I recently blogged about a California appeals court case, Tre Milano v. Amazon.com ($AMZN), where Amazon defeated trademark claims based on user-vended items because Amazon was a “transactional intermediary.” Although Cafepress.com is also a “marketplace” for user-to-user sales, Cafepress.com differs from Amazon in a key respect: Cafepress.com manufactures the items on demand. This factual difference means Cafepress.com faces potentially greater trademark liability than Amazon.

What Will Cafepress.com Do?

Even if Cafepress.com ultimately wins this case, this ruling puts Cafepress.com—and all other websites in the print-on-demand space, such as Zazzle—in an awkward position. This ruling treats Cafepress.com as directly liable for user-caused trademark infringement. If that's the law, then Cafepress.com can’t simply intervene only when it receives trademark takedown notices; it could be liable even if it never receives a takedown notice. Plus, even if Cafepress.com defeats that liability with respect to specific trademark owners (because, for example, their trademarks turn out to be invalid), Cafepress.com may not be able to vindicate its decisions cost-effectively. Thus, Cafepress.com's legal defense costs may be going up.

Despite this ruling, Cafepress.com could still wait for, and then respond more aggressively to, trademark takedown notices. For example, in respond to this plaintiff's demands, it could have categorically wiped out all of the "Born to Rock" designs, even those that probably weren't infringing. While more aggressive takedowns would placate most trademark owners in most circumstances, it's not clear this would completely solve the legal problem (it depends on whether takedown notices are a precondition to Cafepress.com's liability), and overinclusive takedown responses would reduce Cafepress.com's revenues.

A third alternative would be to more aggressively pre-screen users' items for trademark concerns. This is also unattractive. Aggressive pre-screening is costly and not scalable; it’s error-prone (likely to find false positives and false negatives); Cafepress.com sellers won't like the delays and false positives; and it could exacerbate Cafepress.com’s legal liability for the false negatives. Thus, from my perspective, this ruling leaves Cafepress.com with all-around bad options.

I approached Cafepress.com for an official statement, and they sent the following:

CafePress recognizes that the court believes that there are factual disputes that precluded summary judgment in CafePress' favor. CafePress is confident that when the court and the jury hear the full record that they will see that there is no infringing content in this case, and will find in CafePress' favor. CafePress is a print on demand site where its users create all of the content that they or their purchasers select to be placed on items of merchandise. CafePress does not create the content or select the products on which the content is applied. CafePress stands up for the rights of its users to make lawful, non-infringing and fair uses of material and engage in free speech and express. CafePress intends to vigorously defend its position and its users' right of free speech in their content posted on the CafePress website.

Case cite: Born to Rock Design Inc. v. CaféPress.com, Inc., 2012 WL 3954518 (S.D.N.Y. Sept. 7, 2012). Also see Born to Rock Design's initial complaint.

My prior legal coverage of Cafepress.com-related litigation:

* Angie's List's Telephone and Fax Information Services May Be Immunized by Section 230--Courtney v. Vereb (2012)

* Online Booksellers Get 47 USC 230 Immunity for Publisher-Supplied Marketing Collateral--Parisi v. Sinclair (2011)

* Life May Be "Rad," But This Trademark Lawsuit Isn't--Williams v. CafePress.com (2010). This case held that Cafepress.com didn't face liability for taking down a user's design in response to a trademark takedown demand. The case also illustrates that Cafepress.com continues to struggle with (unreasonable?) trademark demands over thin trademarks--in that case, "Life's Rad."

* Print-on-Demand "Publisher" Isn't Liable for Book Contents--Sandler v. Calcagni (2008)

* Connecticut Blogger Not Subject to Texas Jurisdiction--Healix Infusion v. Helix Health (2008)

* Griper Selling Anti-Walmart Items Through CafePress Doesn't Infringe or Dilute--Smith v. Wal-Mart (2008)

* CaféPress Denied 230 Motion to Dismiss--Curran v. Amazon (2008)

My 2007 IP Survey course exam used a problem involving Zazzle and personalized postage stamps. See the exam and sample answer.

Posted by Eric at 08:48 AM | Derivative Liability , E-Commerce , Trademark | TrackBack

September 14, 2012

Another Blow to Banks in ACH Fraud Cases: Funds Transfers Act Preempts Indemnity Agreements -- Choice Escrow v. BancorpSouth

[Post by Jake McGowan]

Choice Escrow and Land Title, LLC v. BancorpSouth Bank, 10-03531 (W.D. Miss. Aug. 20, 2012)

Asharkyu / Shutterstock.com

Last month, we blogged about Patco v. Ocean Bank, where the First Circuit held that the bank may bear the loss of fraudulent ACH transfers because its security procedures were not “commercially reasonable” under the Funds Transfers Act provisions of the UCC. Though the decision left open the question of customer responsibility, for now it belongs in the win column for customers.

But the vast majority of these banking relationships include an agreement where the customer promises to indemnify the bank for a fraudulent wire transfer. It was unclear how these agreements can factor into the analysis--could an indemnity agreement shield a bank from the UCC’s “commercially reasonable” analysis altogether?

A district court for the Western District of Missouri considered this question in Choice Escrow v. BancorpSouth, and held that the UCC provisions preempt indemnity agreements.

Background

Choice Escrow maintained a trust account with BancorpSouth (“BSB”). In March 2010, BSB received a request online to transfer $440,000 out of Choice’s trust account. The third party made the request using Choice Escrow’s login credentials.

Choice Escrow filed claims against BSB under the “Funds Transfers Act” (i.e. the relevant UCC provisions) as adopted by Missouri. BancorpSouth shot back with four counterclaims relating to indemnity agreements signed by Choice Escrow, agreeing to indemnify BSB for any losses, costs, liabilities or expenses.

Funds Transfers Act UCC Provisions Preempt Written Indemnity Agreements

In a close call, the district court held that these ACH fraud matters are governed specifically by the Funds Transfers Act. Arriving at its decision, the court paid special attention to the intent of the UCC drafters:

On one hand, it seems obvious that the drafters of the UCC wanted banking sector parties to be protected from common law negligence claims and to encourage uniformity and consistency. On the other hand, it seems unlikely that the drafters of the UCC wanted to discourage business entities from freely exercising their rights to contract the terms of their relationships

Concluding that the Act displaced the indemnity agreements, the Court granted Choice Escrow’s motion and dismissed Bancorp’s counterclaims.

It’s rare to see a court strike out an agreed-upon contract provision; it’s even more rare when both parties are “sophisticated,” as is the case here. When it happens, it’s always a good idea to look to the policy considerations.

It’s true that these wire fraud cases would be a lot less messy if banks could avoid liability using indemnity clauses. But such “uniformity and consistency” might be unduly harsh on customers if, through these agreements, they were always on the hook regardless of the bank’s actions.

In the same vein, widespread use of indemnity clauses might also reduce banks' motivations to invest a lot in their security infrastructure--especially if they never had to fear liability for these large sums of money. Of course, the banks would still have an incentive to keep their customers’ accounts safe in an Adam Smith “Invisible Hand” sense, but I think the court doesn’t like any movement in that direction because security from wire fraud is such an important goal. With most of these cases, hundreds of thousands (if not millions) of dollars are at stake.

We still don’t know what (if any) duties the customer has in preventing fraud on their online bank accounts. It’s an important question in this case because the hacker got access through Choice Escrow’s account. The court in Patco recommended further hearings on the issue, so we may just have to wait and see.

[Eric's comment: although deal lawyers often spend lots of time drafting and negotiating indemnity clauses, there's widespread suspicion that indemnity clauses rarely work in the field or in court. Another good example here.]

Posted by JakeMcGowan at 07:58 AM | E-Commerce , Licensing/Contracts , Privacy/Security | TrackBack

September 05, 2012

Barnes & Noble's Online Contract Formation Process Fails --Nguyen v. Barnes & Noble

[Post by Venkat Balasubramani]

Nguyen v. Barnes & Noble, 12-cv-0812-JST (RNBx) (C.D. Cal.; Aug. 28, 2012)

Plaintiff tried to purchase an HP “TouchPad” tablet that was on sale because the model was being discontinued by HP. According to plaintiff, he went to barnesandnoble[dot]com, put two HP tablets in his shopping cart, put in his credit card information, and proceeded to check out. Although he received email confirmation from B&N that they would ship the two tablets, they later emailed to cancel the order. Thus:

Plaintiff was unable to obtain an HP tablet during the liquidation for the discounted price [and] as a result, plaintiff was forced to rely on substitute tablet technology, which he subsequently purchased . . . at considerable expense.

Quelle horreur...what a tragic and sad story!

Anyway, he sued for himself and on behalf of a putative class, and B&N moved to compel arbitration based on an arbitration clause in its terms of service.

The court notes the familiar standard that its job is only to determine whether there is a valid and enforceable contract that contains an arbitration clause (and whether the dispute falls within the clause). The court notes the difference between so-called ‘browsewrap’ and ‘clickwrap’ agreements, and says that the dispositive issue is notice to consumers.

B&N’s terms fail on the notice front. Citing to Specht and Hines, the court says that B&N cannot definitively show that plaintiff had notice of the terms and assented to them. There was no check-the-box (leakproof) implementation. Moreover, according to the court, B&N did not position “even the notice” of the terms in a place where a website user would see it. Often sites provide notice in places other than just the link at the bottom of the website, but B&N took the latter approach. The checkout screen, for example, did not provide the purchaser of any specific notice that the purchase of products via the B&N website was subject to its terms and conditions (e.g., "Your purchase of products or services through this website is subject to the following terms and conditions. Click here to see a copy of the applicable terms.").

It’s tough to have much sympathy for B&N here. In the context of a purchase and sale transaction where the customer is at a minimum required to enter payment information, there’s zero excuse for not requiring the consumer to check the box and indicate assent to the terms as a condition of completing the transaction.

The broader question of whether terms should be enforced in a setting where there’s no affirmative act required to complete the transaction (such as when you’re just browsing a website) is interesting. (I blogged recently about the Slide dispute where the court sent consumer claims to arbitration. There acceptance of the terms wasn’t at issue.) It's temping to see this case as a pushback on terms of service that contain arbitration clauses. However, it’s more likely an outlier in the sense that B&N’s terms of service implementation was so shoddy that it’s not likely representative of the typical terms of service case. If B&N had provided ample notice, the court would have probably enforced the terms and, as in the Slide and Zynga cases, required the consumer to arbitrate his claims.

Finally, the case hints at one of those classic contract law exam scenarios. Was B&N's advertisement a firm offer? Was B&N's confirmation of the offer acceptance of the offer? And finally, what were the plaintiff's damages from B&N's alleged breach? Could they have sourced an HP TouchPad tabled elsewhere?

Additional coverage:

"Browsewrap fails to bind customer to individual arbitration" (Rebecca Tushnet)
"Barnes & Noble Loses in Court for Lack of Notice on Terms of Service" (Eric Johnson)

Posted by Venkat at 08:12 AM | E-Commerce , Licensing/Contracts

August 27, 2012

Virtual (SuperPoke!) Pet Owners Must Arbitrate Their Claims Against Google and Slide -- Abreu v. Slide

[Post by Venkat Balasubramani]

Abreu v. Slide, Inc., 12 0042 WHA (N.D. Cal.; July 12, 2012)

This is a motion to compel arbitration filed by Google and Slide, the developer of SuperPoke! Pets. As mentioned by Eric in this initial post about the case, SuperPoke! is a game developed by Slide, which was later bought by Google. The game allowed you to care for “virtual pets” and earn coins. You could use these coins to customize the environment for your virtual pets. You could also buy virtual currency which you could use to purchase certain premium items. Users apparently bought a bunch ($6MM worth, according to an earlier filing by Google) of virtual currency before Google ultimately shut the game down. Users sued, alleging that termination of SuperPoke! Pets by Google and Slide violated California consumer protection laws and California common law. Defendants moved to dismiss, or in the alternative to force the consumer-plaintiffs to arbitrate their claims.

Judge Alsup lays out the general standards for enforcement of arbitration agreements, noting the federal policy in favor of arbitration where there is a valid contract. He cites to Concepcion, a Supreme Court case which looked with disfavor on a California statute which imposed higher burdens for enforceability specifically on arbitration agreements. The court’s role is to determine whether there’s a valid and enforceable contract and whether the dispute falls within the parameters of the contract. Here, the terms of use contain an arbitration provision and it clearly applies to the dispute. The remaining question is whether defendants can show that the arbitration clause is unenforceable because it’s unconscionable. No luck on this front.

Plaintiffs attacked the arbitration clause in a variety of ways, but Judge Alsup says many of their challenges do not go to the enforceability of the arbitration provision and are aimed at the terms of service. These challenges (90 day limitation on recovery of monetary damages, a one year statute of limitations) are of no help to plaintiffs. The court turns to the four objections which are focused on the arbitration provision:

Waiver of injunctive relief: The court says that a one-way waiver of injunctive relief may be problematic (even though it doesn’t necessarily go the arbitration provision itself and is more directed overall at the terms of service). In any event, the court says that this is severable.

Filing fee: Plaintiffs complained about the filing fee, arguing that that $775 filing fee would be unduly burdensome. The court says that the actual filing fee is $125 (or $375 at the most) and this can’t be considered excessive.

No attorneys’ fees: Plaintiffs also say that the fact that the arbitration clause does not provide prevailing plaintiffs an opportunity to recover fees makes it unconscionable. The court says that there’s no requirement that an arbitration clause must provide for the recovery of fees.

Informal negotiations requirement: Finally, the court rejects plaintiffs’ argument that the requirement that they enter into “informal negotiations” prior to asserting their claim renders the clause unconscionable. This obviously does not get any play.
___

Ouch. Judge Alsup’s ruling puts this putative class action on ice. Without the possibility of recovering fees, I can’t see the plaintiffs lawyers pursuing this one (although if plaintiffs spent $6MM, maybe this is enough to maintain the interest of the lawyers).

How arbitration clauses in online terms would fare post-Concepcion was an open question. Although there are not enough data points to be sure, the available rulings indicate that these clauses will enjoy robust success. Companies have taken the Supreme Court’s cue and are adding back arbitration provisions into their user agreements, including sometimes adding class action waivers. (See, e.g., eBay.) At least in one instance, plaintiffs tried to attack this type of a change preemptively, but their claims (which were brought against Sony when Sony changed the terms of its PlayStation 3 terms to require arbitration) did not meet with success. (See “Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment.”)

Judge Alsup’s decision to reject plaintiffs’ arguments around the limitation clauses was interesting. A ninety day limitation on money damages and a one year statute of limitations is fairly harsh. Given the widely accepted notion that people don’t read online terms, I question whether other courts would enforce these types of draconian provisions as freely. (The court’s distinction between arguments that go to the terms and those that are focused on the arbitration clause was interesting. Even though the limitations/exculpatory provisions do not speak specifically to arbitration, the net effect is to nuke a plaintiff’s claims. I found this distinction somewhat formalistic.)

It may be that the real action is around procedural unconscionability. As the Qwest, Clearwire, Harris v. Blockbuster, and other cases linked below indicate, a surefire way to challenge an arbitration clause is to challenge formation or notice of the change to require arbitration (or on the basis that it can be changed “at any time, with or without notice”). Companies who change online terms to include arbitration provisions would be wise to dot their i’s and cross their t’s in this regard.

Posted by Venkat at 10:29 AM | E-Commerce , Licensing/Contracts

August 26, 2012

Online Marketplace Not Liable to Buyer for Aborted Private Sale of Facebook Shares -- Facie Libre Associates v. SecondMarket Holdings

[Post by Venkat Balasubramani]

Facie Libre Associates v. SecondMarket Holdings, 2012 N.Y. Misc. Lexis 3914; 2012 NY Slip Op 51545U (Supreme Court of NY; Aug 10, 2012)

SecondMarket operates an “online marketplace website” where shares of privately held companies are bought and sold. Karl Voskuil, a former Facebook employee, wanted to sell some of his Facebook shares prior to Facebook's IPO. He found a willing buyer in two "Facie Libre" entities that were organized to purchase Facebook shares and hold them until they became public. (This WSJ article provides background on the transaction, and also points out that Facie Libre is a latinate rendering of Facebook: "Deal For Facebook Shares Leads To Suit Vs. SecondMarket.")

Voskuil entered into a stock transfer agreement with Facie Libre to sell 75,000 Facebook shares (at $33 a share, a total purchase price of $2,475,000). Under this agreement, Voskuil was required to deliver a legal opinion to Facebook verifying that registration of the shares was not required under the Securities Act of 1933. This document had to be delivered to Facebook within 60 days of notifying Facebook that a shareholder proposed to sell Facebook shares. Separately, SecondMarket entered into an "Intermediary Services Agreement" agreement with Voskuil under which SecondMarket would “design, implement and facilitate” the transaction for $75,000. Facie Libre was not a party to any agreement with SecondMarket.

Fortunately or unfortunately (depending on which side of the transaction you were on), the transaction did not close. The required legal opinion was delivered on March 26, 2010, one day after the 60 day deadline. According to Facie Libre, SecondMarket undertook the obligation to deliver the legal opinion, failed to timely do so, and was not forthcoming about the transaction's status. SecondMarket allegedly only told Facie Libre three months after Facebook informed SecondMarket that the transaction would not close that Facebook did not approve the transaction. Some time after, Voskuil returned the purchase price that Facie Libre had wired to him ($2,400,000). Facie Libre sued SecondMarket alleging various theories relating to the aborted sale. Facie Libre’s primary argument was that SecondMarket was obligated to procure and timely deliver the legal opinion and its failure to do so was a breach.

Website terms: SecondMarket argued that it had an online agreement in place that contained a one year limitations period on when claims could be brought. The court dismisses this defense, saying that although SecondMarket had website terms in place, these were generally applicable to website users and do not supply any relevant terms for a separate transaction such as the Facebook stock sale.

Breach of contract: Facie Libre asserted a claim as a third party beneficiary under the Voskuil/SecondMarket intermediary services agreement. It argued that under this agreement, SecondMarket had an obligation to furnish the legal opinion. The court rejects this argument, saying that nothing in this agreement requires SecondMarket to procure the legal opinion. In fact, the intermediary services agreement expressly says that Voskuil has the obligation to furnish the legal opinion.

Negligence / Breach of Fiduciary Duty: The court also dismisses Facie Libre’s negligence and breach of fiduciary duty claims. As far as negligence, the court says that Facie Libre can’t sue in negligence since the relevant agreements require Voskuil to furnish the legal opinion (SecondMarket had no duty to do so). The breach of fiduciary duty claim fares no better. Facie Libre argued that it “subscribed to SecondMarket’s website and relied on [SecondMarket’s] expertise.” The court says that the parties engaged in an arms-length transaction and Facie Libre’s purported reliance (if any) on SecondMarket’s expertise didn’t establish a fiduciary relationship.

Misrepresentation: The one claim that survives is the misrepresentation claim. The court says that SecondMarket knew the transaction didn’t close and nevertheless strung Facie Libre along. Had Facie Libre known the transaction didn’t close, it would have taken steps to remedy the situation.
__

Oy. I don’t know the economics of who would have lost or gained from any appreciation in the Facebook shares had the transaction closed as planned, but it’s safe to say that given the downward slide in Facebook stock, someone may have actually benefited from the transaction not closing. This probably would be Facie Libre. The WSJ article linked above was written in June 2011, and it notes that at that time, Voskuil retained the shares after the botched sale, and the shares were "worth several times more than they were when he first agreed to sell them to Felix [one of the principals of Facie Libre]." He may have unloaded the shares since then, but if he has not done so, the shares are worth much less today than Facie Libre offered to pay for them. Given that Facie Libre likely didn't lose any money from the sale not having gone through, you wonder why the lack of damages didn't get any play from the court. (I thought this would be worth at least a passing mention, if nothing, to note how quickly fortunes can change.)

This court's conclusion with respect to SecondMarket's website terms argument is right--your agreement to the website terms do not supply contract terms for all aspects of your relationship with the website. Parties have tried this argument before and it typically goes nowhere. On the other hand, given that Facie Libre brought a fiduciary duty argument that seemed premised in part on SecondMarket's website representations, it's interesting that this didn't figure into the discussion of whether the limitations in SecondMarket's website terms could preclude Facie Libre's claims.

Posted by Venkat at 01:10 PM | E-Commerce , Licensing/Contracts

Amazon.com's Anti-Counterfeiting Efforts Blessed by California Appellate Court (Forbes Cross-Post)

By Eric Goldman

A California appellate court has blessed Amazon.com's ($AMZN) efforts to police counterfeit goods sold by its third party merchants. This is especially good news for Amazon because the leading precedent on the topic had blessed eBay's ($EBAY) more aggressive anti-counterfeiting efforts, so it wasn't clear Amazon would be equally protected even if it had less aggressive practices. Nevertheless, the news is not all good for Amazon. The opinion indicates that Amazon is having some difficulty keeping counterfeits off its site. If Amazon can't fix that, it could face both continued legal hassles and a consumer backlash.

The opinion tells a poignant story about a manufacturer's problems with counterfeiting. The manufacturer, Tre Milano, makes the "InStyler Rotating Hot Iron Hair Straightener." Tre Milano claims that the item has been a marketplace success, and that it's a popular item to counterfeit. Putting aside the lost revenues to Tre Milano, counterfeit versions of the InStyler can create other problems: they pose significant safety hazards to consumers, and unwitting buyers of the defective or poorly constructed counterfeit items are unfairly panning InStyler in consumer reviews.

Tre Milano has an active anti-counterfeiting program that includes buying goods to check if they are counterfeit and sending takedown notices to eBay and Amazon. It had an ongoing dialogue with Amazon. For example, the court says "From May 1, 2010 to April 28, 2011, Tre Milano sent 311 NOCI’s to Amazon." (NOCIs are "notices of claimed infringement," a type of takedown notice). To Tre Milano's chagrin, Amazon sometimes didn't honor its takedown notices when Tre Milano didn't confirm that it had done a test buy.

In this sense, Tre Milano and Amazon reached a typical impasse. Tre Milano has incentives to send takedown notices when sellers are setting low prices--maybe because they are counterfeiters, or maybe because they are overly aggressive discounters of legitimate goods or selling legitimate used goods. Either way, Tre Milano is fine with kicking those legitimate sellers out of the market as a collateral consequence of chasing counterfeiters. Meanwhile, Amazon doesn't want to kick legitimate merchants off its network simply based on self-interested allegations of bad behavior; this would sour its merchant relations and cost Amazon its cut of their sales. So Tre Milano doesn't care too much if its takedown notices are accurate, while Amazon cares a lot about the notice's accuracy.

The legal rules matter a lot to who bears the risk of errors in Tre Milano's takedown notices. If the law says Amazon has to assume Tre Milano's takedown notices are accurate (or bear liability for getting that wrong), then Tre Milano can send notices freely and Amazon will toss a lot of legitimate3 merchants overboard. In contrast, if the law says that Tre Milano has to verify the counterfeiting allegations before Amazon has to honor its takedown notices, then Tre Milano has to do more prep work and some counterfeit sellers will avoid the ax.

The court concludes that Amazon can ignore Tre Milano's unverified takedown notices because Amazon is a "transactional intermediary," not the actual seller of counterfeit goods. The court applies the same legal standards set by the Second Circuit in Tiffany v. eBay, even though (1) Amazon may have done less to police against counterfeits than eBay's practices endorsed by the Second Circuit, (2) Amazon acted as the payment service provider for its merchant sales, a service eBay didn't provide, and (3) Amazon didn't always remove items in response to takedown notices (in contrast, eBay always acted on Tiffany's takedown notices; the lawsuit was over Tiffany's demand that eBay should be even more proactive).

Obviously this ruling is good news for Amazon, but I think it's also good news for other e-commerce websites enabling third-party merchants to sell to consumers. Manufacturers routinely make unreasonable demands on e-commerce websites to do more to police against counterfeits. Here, the court rejected Tre Milano's demands on Amazon, and those demands were not nearly as unreasonable as many other demands that manufacturers make. Thus, this opinion sends a strong signal to manufacturers that they should tone down their anti-counterfeiting demands on e-commerce websites; and it gives some encouragement to e-commerce websites to stand up to overly aggressive manufacturer demands.

Even so, e-commerce websites can't simply ignore counterfeit sales on their websites, even if made by third party sellers. Doing too little anti-counterfeiting work can result in low judicial sympathy if challenged in court, and worse, it can undermine buyers' trust in the e-commerce site. In some cases, buyers are completely OK with counterfeit goods (such as luxury branded goods, where consumers may like the design or status and don't need an authentic good to achieve that goal), but buyers are not likely to be OK with counterfeit electronic goods like the InStyler due to the safety and quality issues. Even though Amazon may have dodged the legal bullet here, it's hardly comforting for Amazon consumers to know that Amazon hasn't figured out a reliable way to screen out sales of counterfeit InStylers.

Case cite: Tre Milano, LLC v. Amazon.com, Inc., 2012 WL 3594380 (Cal. App. Ct. August 22, 2012). Like so many California appellate court opinions, this was designed "not published" for no good reason, so it is not citable or binding precedent. For legal geeks: this opinion never explains why the lawsuit remained in state court despite Tre Milano's allegations of a Lanham Act violation.

Posted by Eric at 08:04 AM | Derivative Liability , E-Commerce , Trademark | TrackBack

August 14, 2012

No Liability for Takedown Notice that Results in Termination of Facebook Page -- Lown Cos. v. Piggy Paint

[Post by Venkat Balasubramani, with comments from Eric]

Lown Companies v. Piggy Paint, LLC, 1:11-cv-911 (W.D. Mich.; Aug. 9, 2012)

Lown and Piggy Paint are squabbling over “piggy paint” trademarks. Lown has a registration for “PIGGY POLISH,” and alleges that defendants’ “PIGGY PAINT NATURAL AS MUD” brand infringes on Lown’s mark. The court doesn’t explain the reasons for this, but the marks in question are for nail polish products. Pigs and nail polish don’t have a natural association in my mind from a branding standpoint, but I’m no branding expert. [Eric's observation: I'm not sure Venkat is an expert in nail polish, either.]

In response to the trademark infringement claims asserted by Lown, Piggy Paint asserted counterclaims based on Lown’s complaint to Facebook that apparently resulted in the “removal” of Piggy Paint’s Facebook page. Interestingly, Piggy Paint’s Facebook page had some 19,000 fans. The court describes Lown’s complaint as having requested removal of Piggy Paint’s page on the grounds of “copyright infringement.”

Tortious Interference: The court says that Piggy Paint’s counterclaim allegations do not state a tortious interference claim:

Piggy Paint has not shown any valid business expectancy. Although Piggy Paint alleges that it had 19,000 fans of the page, Piggy Paint has not and cannot show that the removal of the facebook page – which did not offer any means of placing orders or doing business – resulted in the loss of any business.

The court also says that there’s no malice on the part of Lown because it acted with “a desire to protect its own mark.”

Conversion: The court also says that there’s no conversion claim. Piggy Paint’s conversion argument was convoluted, and based on the theory that Lown wrongfully “exercised control over [Piggy Paint’s] mark . . . by removing [Piggy Paint’s] page from Facebook.” The obvious problem with this argument is that Facebook and not Lown was the one who removed the page.
__

Not to belittle the products or brands involved, but how in the heck did Piggy Paint amass 19,000 Facebook fans? Anyway, this dispute is a great reminder that brand pages and anything similar on a third party platform are not assets you should ever (ever) bank on. (Twitter caused a media dustup when it suspended then reinstated the account of a British reporter based on a complaint from NBC.) Facebook has its own processes for when and how it responds to complaints, but regardless of whether its reaction was over protective or under protective of rights, it is insulated and can’t be held liable. (See the Complexions case, among others.)

It’s not easy to hold the party who sends the takedown notice liable, either. The court rightly treats the Facebook page as something that doesn’t support a tortious interference claim. The Phonedog case, which is still pending, came to a different conclusion, although the facts were slightly different and the case dealt with Twitter followers. (A part of the ongoing struggle in the courts as to how to treat social media assets. See also Eagle v. Morgan, Maremont v. SF Design Group, and the OMGFacts case.)

Interestingly, the court notes that Lown sent a "copyright" takedown notice. This raises the question of whether Piggy Paint could have asserted a claim under Section 512(f) for sending a wrongful takedown notice. Even assuming that Piggy Paint could have argued that the takedown notice should be covered under Section 512(f), given the high bar for liability under Section 512(f), a mistaken takedown notice would be unlikely to support liability.

In any event, damages would likely be difficult to prove, and plaintiffs don't often win these types of cases. See the Ground Zero museum case, the Pandora jewelry case, among others linked below. Ordonez v. Icon Sky is a rare case where damages were awarded for a takedown request that disrupted someone's web presence. This case and Ordonez may have reached different results because this case was contested and did not involve a default judgment. Another possibility is that the judge gave short shrift to the potential for commerce on a Facebook "fan" page as opposed to a more traditional web presence; or that the Ordonez case involved a model, whose web presence would ostensibly be more important to booking gigs and generating revenue. Either way, this case's result is probably in the mainstream and the Ordonez result seems like an outlier regarding damages for disruption of a web presence.

Other coverage:

Tom O'Toole: Court Says Facebook 'Fans' Don't Translate Into Protected Expectation of Business

Eric's Comments

This is a breezy opinion that isn't likely to persuade other judges. However, the core ruling on the tortious interference claim goes right to the heart of the battle over social media accounts. As Venkat notes, the judge says:

Although Piggy Paint alleges that it had 19,000 "fans" of the page, Piggy Paint has not and cannot show that the removal of the facebook page — which did not offer any means of placing orders or doing business — resulted in the loss of any business

Let's assume this is true and Piggy Paint can't prove any actual lost sales from the page's takedown. Even so, the Facebook page was clearly a major part of Piggy Paint's relationship with its customer base, and the page takedown unquestionably disrupts that relationship and Piggy Paint's ability to keep in touch with its audience. At minimum, the judge was quite tone-deaf to the practical implications of this page's takedown. But if disrupting a communication channel between a business and its fans isn't a legal problem, then a lot of the other social media account battles should fail as well. For example, this thinking moots the Phonedog case because the continued patronage of the account's followers is the only real asset at issue.

Venkat is also right that businesses are constantly at peril that their cyberspace presence on third party websites will simply vanish. For more on this, see my article on 47 USC 230(c)(2) and online account termination. In particular, I'm nervous about all of the businesses heavily investing in their Facebook pages. Don't go crying to the lawyers if those pages go POOF.

Posted by Venkat at 10:51 AM | Copyright , Derivative Liability , E-Commerce , Licensing/Contracts , Trademark

Bank Might Bear Loss for Fraudulent Money Transfers Initiated From Its Website--Patco v Ocean Bank (Catch-Up Post)

By Blogging Assistant Jake McGowan (with Venkat's supervision), with a comment from Eric

Patco v. Ocean Bank, 11-2031 (1st Cir. July 3, 2012)

When a scammer siphons money from a customer's online bank account, should the bank or the customer bear the loss? Last year, we blogged about a pair of cases that considered this question and came to differing conclusions, albeit under slightly different portions of the Uniform Commercial Code.

Article 4A of the UCC states that the risk of loss falls on the banks by default, but banks can shift it back to the customer in two ways: (1) by showing the commercial reasonableness of the security procedures it offered, or (2) by showing that the payment was approved in good faith and in compliance with security procedures agreed to by the customer.

In Experi-Metal v. Comerica Bank, a district court in Michigan focused on whether the bank accepted suspicious transfers “in good faith.” The court sided with the customer, finding that Comerica did not act in good faith since it approved the fraudulent wire transfers despite several warning signs. In contrast, in the lower court opinion in Patco v. Ocean Bank, a district court in Maine focused on the other portion of Article 4A: whether the bank’s security procedures were “commercially reasonable.” That district court sided with Ocean Bank, ruling that the security procedures in question were commercially reasonable and thus insulated the bank from liability. Patco appealed the adverse ruling against it.

On July 3, the First Circuit reversed the district court decision and ruled in favor of Patco, holding that Ocean Bank’s online fraud security measures were not “commercially reasonable” under the UCC as codified under Maine law. The court, however, did leave room for Ocean Bank to argue that Patco might have been partially responsible for the loss.

After the First Circuit’s ruling, both this and the Experi-Metal decisions place the risk of loss (or in Patco’s case, proving the adequacy of security measures) on the bank. Still, questions linger how and when banks may successfully shift the risk of loss back to the customer.

Background

Patco was a small business that maintained a business account with Ocean Bank’s predecessor. Ocean Bank (and its predecessor, who Ocean Bank acquired during the time period at issue) used a “Premium” multifactor authentication scheme devised by Jack Henry & Associates to protect customer funds from ACH fraud. Along with passwords and device-specific cookies, Ocean Bank utilized “challenge questions” created by the customer as a last line of defense. The questions could be triggered by transactions with high-risk profiles (e.g., unusual IP address or unusual time of withdrawal) or by a transaction exceeding a specified dollar amount. Ocean Bank controlled what types of transactions would trigger additional security measures.

The ACH fraud that resulted in loss of the funds occurred after the bank decided to lower the dollar amount triggering the extra security steps from $100,000.00 to $1.00, meaning all Patco transactions triggered the “challenge questions” line of defense against ACH fraud. This increased the challenge questions’ vulnerability to key-logging malware, and thus diluted its protective qualities. As Venkat explained in his initial post on this case, the wrongdoers gained access to the account by installing malware on Patco’s computers. The key question was whether the security measures employed by the bank were commercially reasonable.

The First Circuit’s Ruling

“Commercial Reasonableness” and the One-Size-Fits-All Approach

The First Circuit found that the bank’s security procedures must take into account “the circumstances of the customer” known to the bank. In this case, Ocean Bank did not comply with this mandate because it lowered the challenge question dollar-amount trigger to $1.00. The bank claimed that it lowered the amount to combat low-dollar fraud, but the Court didn’t see that as a valid excuse. Patco’s transfers were typically much larger, so the one-size-fits-all approach would have violated the “circumstances of the customer” requirement anyway.

Ocean Bank also tried to satisfy the requirement by trotting out its risk-profiling procedure, which provides a numeric score based on the risk of fraud associated with the circumstances of a particular transaction. But the court quickly dismissed this line of reasoning, pointing out that Ocean Bank failed to act upon the unusually high-risk profile scores for the specific fraudulent transactions in question.

Further, the Court went on to suggest that compliance with federal security guidelines would not necessarily qualify the procedures as “commercially reasonable.” While Ocean Bank’s multifactor authentication scheme complied with federal guidelines, its one-size-fits-all security measures were ineffective for Patco, and therefore were not commercially reasonable. In other words, the scheme has to be geared to work for the particular customer.

Together, these passages raise the already high standard set for “commercially reasonable,” and make it harder for banks to shift the risk of loss in ACH fraud cases.

Customers’ Responsibilities in a “Commercially Unreasonable” Security System

While the court held that Ocean Bank could not prove that its security measures were commercially reasonable—and in fact the court said they were unreasonable—the decision also noted that Patco (the customer) might bear some blame for the loss: “Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well[.]” The Court stopped short of stating what those responsibilities might look like, and left those questions for development on remand.

From the perspective of the banks, this passage in the Patco ruling may be a sign that they lost a battle but can win the war. Arguably the most important feature of this decision is that it opens the door for an analysis of the customer's security obligations, even where the bank's security system is “commercially unreasonable.” It is unclear how the court will handle such an analysis; an egregious example of employee negligence regarding passwords or challenge questions may shift liability entirely. For example, even though Ocean Bank’s system was “commercially unreasonable,” Patco may have been partially liable for the breach if its carelessness with a password or user ID led to the breach.

On the other hand, a breach of such an obligation might just be a way for banks to mitigate damages, in a contributory negligence style of defense. Until this question is fleshed out in further decisions, it will be too early for either customers or banks to point to this decision as an emphatic victory.

Two other notes: We’ve blogged ad nauseam about data breach plaintiffs who get kicked out of court for lack of standing (not being able to prove harm). This is an easy standing case for the plaintiff for the simple reason that it suffered out-of-pocket loss. It’s also worth pointing out that the risk of loss rules here apply to commercial accounts. As the court footnotes, Reg Z governs consumer accounts (consumers can more easily shift much of the loss to the bank by default). A final question that remains is whether the bank (or more likely insurance company) can go after the security consultant for its own role in advising the bank regarding its security measures—is “premium” protection a guarantee of commercial reasonableness?

As always, both banks and customers should educate themselves of the latest phishing tactics and try to minimize the potential of ACH fraud. It’s nearly impossible to legislate security. In the same vein, an off-the-shelf anti-fraud prevention program will not necessarily protect you against the type of fraud that occurred in this scenario.
_____

Eric's Comment

Neither litigant looks great in this dispute. Patco allegedly got malwared with a keystroke logger, and now it may be trying to foist the economic consequences of that hack onto the bank. On the other hand, the bank is throwing its customer under the bus, even though the bank transferred money when its own security procedures had flagged a problem. As Jake points out, the consumer rules in these circumstances are more favorable. Otherwise, this case would be incredibly chilling for consumer online banking. Even so, I could see Ocean Bank's corporate customers questioning their banking relationship given Ocean Bank's corner-cutting on security, its security procedure failure and its willingness to fight its customer over losses that the bank could have prevented.

Posted by Venkat at 09:23 AM | E-Commerce , Licensing/Contracts , Privacy/Security

August 13, 2012

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

[Post by Venkat Balasubramani]

In re Hulu Privacy Litigation, C 11-03764 LB (N.D. Cal.; Aug. 10, 2012)

Hulu is facing a putative class action alleging that Hulu improperly disclosed the video viewing choices of its users without obtaining consent. Hulu initially argued that plaintiffs lacked standing. Relying on the Ninth Circuit’s decision in First American Fin’l Corp. v. Edwards, the court said that alleging a violation of a federal statute was sufficient to satisfy Article III standing. Now the court looks at whether the allegations state a claim for 12(b)(6) purposes.

Is Hulu a “video tape service provider”? The VPPA only covers the rental, sale, or delivery of “prerecorded video cassette tapes or similar audiovisual materials.” Hulu argued that this language does not cover online providers. The court disagrees. The court looks to the language of the statute and finds that the phrase “similar audiovisual materials” focuses on the content, not the means of content delivery. While the dictionary definition of the word “material” is inconclusive, and everyone agrees that online delivery wasn’t around when the VPPA was enacted, the court looks to the legislative intent:

Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved. The question is whether the mechanism of delivery here – streaming versus bricks-and-mortar delivery – ends this case at the pleading stage. . . . Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects [Hulu’s] argument [that it’s not covered by the statute because the statute does not cover digital distribution].

Other defenses: Hulu raised two other defenses, neither of which the court buys, at least at the 12(b)(6) stage. First, Hulu says that its disclosures fall within the VPPA’s “ordinary course of business” exception. The statute defines ordinary course of business to include “debt collection activities, order fulfillment, request processing, and the transfer of ownership.” Hulu’s disclosures (to Facebook, Doubleclick, QuantCast, Google Analytics, and ScoreCard) do not clearly fall under this definition. No dismissal at the pleading stage based on this defense.

Second, Hulu argued that plaintiffs were not “consumers” as defined by the VPPA. The statute defines consumers as “any renter, purchaser, or subscriber,” and since the proposed class did not involve paying Hulu customers, Hulu argued that they were not consumers. The court disagrees with Hulu, saying that “[i]f Congress wanted to limit the word ‘subscriber’ to ‘paid subscriber,’ it would have said so.”

The VPPA has spawned a lot of litigation recently! Facebook’s ill-fated beacon initiative was the first target, but since then, Netflix, Redbox, and Hulu have all been ensnared in VPPA class actions. Interestingly, someone mentioned that books were initially proposed to be part of the VPPA, but at the FBI’s request, were carved out. [Eric's note: books are now covered in California under the Reader Privacy Act.]

To my knowledge, two of the three issues decided in this ruling have not been previously dealt with: (1) does the VPPA apply to purely online service providers, and (2) does it cover non-paying customers. The court could have probably gone either way on this, and the court's conclusion takes the privacy-friendly approach. As interpreted in this manner, the VPPA applies to a wide range of sites, from YouTube to Vimeo. The scope of the proposed class also shows the reach of the VPPA as construed in this manner. The proposed class encompasses people who visited Hulu.com between March 4, 2011 and July 28, 2011 and who viewed video content. Hulu didn’t actually provide a list to third parties of what videos these individuals viewed. It used certain cookies that respawned and were difficult to delete, and disclosed unique identifiers (e.g., Facebook IDs & Hulu profile identifiers). It’s tough to argue based on the allegations in the complaint that Hulu was guilty of some sort of knowing malfeasance. It used a third party ad network that allegedly engaged in aggressive tracking practices and as a result Hulu is potentially on hook for damages under the VPPA.

I’m somewhat surprised to not see any discussion of the Hulu terms of use. I would expect that, if I register on a free website to view videos, my viewing habits would at a minimum be used for ad targeting. As to why this and more was not disclosed and assented to in the terms of service is a mystery to me. I guess some interpret the VPPA to require consent on a movie-by-movie basis and something other than a term of use-based consent. See this post by Wendy Davis that mentions possible amendments to the VPPA that would tweak these to make sharing easier.

Other coverage:

ReadWriteWeb (Nancy Scola): The Hulu Dilemma: How Private is Your Video Playlist?
Forbes (Kash Hill): Court Case Spells Trouble for Frictionless Sharing of Videos on Facebook

Posted by Venkat at 08:43 AM | E-Commerce , Licensing/Contracts , Marketing , Privacy/Security

August 06, 2012

Online Marketplace Isn't Liable for Bad Conduct by Merchants It Certifies--Englert v. Alibaba

[Post by Venkat Balasubramani]

Englert v. Alibaba, 11CV1560 RWS (E.D. Miss.; Apr. 27, 2012)

Englert and other plaintiffs purchased products found on alibaba.com. The products included “ExtenZe male enhancement, Vimax,VigRX Plus, Energy Wristband (Power Balance), and Razor Blades Fusion Power." Plaintiffs alleged that the products were counterfeit, or tampered with (some were seized by customs officials prior to delivery). The products were sold by third parties but displayed in a location on alibaba.com that allows third party merchants to display their products or services. Sounds like an easy Section 230 case for Alibaba, so where does it fit in? Alibaba, for a fee, allowed third party suppliers to list themselves as “Gold Suppliers”. As explained by its website:

A Gold Supplier is a paid membership for suppliers on the Alibaba website who have a serious interest in doing business with buyers worldwide . . . Gold Suppliers must complete an authentication and verification process by a third-party security service provider.

Alibaba’s website, however, stated that Alibaba:

disclaimed any warranty, express or implied, and liability whatsoever for any loss howsoever arising from or in reliance upon any information, action, or omission of any of its members on its websites.

Alibaba also had (an apparently leakproof) terms of service which explained that Alibaba is an intermediary, that it’s not responsible for the quality of any products or services, or any information provided by sellers.

The court dismisses plaintiffs’ claims for fraud, negligent misrepresentation, and breach of contract (plaintiffs didn’t contest Alibaba’s request to dismiss the breach of contract claims). The court says that plaintiffs’ claims do not allege any false statements on the part of Alibaba based on conferral of “Gold Supplier” status. The statements only refer to the sellers themselves (e.g., that they have a serious interest in doing business). Plaintiffs argued that this amounted to an implied representation that the products or services offered by “Gold Supplier” sellers are authentic, but the court doesn’t buy this argument. Moreover, the court looks to the terms of service and says that any understanding on the plaintiffs’ part that “Gold Supplier” status means that the underlying products or services would be of a particular quality is undermined by the unequivocal disclaimer of warranties and release of liability in the terms. Plaintiffs thus cannot allege that they relied on any statements from Alibaba, even to the extent the statements are false.

Alibaba kept its endorsement of third party sellers relatively narrow, and included robust disclaimers or warranties in its terms of use, thus nullifying the legal effect of its endorsement. It's a case worth noting from this standpoint, particularly for anyone who operates a marketplace or another ecosystem where an endorsement or rating system becomes important. Not particularly the best result for customers, who may or may not have thought that there was something special about "Gold Suppliers" vs. ordinary suppliers, but the court says in any event that a disclaimer in a leakproof terms of service trumps.

eBay Gets 47 USC 230 Dismissal of Products Liability Claim--Inman v. Technicolor
eBay Denied 230(c)(2) Defense Over Counterfeit Coin Policing
eBay Denied 230 Defense for Its Marketing Representations--Mazur v. eBay

Related:

Jeff Dotty, Choose Your Words Wisely: Affirmative Representations as a Limit on Section 230 Immunity, 6 Wash J.L. Tech. & Arts 259 (2011)

Posted by Venkat at 03:51 PM | Derivative Liability , E-Commerce , Licensing/Contracts , Marketing

August 04, 2012

CA Court Confirms that Pineda v Williams-Sonoma (the Zip-Code-as-PII Case) Applies Retrospectively -- Dardarian v. OfficeMax

[Post by Venkat Balasubramani]

Dardarian v. OfficeMax North America, Inc., 11-CV-0947-YGR (N.D. Cal.; Jun. 25, 2012)

The Song-Beverly Act is a California statute that prohibits retailers from requesting personal identification information in connection with credit card transactions. In Pineda v. Williams-Sonoma, the California Supreme Court held that the definition of personal information includes a zip-code (i.e., retailers cannot ask for zip codes during credit card transactions). The court in that case held that its decision could be applied retrospectively and rejected Williams Sonoma’s arguments that it would be unfair to apply this decision to conduct before the date of the decision. (Here is our prior blog post recapping that case: “California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma.”)

The question in this case was whether OfficeMax offered any better arguments for why the statute should not be applied retrospectively against it. OfficeMax argued that the California Supreme Court’s decision in Pineda was a departure from previous precedent and that OfficeMax had relied on a lower court decision in Party City v. Superior Court, where a court of appeal held that a zip-code does not constitute personal information.

The court says that this is insufficient to escape retrospective application of the statute for several reasons. First, Pineda was a decision from the California Supreme Court and it did not overrule any existing precedent from the same court. Party City was a lower appellate court decision and the California Supreme Court did not sanction the lower court’s approach when it denied review. Moreover, the court finds that the Party City opinion was only around for two years before the California Supreme Court granted review in Pineda and announced the contrary rule. OfficeMax was unable to point to a “near-unanimous body of lower-court authorities” that sanctioned its practice of collecting zip-codes.

In addition to Party City, OfficeMax pointed to one other case it happened to be involved in in support of its argument that it relied on lower court decisions when it collected zip-codes: Thoms v. OfficeMax. In Thoms v. OfficeMax, the court granted OfficeMax’s demurrer based on the Party City decision. While both Party City and Thoms held that zip-codes are not personal information (and were effectively overruled in Pineda) the court says that OfficeMax did not start collecting zip-code information based on these decisions. It had a long-standing policy of collecting zip-codes and merely continued its practice in light of these two decisions. This isn’t the type of reliance (e.g., a change in behavior) that warrants against retrospective application.

OfficeMax also argued that Pineda granted review on the question of whether “reverse engineering” someone’s address based on their zip-code violated the statute and thus Pineda’s decision to address the larger question of whether a zip-code constituted personal information was a surprise. Although the court ruled on the broader question of whether it was appropriate to collect the zip-code information, OfficeMax argued that the decision in Pineda was unforeseeable. The court disagrees, noting that as early as when the parties filed their briefs in Pineda, the issue of whether a zip-code constituted personal information was on everyone’s radar screen and therefore, there was nothing unforeseeable about the court’s decision in Pineda.

Finally, the court also finds that public policy favors retrospective application of the statute. OfficeMax argued that it had ceased the practice of collecting zip-code information and that it never reverse engineered this information to obtain the addresses of its customers, but the court says that the policy furthered by the statute is to forbid retailers from collecting information that could result in a breach of the customer’s privacy. While the fact that OfficeMax did not reverse-engineer this information may bear on OfficeMax’s culpability, the fact that it collected the information in the first place meant that it engaged in conduct that the statute was aimed to prevent. The court also rejects OfficeMax’s argument that retrospective application would undermine the administration of justice by holding it liable for actions it thought were lawful when it engaged in them. The court says that OfficeMax should have taken the conservative route and not have collected this information in the first place.

Pineda was a harsh decision for retailers, and the court’s conclusion in that case was certainly not an obvious one given the language of the statute. Nevertheless, the court in this case does not give OfficeMax a reprieve and says that it should be held to this conduct.

The big take away from Pineda is that collecting seemingly innocuous bits of information that can be reverse engineered can trigger a privacy violation. (For another example of this, see the recent FTC settlement with MySpace, where the agency held that allowing third parties to derive someone’s identity through a unique ID was a privacy violation: “Syncing and the FTC’s MySpace Settlement.”) California is not alone in having this type of legislation directed at retailers in place. Here is a similar example from Massachusetts: “Mass. Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm—Tyler v. Michaels Stores.” (Interestingly, the retailer defeated the plaintiffs' lawsuit in Massachusetts where the court concluded that the collection of information in that case did not result in any harm.)

OfficeMax made some reasonable procedural and fairness based arguments for why it should not be in the hook for its past conduct, but given the prophylactic nature of the statute, the court was not persuaded. This illustrates that when it comes to privacy statutes and regulation, while companies have done fairly well in defending against privacy lawsuits (and numerous lawsuit have been dismissed due to lack of harm) overall, companies may want to exercise caution where a statute that specifically prohibits the collection of certain information is implicated.

[cross-posted at IAPP's Daily Dashboard]

Posted by Venkat at 08:30 AM | E-Commerce , Privacy/Security

July 07, 2012

H1 2012 Quick Links, Part 4 (Search Engines, eBay, Social Networking Sites)

By Eric Goldman

[Note: if you click on any of the Scribd links below and get a warning that you're accessing adult content, ignore that. In only the latest of Scribd's f-ups, it has deployed a massively overinclusive adult content classifier that thinks dry legal briefs in business-to-business disputes are adult content. I agree that they aren't material that kids would find interesting, but the big scary warning for (as just one example) an antitrust brief from the Ohio AG is absolutely ridiculous. I've asked Scribd to manually reclassify the documents as kid-safe, but not surprisingly given Scribd's track record, customer support isn't exactly their strong suit. The good news is that I largely moved away from using Scribd a few months ago, but I do have some backlogged legacy links I'm posting through these quick links.]

Search Engines

* Why I left Google: "The Google I was passionate about was a technology company that empowered its employees to innovate. The Google I left was an advertising company with a single corporate-mandated focus....It turns out that there was one place where the Google innovation machine faltered and that one place mattered a lot: competing with Facebook."

* Gizmodo: The Case Against Google.

* From a complaint: "GOOGLE, as the self-appointed curator of all the World’s knowledge, has usurped the 5th Estate."

* Search Engine Land: Rhode Island is getting a disproportionate share of Google's penalty in the illegal pharmaceuticals ads case. Partially related: WSJ: Did the DOJ apologize to Google for post-settlement statements about the illegal pharma ad situation?

* Facebook is cooking up a new search initiative.

* Perfect 10 v. Yandex NV, 2012 U.S. Dist. LEXIS 80661 (N.D. Cal. June 11, 2012). Perfect 10 gets jurisdictional discovery to see if it can establish personal jurisdiction over Yandex.

* Stebbins v. U.S., 2012 WL 1664155 (Fed. Cl. Ct. May 14, 2012). David Stebbins loses again, this time in his suit against the United States for not honoring his purported arbitration award against Google/Yahoo. Prior blog post.

* Getachew v. 7-Eleven, Inc., 2012 WL 872745 (D. Colo. March 14, 2012) and Getachew v. 7-Eleven, Inc., 2012 WL 872755 (D. Colo. January 30, 2012). One of those employment disputes where Google gets dragged in. Fortunately, Google was dismissed for failure of service of process.

* Trkulja v Yahoo, [2012] VSC 88 (Victoria Sup. Ct. March 15, 2012). Yahoo hit with a $225k (AU) damage award for publishing defamatory search results. Some background. The same outcome wouldn’t happen in the US due to 47 USC 230. See, e.g., Parker v. Google, Maughan v Google, and Murawski v Pataki.

* Australian Competition and Consumer Commission (ACCC) wins appeal against Google.

* WSJ: Facebook, Google to Stand Trial in India. The court order.

* Matt Cutts made a video about search quality raters. Prior blog post.

* SF Gate: Google's search anthropologist.

* Google commissioned papers by Eugene Volokh (search results are protected by the First Amendment) and Marvin Ammori (on remedies for search bias). My latest article on this topic.

* Filings in the myTriggers appeal:

- Amended Brief of Defendant and Counterclaim Plaintiff-Appellant My Triggers
- Reply Brief of Defendent and Counterclaim Plaintiff-Appellant My Triggers
- Brief of Plaintiff and Counterclaim Defendant-Appellee Google
- Amicus Brief of Ohio AG Supporting Defendant and Counterclaim Plaintiff-Appellant My Triggers

Prior blog post.

eBay

* Block v. eBay, Inc., 2012 WL 1601471 (N.D. Cal. May 7, 2012). eBay’s proxy bidding does not violate the eBay user agreement’s declarations that eBay isn’t involved in the transaction and isn’t the bidder’s agent. This has been appealed to the Ninth Circuit.

* Smith v. eBay Corp., 2012 WL 1951971 (N.D. Cal. May 29, 2012). Antitrust lawsuit against eBay for linking eBay and Paypal survives motion to strike.

* Custom LED, LLC v. eBay, Inc., 2012 WL 1909333 (N.D. Cal. May 24, 2012). Lawsuit over eBay’s featured item program survives motion to dismiss.

* Faboozi v. Stubhub, Inc. (ND Cal. Feb. 15, 2012). StubHub wins a case over various challenges to its ticket sales.

Social Networking Sites

* AdAge: How Content Is Really Shared: Close Friends, Not 'Influencers':

Our data show that online sharing, even at viral scale, takes place through many small groups, not via the single status post or tweet of a few influencers. While influential people may be able to reach a wide audience, their impact is short-lived. Content goes viral when it spreads beyond a particular sphere of influence and spreads across the social web via ordinarily people sharing with their friends.

At BuzzFeed, we looked at the 50 stories that had received the most Facebook traffic since mid-2007. A handful of these posts had millions of Facebook referrers, and even the smallest had nearly 100,000 Facebook views. But the median ratio of Facebook views to shares was merely 9-to-1.

This means that for every Facebook share, only nine people visited the story. Even the largest stories on Facebook are the product of lots of intimate sharing -- not one person sharing and hundreds of thousands of people clicking.

The median for Twitter was even lower, at 5-to-1. Reddit, which has traffic concentrated on its popular front page, had a median of only 36.

* Just how big of a threat is Pinterest to Twitter and Facebook? Big! AdWeek, MediaPost and Fortune.

* State v. Hall, 2012 WL 988606 (Ariz. App. Ct. March 22, 2012). A probationer is restricted from using "electronic bulletin board systems." He accesses Facebook and MySpace. The court holds that social networking sites are "electronic bulletin board systems" such that the probationer violated the terms of his probation. The consequence: he goes back to jail for 10 YEARS. Kashmir Hill’s coverage.

* Cohen v. NJ Parole Bd., 2012 WL 1601159 (D.N.J. May 7, 2012). Regarding restrictions imposed on a sexual offender probationer: “the restriction of access to social networking services on the Internet is limited in scope and appears to be geared to the nature of defendant's sex offender conviction. Thus, it does not appear to be unconstitutionally broad or vague, nor is it violative of plaintiff's First Amendment rights. A complete or total ban on any Internet access has not been imposed.”

* Maryland bans employers asking for Facebook passwords. SB433 and HB964.

* Wired took a deep look at Klout. I’m completely unimpressed with Klout. It seems to reward quantity equally with quality, and it is too dependent on recency.

Posted by Eric at 01:07 PM | Content Regulation , E-Commerce , Search Engines | TrackBack

July 06, 2012

Confirmatory Opt-Out Text Message Doesn't Violate TCPA – Ibey v. Taco Bell

[Post by Venkat Balasubramani]

Ibey v. Taco Bell Corp., 12 CV 0583 (HVG) (S.D. Cal.; June 18, 2012)

Plaintiff responded to an invitation to complete a survey about Taco Bell and “voluntarily sent a text message . . . to the number 93138.” In response to his text, he received instructions on how to complete the survey. He then changed his mind and sent a “STOP” message. In response to the STOP message, he received a confirmatory text message from Taco Bell acknowledging that he would receive no further messages.

He sued, alleging that the confirmatory message violated the TCPA. Taco Bell moved to dismiss or in the alternative for summary judgment. The court grants the motion to dismiss.

The court says that plaintiff “expressly consented” to contact by Taco Bell, and that

[Taco Bell’s] sending a single, confirmatory text message in response to an opt-out request from Plaintiff, who voluntarily provided his phone number by sending the initial text message, does not appear to demonstrate an invasion of privacy contemplated by Congress in enacting the TCPA.

In order to assert a claim under the TCPA, the plaintiff must also allege that the text was sent using equipment that had the capacity to generate random or sequential numbers. (See Satterfield.) The court says that plaintiff failed to make this allegation. In fact, the court says that if the facts are as they had been pled by plaintiff, Taco Bell would be entitled to summary judgment. Although the court grants plaintiff leave to amend, judging from the tone of the court's order, Ibey would be wise to drop his claims. (Ibey moved to reconsider the court's order, you can access his motion here.)

There has been at least one case going the other way – i.e., holding that even confirmatory opt-out messages can violate the TCPA. (See Ryabyshchuk v. Citibank.) This case is distinguishable from Ryabyshchuk on the basis that consent was not an issue here. Plaintiff admitted that he voluntarily texted Taco Bell in the first place. In any event, it’s nice to see this court come to the conclusion that should be glaringly obvious: a confirmatory opt-out message shouldn’t violate the TCPA or separately form the basis for liability.

This decision notwithstanding, companies should consider avoiding sending a confirmatory opt-out message to avoid the hassle of litigating these types of claims.

Posted by Venkat at 12:16 PM | Content Regulation , E-Commerce , Marketing , Spam

July 05, 2012

Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal

[Post by Venkat Balasubramani with comments from Eric]

Boorstein v. Men’s Journal LLC, 12-771 DSF (Ex) (C.D. Cal.; June 14, 2012)

California’s Shine the Light (STL) statute is a little unusual in that it mandates that businesses make specific disclosures about their privacy practices. For the most part, when it comes to telling consumers what you will do with consumer information and restrictions on how you will use such information, your own privacy policy and the FTC Act are the main regulations that companies need to worry about. The STL law is designed to inform users as to how their information is being used for direct marketing purposes. It doesn’t necessarily impose any substantive restrictions on the use of such information, but it requires websites to disclose (at the consumer’s request) how their information is being used. To this end, businesses are supposed to designate contact information where consumers can request how their information is being distributed. Alternatively, the business can comply with the statute by allowing consumers to opt-in or opt-out of distribution of their information. It’s an interesting attempt by the California legislature to give consumers more control and choice, but as this case illustrates, things didn’t really work out that way.

Boorstein sued (on behalf of a putative class) alleging that Men’s Journal did not comply with the statute because it failed to provide consumers with the appropriate contact information to enable consumers to make requests under the STL statute. Boorstein did not allege that he took any steps to find out this information (or otherwise find out about Men's Journal's information sharing practices) by contacting Men’s Journal. Boorstein simply alleged that Men's Journal's failure to designate contact information alone was sufficient to allege a violation of the statute.

The court says no go.

No standing as a result of loss of economic value to Boorstein’s information: First, the court says that Boorstein did not suffer economic injury that was caused by a violation of the statute. It’s questionable in the first place whether Boorsteein’s information has economic value in Boorstein’s hands. (See, e.g., Del Vecchio v. Amazon, among other cases.) In any event, the court says the statute does not actually prohibit the exploitation of consumer information for marketing purposes. Additionally, the statute is backward looking, and only requires businesses to disclose their use of consumer information for the “immediately preceding calendar year.” End result: even to the extent plaintiff's personal information is property that can be appropriated by Men's Journal, any harm Boorstein suffered isn't caused by the alleged statutory violation.

Failure to provide contact information is not an “injury” under the STL law: The court also says that Men’s Journal’s failure to display the contact information alone does not state a claim under the STL law. The law requires some sort of “injury” flowing from a violation, and as mentioned above, the court says there’s no injury to the value of Boorstein's personal information that results from the alleged statutory violation. Case law only recognizes “information injury” (failure to provide required information) where the information is requested but not provided. Boorstein’s failure to allege that he requested the contact information from Men's Journal undermines his claim. The court also says that Boorstein’s injury is “procedural,” rather than “informational.”

Boorstein’s argument based on the Men’s Journal subscription fee fails: Boorstein also made the typical consumer protection argument that the price of the Men’s Journal subscription included the value of the designated contact information for STL law purposes, and Men’s Journal’s failure to provide this information means that he has been cheated out of his bargain. [Say what?] The court says that Boorstein’s allegation that Men’s Journal impliedly represented that it would "abide by all applicable laws" doesn’t mean that Men’s Journal agreed to provide contact information as part of the subscription price--or, more importantly, that Boorstein would not have subscribed had he known the contact information would not be forthcoming. The court also says that Boorstein cannot make out a UCL claim because he has not lost “money or property” as a result of Men’s Journal’s violations of the statute. As already mentioned, he would have subscribed anyway, so Boorstein can’t use the subscription price as part of his “money or other property” argument. Similarly, he also can’t use the value of his personal information in order to support his UCL claim.

A few observations:

1. The "personal information as property" meme is not gaining much traction. In fact, apart from an initial decision or two that recognized this as a possible theory (for standing purposes), courts have pretty resoundingly rejected it. (Del Vecchio v. Amazon and In re iPhone App Litigation are two recent examples.) Perhaps a blockbuster appellate ruling will come along to rescue privacy plaintiffs. Until then, the trial courts are not buying this argument at all.

2. The "privacy as part of the purchase price" argument is also something that plaintiffs often raise, but courts don’t like this either. It’s worth noting that in this case, even the plaintiff’s own allegations (as the court described them) didn’t expressly say that he would not have bought the magazine subscription had he known he would not have been provided contact information. There's an obvious reason for this.

3. The court doesn’t get into Article III standing here, and instead relies on lack of statutory standing. To me, the two standing concepts all run together into a big quagmire, but when dealing with a state law in federal court, it seems preferable to rely on statutory standing as a bar. (First American v. Edwards, the then-pending Supreme Court case in which Facebook and other companies weighed in on as amici, involved standing under a federal statute. But in an anticlimactic move, the Supreme Court dismissed the case without ruling on it. I didn't think a ruling in First American's favor in this case would have dramatically changed the landscape, but the lack of a decision from the Supreme Court moots this issue for now.)

4. Obviously, this ruling puts a slight crimp in the legislature’s vision of using STL to give consumers additional control over how their information is used. The court's ruling doesn’t leave consumers in a great position. Even if Boorstein had requested the information and it wasn’t provided, would he be able to obtain damages under the statute? STL provides for statutory penalties, but the tone of the ruling is that Boorstein hadn’t been damaged anyway (or damaged in a way that was tied to the statutory violation), so it’s possible that the court would have come out the same way even if Boorstein had made the necessary request.
____

Eric's Comments:

California's "Shine the Light" statute is a textbook example of a miscalibrated privacy statute (which I would argue describes almost all privacy statutes). It starts from a simple premise--consumers just want to know if a business is selling their personal information to marketers--and, to effectuate this premise, imposes substantial compliance costs and obligations on businesses (mostly just creating traps for the unwary) without any clear countervailing benefit for consumers or society at large. Not only do I question the basic premise that consumers "just want to know" about sales of their private info to marketers (see my Coasean Analysis of Marketing article), but as this and related cases illustrate, the private cause of action means that the statute almost certainly will be enforced by privacy class action lawyers who are more interested in their own quick profits than in advancing consumer welfare (see my Irony of Privacy Class Action Litigation article). There are a number of good cautionary lessons that legislators, and the privacy advocates who egg them on, could learn from this statute and this ruling, but I'm skeptical either legislators or privacy advocates will take the time to reflect on those lessons.
____

Venkat's follow-up comment:

I mildly dissent from Eric's position questioning "the basic premise that consumers 'just want to know' about sales of their private info to marketers." I may be idiosyncratic and in the minority in this regard, but particularly when it comes to magazine subscriptions I would love to know where my information ends up. (My instinct is that a big chunk of my junk mail is a result of the three or four magazine subscriptions I have in place.) I'm not sure I would change my purchasing decisions dramatically, but knowing this bit of information may tip the balance a bit or cause me to try to pressure the companies into not making my information available to third parties for direct marketing purposes. [On a loosely related note, those who are trying to get rid of junk mail may want to check out PaperKarma, an app that lets you take photos of and upload junk mail and then sends an unsubscribe request on your behalf.]

Other coverage:

First Reported Shine the Light Suit Dismissed for Failure to State Cognizable Injury
'Shine The Light' Lawsuit Against 'Men's Journal' Dismissed
Federal Judge Dismisses Shine-the-Light Suit

Posted by Venkat at 12:10 PM | E-Commerce , Marketing , Privacy/Security , Spam

July 04, 2012

Judge Koh Whittles Down iPhone App Privacy Lawsuit – In re iPhone Application Litig.

[Post by Venkat Balasubramani]

In re iPhone Application Litig., 11-MD-02250-LHK (N.D. Cal.; June 12, 2012)

Plaintiffs brought a putative class action against Apple and several “mobile industry defendants.” The basic allegations are that apps available for free in the app store improperly allowed for the disclosure of personal information to the mobile industry defendants, who have acquired personal details (addresses, current whereabouts, unique device identifier, gender, age, zip code, and time zone) from plaintiffs and tracked them. Judge Koh granted the bulk of defendants’ motion to dismiss with prejudice in open court and recently issued a written order setting forth the court’s reasons. It’s a thorough order that digs in to privacy claims under federal statutes, and well worth reading in its entirety. (Kudos to Judge Koh. She consistently cranks out some must-read orders in this corner of the blogosphere.)

Standing: Citing to the Ninth Circuit’s opinion in Edwards v. First American Corp., among other cases, the court says that plaintiffs’ allegations that defendants violated the Wiretap Act and Stored Communications Act in accessing plaintiffs’ own personal information is sufficient to confer standing. (See this post from Wendy Davis that talks about ongoing litigation involving Video Privacy Protection Act claims against Hulu and discusses the issue of how the Supreme Court's ruling in the Edwards case can affect other privacy cases. Between the time Judge Koh issued her order and I finished up this blog post, the Supreme Court dismissed Edwards without a ruling, leaving intact the Ninth Circuit's opinion.)

Stored Communications Act: The SCA requires plaintiff to show that defendants accessed “a facility through which an electronic communications service” is provided without authorization and accesses wire or electronic communications that are “in storage”.

Judge Koh says: (1) plaintiffs' iPhones are not “facilities through which electronic communications services” are provided; (2) the data in question is not in “storage” that is either incidental to transmission or for backup purposes; and (3) the exception allowing access by service providers applies to the mobile industry defendants (but not to Apple). The most interesting of these conclusions is the first one, and this conclusion is contrary to several cases that have gone the other way (that this court says “provide little analysis on this point of law”). Citing to Crowley v. Cybersource, the court says that treating computers or devices of end users (as opposed to service providers) as facilities would render other parts of the statute illogical.

Wiretap Act: Plaintiffs’ Wiretap Act claims require them to show that defendants intercepted “the content” of wire, oral, or electronic communications. The court agrees with Apple that the identities of parties to a communication and “other call data” is not “content” under the Wiretap Act. Plaintiffs cited to In re Pharmatrak for the proposition that the “contents” of a communication includes any personally identifiable information, but the court disagrees, noting that Pharmatrak relied on a Supreme Court case from the 70s that discussed an earlier version of the Wiretap Act. The statute was since amended to specifically take out “information concerning the identity of the parties” to a communication. [Apple also argued that it shouldn’t be held liable for any interception because it was an intended recipient of the information, but the court rejects this argument.]

Computer Fraud and Abuse Act: The court says there are two problems with plaintiffs’ claims under the Computer Fraud and Abuse Act. First, plaintiffs voluntarily downloaded the apps and thus would have “serious difficulty pleading a CFAA violation.” Additionally, the court says that plaintiffs will not be able to satisfy the $5,000 damage threshold necessary to assert a CFAA claim. The argument that the use of personal information benefited the mobile industry defendants and generated a benefit of over $5,000 to them does not fly with the court (citing In re Zynga and Del Vecchio v. Amazon). Second, the court also finds plaintiffs’ argument that creation of the location history files consumed the devices’ memory and shortened battery life to not be “plausible.” Damage means there has to be some notable impairment of performance, and the court says plaintiffs cannot demonstrate that here.

California Constitution: The California Constitution protects against privacy intrusions by both public and private actors. In order to be actionable, the defendant’s intrusion must be sufficiently serious in nature to constitute “an egregious breach of the social norms underlying the privacy right.” The court says plaintiffs’ allegations fall short on this score.

Other State Law Claims: Plaintiffs asserted a slew of other state law claims, the bulk of which fell by the wayside. These included conversion (personal data is not the type of property that can be converted); trespass (citing Intel v. Hamidi); negligence (as to negligence claims against Apple, hello, Section 230). The court did allow two state law claims to go forward: (1) Consumer Legal Remedies Act claims and (2) claims under California unfair competition statute.

Judge Koh's ruling is extremely thorough and holds the plaintiffs' claims up to some harsh scrutiny. It's not difficult to see that it will be widely cited in privacy cases. Two things that are most significant about this ruling (other than the fact that it thoroughly neuters a class action that at first glance seems like it would get over the motion to dismiss hurdle):

First, the court's ruling that plaintiffs' devices are not facilities under the Stored Communications Act will be relevant in a variety of scenarios. I recently blogged about claims brought against an employer for "shoulder surfing" an employee-co-worker's Facebook page, and a Stored Communications Act claim under this scenario doesn't look so promising in light of Judge Koh's ruling. (See “Accessing an Employee's Facebook Posts by "Shoulder Surfing" a Coworker's Page States Privacy Claim.”) It's worth noting that in the Computer Fraud and Abuse Act scenario, mobile phones have been found to constitute protected computers.

Second, the court also affirms that privacy plaintiffs will not be able to satisfy the jurisdictional threshold by asserting that they suffered $5,000 worth of loss to their personal information. The court's position that while personal information may be property in the metaphysical sense, this does not translate into loss for CFAA purposes, is part of a growing body of cases that have rejected attempts by privacy plaintiffs to rely on defendants' exploitation of personal information for the proposition that this information has economic value.

It's interesting that after blasting the federal claims, the court allows the UCL claims to proceed. Plaintiffs' allegations were pretty slim here and if this is all that is necessary, plaintiffs will be able to overcome a motion to dismiss every time.

Finally, I remain curious about the applicability of Section 230 in this scenario and why Apple doesn't push this issue. (I'm sure they have some reason for doing so; maybe Barnes v. Yahoo is an easy workaround for plaintiffs.)

Posted by Venkat at 02:44 PM | E-Commerce , Privacy/Security , Trespass to Chattels

June 29, 2012

Photographer's Suit Against Client for Republishing Photos on Facebook Proceeds – Davis v. Tampa Bay Arena

[Post by Venkat Balasubramani with comments by Eric]

Davis v. Tampa Bay Arena, Ltd., 2012 WL 2116136 (M.D. Fla.; June 11, 2012)

This seems like a run-of-the-mill dispute between a photographer and client, but I think it contains some helpful lessons. I have a feeling we will see more of these in the future. Chalk it up to more aggressive copyright enforcement, or an impulse to put out an increasing amount of content, or a combination of the two.

Davis worked from 1998 through 2011 (under various contract arrangements) for Tampa Bay Arena as the in-house photographer photographing events. (For what it's worth, here's what looks like Davis' site.) Davis (smartly) retained ownership of the photographs and licensed them to the arena for limited uses. The agreement in place between the parties allowed for use by the arena in the following ways:

newsletter, advertising, display prints, broadcast, and the venue website.

The arena terminated its relationship with Davis in 2011 but continued to use his photographs. In early 2011, the arena created a Facebook page and posted Davis’ pictures on the page. Apparently Facebook had a feature that allowed users to download photographs at the click of a button, and this feature was available on the arena’s Facebook page. Davis asked the arena to remove the photographs from its Facebook page. The arena demurred, and Davis sued, asserting claims for infringement, conversion, and breach of contract.

Breach of contract: The court declines to dismiss the infringement claim, finding that there is a factual dispute as to whether the arena’s use falls within the permitted uses of the agreement. The court does dismiss the infringement claims based on unregistered photographs (with leave to amend). However, the court declines to dismiss Davis’ claims for statutory damages finding there are factual disputes with respect to the timing of the infringements and the registrations.

Conversion and Breach of Contract: The court also declines to dismiss Davis’ conversion and breach of contract claims. The court does not mention preemption when discussing the conversion claims, but finds that the arena’s retention of the slides is sufficient to support a claim. (Some of the photographs were taken with a digital camera and others were taken in slide format.) The court mentions preemption when dealing with the breach of contract claim, but summarily says that the “extra element” required to support a breach of contract claim (when also bringing a claim for infringement) is satisfied when there is a contract in place. Nevertheless, the court says that Davis alleges breaches that are independent of infringement: (1) adding corporate sponsorships to photographs; (2) refusing to return the photographs; (3) conveying rights to Facebook; (4) failing to give appropriate credit; and (5) using photos for sponsorship purposes.

Unfortunately for the arena, the license provisions cover the "venue website" but do not expressly reference Facebook. This isn’t surprising, given that at the time the parties negotiated the 2008 agreement, Facebook was hardly as ubiquitous as it is now. The idea of creating a Facebook page was probably not even a glimmer in the arena's eye.

The key question will be whether the arena can argue that use of the photos on the Facebook site should fall under “advertising”. This will probably be a tough argument, particularly given that anything posted to Facebook grants Facebook broad license to re-use it (e.g., in sponsored stories) and, equally as important, allows end users (fans) to freely download it. (Recall the dispute--still ongoing--between Agence France Presse and a photographer who made photos of the Haiti earthquake. AFP took the position that photos posted to Twitpic were subject to a broad license. The parties filed cross-motions for summary judgment which are currently pending before the court.) Unless the arena has some blockbuster emails from Davis evincing an understanding that the arena’s use in “advertising” was intended to be broadly construed, this may be a tough one for the arena to win.

A few copyright issues that the case brought to mind:

- when is a breach of a license agreement actionable as infringement versus as a breach of contract (as the court noted in MDY v. Blizzard, when a breach of a condition implicates one of the copyright owner’s exclusive rights, which was probably satisfied here)

- can Davis make out a conversion claim based on retention of the photos? (retention of the slides may suffice for the non-digital photos)

- how about the arena’s argument that Davis can’t exploit the photos without its consent or without the consent of the artists or performers (how will this affect Davis' chances for damages in the event he is limited to actual damages?)

These questions aside, I think this is a good cautionary tale when dealing with freelance photographers. One obvious point from this case is clients/licensees should spell out in advance what their acceptable uses would be, and in the era of social media, it’s worth being expansive, or as general as possible. Something like “the arena can use the photos on its websites or in third party websites or platforms for purposes of advertising or promotion” would have gone a long way here.

The trajectory of the relationship between Davis and the arena is interesting. As recounted in this news story posted to Davis' blog, Davis had a long-standing relationship with the arena. The arena posts the photos to Facebook. Davis complains, then sends a C&D, ultimately leading to termination of the relationship. Davis seemed like he had a sweet gig as an in-house photographer at the arena. Was Davis over-reacting when he asked the arena to remove his photos from its Facebook page? Will his proceeds from the lawsuit make up for the money he loses from the arena's business?
____

Eric's Comments

I've complained before about dealing with freelance photographers. During my stint at Epinions, we got sued only two times--both by freelancer photographers for photos we had obtained from third parties, and in both cases the financial demands were completely untethered from reality. As a result, when I see someone who describes themselves as a "freelance photographer," I just assume their alter ego is "pugnacious plaintiff." If you're negotiating a contract with a freelance photographer, get everything you possibly could ever want into the contract before writing a check. Once the cash moves, any activities not clearly permitted by the contract will cost a boatload more or invite a lawsuit, even if financially irrational. CAVEAT EMPTOR!!!

Personally, I won't deal with freelancer photographers who have unreasonable negotiating positions on copyright. That's a good signal that they are likely to be tendentiously unreasonable in the future too. In fact, in my capacity as HTLI director, I just kiboshed a deal with a photography vendor whose contract was muddled on copyright terms and who didn't back down when we made a reasonable counterproposal. Major red flags. The best news: we found a replacement vendor who was half the price and whose form contract was more reasonable about copyright from the start.

Speaking of financial irrationality, I want to amplify on Venkat's discussion about the relationship. The opinion says that Davis was getting $350 per event, plus $130/hr for events over 4 hours (implying an hourly rate of no less than $87.50/hr for events shorter than 4 hours), and he retained the copyright to the photos and could presumably commercialize those in a variety of ways. Getting paid a decent hourly rate to produce copyrighted material that can be further commercialized without restriction sounds like a pretty sweet gig to me (and that doesn't count the other perks, like the free entrance to cool events and the opportunity to rub shoulders with the rich and famous). Meanwhile, it's no surprise that the arena dumped him overboard when he threatened litigation, so Davis chose to grab for the litigation cash and free up his time for other gigs rather than keep the existing economic arrangement with the arena.

Was that a good economic choice? It's hard to tell, but the opinion does give another clue. David sued on 255 photos, 215 which weren't registered at the time he sued, meaning that at most 40 of the photos could possibly support statutory damages and attorneys' fees. It's not clear from the case if all 40 actually were registered on a timely basis, so we'll have to see if Davis is eligible for any enhanced statutory remedies at all.

I'm going to go on a limb and suggest that the maximum possible damages for the 215 photos will be de minimis. Although Davis might have a standard licensing fee for his photos, which would support a plausible claim for actual damages for these photos, the dollar value can't be very high for the use on a Facebook page. And even if all 40 of the other photos qualify for statutory damages, my guess is that the damages will be more on the $750 side than the $30,000 side (and certainly not the $150,000 side).

So how much could this case be worth in Davis' best-case (but still realistic) scenario? $50k? $100k? Is that maximum potential upside worth chucking a long-term relationship (13 years) with the arena? Only Davis can answer that question, and obviously he has (at least implicitly). I hope he made a wise choice.

Posted by Venkat at 09:19 PM | Copyright , E-Commerce , Licensing/Contracts

June 27, 2012

Court Refuses to Dismiss Claims Against Alleged Twitter-Bot Spammer--Twitter v. Skootle

[Post by Venkat Balasubramani]

Twitter, Inc. v. Skootle Corp., et al., 2012 WL 2375486 (N.D. Cal.; June 22, 2012)

Twitter sued several alleged spammers, including (1) those who provided software for the use of automated account creation and tweeting, and (2) other defendants who actually created automated accounts and sent large amounts of spam tweets.

One of the individual defendants who allegedly created and maintained numerous bot accounts moved to dismiss on the basis of personal jurisdiction, venue, and for failure to state a claim. The court declines to grant his motion.

Subject matter jurisdiction: Twitter has a good faith basis for alleging that the amount in controversy exceeds the jurisdictional threshold for diversity jurisdiction, and the court finds defendant is unable to establish to a legal certainty that the claims do not meet this jurisdictional amount.

Personal jurisdiction: The court easily finds that defendant is subject to personal jurisdiction because he aimed his acts at a California corporation and agreed to its terms of service. Defendant is unable to demonstrate that the exercise of personal jurisdiction is unreasonable. (The court says in a footnote that it's not commenting on the enforceability of forum clauses in "clickwrap" agreements generally, but just that there hasn't been a showing of unreasonableness in this case.)

Venue: The court similarly says that venue is proper under the forum selection clause in Twitter’s agreement and defendant fails to argue with any credible facts as to why litigating the dispute in California would be unduly burdensome.

Failure to state a claim: Defendant argued that Twitter’s sole remedy for a violation of Twitter’s terms of service is to suspend user accounts, but the court says that Twitter’s terms expressly reserve any other available remedy to Twitter. Twitter alleges that creating bot twitter accounts and sending spam tweets was a violation of its terms and it was damaged by defendant’s breach of the terms. At the pleading stage, Twitter easily satisfies its burden.
__

A fairly run of the mill ruling resolving some typical arguments raised by a pro se defendant.

It’s worth noting that Twitter did not assert claims under CAN-SPAM, and the core of its claims are based on a breach of its terms of service. (See my previous posts on CAN-SPAM and social media posts that mention why Facebook posts don’t track neatly to CAN-SPAM: "N.D. Cal.: Facebook Posts are Electronic Mail Messages, Subject to CAN-SPAM"; "Facebook Gets Decisive Win Against Pseudo-Competitor Power Ventures -- Facebook v. Power Ventures." The same would be true of tweets.) A noteworthy move by Twitter to not push the envelope on this issue.

The fight that may end up being interesting is the one between Twitter and the defendants who allegedly made available the software used by those who created bot accounts and tweeted. These defendants may have a potential Section 230 defense available, and to establish liability, Twitter will have to show something more than that the software can be used to manage tweets from multiple accounts and automate tweets (functionality shared by many tools that are perceived as “legitimate” by Twitter). (See also "Keylogger Software Company Not Liable for Eavesdropping by Ex-spouse -- Hayes v. SpectorSoft.")

[A final procedural note. The court (separately) issued a show cause order requiring Twitter to demonstrate that joinder is proper. The order notes that there doesn't seem to be a connection between several of the defendants other than the fact that they were all engaged in Twitter-spamming.]

Posted by Venkat at 06:57 PM | E-Commerce , Licensing/Contracts , Spam , Trespass to Chattels

June 13, 2012

Bank Can't Use Facebook for Service of Process -- Fortunato v. Chase Bank

[Post by Venkat Balasubramani]

Fortunato v. Chase Bank USA, N.A., 2012 WL 2086950 (S.D.N.Y.; June 7, 2012) [pdf]

Fortunato was an apparent victim of identify theft--her estranged daughter allegedly opened up a Chase credit card in her name and racked up $1,243.09 in charges. Chase went after Fortunato, obtained a default judgment and garnished her wages. Furtunato turned around and sued Chase, alleging abuse of process, conversion, and a violation of the Fair Credit Reporting Act. Chase impleads Fortunato's estranged daughter, but runs up against a snag. It can't find her and thus cannot effect service of process.

Chase engages the service of investigators who dig around and find four possible addresses for the daughter. After repeated efforts and dead end leads, the process server still can't serve the daughter, so Chase asks for permission to serve by (1) "private Facebook message"; (2) to the email address listed on the Facebook profile; and (3) delivery of the summons and complaint to Fortunato (the estranged mom). I'm guessing Chase's costs in conducting this investigation and attempts at service have well exceeded the amount of the initial debt, but that's neither here nor there.

The court looks to New York state rules for service of process, as constrained by Due Process restrictions. While courts have authorized service by email, the court says that in those cases, the party seeking to serve via email made a showing that the parties

conduct[ed] business extensively, if not exclusively, through their internet websites and correspond[ed] regularly with customers via email. [Additionally, the parties did] not disclose their physical address or location of incorporation.

In contrast, here, Chase did not offer any such evidence, and did not offer any evidence that the Facebook profile in question was the daughter's. The court adds:

The Court's understanding is that anyone can make a Facebook profile using real, fake, or incomplete information, and thus, there is no way for the Court to confirm whether the Nicole Fortunato [the daughter] the investigator found is in fact the third-party Defendant to be served.

The court orders Chase to effect service by publication. The court says that it's unclear which local newspaper is best suited to get the word out to the daughter, so Chase should publish notice in the four locales where the daughter was thought by the investigator to reside.

Email service is expressly authorized by the federal rules, but the rules authorize such service only on foreign defendants. This rule requires prior authorization by the court. State court rules authorize service by certain types of postal mail, so this is a possibility under the federal rules as well (Federal Rule 4(e) incorporates state authorized methods of service of process.)

Procedural quirks aside, the big question is whether there is a bit of Facebook exceptionalism going on here. If a court has some discretion to authorize service in a manner reasonably calculated to provide a party of notice of the lawsuit, does it make sense for the court to deny the request on the basis that "anyone can create a Facebook profile?" Does it make sense to rely on postal mail--that someone may or may not come across, or pick up--while discounting a tool that most of the population uses on a somewhat regular basis? The court also surprisingly orders service by publication . . . in a newspaper. As between notice in a newspaper where they are not sure of the daughter's geographic location and a private message to a Facebook account that there's some reason to believe is the daughter's, which has the greater chance of providing notice? (Who, other than retro hipsters, even reads the classifieds anymore?)

Over time, courts will warm up to service via Facebook, but as in the cases involving service via email, fax, or other means, will require some sort of showing that the account actually belongs to the party in question. Where the allegedly wrongful act is perpetrated via a Facebook account, this showing will be relatively easy to make, but in a situation like this where someone looks like they're off the grid, parties will have a tougher time convincing a court that service via Facebook is appropriate.

Other coverage:

ABA Journal: Federal Judge Refuses Request to Serve Party via Facebook

Jeff John Roberts: Judge says bank can’t use Facebook to reach defendant — try local paper instead

Posted by Venkat at 08:58 AM | E-Commerce , Evidence/Discovery , General

June 07, 2012

Plaintiffs Squeak Past Motion to Dismiss in Amazon P3P Case – Del Vecchio v. Amazon

[Post by Venkat Balasubramani with comments from Eric]

Del Vecchio v. Amazon.com, 2012 WL 1997697 (W.D. Wash.; June 1, 2012)

I previously posted on Del Vecchio v. Amazon, a case that challenged Amazon’s alleged failure to respect the P3P protocol. P3P allows websites to summarize their privacy policies in machine readable code so that web browsers could be configured to automatically "determine a website's privacy settings and adjust its [own] security settings, including its level of cookie-filtering protection." (In theory, it allows users to control collection and use of their information through configuring their browser settings.) The plaintiffs allege that Amazon miscoded its P3P settings and used a token Amazon knew to be invalid, thus miscommunicating its policies to web browsers. Plaintiff sued on her own behalf and on behalf of a putative class, alleging claims under the Computer Fraud and Abuse Act and Washington consumer protection statutes. In the first round, the court granted Amazon’s motion to dismiss. (My prior blog post on the case: “The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon”; see also our post on Bose v. Interclick, a separate lawsuit challenging the use of flash cookies: “Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick.”)

CFAA Claims: The court dismisses plaintiffs' CFAA claims with prejudice due to plaintiffs’ failure to credibly allege that they satisfied the $5,000 damage threshold. Plaintiffs argued that they satisfied the damage threshold in two ways: (1) the value of their personal information was in excess of $5,000 and Amazon’s exploitation resulted in a “loss” to them, and (2) they purchased anti-virus software.

The court rejects the anti-virus software purchases, noting that the anti-virus program had nothing to do with the alleged exploitation of the P3P protocol by Amazon. Plaintiffs also alleged that they purchased the software prior to accessing Amazon’s site, so by their own allegations, Amazon’s conduct did not necessitate the purchase of the software.

The argument that gets a little more attention is the loss attributable to the exploitation of personal information by Amazon. One recent case (Claridge v. RockYou) recognized that personal information can be property for standing purposes. Most courts have been lukewarm to this theory, and this court rejects it as well, saying that the alleged exploitation of personal information by Amazon can’t satisfy the jurisdictional threshold in this context:

Plaintiffs do not allege that they attempted to sell their “private information” to one of the purchasers they identify . . . and were rebuffed because [Amazon] had already sold or publicized that information. . . . It is not enough to allege only that the information has value to [Amazon]; the term “loss” requires that plaintiffs suffer a detriment—a detriment amount to more than $5,000.

Consumer Protection Act Claims: Two key points with respect to the claims under the Washington CPA. First, the court says Washington law “does not require damages to show ‘injury’” (although the damage has to be to plaintiff’s “business or property”). Second, the court says that the issue of whether Amazon’s access of plaintiffs’ computers was “authorized” can’t be resolved on the pleadings. The court directs the parties to come up with a briefing schedule and (if necessary) conduct discovery on the issue of “authorization”.

Trespass to Chattels and Unjust Enrichment The court dismisses the first claim, finding no credible allegation that there was any diminution in performance of plaintiffs’ computers. The court says it’s skeptical of the unjust enrichment claim for the same reasons that it dismisses the CFAA claim. However, because plaintiffs’ unjust enrichment claim--that Amazon took property that was valuable (personal information) without authorization--depends on the resolution of the authorization issue, the court defers ruling on this until completion of discovery and further briefing.

Plaintiffs keep pressing the “personal information as property” argument, but courts remain unconvinced (a few exceptions notwithstanding).

On the issue of “authorization,” Amazon’s terms are less than clear about the use of Flash Cookies. They reference flash cookies, but the terms contain the typical language that without cookies users may not be able to take advantage of certain features of the site. Interestingly, the terms do reference browser settings and this may cut against Amazon’s overall argument here (e.g., “you can disable or delete . . . data used by browser add-ons, such as Flash cookies, by changing the add-on’s settings or visiting the Web site of its manufacturer . . . ."). The core of plaintiffs’ argument is that Amazon failed to respect the browser settings and P3P protocol. Language in the policy saying that the user can control the level of cookie placement or activity through the use of browser settings would, if anything, seem to reinforce plaintiffs’ argument. Plaintiffs would still face damages issues, that as Eric notes below will be tough to overcome, but I'm surprised to see the court say that plaintiffs' possible agreement to the terms would definitively resolve the issue of authorization.

This ruling could conceivably prompt a settlement. For their separate reasons, the parties may not want to litigate the issues of whether plaintiffs were truly harmed and what Amazon’s business practices were. It’s still curious that the alleged P3P shenanigans received so little attention from the court. Maybe plaintiffs will try to re-inject into the mix through discovery. We’ll see.

Eric's comments

As Venkat indicates, the judge shuts the door on the CFAA and trespass to chattels claims. The WA consumer protection act and unjust enrichment claims survive, but only out of an abundance of judicial caution (as the judge notes himself). The court says it's "very likely" that Amazon's privacy disclosures negate those claims. If I were in Amazon's shoes, I'd reject any settlements and litigate the crap out of this. The judge has made it clear that this lawsuit will fail.

As usual, the litigation circles around the harm suffered by the plaintiffs. Funny, because that's an easy issue to resolve. The plaintiffs have NONE. Not a scintilla of harm. NOTHING. Without any underlying harm, lawsuits like this aren't laudable in the least. For more on why I think privacy advocates should oppose lawsuits like this one rather than applaud them, see my article The Irony of Privacy Class Action Lawsuits.

The court wisely gets to the right point. For example, the judge properly rejects the argument that non-monetary harm can be counted towards the CFAA's $5k threshold. The court also gets the plaintiffs to admit that individuals' PII has no economic value to the individuals, even if it's commercializable by websites. Thus, showing that Amazon could make money from the data in its database does nothing to get the plaintiffs closer to the CFAA's $5k threshold. The judge, wielding Iqbal, lays into the plaintiffs for rehashing their assertions about harm without any factual evidence at all. If the judge really wants to tells plaintiffs to stop wasting everyone's time and resources, a whiff of sanctions would help a lot.

Posted by Venkat at 11:57 AM | E-Commerce , Privacy/Security , Trespass to Chattels

May 30, 2012

Is SOPA's "Follow the Money" Meme Infecting Anti-Spam Litigation? – Project Honey Pot v. Does

[Post by Venkat Balasubramani]

Project Honey Pot v. Does, 11-cv15 (LMB/JFA) (E.D. Va.; May 21, 2012)

Project Honey Pot is a “spam-tracking network that ‘allows spammers, phishers, and other e-criminals to be tracked throughout their entire ‘spam life cycle’’.” It had, and maybe still has, great ambitions and was founded by Matthew Prince, of Unspam fame. As detailed by Eric in this blog post, Unspam is (or was) a for profit company that operated a "do not email kids" registry aimed at allowing people to comply with Utah's "don't email the kids" law: "Utah's 'Don't Email the Kids' Registry a 'Financial Failure.'" Prince also publicly defended Utah's ill-fated key word advertising law: "Keyword Advertising as Corporate Identity Theft—Sen. Eastman Defends New Utah Law Banning Keyword Advertising." (Prince is now CEO of CloudFlare, which offers, among other things, services that help you comply with EU's cookie regulations: "CloudFlare To Launch Service For Sites Dealing With Tortuous EU Cookie Law.")

Anyway, PHP filed and voluntarily dismissed a couple of lawsuits in Virginia without any apparent docket activity. This time around, it tried to go after banks who allegedly offered payment processing services to online pharmacies, along with two individual defendants.

The complaint alleged that one of the Doe plaintiffs attempted to buy a prescription drug through an online pharmacy. He paid for it by debit card but never received any medication in the mail. He didn’t suffer any out-of-pocket loss (the bank credited him the amount charged and changed his debit card number), but he alleged that since this transaction, he has received “voluminous spam email.” The complaint alleged claims under CAN-SPAM, the Virginia Computer Crimes Act, a slew of state law claims, as well as RICO claims.

Several banks filed motions to dismiss on the basis of personal jurisdiction. The court dismissed these defendants in December 2011, finding that the complaint raised speculative allegations regarding any conspiracy between the banks and the pharmacy operators. PHP dismissed one of the individual defendants, intimating that this defendant was a victim and not one of the perpetrators. The court dismissed the other defendant due to PHP's failure to effect service, and closed the file. (This is a simplified version of the procedural history; there are a few other details that are not relevant here, including the fact that PHP filed an appeal before the case was fully resolved.)

PHP filed a motion to alter or amend the judgment and reopen the action as to two of the banks. Apparently PHP’s counsel obtained a dataset of 900,000 transactions for “Glavmed” from a well-known security blogger, Brian Krebs. (See "SpamIt, Glavmed Pharmacy Networks Exposed.") The dataset included numerous records allegedly “tied to Virginia residents.” PHP also pursued third party discovery and obtained transaction records from 2006 through 2010. 63 of these transaction records identified the processing bank, and 51 of these identified transactions were allegedly tied to two of the defendant-banks.

The court denies PHP's motion to reopen the case, largely on the basis that PHP did not offer any justification for why it failed to come forward with the evidence earlier. The court also says that even if it considered this evidence, it would still dismiss the defendant-banks. PHP relied on the “conspiracy theory of personal jurisdiction.” Because the pharmacies deal with Virginia residents and since the banks deal with the pharmacies, in PHP’s view, this was sufficient for personal jurisdiction. The court says there are three flaws with this view. First, PHP cannot show that either of the banks in question have any “direct contacts” with Virginia. Second, PHP’s evidence:

still does not link the defendant banks with Virginia customers, [the individual defendants], or the single transaction at issue in this case.

Finally, the court says that even if PHP could show that the banks processed transactions for any merchants with Virginia customers, personal jurisdiction would not be proper due to the “extremely attenuated nature of the banks’ contacts with the forum.”

The court doesn’t reach the underlying merits of PHP’s claims against the banks, but the opinion is tinged with enough discussion of the banks’ “attenuated” connection with any underlying spam activity that you don’t get any warm fuzzies regarding PHP’s claims against the banks.

There are a couple of problems with PHP's theory on the merits. First, the Doe plaintiff didn’t suffer any financial injury. Standing issues aside, there is no such thing as a standalone legal claim for receiving spam emails. (Cf. Cherny v. Emigrant Bank.) It’s fairly well established that you can only sue under CAN-SPAM if you are the provider of Internet Access Services, and PHP’s factual allegations did not include any IAS-specific harms. (See Gordon v. Virtumundo.) I don't see the basis for any CAN-SPAM claims in this scenario. (It’s unclear exactly how “Project Honey Pot” fits into the picture. It all sounds very Righthavenesque.)

Even assuming PHP or Doe can sue the payment processors under CAN-SPAM, under what theory will it hold a payment processor liable? They payment processors did not send any emails. Nor were their products or services advertised via any emails. Courts have allowed parties to proceed against third parties in the chain in some trademark (Gucci v. Frontline; Akanoc) cases, but outside the context of affiliate liability, I'm not aware of any such cases in the spam context. (See also, the Perfect 10 v. Visa and Perfect 10 v. ccBill cases, dealing with payment processor liability in the copyright context, discussed by Eric in these posts: "Credit Card Providers Aren't Liable for Third Party Infringement--Perfect 10 v. Visa"; "Ninth Circuit Opinion in Perfect 10 v. CCBill.")

CAN-SPAM contains provisions governing third party (affiliate) liability, but the banks clearly did not fit within the statute. (See the Cyberheat case where the government was able to make a case for affiliate liability but had some damaging facts. A key distinction in this case is that the banks did not procure or initiate the emails in question.) Section 6 of CAN-SPAM discusses liability for third party service providers in certain limited scenarios, but the section authorizing civil actions by IASs does not list Section 6 under the list of sections that support a civil cause of action brought by an IAS. Any attempt to go after a third party in the chain based on a vague conspiracy theory (as opposed to satisfying CAN-SPAM’s standards for affiliate liability) would be an extension of liability that has no basis in the statute.

PHP's attempt to hold the banks liable is similar to the "follow the money" instincts underlying SOPA/PIPA. (Check out Eric's post on the OPEN Act for why he is not a fan of this approach: The OPEN Act: Significantly Flawed But More Salvageable Than SOPA/PROTECT-IP.) PHP figures that if it obtains any sort of a favorable ruling against the banks, it can then wave this ruling around to try to get banks to terminate relationships with reported spammers. As the trademark and copyright rulings illustrate, trying to impose this type of liability against payment processors who provide services to alleged infringers or counterfeiters is far from easy. But while there is case law plaintiffs can rely on in those contexts, it seems like a long shot at best, with little or no basis in the statute, in the anti-spam context.

Maybe PHP has achieved some lucrative settlements behind the scenes, but this ruling makes me wonder what it's been doing. The whole thing has a quixotic feel to it.

Related posts:

Posted by Venkat at 10:06 AM | Derivative Liability , E-Commerce , Spam

May 24, 2012

LLC Members in Online Store Venture Bound by Partnership Fiduciary Duties -- Health and Body Store v. Justbrand Limited

[Post by Venkat Balasubramani]

Health and Body Store, LLC v. Justbrand Limited, 11-4132 (3d Cir.; May 11, 2012)

*Sigh.* Another group of people attempt a web venture with zero documentation and end up in court. One of the many perennial themes of this blog is that people must spell out the terms of any web venture in advance. This includes everything from a joint blogging arrangement to a jointly operated online store or a simple web development agreement. It’s not optimal to leave the documentation for later. You say you will deal with it later, but time flies, and as the value of the venture or the priorities or expectations of the parties shift, it becomes increasingly difficult to calibrate the arrangement from even ground. (In the extreme case, such as between Eric and I, a simple email or phone conversation may suffice, but I’d strongly advise against it. Reminder to Eric: if the big buyout materializes, all bets are off!)

Anyway, this is what happened here. Silverman and Singer worked for Hotheadz as sales trainees. While they worked for Hotheadz, and with Hotheadz’s permission, Silverman and Singer began to operate an independent online business; the bulk of the products sold by this business were purchased from Hotheadz. In 2007, Silverman and Singer registered [healthandbodystore.com] and [warmingstore.com] and put “substantial effort” into developing the underlying websites. These sites experienced moderate sales in 2007, but sales grew in 2008 and 2009 (from $60K to $150K and $170K, respectively).

In 2008, the CEO of Hotheadz became concerned that Silverman and Singer’s independent activities were interfering with their duties at Hotheadz. He gave them several options: (1) contribute the websites into Hotheadz; (2) leave Hotheadz and operate their ventures independently; or (3) form a joint venture. The parties exchanged a letter of intent, but this was never finalized. According to Silverman, they did not address the essential terms that he would expect to see in such an agreement.

In 2010, Hotheadz formed Health and Body Store as an LLC. The LLC had two members: Hotheadz, and Justbrand, which was an LLC operated by Silverman and Singer. Silverman and Singer continued to operate the websites, but did so allegedly with the support of Hotheadz. Among other things, Hotheadz provided warehousing, customer service, and other infrastructure. In 2011, Hotheadz sent a draft operating agreement (for HBS) to Silverman and Singer. The draft LLC agreement required payment of a “management fee” of $20,000 per month to Hotheadz and required Silverman and Singer to transfer the domain names to HBS. Silverman and Singer were less than enthused with the proposed arrangement, so they made arrangements to break off the relationship. They stockpiled inventory (ordering it from Hotheadz through an entity called “Novell Brands”). Ultimately, they resigned from Hotheadz, changed all of the passwords, and went off on their own.

District Court Proceedings: Hotheadz filed a complaint, along with a request for a preliminary injunction. The complaint asserted a variety of claims, including claims under the Computer Fraud and Abuse Act and the Lanham Act. The district court initially granted Hotheadz’s request for preliminary relief, but at a later hearing found that there was no meeting of the minds as to the essential terms of the HBS venture, and thus, no basis to impose fiduciary duties on Silverman and Singer. The court also rejected Hotheadz’s Lanham Act claim because Silverman and Singer agreed to remove any Hotheadz trademarks from the websites.

The Third Circuit Ruling: The Third Circuit reverses the district court on the fiduciary duty question. It finds that Silverman and Singer (through their entity) “cooperated with Hotheadz in the formation of HBS.” Since the parties never executed the LLC agreement, the default partnership law provisions applied and gave rise to a fiduciary relationship between the partners. This meant that in operating the websites, Silverman and Singer “were obligated to operate the Websites in a manner consistent with [their] fiduciary obligations to Hotheadz and to HBS.” The court finds that Sliverman and Singer owe fiduciary obligations through their ownership interest in Justbrand (which was a member of the LLC, along with Hotheadz) but potentially in their individual capacities as well. Silverman represented at times that he was a “partner,” “owner,” “president,” or “vice president” of HBS and to the extent he held any of those positions, this may be sufficient to independently impose fiduciary duties on Silverman and Singer.

The court passes on the Lanham Act claims, noting they overlap with the fiduciary duty claims and there is insufficient evidence in the record to determine who had the valid and legally protectable interest in the appearance of the websites. (Hotheadz’s Lanham Act claim seems to span alleged misuses of its Hotheadz marks, as well as goodwill that HBS may have had in the appearance of the websites.)

Finally, the court footnotes the fact that it's leaving the appropriate relief for the district court to decide in the first instance, hinting that no relief at the injunction stage may be appropriate:

[i]t is possible, of course, that no remedy at all should be given, even if there has been a breach, since the balance of equities may make a preliminary injunction inadvisable.

Eric has posted on a slew of cases that deal with online "divorces" where joint site operators split up with each other. Mikhlyn v. Bove is the paradigmatic example: "Cautionary Tale of Website Co-Ownership--Mikhlyn v. Bove." The most recent involved parties squabbling over a Tea Party-related Google Group: “Tea Partiers Wage War Against Each Other Over a Google Groups Account--Kremer v. Tea Party Patriots.” Based on how often we see these disputes, parties can't be reminded of the necessity for clear documentation often enough.

Hotheadz's trademark claims based on the "Hotheadz" marks were muddled and the court does not address them, but they seemed tenuous at best. As a reseller, HBS (or Singer and Silverman) should have the right to refer to Hotheadz to accurately describe the products sold by HBS. As to any claim based on the "Health and Body Store" mark, these overlapped with the fiduciary duty claim and it made sense to focus on the fiduciary duty claim. These types of disputes often spur claims under the Computer Fraud and Abuse Act or theories of conversion, but these claims really piggyback on the underlying ownership claim.

It was unfortunate for Silverman and Singer to have agreed to form the LLC and consented to filing the formation papers, without having ironed out the details of the underlying relationship. The court's opinion is unclear on to what extent they "cooperated" with Hotheadz in this process. It could have been as menial as counsel for Hotheadz filing the certificate of formation and obtaining email confirmation from Silverman and Singer. Something like this shouldn't sign Silverman and Singer up for fiduciary duties, but this is yet another pitfall of online marriages. If you form an entity with another person, you may sign up for a lot more in the way of duties than you intended to. Half-papering the arrangement may be just as bad as not having any contracts in place at all. It certainly put Silverman and Singer in a worse off position here. Interestingly, the court notes that Hotheadz helped Silverman and Singer and provided support for the business, but the court's order wasn't overly detailed on this point.

Eric's essay on co-blogging:

Co-blogging Law

Posted by Venkat at 03:41 PM | E-Commerce , Trademark

April 23, 2012

SuperPoke! Pets Virtual Gold Dispute Worth Over $5 Million--Abreu v. Slide

By Eric Goldman

Abreu v. Slide, Inc., 2012 WL 1123367 (N.D. Cal. April 3, 2012). The Justia page.

Google bought Slide, which operated the SuperPoke! Pets online game. Wikipedia has some of the game's history. As part of the gameplay, users could buy virtual gold. Apparently a lot of them did; Google alleges that users bought $6M+ of virtual gold from October 2010 through June 2011. The plaintiffs allege that Slide whipsawed its users. After exhorting users to buy virtual gold, in June 2011 Slide stopped selling virtual gold and wiped out existing gold accounts, but it said the site was ongoing and told subscribing users they could enjoy premium accounts for life. Then, in August 2011, Slide announced a hard stop in 6 months, and Slide actually shut down in March 2012. By shutting down, the plaintiffs allege that Slide improperly wiped out virtual assets worth real money.

I'm torn about the underlying merits of this dispute. I'm sure Google has good explanations for the choices it made, and I staunchly defend the right of virtual world operators to control their environments as they see fit. Still, it's bad for consumer trust and the industry generally for Slide/Google to eliminate virtual assets that people bought with real money without providing some refunds, even if Slide made disclosures up the ying-yang about caveat emptor. We'll get to those more interesting questions later (if the case doesn't settle).

For now, the only issue in this ruling is whether the case stays in federal court or goes back to state court. To stay in federal court under CAFA, the case must meet certain standards, including having an amount in controversy over $5M. Google argues that it clears the threshold because users bought over $6M of virtual gold. The court says this allegation suffices, the plaintiffs can't adequately rebut it, and the case stays in federal court per CAFA.

Both Venkat and I wondered if Google's declaration of the $6M+ number will eventually come back to haunt Google. Neither of us couldn't think of a way it would. I imagine Google is going to argue that consumers got what they paid for, so the fact that there's over $6M in revenues is ultimately irrelevant.

Posted by Eric at 11:37 AM | E-Commerce , Licensing/Contracts , Virtual Worlds | TrackBack

April 11, 2012

Parents' Lawsuit Against Apple for In-App Purchases by Minor Children Moves Forward -- In re Apple In-App Purchase Litigation

[Post by Venkat Balasubramani]

In re Apple In-App Purchase Litigation, 5:11-CV-1758 (N.D. Cal.; Mar. 31, 2012)

Facebook recently dealt with a class action over sponsored stories where minors asserted violations of their publicity rights. The court enforced the Facebook terms of service and transferred the dispute to California. ("Facebook's "Browsewrap" Enforced Against Kids--EKD v. Facebook.") Apple is grappling with a lawsuit also involving minors, where parents of minor children argued that Apple’s practice of distributing free apps was misleading because minor children could purchase “game currency” for a short duration after the parents had logged in. The court denies Apple’s motion to dismiss the lawsuit.

The factual allegations are somewhat interesting, and I have to give credit to the plaintiffs’ counsel for their creativity. Plaintiffs argued that Apple distributed free apps, and users of the apps could purchase in-app virtual currency for a short duration (15 minutes) after the password authentication process. Parents supposedly downloaded apps, gave them to their kids, and in this fifteen minute duration, the kids allegedly rang up bills (ranging from $99.99 to $338.72 “at a time”).

Voidability of the contract: Apple argued that although the minors purchased the apps, the relevant contract was the terms of service in place between the parents and Apple and this was a binding, enforceable agreement. The terms of service placed responsibility for unauthorized use of log-in credentials on the end user; therefore, Apple argued it was not responsible for the in-app purchases. The parents argued that each in-app purchase was a separate and voidable contract that may be disaffirmed by the parent or guardian. The court punts on the issue and says that at the pleading stage, the plaintiffs’ arguments should be allowed to proceed. The court footnotes an interesting contract law issue, noting Apple’s argument that a contract cannot exist where an offer is made to one party (the parents) but is accepted by another party (their children) and the consideration is supplied by the original offeree (the parents). Disappointingly for afficianados of contract law, the court does not resolve this issue.

Consumer Legal Remedies Act claim: The Consumer Legal Remedies Act statute prohibits unfair or deceptive acts or practices and looks to what is likely to “mislead a reasonable consumer.” The key question was whether Apple concealed or omitted facts that it had a duty to disclose. Citing to advertising from Apple that billed the “bait Apps” as “’free’ or nominal,” the court says that plaintiffs alleged the requisite misrepresentation by Apple. Two of the plaintiffs testified that they downloaded apps because they were free and gave them to their kids, only to find out later that for fifteen minutes after they had entered their iTunes passwords, their kids could make purchases from within the apps. These allegations were sufficient at the pleading stage.

Unfair Competition Law: Finally, the court also finds that plaintiffs adequately state a claim under California's unfair competition statute. Plaintiffs' allegation that Apple violated their CLRA rights independently states a cause of action under the UCL statute. The court also finds that plaintiffs plausibly state a claim under the substantial injury/benefit test: plaintiffs alleged substantial harm with no countervailing benefit to Apple from Apple’s unfair practices.

Duty of Good Faith/Restitution: Apple gets a mixed result on these two claims. The good faith and fair dealing claim is dismissed because there is no allegation that Apple lacked subjective good faith or that it intended to frustrate the common purpose of the agreement. The restitution claim moves forward, but piggybacks on the contract, CLRA, and UCL claims.

Forming online contracts with minors always struck me as a tricky issue. While most sites get by with a provision in the agreement that the minor has obtained the consent of his or her parent or guardian, as noted in E.K.D. v. Facebook, there’s a potential disaffirmance problem. As Eric mentions in his post on E.K.D., resolution of this issue may depend on whether the benefit has already been conferred on the minor, in which case the minor can’t disaffirm the contract. (See A.V. v. iParadigms, discussed in Eric's post here: "Clickthrough Agreement Binding Against Minors--A.V. v. iParadigms".) So what happens if the minor disaffirms? Can the site cease the allegedly improper conduct on a prospective basis and avoid liability? In this case, the minors surely enjoyed the benefits of their purchases (“game currencies!”); so in order to disaffirm the agreement, they should have to return the currency, which may pose a problem for the parents. (For this reason, my instinct tells me that Apple has the better argument on the disaffirmance issue, but this is just a gut feeling.)

As always, in these cases where plaintiffs challenge Apple’s conduct in the app store, I wonder about the viability of a Section 230 defense. It doesn’t seem as viable in this case as in the typical case since plaintiffs are alleging that Apple made statements that were misleading, but the court doesn’t delve into the details on these statements so it’s tough to tell. Apple's statements may be fairly narrow and not sufficient to get around a Section 230 defense. In any event, I'm curious about Apple's reasons for not asserting a Section 230 defense.

One thing is for sure. The knives of plaintiffs’ lawyers are sharpened when it comes to online litigation. I can see Apple defeating this lawsuit eventually, but the claims themselves surprised me from a factual standpoint. I doubt Apple could have anticipated something like this.

Added: Rebecca Tushnet comments: "What, exactly, was not easy to anticipate about what would happen with "free" games suitable for kids allowing easy in-app purchases (when the phone's been handed over to the kid)?"

Posted by Venkat at 11:19 AM | E-Commerce , Licensing/Contracts , Marketing

April 06, 2012

AdKnowledge Denied 47 USC 230 Immunity (Again)--Chang v. Wozo

By Eric Goldman

Chang v. Wozo LLC, 2012 WL 1067643 (D. Mass. March 28, 2012)

This case is a cross between Swift v. Zynga and Goddard v. Google. Tatto runs a website, Wozo, that sells art posters. It created a "poster of the month" negative-option club that sent 2 posters/month for $30/month until the customer opts-out. Who has enough wall space for 24 posters a year? Tatto ran ads offering a "free" poster for a 99 cent shipping fee. Unlucky customers allegedly were surreptitiously enrolled in the poster club. To sweeten the deal, Tatto bundled its free poster offer with additional incentives to consumers, including AdKnowledge's virtual currency ("Super Rewards Points") pursuant to a deal with AdKnowledge. Chang, as class representative, alleges he responded to an ad for the bundled free poster and virtual currency and got duped into the poster club.

AdKnowledge tries a number of tactics to exit the lawsuit early, but I'm going to focus only on its 47 USC 230 defense. Citing Swift v. Zynga in a footnote (in which AdKnowledge was denied a 230 dismissal in a similar circumstance), the court's rejection of 47 USC 230 is brief:

Adknowledge and Chang dispute whether the content of the internet advertisements at the heart of this case were developed solely by Wozo and Tatto or whether the content was developed at least in part by Adknowledge....This is a dispute of fact that cannot be resolved at this juncture.

Nowadays, every plaintiff asserts that a 230-immunized entity "developed in part" the offending content. Therefore, it was lazy at best for the court to simply take the statement at face value in rejecting the 230 immunity. As Judge Kozinski said in Roommates.com, the Section 230 immunity needs to be robust to avoid death by a thousand duck bites.

On the other hand, the court may be responding to AdKnowledge's contract with Tatto to advertise a bundled offering, which does raise the question of how the contract allocated responsibilities for the bundle. For example, if AdKnowledge crafted the ad copy and deliberately omitted any reference to the poster club, 47 USC 230 probably doesn't apply to the ad copy. In contrast, if AdKnowledge crafted fully legally-compliant ad copy based on everything AdKnowledge knew but Tatto independently and surreptitiously crammed the poster club onto users, 47 USC 230 might very well protect AdKnowledge for Tatto's rogue behavior. See, e.g., Goddard v. Google and Mazur v. eBay. I can see why a court would want to see more facts beyond the complaint before making assumptions on a 12b6 motion to dismiss. At the same time, I hope the court will be willing to revisit Section 230 if AdKnowledge has the facts to throw Tatto under the bus.

Posted by Eric at 11:54 AM | Derivative Liability , E-Commerce , Marketing | TrackBack

April 02, 2012

Users Can't Sue Sony for Changing Online Terms to Require Arbitration – Fineman v. Sony Network Entertainment

[Post by Venkat Balasubramani]

Fineman v. Sony Network Entertainment, C 11-05680 SI (N.D. Cal.; Feb. 9, 2012)

In a move that caused a stir among consumer activists and others, Sony revised its EULA in September 2011 requiring PlayStation 3 users to choose between agreeing to submit dispute to arbitration (on an individual basis) or foregoing the right to access the “Sony PlayStation Network.” Plaintiff filed a putative class action alleging unfair competition and contract claims against Sony based on Sony’s imposition of the revised terms. The court rejects plaintiff’s claims.

The court says that a claim under California's unfair competition law requires a plaintiff to prove economic injury in the form of the loss of “money or property” to which the plaintiff is entitled. The diminution of a future property interest has been found to be sufficient by courts. The court nevertheless says that the two property rights plaintiff argued Sony deprived him of are insufficient: (1) the loss of the right to pursue class action claims outside of arbitration against Sony; and (2) the loss of access to the PlayStation Network.

With respect to loss of access to the PlayStation Network, the court says that plaintiff gave this up voluntarily when he made the choice to agree to the revised terms. The court also finds acceptance of the arbitration provision to be insufficient to support a UCL claim. While plaintiff may become embroiled in a dispute with Sony at some point in the future and arbitration may yield less in the way of money damages than litigation, at the present time plaintiff cannot allege that he has been economically harmed by Sony’s imposition of the arbitration clause. (In a footnote, the court distinguishes Fraley v. Facebook, where the court declined to dismiss plaintiffs’ claim that Facebook failed to compensate them for exploiting their publicity rights.)

Plaintiff also made an argument that imposition of revised terms by Sony devalued his PlayStation3 (i.e., he bought it expecting access to the PlayStation Network and now Sony is imposing an “additional charge” to access that network). This argument received little or no attention from the court. Plaintiff did not make a contractual argument as had the plaintiffs in some recent cases that Sony’s reservation of the right to modify the contract at will rendered the contract terms illusory or was a breach of the original agreement. (See Lebowitz v. Dow Jones: “No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing.”) The court does note that plaintiff actually accepted the revised terms so he had continued access to the PlayStation Network—perhaps it would have viewed this argument differently if the plaintiff had rejected the new terms.

Finally, plaintiff made an argument that Sony breached its implied covenant of good faith and fair dealing. The court says this is basically a disguised breach of contract claim and, because plaintiff acknowledged he was not bringing a breach of contract claim, the court dismisses this claim as well.

[Plaintiff amended his claims to assert a claim for injunctive relief but the court dismisses this without prejudice for lack of jurisdiction. Plaintiff can pursue this claim in state court.]
__

Sony's move to require arbitration of disputes was in response to the Supreme Court's decision in AT&T v. Concepcion, which said the Federal Arbitration Act preempted state laws which treated arbitration agreements unfavorably. Courts appear willing to uphold arbitration provisions in the wake of Concepcion. (See Swift v. Zynga for a recent example where a court forced a consumer to arbitrate disputes based on terms of use which included an arbitration provision.) We can expect to see more companies taking this route. The dismissal of Fineman's claims shows that it won't be easy to challenge these types of changes proactively.

It's interesting that the court didn't take a rigorous look at whether Sony's revised terms affected the underlying economic deal between Sony and the end users. Did Sony advertise access to the PSN network as part of the PS3? Was it reasonable for users to expect continued access on the terms that they initially signed up for? How about the loss of any data or virtual property that plaintiff would have forfeited had he declined continued access to the network? The court's discussion is fairly cursory on these issues.

On the other hand, even when a paid service is involved, courts are sympathetic to the needs of companies to revise terms. For example, the court recently approved Dow Jones' change to WSJ online pricing, finding that plaintiff did not state a claim for breach of contract since the contract allowed for a change in terms: "No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing."

Although California's Consumer Legal Remedies Act provides for a limited cause of action when unsoncionable terms are included in consumer contracts, Fineman did not argue that the terms were unconscionable. The court acknowledges that whether the arbitration clause is enforceable is not an issue that is before the court. If someone down the road wants to challenge enforcement of the terms based on their unconscionability, that possibility is still open. These challenges face a high bar, and this dispute will probably end up being a persuasive argument for why the revised terms were not procedurally unconscionable. Someone could also challenge the agreement on the basis that it's illusory and allowed Sony to revise it at will. (See Harris v. Blockbuster and my recent post on mixed rulings on the Qwest arbitration clauses.) However, given that Sony gave users an explicit choice and was upfront about it, I think that type of challenge would be a long shot.

Posted by Venkat at 02:55 PM | E-Commerce , Licensing/Contracts , Virtual Worlds

March 23, 2012

Qwest Gets Mixed Rulings on Contract Arbitration Issue—Grosvenor v. Qwest & Vernon v. Qwest

[Post by Venkat Balasubramani]

I recently blogged about Kwan v. Clearwire, which involved Clearwire’s efforts to force arbitration of a consumer dispute. The court in that case looked at Clearwire’s contracting practices and made an initial ruling that customers could not be forced to arbitrate their disputes because of a failure in the contracting process. (There will probably be additional proceedings around the arbitration issue in that case.) Qwest has been involved in class action litigation over its early termination fees and other practices, and courts recently issued rulings in two cases which address similar contracting issues. Both rulings are interesting and instructive because they tackle fundamental contract law questions.

Grosvenor v. Qwest, 09-cv-02848-MSK-KMT (D. Col.; Feb. 23, 2012) [pdf]:

Grosvenor subscribed to Qwest in 2006 and received a disk containing software to activate the service. The install window contained a link to the applicable terms and contained a check-the-box indicating assent to the terms. Grosvenor had to click on “I Accept” in order to proceed with the installation. The only problem was that the install window did not contain the actual terms. Worse yet, it did not even contain a link to the terms. The terms were two links away.

The court says that requiring a user to click through a couple of links in order to view the terms does not as a matter of law pose a bar to contract formation. However, there is another problem:

the fact that a user must navigate a web page in order to ascertain terms of an offer is particularly difficult where the software being installed is the means by which the internet can be accessed.

D’oh! The court says that the record is bereft of facts indicating that Grosvenor already had internet access at the time he signed up for Qwest and thus he probably had “no way of accessing the terms of Qwest’s agreements until he completed installation of the software, and completion of the software installation would not occur until Mr. Grosvenor manifested his acceptance of the terms or [sic] the agreement." Because of this flaw, the court says that the check-the-box presentation of the terms at the time of install probably does not create an enforceable contract.

Qwest also argued that after Grosvenor signed up, he received a “Welcome Letter” that Qwest sent to everyone who signed up. The subscriber letter does a better of job of directing Grosvenor to the operative terms, so the court says this solves the problem of Grosvenor having to dig around. Also, because it was a paper letter sent after Grosvenor obtained internet access, it addresses the problem with the issues which undermined the online terms. Additionally, the court says that because the letter advised users that they should cancel their service in 30 days if they did not agree to the terms, users have the comfort of making their decision in a leisurely manner. The court says that Grosvenor entered into a contract with Qwest in 2006 because he assented to the terms in the letter.

Grosvenor’s underlying qualm with Qwest was over Qwest’s alleged failure to honor a “price for life” guarantee and he argued that this was not part of the original deal—this was something Qwest implemented as part of a service upgrade. The court expresses some skepticism as to whether the upgrade constituted a new agreement but in any event says that because Qwest sent Grosvenor a second welcome letter relating to the upgrade, Grosvenor assented to any new terms. Net result: Qwest and Grosvenor entered into a contract and this contract contained an arbitration clause.

Although the court finds that Grosvenor agreed to Qwest's terms, Grosvenor argued that Qwest's subscriber agreement was illusory because Qwest included a provision that it could modify terms of the agreement at its discretion. Qwest had a Harris v. Blockbuster problem. (See “Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster.”) In Harris, the court invalidated an agreement because the agreement said Blockbuster could amend it at any time and did not have to provide notice to the customer. In Harris, the modified terms were effective upon use of the service by the customer. Qwest had a similar provision in its subscriber agreement saying that Qwest would “modify the Service and/or any of the terms and conditions of [the] Agreement . . . and [changes became] effective upon posting to www.qwest.com/legal.” Other than some precedent that’s unfavorable to Qwest (and binding on the district court) the court says that there’s one big problem to Qwest’s argument that Grosvenor assented to the modified terms by continuing to use the service: Grosvenor had to access the service in order to view the modified terms, and because he had no opportunity to review the terms without continuing to use the service he had no meaningful right to reject the terms.

The court says that the arbitration clause is illusory and unenforceable.

Vernon v. Qwest, 09-cv-01840-RBJ-CBS (D. Col.; Mar. 8, 2012):

Vernor is a companion case but heard by a different judge in the same district. Plaintiffs asserted claims on behalf of a putative class, alleging that Qwest’s imposition of Early Termination Fees was improper. The named plaintiffs all signed up for slightly different offerings from Qwest.

The first question was whether plaintiffs had entered into enforceable agreements with Qwest. The court runs through the “browsewrap” / “clickwrap” taxonomy, and also mentions “hybrid arrangements,” where the terms presented to the customer do not appear in the same screen as the accept button—i.e., the customer must click through a hyperlink to read the terms (citing Fteja v. Facebook and Swift v. Zynga). (See Judge Can't Decide if Facebook's User Agreement is a Browsewrap, But He Enforces It Anyways--Fteja v. Facebook and Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga for posts on these cases.) The court says that assent may be gleaned “from the totality of the circumstances,” and in this case plaintiffs had “reasonable notice” of the terms, so the terms are enforceable. As in Grosvenor, the court looks to the “welcome letter” sent by Qwest and says that this is enough to put customers on notice of the terms.

As a backup argument, plaintiffs also asserted that the arbitration clause was illusory because (as in Grosvenor) Qwest reserved the right to revise the agreement at any time. This court comes to a different conclusion than Gorsvenor and finds that the agreement is not illusory. The agreement said that Qwest can revise the terms at any time and revised terms were effective on posting. However, the agreement contained an exception for when a revision “results in a material and adverse economic impact” to the customer. Where there is a "material adverse economic impact," the agreement required 30 days notice. Based on this, the court says that the agreement does not give Qwest “the unfettered right” to make changes to it and therefore there is no illusory agreement problem. (See the Dow Jones case I blogged about for a similar result: "No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing – Lebowitz v. Dow Jones.")

Plaintiffs made two other arguments that didn’t get much traction with the court: (1) that the agreement was unsoncsionable and (2) that Qwest waived its right to insist on arbitration.

It's depressing to see companies not tie up loose ends on their online contracting processes. It immediately makes the customer's claims seem more sympathetic--if the company can't get the contract right, chances are it's going to botch the customer service. It's possible that Qwest had some reason for not presenting the subscriber agreement in the box itself at the time of install, but it better have a compelling reason for not doing so. As a result, the court has to go through judicial contortions to enforce the agreement. The court enforces the agreement due to the fact that the terms were communicated via a letter to the customer. Courts continue to see mail as a legally sufficient form of notice and I wonder whether people in the modern era are likely to read mailings they receive from company's like Qwest. (I know I would recycle it immediately.) Also, there's an FTC rule that governs mailings for free products or services, perhaps it wasn't enough of a colorable issue for plaintiffs to have raised, but I was surprised to not see a footnote from the court on this issue. If there's no agreement as a result of the online terms, Qwest's mailer is ostensibly an offer and I wondered whether offers via mail had to comply with certain requirements.

The illusory agreement issue is one to watch as well. Contracts will continue to come under fire because they include a provision saying one party can change the terms at will. It's an understandable lawyerly instinct to include this in an agreement, but I would resist this impulse! In one of the two cases, Qwest skated past the illusory agreement challenge, but the fact that one of the two judges was willing to strike down the agreement illustrates how risky it can be to include this provision in an agreement.

Previous posts:

Vendor Fails to Form Either an Online or Paper Contract With Customers--Kwan v. Clearwire
Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga
Judge Can't Decide if Facebook's User Agreement is a Browsewrap, But He Enforces It Anyways--Fteja v. Facebook
Stop Saying "We Can Amend This Agreement Whenever We Want"!--Harris v. Blockbuster
Facebook's "Browsewrap" Enforced Against Kids--EKD v. Facebook

Posted by Venkat at 02:10 PM | E-Commerce , Licensing/Contracts

March 22, 2012

No Breach of Contract Claim from Mid-Stream Change of WSJ Online Pricing – Lebowitz v. Dow Jones

[Post by Venkat Balasubramani]

Lebowitz v. Dow Jones & Co., 06 Civ. 2198 (MGC) (S.D.N.Y.; Mar. 12, 2012)

Dow Jones operates WSJ Online. Historically, it offered WSJ Online subscribers access to WSJ Online and Barron’s Online. At some point, Dow Jones decided to spin-off Barron’s. It gave existing subscribers the choice between accessing Barron’s instead of WSJ Online or accessing WSJ Online and paying a separate fee (pro-rated and up to a maximum of $20) to access Barron’s.

Plaintiffs brought a putative class action, arguing that a mid-stream change in the subscription price was a breach of the subscriber agreement. Alternatively, plaintiffs argued that if the agreement was interpreted to allow Dow Jones to unilaterally change the price this would render the contract illusory. The contract provision allowed Dow Jones to:

change the fees and charges then in effect, or add new fees or charges, by giving [subscribers] notice in advance.

The court disagrees, noting that contractual provisions which allow unilateral changes are not illusory as long as the right to make these changes are constrained in some manner. Looking to case law in New York, the court says that requiring an obligor to exercise its discretion in a reasonable manner or a manner evincing good faith sufficiently constrains the obligor’s discretion. The court says this is the case here:

there is no evidence that Dow Jones used the discontinuance provision to deprive plaintiffs of an unreasonably large part of WSJ Online’s content, and there is no reason to interpret this provision as permitting such extreme behavior. Dow Jones acted reasonably, and therefore this provison of the subscriber agreement is not illusory.

Plaintiffs also argued that Dow Jones failed to give advance notice of the price change and this constituted a breach. Dow Jones had provided notice via a “pop-up” box, which indicated that it was conveying an “IMPORTANT NOTICE TO READERS.” This box appeared on each homepage. When users clicked on this box, a notice appeared which informed subscribers of the spin-off and the fact that the pricing would be changing.

There have been a slew of disputes involving contracts which one party says they can modify at any time. Harris v. Blockbuster presented this problem and Eric’s advice was on point: “STOP PUTTING CLAUSES INTO YOUR CONTRACTS THAT SAY YOU CAN AMEND THE CONTRACT AT ANY TIME IN YOUR SOLE DISCRETION BY POSTING THE REVISED TERMS TO THE WEBSITE” It doesn’t look like companies have heeded this advice and thus continue to struggle with arguments from consumers that this type of a provision renders contract illusory. Dow Jones dodged a bullet here, and although I’ll leave the contract law 101 deep dive to others, the result here did not comport with basic common sense and equity. It’s as if you sign up to on a month-long plan to purchase a particular type of combo meal deal at McDonald’s and halfway through they come along and change up the combination. Rather than forcing customers to pick between WSJ Online or Barron’s going forward, Dow Jones could have just refunded a portion of the subscription fees. The court’s decision deprives plaintiffs of this choice. It wasn't clear from the opinion, but it seemed like the decision was made just to separate the two subscriptions--the order did not discuss some compelling reason (other than subscriptions) why Dow Jones made the decision.

Another interesting part of the dispute was how Dow Jones dealt with notice. Dow Jones has to provide subscribers notice in order for the revised terms to be effective. This is another problem area for companies. (See Eric’s post on the Douglas v. Talk America case, where the Ninth Circuit struck down a contract amendment due to failed notice: “Ninth Circuit Strikes Down Contract Amendment Without Notice--Douglas v. Talk America.” Some suggestions as to notice are discussed in that post.) The court here spends two sentences on the adequacy of notice via a pop-up box. The pop-up box method of notice would work in many cases, but it was surprising to see the court ignore the details of the notification here. I suspect other courts would not always be so approving of notice via this method, absent consideration of other facts, such as the size of the box and the overall user experience.

Previous posts:

Posted by Venkat at 06:03 AM | E-Commerce , Licensing/Contracts , Marketing

March 21, 2012

Trademark Lawsuit Over Website Text Comparing Products Baffles the Judge--AR Pillow v. Cottrell

By Eric Goldman

AR Pillow Inc. v. Cottrell, 2012 WL 868109 (W.D.Wash. March 13, 2012). The complaint.

Every time I read an opinion like this, a little piece of me dies. This is a ridiculously easy case, yet somehow it got all tangled up.

The litigants are rival vendors of similar products to combat baby acid reflux. For a slightly similar dispute involving trademark fights over baby products, see BabyAge v. Leachco.

The plaintiff is largely complaining about text on the defendant's website explaining why the plaintiff's product isn't as good as the defendant's. From my perspective, the explanation doesn't constitute a trademark "use" at all because the trademark is being used as a referent. See, e.g., Naked Cowboy v. CBS, 2012 WL 592539 (S.D.N.Y. Feb 23, 2012). Thus, the court should dismiss the trademark claim for non-trademark use. But if the court doesn't do that, at least it should dismiss as a nominative use. See, e.g., 1 800 GET THIN v. Hiltzik. There is absolutely no question that the defendant's reference qualifies as a nominative use under Ninth Circuit law. Yet, and here's where a piece of me dies, the opinion doesn't discuss nominative use AT ALL. What???

Instead of addressing the two most obvious grounds, the court engages in doctrinal contortions to fit this case into a standard likelihood of consumer confusion analysis. As I've explained elsewhere, the multi-factor LOCC test simply makes no sense when a third party is using the trademark editorially as a referent. My paradigmatic example is the Ballysucks case, where the LOCC analysis is ridiculous because the court is trying to compare a vendor with a griper who registered a "sucks" domain. The LOCC test doesn't work any better here. The judge almost seems to know that the LOCC test isn't the right test, but he doesn't seem to know what else to do.

Fortunately, the judge overcomes his shaky analysis by reaching the right result, concluding that there's insufficient evidence of consumer confusion. Yay for good outcomes. But we need to find better ways to make it clear trademark law should not play a role in situations like this. For more on that, see my Online Word of Mouth paper.

One more point: the court's technological discussions are a mixed bag. On the plus side, citing Network Automation and Matt Cutts' blog post/video, the judge rejects the plaintiff's claims over keyword metatags because Google ignores them. But then the judge launches these groaners:

"there is no evidence in the record that use of the term AR Pillow in Google or other search engine currently leads to defendant's website"

and later

"Consumers who search for AR Pillow today are not presented with defendant's website in the rankings"

Oh god, not this again. Please, let's kill this meme RIGHT NOW. Relative placement of search engine results is a HORRIBLE way to evaluate trademark disputes. First, as I explain here, the junior user doesn't control placements--the search engines do. Second, in my post on the Bitchen Kitchen litigation, I explain technological reasons why this is a terrible idea, including search results personalization, the fact that results change minute-by-minute, and the fact that different search engines rank their results differently. Judges, I beg you, please don't go down this wormhole.

Posted by Eric at 10:00 AM | E-Commerce , Trademark | TrackBack

March 06, 2012

StubHub Gets Section 230 Immunity from Anti-Scalping Laws Because Users Set Prices--Hill v. StubHub

By Eric Goldman

Hill v. StubHub, Inc., 2012 WL 696223 (N.C. App. Ct. March 6, 2012). My blog post on the trial court ruling against StubHub in this case. Earlier blog post on the motion to dismiss ruling.

This long-running case (4.5 years so far) is just one of many arising out of the Hannah Montana concert tour of 2007, which unexpectedly turned into a watershed Cyberlaw moment. The tour has spawned substantial legislative and litigation activity, including the notorious RMG v. Ticketmaster case, and several of the cases have reached bad legal results as populist judges have felt sorry for the tweeners and their parents gouged by high ticket prices due to the extraordinary demand.

One of the bad Hannah Montana rulings came in this case. Last year, the trial judge denied StubHub's Section 230 immunity in an rogue opinion. The appellate court correctly reverses that ruling and holds that "Defendant is entitled to immunity from any liability arising from the ticket price established by Mr. Holohan" and orders the trial court to grant summary judgment to StubHub. The result is a great Section 230 win, and the supporting opinion is mostly good too.

The court sets the context for its opinion:

According to our research, there have been approximately 300 reported decisions addressing immunity claims advanced under 47 U.S.C. § 230 in the lower federal and state courts. All but a handful of these decisions find that the website is entitled to immunity from liability.

Unfortunately, the judge didn't appear to see David Ardia's article, which would have sped up the research and empirically challenged their last sentence. Nevertheless, the court's assessment rightly treats plaintiff wins as exceptional and perhaps aberrational, so there better be a good reason why the immunity doesn't apply. Reinforcing this point, the court says later "The reported decisions construing the immunity provisions of 47 U.S.C. § 230 have rejected a number of efforts to expand the range of factual situations in which a website is deprived of the immunity from liability provided by that statutory provision."

This case turned on who the court thought was the ticket "seller." The trial court treated StubHub as the real seller due to the various tools StubHub provides to facilitate matching, in which case users are effectively StubHub's suppliers just like the pretext report generators in the Accusearch case.

The appellate court saw it differently. The opinion treats StubHub as a venue for buyer-seller matching and the users as the real sellers. This styling of StubHub as a venue, not the seller, also disposes of the plaintiffs' related claim that StubHub overcharged the maximum service fee that a "seller" or its agent can charge (a law that North Carolina has since amended to exclude StubHub). Once the court conceptualized StubHub as a venue, the Section 230 immunity follows naturally. No one questions that the StubHub sellers set the final price for the tickets they have, which makes the price, as a data item, third party "content" to StubHub.

After canvassing a number of the plaintiff Section 230 wins, the court synthesizes a new legal standard for what constitutes content development:

to “materially contribute” to the creation of unlawful material, a website must effectively control the content posted by those third parties or take other actions which essentially ensure the creation of unlawful material

The latter standard, "essentially ensure the creation of unlawful material," is a trivial variation of the Roommates.com standard that foreclosed the Section 230 immunity if you "design your website to require users to input illegal content."

However, the former standard, "effectively control the content" of third parties, is a non-sequitur. The apparent support for that standard is the court's discussion of Jones v. thedirty, which the court said predicated liability "upon the website’s decision to affirmatively adopt or ensure the presentation of unlawful material." The court should have said that the Jones case was a mistake; but even if the court doesn't believe Jones is wrong, saying liability can attach when a website "effectively controls" third party content isn't supported by Jones or by the law generally. Websites get Section 230 immunity because they exercise editorial control over third party content, so what "control" is the court contemplating that isn't subsumed in the permissible editorial control? Further, the court's additional standard was unnecessary because the court never applies this looser standard to the facts at issue. In an opinion clearly designed to take the wind out of the plaintiffs' sails, the opinion's sloppy articulation of the legal standard is an stiff ocean breeze. Sigh.

In refuting the trial court's analysis, the court provides a more useful recap:

the prevailing tendency among decisions construing the relevant statutory language is to hold that the immunity provided by 47 U.S.C. § 230 is (1) not defeated by evidence tending to show that the website had notice of the unlawful posting; (2) not affected by the fact that a website attempts to earn a profit; and (3) not subject to any liability on the basis of “reasonable foreseeability” or “willful blindness” analysis. Thus, the fact that Defendant may have been on notice that its website could be used to make unlawful sales and that certain of Defendant’s practices may have provided incentives for the overpricing of certain tickets does not support a decision stripping Defendant of its immunity under 47 U.S.C. § 230.

All true. In particular, I can't recall another opinion expressly discussing a "willful blindness" challenge to Section 230 immunity.

The court also criticizes the trial court's review of the entire website in determining Section 230's applicability, even considering features that were not used by the litigants. The court says it's inappropriate to do this kind of holistic review of features that weren't implicated by the case's facts:

the appellate cases addressing immunity claims arising under 47 U.S.C. § 230 have analyzed the specific content alleged to be unlawful rather than examining the entire website on a more generic basis

Finally, the court goes out of its way to knock the NPS v. StubHub denial of Section 230 immunity:

Aside from the fact that the evidentiary and procedural context present in NPS is substantially different from that before the Court in this case, we simply do not find the reasoning employed by NPS persuasive, believe that it is inconsistent with the decisions concluding that knowledge of unlawful content does not strip a website of the immunity from liability granted under 47 U.S.C. § 230, and decline to follow it in deciding the present case.

Because of its limitations, I'd love to see the NPS precedent relegated to the dustbin. Since that ruling, we've had several good Section 230 rulings in ticket cases, including this one and the Milgram v. Orbitz case. As the favorable precedent continue to mount, I hope lawsuits against ticket resale venues will wane.

Posted by Eric at 11:33 AM | Derivative Liability , E-Commerce | TrackBack

January 19, 2012

Just How Egregiously Must a Trademark Plaintiff Act Before a Court Awards Attorneys' Fees to the Defendant?--1-800 Contacts v. Lens.com

By Eric Goldman

1-800 Contacts v. Lens.com, 2012 WL 113812 (D. Utah Jan. 13, 2012). Prior blog posts on the case dismissal in December 2010 and 1-800 Contacts' fee dispute with its attorneys.

The federal trademark statute says judges may award attorneys' fees to the winning party in "exceptional" cases. What does it take for a case to be "exceptional"? Apparently, it has to be pretty egregious conduct, as this long-running money pit of a case illustrates.

1-800 Contacts sued Lens.com for competitive keyword advertising. Through the course of the litigation, we learn the following facts:

* 1-800 Contacts accrued $650k in legal fees pursuing the case and capped its legal fees at $1.1M before it stiffed its law firm.
* the defendant Lens.com made less than $21 in profits from its competitive keyword ad buys. 1-800 Contacts also tried to attribute to Lens.com keyword ad buys made by Lens.com's affiliates, a legal argument the court ultimately rejected.
* 1-800 Contacts had done the same thing it was suing Lens.com for doing. 1-800 bought Lens.com's keywords and made about $220k in profit from those keyword ad buys, yet it had duplicitously tried to shut down Lens.com for making less than $21.

To me, this looks like an egregious misuse of the litigation process--exactly the kind of sanctionable behavior that should be considered "extraordinary" enough to make the plaintiff reimburse the defendant for its sizable legal fees. Indeed, the court has harsh words for 1-800 Contacts, including calling 1-800 Contacts' behavior "troubling" and specifically referencing its hypocrisy for suing over behavior it had itself engaged in. The court also says "1-800 Contacts’ actions raise questions about vexatious suits to defeat competition."

Nevertheless, the court decides not to award attorneys' fees. The court cites the following factors in denying the attorneys' fee request:

* the legitimacy of keyword advertising remains legally unsettled. Even when it was clear the direct infringement case was weak, 1-800 Contacts still had a non-frivolous claim for secondary infringement.
* Lens.com did engage in competitive keyword advertising, even if its purchases were "minuscule."
* Lens.com itself was sanctioned for discovery violations.
* even though 1-800 Contacts' expert reports were largely tossed, some of the reports were admitted.

It's clear the judge had distaste for both parties. Lens.com also has a parallel antitrust claim going against 1-800 Contacts in a different forum, and the judge seemed to be deferring to that case to remediate any abuses by 1-800 Contacts. Still, given 1-800 Contacts' condemnable conduct, it's curious the judge didn't stick them with a fee shift.

I think this ruling gives us some more insight into the trademark bullying phenomenon. The mockably ridiculous USPTO report on trademark bullying noted that trademark law's fee shift provision acts as a deterrent against abusive trademark litigation. (For example, it says "the potential for an award of attorneys’ fees is an existing deterrent to misuse of the litigation process in trademark disputes.") Given how hard it is to get a fee shift in light of a ruling like this, this was just another way in which the USPTO completely understated a very real problem in the field.

Posted by Eric at 03:34 PM | E-Commerce , Marketing , Search Engines , Trademark | TrackBack

January 05, 2012

SOPA/PROTECT-IP/OPEN Linkwrap #2

By Eric Goldman

It's been a busy time for news related to SOPA (the Stop Online Piracy Act, not the Stop Online Privacy Act, although that could be an unintended result!), PROTECT-IP/PIPA, and the OPEN Act. In a bit, I'll recap some links. First, though, some general thoughts about the last month.

As I predicted, SOPA has been incredibly divisive. It has largely boiled down to Hollywood in support vs. the rest of the world against, with an emerging "with me or against me" attitude. What a shame. We get much better results when the tech and entertainment community collaborate rather than play zero-sum games.

Naturally, I think Hollywood has made several strategic miscalculations here. First, the outrageousness of its proposals has mobilized the tech community. It's been fascinating watching companies and politicians scramble to disavow themselves from SOPA when targeted by the anti-SOPA advocates. That NEVER happens when it comes to a Congressional proposal to regulate technology. Perhaps this mobilization will be a flash in the pan, or perhaps Hollywood has poked a sleeping tiger once too often.

Second, Hollywood's credibility with its financially-sponsored politicians may be wearing thin. Politicians will happily take its money, but they don't enjoy looking like fools--and many SOPA supporters have, in fact, looked pretty silly while being left twisting in the wind by their Hollywood patrons. Money will buy a lot of politician patience, but the goodwill reservoir is not bottomless.

Third, even if Hollywood can succeed in passing something like SOPA or even PIPA, I believe it would be counterproductive to its long-term interests. As I've mentioned before, we all benefit from having larger common markets (see, e.g., NAFTA or the EEC), and the Internet has emerged as the largest common market of all. A Balkanized Internet will devolve into disparate smaller markets that represent less value for everyone.

A final counterproductive point, although Hollywood may not care. SOPA/PIPA absolutely will drive US dollars--and jobs--overseas. For example, I ditched GoDaddy as my domain name registrar and took my business to a foreign registrar who won't be subject to SOPA/PIPA. If other folks make the same calculations I did, collectively it will be a boon for foreign service providers and a net loss for US service providers. At best, SOPA/PIPA preserve some jobs at the expense of others; my guess is that our economy will suffer a net reduction in jobs. Just what we need during this protracted economic downturn.

The amazing thing is: despite the complete lack of credible empirical evidence supporting SOPA/PIPA, and despite a groundswell of grassroots opposition to it, and despite companies and politicians dropping their support of SOPA/PIPA when the spotlight is cast on them, Hollywood might still be able to succeed in this rent-seeking endeavor. It's evidence of just how well Hollywood has embedded itself into Congress' psyche (and wallets).

Some news items since my last linkwrap:

* OPEN has been introduced in the Senate as S.2029.

* CDT's list of opponents. As you know, I am on it.

* Mike Masnick broke a huge story about Dajaz1.com, showing how our government repeatedly broke the law in falsely pursuing a so-called rogue website. The conduct of the government is chilling--things like this aren't supposed to happen in our democracy!--and if heads don't roll for the coverup, it will be another nail in the coffin of our republic.

* The government also lost the Rojadirecta case. Also, an in-depth look at the Operation in Our Sites bust of Ninja Video, where the government continues to make questionable interpretations of criminal copyright law.

* Constitional Law scholar extraordinare Laurence Tribe and advocate Marvin Ammori both explained how SOPA violates the First Amendment. Marvin followed up with a First Amendment assessment of the manager’s amendment. Corynne McSherry’s thoughts.

* Why aren't members of Congress listening to the opposition? Maybe it has something to do with the revolving door between government and industry. See this article: SOPA revolvers: Sixteen former Judiciary staffers lobby on online copyright issues.

* Wikimedia’s General Counsel Geoff Brigham explains “How SOPA will hurt the free web and Wikipedia”

* One of the many unanswered questions: who is a rogue website and how many are there? CNET News.com suggests that SOPA is all about taking out just one website--The Pirate Bay. Seriously, we're going to break the Internet because of The Pirate Bay? Talk about collateral consequences for something that could be handled with incredibly narrow legislative fixes—or better yet, with precise transborder enforcement cooperation.

* EFF on the good and bad in the OPEN Act.

* Mike Masnick completely destroys Lamar Smith’s so-called statement of facts in support of SOPA. Reading articles like this remind us that support for SOPA/PROTECT-IP is hardly about "the facts."

* More "fact" debunking, this time by Julian Sanchez.

* Speaking of "the facts" or the lack thereof, it appears that the House Judiciary Committee is massively overclaiming who supports SOPA. Misleading the American public apparently is just business as usual in DC.

* Meanwhile, companies are realizing that being listed as a SOPA supporter isn't necessarily good for business. SOPA opponents targeted GoDaddy, who instantly declared their lack of support for SOPA but remains completely untrustworthy and hypocritical.

* Meanwhile, SOPA is turning into an election-year issue, and politicians are beginning to learn the power of Reddit.

* If you want to speak up, check out SOPA Track and find out where your legislators stand. My Congresswoman, Anna Eshoo, has been firm in her opposition to SOPA, but the California senators are both PIPA co-sponsors because they too deeply in bed with Hollywood to listen to other constituents. So fair warning to Sen. Boxer and Feinstein--I plan to vote for your opponents, whoever they are, in the next election cycle.

* Great article about how SOPA will become a Trojan horse for all types of online content censorship, not just the suppression of rogue websites.

* Opposition to SOPA is bipartisan: “I suggest the left and right unite and pledge to defeat in primaries every person named as a sponsor on H.R. 3261, the Stop Online Piracy Act.”

Just a reminder because everyone knows SOPA is so ridiculously extreme: PROTECT-IP is NOT an acceptable "compromise" to SOPA. PROTECT-IP is also extreme. As I indicated previously, if we're going to have any legislative discussions about rogue websites, we should start with the OPEN Act and iterate from there. In light of the action in the courts (see the links below), any legislative solution should be coupled with increased immunities for Internet intermediaries so that they don't just coddle the rightsowners irrespective of the legislation.

FWIW, I have called Rep. Eshoo to thank her for her opposition to SOPA, and I've contacted Sens. Feinstein and Boxer to let them know that I disagree with their positions on PROTECT-IP. Have you contacted your legislators to tell them how you feel? If you don't speak up, they won't know where you stand.

Prior blog coverage of SOPA/PROTECT-IP/OPEN:

* More on Ex Parte Cutoffs of Foreign "Rogue" Domain Names
* Does the House Judiciary Committee Debating SOPA Know What's Going On In the Courts?--Philip Morris v. Jiang
* If You Dislike SOPA, You'll Dislike This Case Too--True Religion v. Xiaokang Lei
* The OPEN Act: Significantly Flawed But More Salvageable Than SOPA/PROTECT-IP
* I Don't Heart SOPA or PROTECT-IP: A Linkwrap
* Ad Network Avoids Contributory Copyright Infringement for Serving Ads to a Rogue Website--Elsevier v. Chitika
* Court OKs Private Seizure of Domain Names Which Allegedly Sold Counterfeit Goods--Chanel, Inc. v. Does
* Why I Oppose the Stop Online Piracy Act (SOPA)/E-PARASITES Act

Posted by Eric at 09:15 AM | Copyright , Derivative Liability , E-Commerce , Trademark | TrackBack

January 04, 2012

Keyword Advertiser Mostly Defeats Trademark Lawsuit--Scooter Store v. SpinLife

By Eric Goldman

Scooter Store, Inc. v. SpinLife.com, LLC, 2011 WL 6415516 (S.D. Ohio Dec. 21, 2011). The Justia page.

This is a spirited litigation between two retailers of wheelchairs, motorized scooters and related items. Maybe that retailing sector is so profitable that it warrants a litigation cat-fight, but my guess is these litigants are spending their retirement money beating up each other in court.

Today's ruling deals with SpinLife's AdWords advertising triggered on keywords such as “the scooter store,” “scooter store,” “my scooter store” and “your scooter store” as well as the inclusion of such terms in the spinlife.com's metatags. The plaintiff (let's call them TSS) has registered trademarks in "The Scooter Store" in certain classes but not for retail stores, because the PTO rejected that usage as generic. TSS asserted that SpinLife's keyword ads and metatags infringed its trademark rights.

The court ultimately concludes that "The Scooter Store" is generic for retail stores. This isn't surprising; the PTO had said the same thing to TSS. In fact, I've argued that all "[noun] store" marks (where the store sells the noun) are generic. Surprisingly, a different court ruled otherwise with respect to Apple's claims over "app store." I still think that court got it wrong.

Weirdly, having held the term generic, the court then spends several pages considering the question: "Can SpinLife's use of generic phrases cause consumer confusion?" What??? TSS tried to argue that it's enforcing its trademarks from other classes, not the generic term. The court wisely rejects that. If a term is generic in a class, then it's free for competitors to use in that class--FULL STOP, end of story.

The weirdness continues when the court doesn't dismiss the state anti-dilution claim based on TSS's purported rights in a generic term. WHAT??? Apparently the court is willing to consider TSS's trademark registrations in the other classes for dilution purposes, even though the court just said the registrations were irrelevant for infringement purposes. I understand that dilution claims cut across classes, so that part makes sense, but it's crazy to consider that a registered mark could control the term's use in a class where it's generic. The federal anti-dilution statute has a number of defenses that would clearly free the defendant, so the court's ambivalence may just be a quirk of Texas' anti-dilution statute. In any case, I imagine the judge will get to the right place eventually, but the fact it didn't get there instantly is puzzling.

Before the court declared TSS's marks generic, SpinLife argued that buying trademarked keywords is categorically permissible under trademark law per 1-800 Contacts v. Lens.com. The court rejects this strong proposition, saying "this Court will not rely on a single out-of-circuit case to conclude that the Adword purchases are not actionable under any circumstances." The court's decision isn't surprising given the diversity of rulings we've seen over trademarked keywords, although I think the world would be a better place if the court did adopt the strong proposition.

In the end, the court says SpinLife is free to use "scooter" and "store" in AdWords and its metatags without restriction. Furthermore, TSS ends up with weaker assets than it thought it had pre-litigation (see, e.g., American Blinds which exited its keyword advertising enforcement case similarly bereft) and a clear signal that it should stop spending money on its lawyers and start investing those dollars towards competing on the merits.

Other cases in the category of irrational enforcement actions against keyword advertisers:

- King v. ZymoGenetics. The defendant advertiser got 84 clicks.
- Storus v. Aroa. The defendant advertiser got 1,374 clicks over 11 months.
- 800-JR Cigar v. GoTo.com. The search engine defendant generated $345 in revenue from the litigated terms.
- Sellify v. Amazon. The defendant got 1,000 impressions and 61 clicks.
- 1-800 Contacts v. Lens.com. 1-800 Contacts spent no less than $650k (and was willing to spend $1.1M) to pursue Lens.com, which made $20 of profit from competitive keyword ads. It also tried to hold Lens.com responsible for affiliate ad buys which generated about 1,800 clicks, which under the most favorable computations were worth about $40k.
- InternetShopsInc.com v. Six C. The defendant got 1,319 impressions, 35 clicks and zero sales.

Posted by Eric at 09:00 AM | E-Commerce , Marketing , Search Engines , Trademark | TrackBack

December 16, 2011

Does the House Judiciary Committee Debating SOPA Know What's Going On In the Courts?--Philip Morris v. Jiang

[Post by Venkat Balasubramani, with comments from Eric]

Philip Morris USA, Inc. v. Jiang, 11-cv-24049 (S.D. Fla.) (TRO entered on Nov. 16, 2011) (Prelim. Injunction Entered on Dec. 12, 2011)

This is yet another case where a court orders broad remedies to a rightsowner who alleged that various foreign domain names were selling infringing products. See our recent blog posts on the Chanel and True Religion cases.

The plaintiff in this case is Philip Morris, who alleges that an investigator purchased products from various websites. The investigator forwarded the products to a Philip Morris representative, who alleged that "what appeared to be Marlboro cigarettes were in fact counterfeit." Additionally, the representative

reviewed and visually inspected the internet websites operating under each of the subject domain names, as well as pictures of items bearing the Philip Morris USA Marks offered for sale on the internet websites, and determined that the products were not genuine and/or authorized Philip Morris USA products.

The court issues a TRO that is similar in scope to the Chanel TRO. (The same lawyer was involved in both cases on the plaintiff's side, so this is probably more of a function of the fact that Chanel and Philip Morris sought similar relief.) The TRO contains the following:

- Defendants are enjoined from using any Philip Morris marks, in websites, domain name extensions, links to other websites, search engine databases.
- The domain name registrars are directed to transfer the domain name certificates to plaintiff (for deposit with the court).
- The registrars are directed to transfer the domain names to GoDaddy, who will "hold the registrations for the . . . domain names in trust . . . during the pendency of [the] action."
- GoDaddy shall also update the DNS data so it points to a copy of the complaint, summons, and court documents (<http://servingnotice.com/jiang/index.html>).
- Finally, Western Union is directed to "divert" transfers made by US consumers to three named individuals

The court later extends the TRO and enters a preliminary injunction with substantially similar terms. The orders in this case don't order any sites de-listed, but are still pretty extraordinary in scope. The fact that the court orders the complete disabling of websites and orders registrars to transfer domain names to GoDaddy based solely on the strength of the declarations Philip Morris's investigator and representative is really surprising. Of course, ordering (on an ex parte basis) the diversion of funds transmitted through Western Union is extreme.

As with the Chanel and True Religion cases, the same questions remain. Is there a relationship between the various defendants and the domain names? What type of notice of the lawsuit did defendants actually receive? Was there actually infringement or counterfeiting? The plaintiffs in these cases end up convincing the court of a key fact: immediate, ex parte relief is necessary because defendants will hide assets and shift operations. Courts seem to take this allegation at face value. (The court does authorize service via alternate means and Philip Morris filed affidavits of service in accordance with the court's directive, but this seemed like an afterthought.)

Yesterday's SOPA hearings caused many observers to cringe (see, e.g., Mike Masnick's horrifying recap). I think it's worth revisiting the question of how courts appear already open to remedies people think are objectionable in legislative proposals that are being considered.

Eric's Comments

In our True Religion post, I asked just how many similar cases are in the system. Unfortunately, there's not an easy way to quantify the litigation activity. For example. in the True Religion case, the entire action was sealed for a couple of weeks. Even without the seal, I don't know how to find these ex parte rightsowner enforcement cases against foreign rogue websites other than laboriously reviewing every federal filing, having readers tip us off or serendipity.

However, with today's case representing the third foreign rogue website enforcement case we've found in the past month, I'm going to guess that more enforcement actions are out there today or are coming imminently. This seems to suggest that rightsowners have figured out a way to work with the current system without any additional legislation.

The fact that rightsowners are making progress on their own without help seems quite relevant to the debates about SOPA taking place right now in the House Judiciary Committee. Unfortunately, those debates are so ungrounded from reliable fact-based deliberation that the unpersuadable committee members wouldn't care if we found a million of these cases. In contrast, if they were willing to consider the facts on the ground, the possibility that courts are giving rightsowners what they want is a strong indication that SOPA doesn't need to be slammed home on the fast track without proper deliberation.

From my perspective, the three cases demonstrate the problems with ex parte judicial oversight. Only hearing one side of the story isn't enough to trigger the kind of draconian remedies the courts are granting. In particular, in this case, interdicting money being sent via Western Union is quite troubling. Basically, the court says that money being sent by customers who may have done nothing wrong goes into a holding tank--the customers don't get their money back now (and maybe never?) even if the transaction didn't consummate. It seems like rejecting the money transfers, rather than interdicting the money, would have a lot fairer to the buyers caught in the middle. But they aren't in court to defend their interests, and no one else is speaking up on their behalf, so the rightsowner can make a pure cash grab from potentially innocent buyers. That kind of result wouldn't happen with real due process.

Instead of insulting each other on Twitter or reading the sports pages, what the House Judiciary Committee should be doing is putting the existing legislative proposal to the side, taking a close look at what's going on in these cases, figuring out how much relief rightsowners are getting today from the courts, and then deciding if any incremental legislation is necessary to fill any gaps or--equally importantly--curb any rightsowners' abuses of the ex parte process. Instead, sadly, the House Judiciary Committee will continue its bizarre form of political theater until the rightsowners get what they paid for.

Meanwhile, I would be interested in trying to curb the ex parte abuses in court, but I don't know how. We are finding out about these orders after-the-fact, and I don't know how to get ahead of the curve. If the affected domain name owners aren't complaining after-the-fact, perhaps that's a sign that the rightsowners are truly hitting only the bad guys. On the other hand, if the process remains ex parte, inevitably rightsowners will make some serious mistakes that will have terrible consequences for legitimate players. I wish I could figure out a way to sensitize the judges about those risks before they rotely accede to the rightsowners' requests.

Posted by Venkat at 09:46 AM | Domain Names , E-Commerce , Trademark

November 21, 2011

Can A Copyright Be Assigned By Email?--Hermosilla v. Coca-Cola

By John Ottaviani with comments from Venkat and Eric

Vergara Hermosilla v. The Coca Cola Company, No. 11-11317 (11th Cir. Nov. 3, 2011).

Can a copyright be assigned by an exchange of emails? Section 204(a) of the Copyright Act provides that a transfer of copyright ownership is not valid unless an instrument of conveyance, or a note or memorandum of the transfer, is in writing and signed by the owner of the rights conveyed or by such owner’s duly authorized agent. The 11th Circuit has recently affirmed a lower court’s decision that an exchange of emails was sufficient to constitute a contract to assign a copyright. The court’s decision, however, does not seem to adequately address whether the email exchange satisfies the “writing” requirement in Section 204.

Background

The dispute arises out of Coca Cola’s worldwide marketing campaign for the 2010 FIFA World Cup soccer tournament. As part of its advertising campaign, Coca Cola enlisted recording artist K’Naan to create a new version of his song “Wavin’ Flag,” and called the new version the “Celebration Mix.” Coca Cola had certain lyrics in the “Celebration Mix” adapted and sung in different languages by local artists and K’Naan. In 2009, Coca Cola contacted Jose Puig, a representative of Universal Music Latin America, to produce a Spanish version of the Celebration Mix. The Spanish lyrics were to be sung by David Bisbal, a Spanish language singer. Puig was referred to the plaintiff, Rafael Vergara Hermosilla, in November 2009. Vergara adapted the Celebration Mix into Spanish, and subsequently delivered the Spanish lyrics to Puig in December 2009. A dispute later arose over Vergara’s compensation for the adaptation.

Puig and Vergara negotiated a settlement. After a phone conversation about the terms of the deal, Vergara wrote this email:

[B]ecause I am a man of my word and honor, that is not moved by economic motives, my only request is the my credits are respected as producer and adapter of the Spanish version (that every time the name of any composer of this version appears, my name appears as adapter), and obviously, the credits for the production that are detailed in the invoice sent for this production, which I have detailed below.

For the adaption, you may consider it a work for hire with no economic compensation to that respect. I believe what’s legal is a dollar.

I hope this leaves clear what my work was and what my good intentions were from the beginning.

The next day, Puig responded by email to Vergara to the effect that “You can count on the credits on the track. I am resending you the contract.”

Puig subsequently sent draft contracts confirming the assignment, but inadvertently omitted the provisions that would give Vergara the credits. So Vergara rejected what he characterized as his “proposal” and filed a lawsuit in the Southern District of Florida to enjoin Coca Cola from using the Spanish version of the Celebration Mix without giving him proper credit.

After initially enjoining Coca Cola in May 2010 from disseminating the Spanish version of the Celebration Mix without giving credit to Vergara as the adapter, in February 2011 the District Court granted a summary judgment in favor of Coca Cola. The district court found that the e-mail exchange constituted an assignment by Vergara of his copyright in the adapted lyrics. The court characterized the exchange of emails as an offer and acceptance, “and at that moment the deal was made irrevocable.” The court determined that Puig’s sending of formal contracts that did not reflect all of the terms of the earlier emails was not a “counteroffer which is labeled as an acceptance, but adds new terms” (which typically is not binding under Restatement (Second) of Contracts §59), but was an offer to modify an existing contract. Although Vergara rejected this offer, the court found that this did not impact the initial agreement to assign the copyright.

In a brief aside, the district court also recognized that Section 204 of the Copyright Act requires a signed writing for a conveyance. However, the district court simply noted without discussion that “Courts have found emails to constitute signed writings.” (citing Lemel v. Mattel, Inc., 394 F.3rd 1355 (Fed. Cir. 2005) and the federal E-Sign Act).

11th Circuit Decision

The 11th Circuit opinion is relatively short and to the point. After reciting the facts, the 11th Circuit found that, under Florida law, “the record established without dispute that Vergara assigned his copyright interests to Universal.” The court used a traditional contract analysis to characterize Vergara’s e-mail as an offer and Puig’s e-mail as an unconditional acceptance, which together were effective to create a contract.

Discussion

Unfortunately, while the 11th Circuit found that the e-mail exchange constituted a binding contract under Florida law, the court did not address whether the e-mail exchange constituted a “writing” for purposes of Section 204 of the Copyright Act. Prior to the adoption of the E-Sign law, courts differed as to whether an e-mail exchange would satisfy the writing requirements of Section 204. Section 7001(a)(2) of the federal E-Sign Act, which was enacted in 2000, provides in relevant part that “a contract relating to [a transaction in or affecting interstate or foreign commerce] may not be denied legal effect, validly or enforceable solely because an electronic signature or an electronic record was used in its formation.”

Few courts have addressed what consitutes a "writing" for purposes of E-Sign. Earlier this year, the Arkansas Supreme Court found that a waiver of coverage in an online insurance application constitutes a "writing" for purposes of the Arkansas insurance law requirng such waivers to be in writing. In 2010, the federal district court in Colorado found that an e-mail summary of a settlement meeting could consitute a "writing" for purposes of the Colorado Statute of Frauds, but that the summary could not be enforced as a contract because it was written by an administrative assistant and was not "subscribed by the party to be charged."

But does E-Sign apply to transactions involving transfers of copyrights? Professor Nimmer notes that “[n]othing about the ESIGN Act overtly mentions copyrights in particular or other federal enactments in general.” He further notes that E-Sign does purport to apply “to any transaction in or affecting interstate or foreign commerce,” with some exceptions. It remains to be seem, then whether courts will treat e-mail as having sufficient formalities to satisfy the writing requirement in Section 204 of the Copyright Act.

The 11th Circuit decision also ignored the fact that Vergara’s email characterized the adaptation as a “work made for hire.” Would the decision have come out any differently if analyzed under the “work made for hire” provisions? Probably not. Under Section 101 of the Copyright Act, certain works qualify as a work made for hire if “the parties expressly agree in a written instrument signed by them that the work shall be considered a work made for hire.” The court did not discuss the question whether the adaptation qualified as one of these specially ordered works (at best it might be viewed as a part of an audio visual work, or as a translation, but probably not). Even if the adaptation did qualify as a work that could potentially be a “work made for hire,” does the exchange of emails constitute “a written instrument signed by them?” I find it harder to classify the exchange of e-mails as an “instrument’ within the meaning of the work made for hire definition. This may be why the 11th Circuit decided the issue on contract grounds, but it would have been nice to have some analysis of this issue.
_________

Comment from Venkat:

This is a great post by John that delves into the interplay between the federal ESIGN Act and the Copyright Act. I wonder whether an email disclaimer would have affected the analysis. There’s been a lot written on the efficacy and the desirability of email disclaimers in other contexts, but I wonder if an email disclaimer that said

Nothing in this email is intended as an offer and the author disclaims any intention to make an offer or create an enforceable agreement through any email messages. Any agreement with the author of this email must be in a signed paper document!

would have protected Hermosilla? I’m guessing the court would have said that Hermosilla’s unequivocal intent to reach an agreement trumped anything in an email disclaimer. It may not have been useful here, but it would be useful in other contexts, such as where people exchange email messages in an attempt to settle a dispute and one party tries to use an email along the way to say that the parties reached a settlement and tries to enforce a settlement on this basis. I’m not a fan of email disclaimers, but this type of a disclaimer may be worth exploring.
_________

Eric's comments.

To me, the legal doctrine in this case seems pretty straightforward. If the parties formed a contract or did a proper contract amendment, the fact that the contract was made via email should satisfy the Section 204 "writing" requirement per E-SIGN/UETA. After all, Section 204 is a statute of fraud, and E-SIGN/UETA were designed to say that emails satisfy the statute of frauds. See, e.g., the many real estate cases reaching this result and John E. Theuman, Satisfaction of Statute of Frauds by E-Mail, 110 A.L.R.5th 27 (2003). I don't see any reason why copyright law would be handled differently under E-SIGN or UETA. My analysis is the same for the "work for hire" statute of fraud.

For me, the harder part is whether the email exchange properly formed a contract/contract amendment and, if it did, if Coca-Cola (or its assignor) violated one of the contractual conditions such that their failure to perform negated the contract. If this situation didn't have a whiff of the content creator changing his mind with venal intent, I think other courts might have been more sympathetic on that point.

Posted by John Ottaviani at 08:50 AM | Copyright , E-Commerce , Licensing/Contracts | TrackBack

October 15, 2011

Q3 2011 Quick Links, Part 5

By Eric Goldman

See the other quick links posts in this series:

* Q3 2011 Quick Links, Part 4
* Q3 2011 Quick Links, Part 3
* Q3 2011 Quick Links, Part 2 (Trademarks/Domain Names Edition)
* Q3 2011 Quick Links, Part 1 (Copyright Edition)

Trade Secrets

* Congressional proposal to add a private cause of action to the federal Economic Espionage Act. David Almeling supports the general idea. My take from an email list:

I don't understand the incremental value of a federal private cause of action beyond the current state laws for the described situations. I also wonder if this is the beginning of the end for federal deference to state regulation of trade secrets. If the amendment get adopted, it would be entirely logical to see the restrictions relaxed over time to make it into a general-purpose private right of action for any trade secret misappropriation. For an analogous regulation, see the significant expansion of the CFAA over the past quarter-century, and especially the growing number of cases involving CFAA violations because former employees continued to access their former employees' hardware (and, presumably, misappropriate trade secrets).

* Mattel's lawsuit against MGA over the Bratz dolls has gone sour for Mattel in a big way. It was hit with another $225M in damages, bringing the amount it owes MGA to $310M. Oops.

* Probation for two individuals in the first lost iPhone prosecution, but no charges against Gizmodo. Yet, somehow, Apple apparently lost yet another "priceless" iPhone prototype at a bar.

Patents

* Bessen et al, The Private and Social Costs of Patent Trolls:

In the past, non-practicing entities (NPEs) — firms that license patents without producing goods — have facilitated technology markets and increased rents for small inventors. Is this also true for today’s NPEs? Or are they “patent trolls” who opportunistically litigate over software patents with unpredictable boundaries? Using stock market event studies around patent lawsuit filings, we find that NPE lawsuits are associated with half a trillion dollars of lost wealth to defendants from 1990 through 2010, mostly from technology companies. Moreover, very little of this loss represents a transfer to small inventors. Instead, it implies reduced innovation incentives.

* Joe Mullin is blogging again on patent matters, especially NPE issues! From his blog, check out his co-blogger's post on Innovatio, which is sending licensing demands to hundreds of companies who are offering industry-standard wi-fi to consumers.

E-Commerce

* After tossing its CA affiliates aside like rag dolls, Amazon and CA struck a deal on sales taxes that reinstated its CA affiliates (1, 2).

* Businesses using Groupons may be getting lower Yelp reviews.

* Dan Ariely deconstructs online retailers and websites to show how they are using psychological forces to get us to do what they want.

* Earll v. eBay, 5:11-cv-00262-JF (N.D. Cal. Sept. 7, 2011). eBay could be exposed to claims under the Disabled Persons Act and the Unruh Act.

* Foley v. JetBlue Airways (N.D. Cal. Aug. 3, 2011). Federal aviation law preempts California law regarding disability accessibility to airline website.

* Weinstein v. eBay. StubHub wins an anti-scalping case under New York law.

* NYT: Good example of how a properly managed consumer review website can improve marketplaces.

Contracts

* David Stebbins is at it again. He sued Google to enforce his purported $500 billion arbitration win. The magistrate recommended dismissing the case as frivolous. Stebbins sued Microsoft too; see the long interview with him and a link to his video.

* Davis v. Avvo, 8:10-cv-02352-JDW-TBM (M.D. Fla. Sept. 13, 2011). Forum selection clause in Avvo’s user agreement upheld.

* Fusha v. Delta Airlines (D. Md. Aug. 30, 2011). Venue selection clause in check-the-box user agreement upheld.

* TradeComet.com LLC v. Google, Inc., 2011 WL 3100388 (2nd Cir. July 26, 2011): "a district court is not required to enforce a forum selection clause only by transferring a case pursuant to § 1404(a) when that clause specifies that suit may be brought in an alternative federal forum. Rather, in such circumstances, a defendant may seek to enforce a forum selection clause under Rule 12(b)."

A separate summary order upheld the applicability of Google's forum selection clause against TradeComet. The court says Google's clause doesn't overreach because "Google unquestionably holds a ‘special interest’ in making sure that it is not subject to suit in numerous different fora for claims arising from its agreements with over a million advertisers."

* Marso v. United Parcel Service, Inc., No. 09 CVS 2582 (N.C. App. Ct. Sept. 20, 2011). UPS required customers to go through a mandatory clickthrough agreement on computers in its store, but...

plaintiff asserts that defendant's employee entered the information into the computer, and that "[n]o one advised [plaintiff], orally or in writing, about any UPS Tariff, waybill, or service guide," or advised him that he could request a copy of the same….plaintiff suggests by his argument that he did not assent to the terms of service identified in the UPS Tariff, which would limit defendant's liability for the fraudulent cashier's check collected by defendant upon delivery of plaintiff's package to Mr. Thompson, and instead asserts that he formed an oral contract with defendant's employee which obligated defendant to be liable to plaintiff for $12,145.00 without limitation. Thus, there appears to be a genuine issue as to whether plaintiff assented to be bound by the limiting terms of the UPS Tariff, and whether defendant presented plaintiff with actual or constructive notice of the terms set forth by the UPS Tariff.

* Truong v. eBay, Inc., 2011 WL 3716999 (Cal. App. Ct. Aug. 24, 2011). This is a busted eBay Motors transaction where eBay warned the winning buyer not to complete the transaction and the seller sued for tortious interference with contract:

eBay raised the immunity provision of the federal Communications Decency Act (47 U.S.C. § 230). As appellant pointed out to the trial court, and as that court ruled, the pertinent provision of that statute makes the law applicable to an action taken by an internet service provider to restrict access to or availability of material that is obscene, harassing, “or otherwise objectionable.” The conduct alleged against eBay was not editing or policing content of items posted on its marketplace, but interfering with a contract. (See 47 U.S.C. § 230(c)(2)(A).) eBay does not urge this ground in its respondent’s brief.

* Added to my RSS feed: The Tech Contracts Blog by David Tollen.

Miscellaneous

* ABA Journal on electronic service of notice.

* James Grimmelmann's Internet Law casebook.

* On TWiL in late August, I discussed privacy and MP3Tunes with Denise Howell, Evan Brown and David Snead. The recording.

* Top 15 most popular "Damn You Auto Correct" postings of all time. Hilarious.

* Good news: I will receive the 2011 "IP Vanguard Award" (in the Academic/Public Policy category) from the California State Bar's IP Section.

Posted by Eric at 07:02 AM | E-Commerce , Licensing/Contracts , Patents , Trade Secrets | TrackBack

September 13, 2011

Ninth Circuit Upholds Web Host's Liability for Counterfeiting Retailers--Louis Vuitton v. Akanoc

By Eric Goldman

Louis Vuitton Malletier SA v. Akanoc Solutions, Inc., No. 10-15909 (9th Cir. Sept. 12, 2011). Prior blog posts:
* Another Bad Ruling in Louis Vuitton v. Akanoc
* Making Sense of the $32M Contributory Trademark Infringement Judgment Against a Web Host
* Web Host Faces Potential Contributory Trademark Liability

This cases involves a US web host, Akanoc, that hosted Chinese retailers selling counterfeit Louis Vuitton goods. The web host apparently ignored numerous takedown notices from Louis Vuitton. Louis Vuitton sued for contributory copyright and trademark infringement, and the result has been a string of troubling rulings. For a sample of those, consider the trial court's rulings that individuals directly infringe copyrights when browsing a photo of a counterfeit good, and a 512 agent for service of notice could be personally liable for any infringements. Ugh. The coup de grace was a massive $32+M jury verdict against the defendants for willful infringement.

On appeal to the Ninth Circuit, the court issued a characteristic "omnibus" opinion that resolves lots of contentions in relatively short order. Opinions like this rarely become major precedents, which is fine by me given the results. Overall, the court rejects all of the defendants' arguments except one, but that one saves the defense over $10M.

Some of the more interesting points:

* MSG leased equipment to Akanoc. The jury held MSG liable, but the trial court reversed that. On appeal, the Ninth Circuit agreed that MSG wasn't liable for the retailer counterfeiting because "Louis Vuitton presented no evidence that MSG had reasonable means to withdraw services to the direct infringers."

* the defendants argued that its customers' websites were the "means" of trademark infringement, not the hosting services to them. The court rejected the argument as irrelevant:

websites are not ethereal; while they exist, virtually, in cyberspace, they would not exist at all without physical roots in servers and internet services....Appellants had control over the services and servers provided to the websites. Stated another way, Appellants had direct control over the “master switch” that kept the websites online and available.

This seems to resolve one of the open issues from the Ninth Circuit's 1999 Lockheed v. NSI case, which is the circuit's benchmark opinion on contributory trademark infringement online. That case said NSI as a domain name registrar wasn't responsible for an infringing domain name, but it implied that vendors closer to the infringement--such as web hosts--could be. This ruling confirms our assumption that web hosts have more affirmative obligations to intervene against trademark infringement than domain name registrars do.

* "providing direct infringers with server space" qualifies as a material contribution for contributory copyright infringement.

* the court touched on the required scienter for both contributory trademark and copyright infringement, but this discussion goes nowhere given that the jury found willful infringement.

Even though the defendants did not prevail on its doctrinal arguments, the appeal was partially successful because the court reduced the damages award over $10M (the jury had awarded $32+M against three defendants; the judge post-ruling had dismissed MSG, which cut the award to about $21M; this panel reduces it further to $10.8M). The trial court judge's jury instructions allowed the jury to cumulate awards against each defendant for the same infringements, rather than forcing them to make a single award joint-and-several. The appeals court fixed that perplexing error.

Even so, the lesson remains that any web host that fails to promptly honor takedown notices--copyright or trademark--does so at extreme peril. We don't have an express notice-and-takedown scheme for trademarks, but we've gotten there on a de facto basis.

Posted by Eric at 09:05 AM | Copyright , Derivative Liability , E-Commerce , Trademark | TrackBack

September 07, 2011

Reflections on the DOJ-Google Half-Billion Deal over Illegal Pharma Ads (July-August 2011 Quick Links, Part 2)

By Eric Goldman

I haven't previously written on the DOJ's bust of Google over illegal pharmaceutical ads, partially because I couldn't reconcile my views about this enforcement action. From my vantage point, this action equally fits into two dichotomous stories, and these stories may not be mutually exclusive.

Story #1: Google's massive revenues and profits are significantly inflated by illegitimate ads. Here, we learn that Google was raking in millions of dollars from ads for illegal pharmaceuticals. We also know Google has struggled with gambling ads (1, 2), ads for bogus ringtones, ads that trademark owners consider infringing, and other problematic ads.

The sources of Google's revenues may be like the log that no one wants to turn over to see what's under it. I bet that if we could get a detailed line-item breakdown of where Google's revenues come from, more than a few folks would be queasy about some key revenue categories.

Over the years, Google has taken some baby steps to screen out bogus advertisers from its network, but I wonder if Google's "Must. Be. Scalable!" mantra--and the concomitant profits that come from willful blindness--has inhibited Google from undertaking some needed, but necessarily manual, steps to police its ad network more aggressively.

Story #2: The incumbent DC regulators view Google's emerging power as unwanted competition to their regulatory power, and like typical incumbents, the DC regulators are closing ranks on the start-up--meaning they have become hellbent on busting Google, legitimately or not. To me, the Google Buzz settlement is a clear example of how DC regulators are unnecessarily flexing their muscles against Google.

Some details made me wonder if the DOJ misused its power in this enforcement action:

* the Rhode Island's US Attorney's post-announcement attack on Larry Page, declaring that he knew of the illegal ad sales. Given the DOJ's subsequent rhetoric, it makes me wonder if the DOJ threatened Page with criminal prosecution. If nothing else, the personal prosecution threat would have a powerful in terroram effect to goad Google to take a deal, warranted or not.

To be clear, the non-prosecution agreement doesn't explicitly protect Larry Page, but I think a personal prosecution is super-unlikely at this point. The agreement might insulate his acts on the company's behalf, and I can't imagine the DOJ will want to spend further prosecution resources after getting such a big score already. So the net effect is that this deal should end the matter.

* the deal was structured as a civil forfeiture. Note the DOJ (or any other federal agency) would have encountered significant problems bringing a civil action against Google over the third party ads. 47 USC 230 would have preempted the action, and with a half-billion dollars at issue, Google surely would have litigated any statutory ambiguities rather than roll over. Therefore, as Peter Henning explains, the government avoided pursuing a doctrinally questionable criminal prosecution and simultaneously bypassed a likely 47 USC 230 immunity of any civil action. Pretty tricky navigation by the DOJ.

* finally, Google disgorged both its revenues AND ITS ADVERTISERS' REVENUES from the illegal ads. I can't think of any comparably sweeping remedy in any other advertising lawsuit (am I forgetting something?). I simply can't believe the DOJ could have gotten a judge to order a similarly expansive disgorgement. Thus, it appears the DOJ asked for way more cash than the law actually allows--and yet a pliable target forked it over.

If Story #2 is true, the deal could be an unholy pact: Google bought the freedom of its CEO for a check that is a pinprick compared to its cash on hand; and the DOJ got a huge taste of Silicon Valley's wealth and publicly blare that justice was served--even if the DOJ vastly exceeded current law to get there.

One more reason that story #2 could be plausible. The DOJ portrays this as a case about illegal pharmaceuticals, but it imprecisely lumps together a variety of factually different situations into that category, including:

* pharmaceuticals that are never legal in the United States
* fraudulent pharmaceuticals, i.e., sugar pills sold as brand X
* counterfeit pharmaceuticals, i.e., bioequivalent pharmaceuticals sold as brand X but made by someone else
* prescription pharmaceuticals that aren't fraudulent or counterfeit but are being sold without a prescription
* prescription pharmaceuticals that aren't fraudulent or counterfeit that being sold with a prescription, just not one recognized by US law

Note that the consumer harm in the last 3 circumstances is unclear. It's possible that some consumers win in each of those cases by getting the desired pharmaceutical at a cheaper cost than US drugs. Such consumer wins don't make the pharmaceutical sales legal; but it raises the question of whether the US government was pursuing the best interests of its citizens

One final point: the DOJ press release describes the illegal pharmaceutical advertisers as "rogue" websites. That's an interesting characterization. It seems to tie into the DHS ICE's domain name seizures and the proposed PROTECT IP Act. At minimum, the DOJ enforcement action reinforces how desperately DC regulators want Internet companies to do more of their policing work. Also, perhaps the deal's template shows how the DOJ thinks it can achieve PROTECT IP irrespective of whether Congress enacts the law.

August 30, 2011

Second Circuit Says No First Sale Doctrine for Works Manufactured Outside the U.S. -- Wiley & Sons v. Kirtsaeng

[Post by Venkat Balasubramani]

Wiley & Sons, Inc. v. Kirtsaeng, 09-4896-cv (2nd Cir. Aug. 15, 2011)

Wiley asserted copyright infringement claims against Kirtsaeng, who imported into the United States and sold "foreign editions" of Wiley textbooks. The books had legends printed on them which indicated that they were "Authorized for sale in Europe, Asia, Africa and the Middle East Only," and any exportation or importation to another region was prohibited. Kirtsaeng, who sold the books to finance his education, reportedly earned a tidy profit (between $900,000 and $1.2 million). The jury found Kirtsaeng liable for willful infringement and imposed $75,000 in damages for eight separate works. The district court judge disallowed Kirtsaeng's first sale defense, and on appeal, the Second Circuit addressed the issue of whether it should have been available to Kirtsaeng.

A section of the Copyright Act (section 602(a)(1)) provides that unauthorized importation is a violation of the copyright owner's exclusive distribution right:

Importation into the United States, without the authority of the owner of copyright under this title, of copies . . . of a work that have been acquired outside the United States is an infringement of the exclusive right to distribute . . . .

Separately, the section codifying the first sale doctrine (section 109(a)) provides that:

the owner of a particular copy . . . lawfully made under this title . . . is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy . . . .

The key question was whether the "lawfully made under this title" language of the first sale section refers to items that were physically made in the United States or whether it encompasses copies that were licensed by a United States copyright holder but manufactured abroad. There's obvious tension between section 602(a)(1) and section 109(a). Allowing importers to take advantage of the first sale doctrine with respect to works manufactured abroad would limit the copyright owner's rights under section 602(a)(1), as the owner would not be able to prevent the importation of copies once sold.

The Ninth Circuit recently took up this conflict, and ruled in Costco v. Omega that the "lawfully made under this title" language in section 109(a) only applied to items that were produced in the United States. The Supreme Court accepted cert. in the Costco case but affirmed without providing any guidance due to a 4-4 split among the Justices (Justice Kagan recused). A prior Supreme Court case dealing with the interplay between section 109 and 602(a)(1) (Quality King Distributors, Inc. v. L'anza Research International, Inc.) held that the first sale defense is available to imported goods, but that case involved goods that were manufactured within the United States, sent abroad, and then imported. The Ninth Circuit held that Quality King did not overrule existing Ninth Circuit precedent which restricted the first sale defense to goods that are "legally made and sold in the United States."

Wiley argued in the Second Circuit that, because the Copyright Act (Chapter 17 of the US Code) did not apply extraterritorrialy, "lawfully made under this title," should mean "lawfully made in the United States." The Second Circuit found that the textual argument was not determinative. Among other things, copyright protection can apply to works published in foreign nations, and elsewhere in the Copyright Act Congress used the phrase "lawfully made under this title" and did not limit it to items that were produced in the United States. Nevertheless the court held that any conflict between sections 109(a) and 602(a)(1) was best reconciled by limiting the first sale doctrine to "works manufactured domestically." According to the court, this was the approach the Court hinted at in Quality King and the approach that best comports with the overall structure of Title 17.

The court also pointed to some drawbacks of the approach suggested by Kirtsaeng. Under his approach, copyright holders could control importation either only where (1) the importer does not legally "own" the copy or (2) where the work is produced in a country where US copyrights are not protected (i.e., by treaty). From the court's perspective, this was untenable, because in order to be able to control importation, copyright owners would have to either not sell their works or would have to produce them in countries "that may not honor their copyright in the first place." Kirtsaeng also argued that US copyright owners could take advantage of the importation bar to circumvent the first sale defense by outsourcing all of their manufacturing to foreign countries and ship them back into the US for domestic sales. While this seemed farfetched to me, the court said this was a policy matter that did not affect its interpretation of the statute.

Judge Murtha dissented, pointing out that in Quality King, the Court noted that the bar on importation without permission "is an infringement of the . . . distribution right." Because the rights of distribution are expressly "'subject to sections 107 through 122,' the copyright owner's power to limit importation is qualified by the first sale doctrine . . . . " He also argued that the overall structure of the Copyright Act and other provisions support Kirtsaeng's position. In other sections of the Copyright Act, Congress expressly referenced the location of manufacture, and if it wanted to limit the first sale doctrine only to works manufactured in the United States, it could have easily done so. He also argued that economic justifications favor Kirstaeng's position. Allowing a copyright owner to freely limit importation would lead to uncertainty in the secondary market. It would also "provide an incentive for U.S. copyright holders to manufacture copies of their work abroad," since works manufactured abroad would in practical terms be entitled to greater copyright protection.
__

Although the policy clearly should favor the re-seller here, I didn't see a clear solution to the statutory conflict, and don't see either side as having a particularly compelling argument. The place of manufacture as a basis for a distinction seems arbitrary to me, particularly when it comes to something like content. I would expect that this may not be the last word, and the Supreme Court may end up weighing in on this case.

My understanding is that the publishing industry has traditionally treated the domestic and foreign markets separately and, as a matter of long-standing practice, has charged different prices for domestic and foreign editions of books. This pricing structure depends on being able to limit the availability of foreign editions in the domestic market. At first glance, this is precisely what section 602(a)(1) facilitates. I don't think this is a practice that should be encouraged, but it's one that publishers have long engaged in and that courts have supported. (See Eric's post on a case from the Southern District of New York, which reaches the same conclusion: "Resale of International Textbooks to US Students Not Protected by First Sale Doctrine--Pearson v. Liu.")

On the other hand, does it make sense to limit the copyright owner's control to new versions of the books? Should the resale market remain free of the copyright owner's control? Wiley's approach ends up allowing for greater copyright protection for works in the foreign markets, which is odd from a copyright standpoint. But will this realistically result in some sort of offshoring push by publishers? I wasn't sold on this argument.

One tweak in the case is that Wiley included a legend in one of the foreign editions which referenced US copyright laws:

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form . . . except as permitted under Section 107 or 108 of the 1976 United States Copyright Act.

As the dissent notes, it's awkward for Wiley to be able to rely on rights under the Copyright Act but for Kirtsaeng to be deprived of the protections afforded by the same act. Interestingly, the majority references this legend in a footnote states that they "are . . . somewhat puzzled as to why Title 17 is invoked." I wasn't sure if this referred to Wiley invoking Title 17 in the legend, or Wiley bringing an infringement claim under Title 17 rather than some other cause of action. (An interesting sidenote: Kirtsaeng was located in the US and sold the books via eBay; what result if he had been located off-shore and sold to US consumers via eBay?)

As books, including textbooks, migrate to devices and are sold or licensed in digital form, the focus of this battle will shift away from first sale to DRM. Although it's early to tell, my impression is that thus far, content owners are winning that battle.

[An interesting footnote to the case is that Kirtsaeng consulted, among other sources, "Google Answers" in order to determine the legality of his practice. It's unclear what answer he was provided, but he either didn't get the right answer, or got the right answer and disregarded it.]

Other coverage:

Poking More Holes in the First Sale Doctrine (EFF)
Legally Bought Some Books Abroad? Sell Them In The US And You Could Owe $150k Per Book For Infringement (Techdirt)

Previous related posts:

Software Vendor Trumps First Sale Doctrine via License--Vernor v. Autodesk
UMG Can't Enforce "Not for Sale" Restrictions on Promo CDs -- UMG v. Augusto
Supreme Indecision: Costco v. Omega Gums up the (Watch)Works

Posted by Venkat at 04:39 PM | Copyright , E-Commerce

August 15, 2011

Missouri Federal Court Says LegalZoom Could be Engaged in the Unauthorized Practice of Law -- Janson v. LegalZoom

[Post by Venkat Balasubramani]

Janson v. LegalZoom, Inc., 2:10-CV-04018-NKL (W.D. Mo. Aug. 2, 2011)

Background: LegalZoom offers "blank legal forms that customers may download." In addition, LegalZoom makes available an internet portal. Here's how LegalZoom describes this aspect of its services in an advertisement:

Over a million people have discovered how easy it is to use LegalZoom for important legal documents, and LegalZoom will help you incorporate your business, file a patent, make a will and more. You can complete our online questions in minutes. Then we'll prepare your legal documents and deliver them directly to you.

Another advertisement states that after answering a "few simple online questions . . . you get a quality legal document filed for you by real helpful people."

Through its portal, LegalZoom makes available various documents, including entity formation documents, estate planning documents, pet protection agreements, and copyright, trademark, and patent applications. Customers pick what type of document they wish to have prepared and answer various questions via a "branching intake mechanism." The questionnaire process is "fully automated," although LegalZoom sometimes provides recommended selections based on how a majority of previous customers answered a particular question. After customers complete the questionnaire, a (human) LegalZoom employee reviews the data for errors or inconsistencies. After the data file is approved, LegalZoom's software creates a document based on the customer's input. A (human) LegalZoom employee then reviews the document again and fixes any formatting problems. The completed document is then mailed (and in some cases emailed) to the customer where the customer can choose to execute the document or take it to a real live lawyer and have him or her advise as to next steps. (This is the process the court describes for agreements, wills, and similar documents. The process for filings varies.)

Plaintiffs sued, asserting that LegalZoom was engaged in the unauthorized practice of law. Plaintiffs also asserted claims for "money had and received" and the Missouri Merchandising Practices Act. Plaintiffs never had any personal interactions with LegalZoom employees; nor did they believe that they were "receiving legal advice while using the LegalZoom website."

Discussion: The court starts with a review of Missouri precedent interpreting Missouri's unauthorized practice statute. Although the statute contains definitions for the "practice of law" and "law business," the court notes that it's ultimately up to the judiciary--which is the "sole arbiter of what constitutes the practice of law"--and not the legislature to determine what crosses the line.

The two main Missouri cases on the unauthorized practice issue were Hulse v. Criger and In re Thompson. Hulse involved a real estate business which prepared legal documents as an "ancillary" service to Hulse's business as a realtor. The Missouri Supreme Court said the preparation of legal documents did not violate unauthorized practice rules, as long as the document preparation services were ancillary to the main business and no separate fees were charged for preparing documents. In Thompson, the court said that the sale of "do-it-yourself divorce kits" was fine, as long as no "personal advice as to the legal remedies or the consequences flowing therefrom" is given.

The court concludes that LegalZoom's sale of blank forms is not the problem. The court finds problematic fact that LegalZoom prepares a document in accordance with a customer's preferences, and conveys the impression that LegalZoom does something more than allowing the customer to pick and choose among various clauses:

LegalZoom's internet portal offers consumers not a piece of self-help merchandise, but a legal document service which goes well beyond the role of notary or public stenographer. The purchaser [in Thompson] understood that it was their responsibility to get it right. In contrast, LegalZoom says 'Just answer a few simple online questions and LegalZoom takes over. You get a quality legal document filed for you by real helpful people.'

Interestingly, the court finds that even LegalZoom's decision tree questionnaire, which allows the customer to craft his or her own document, may be problematic:

LegalZoom's branching computer program is created by a LegalZoom employee using Missouri law. It is that human input that creates the legal document. A computer sitting at a desk in California cannot prepare a legal document without a human programming it to fill in the document using legal principles derived from Missouri law that are selected for the customer based on the information provided by the customer. There is little or no difference between this and a lawyer in Missouri asking a client a series of questions and then preparing a legal document based on the answers provided and applicable Missouri law....

The Missouri Supreme Court cases which specifically address the issue of document preparation . . . make it clear that this is the unauthorized practice of law. The fact that the customer communicates via computer rather than face to face of that the document is prepared using a computer program rather than a pen and paper does not change the essence of this transaction.

The court rejects LegalZoom's request for summary judgment and says that there is a factual question as to the role played by LegalZoom in the transaction. LegalZoom also raises First Amendment and Due Process arguments but the court rejects these as well.

___

The court's conclusion that LegalZoom's software service may constitute the unauthorized practice was interesting. Is there a key difference between what LegalZoom does and "document assembly" services? The court says that offering "blank forms" is clearly OK, but what if someone offered blank forms that could be customized by the client? What if, along with a blank set of forms, someone offered a database and a FAQ that allowed customers to weigh the benefits of various contractual provisions and select the ones that the customer felt was most appropriate for his or her situation? Should it really matter that LegalZoom made this easier by taking in the customer's input through a decision tree and then spitting out a legal document? The line between offering a large variety of forms and offering a customized document where the customer gives input to determine clauses seems awfully thin.

One of the potential problems for LegalZoom is that its advertisements (cited by the court) did not square with its service. At its core, LegalZoom seems like a turn-key document generation service, but its advertisements do not embrace the image of the self-reliant non-lawyer drafter of legal documents. LegalZoom says that "it" will take care of preparing your legal documents, and as a bonus, LegalZoom's team of "real helpful people" will be available to assist. It was entirely predictable that LegalZoom's marketing wanted to put out the image of LegalZoom "taking care of everything" for the customer and, to the extent LegalZoom's marketing and legal departments had any sort of a battle over this issue, the marketing department apparently won out. (It is really a selling point that you are entrusting your legal document to a software application?) Not that it would have necessarily helped, but I'm surprised also that LegalZoom did not have its customers agree to any sort of disclaimers.

Eric pointed out via email that this factual scenario is hardly new. Unauthorized Practice of law Committee v. Parsons Technology, Inc. was a dispute (in 1999!) over whether "Quicken Family Lawyer" violated the unauthorized practice rules in Texas. Like LegalZoom's service, QFL also asked "a series of questions relevant to filling in the [relevant] legal form" and generated a document. As described by the court:

[Plaintiff] alleges that QFL acts as a 'high tech lawyer by interacting with its 'client' while preparing legal instruments, giving legal advice, and suggesting legal instruments that should be employed by the user.' In other words, QFL is a 'cyber-lawyer.'

The court there had no trouble concluding that the QFL service violated the unauthorized practice rules, so the result in the LegalZoom case is hardly unprecedented.

A few other oddities about this case. The court says that it's solely the province of the courts (and the Missouri Supreme Court) to determine what constitutes the unauthorized practice, but it looks like the decision may end up falling to a jury rather than the court. To the extent there is a mechanism available to it, I'm surprised the court did not just certify the question to the Missouri Supreme Court. I also wondered about the availability of a Section 230 defense for LegalZoom. Its advertisements and human intervention likely make for a Section 230 argument difficult to make. Even removing these two elements, to the extent the defense was available, the case looks like it would make for a fun application of the Ninth Circuit's Roommates decision.

Finally, the court mentions the fact that the plaintiffs in question "never believed that they were receiving legal advice while using the LegalZoom website," and did not have any contacts with LegalZoom employees. While the court's overall conclusion on the unauthorized practice issue is certainly defensible (in light of the statute and case law), the court does not reconcile its decision with these bad facts with respect to the two named plaintiffs, or any procedural class action issues that this raises.

This may seem like a snarky afterthought, but I'm surprised LegalZoom didn't clear these issues with local jurisdictions in advance. They may end up winning (either at this stage or the next) but I wondered what this ruling does for public confidence in their services.

Additional coverage:
Order in LegalZoom Case (Richard Zorza's Access to Justice Blog)
Is Legal Software Conduct? True or False? (eLawyering Blog)
Class Action Claims Online Legal Forms Pose Threat To Consumers (WSJ)

Posted by Venkat at 09:11 AM | E-Commerce

August 12, 2011

The 9th Circuit Tackles a Pair of Internet Jurisdiction Cases

[Post by Venkat Balasubramani]

I'm inclined to agree with Eric that internet personal jurisdiction cases are not the most exciting. The resolution of a question over whether personal jurisdiction is proper often has more to do with whether the court likes your case or finds it interesting than with whether the non-resident defendant satisfied the "Zippo's sliding scale" or some other test. It ends up being a crapshoot much of the time, albeit one that's informed by the court's view of the equities.

The Ninth Circuit issued two new decisions dealing with personal jurisdiction online. Both applied the Supreme Court's recent decision in J McIntyre Machinery, Ltd. v. Nicastro [pdf]. How did that precedent change things? As best as I can tell, it didn't--personal jurisdiction cases continue to be as erratic as always.

Mavrix Photo v. Brand Technologies [pdf]:

Mavrix is a Florida-based photo agency that licenses celebrity photos. It has a California presence. It maintains an office in Los Angeles, employs LA-based photographers, and has a registered agent in California. Brand is an Ohio corporation which runs celebrity-gossip.net. The court notes that celebrity-gossip.net is ranked number 3,622 out of approximately 180 million websites (per Alexa) and receives "more than 12 million unique visitors and 70 million U.S. page views per month."

In 2008, one of Mavrix's photographers shot photos of Josh Duhamel and Stacy Ferguson ("better known by her stage name 'Fergie' . . . [whose group] has sole some 56 million records in the last decade and has won Grammy awards for such hit singles as 'I Gotta Felling' an 'My Humps.'"). Brand allegedly reposted the photos to Brand's website, and Mavrix sued for copyright infringement. The district court dismissed, finding that personal jurisdiction was not proper. The Ninth Circuit reverses.

The court finds that Brand "continuously and deliberately" exploited the California market, but the facts it points to are somewhat curious. Brand's site has third party advertisers and these "third-party advertisers on Brand's website had advertisements directed to Californians." The court relies on this to conclude that Brand "knows--either actually or constructively--about its California user base, and . . . it exploits that base for commercial gain." At the same time, the court also notes that there was nothing in the record to show that "Brand marketed its website in California local media."

The court does not point to any facts that Brand itself targeted Brand's website to California residents. Third party advertisers may have done so, but obviously advertisers will be interested in targeting locally and offering local products or services. Typically, personal jurisdiction cannot be exercised absent a showing that there is some sort of targeting on the part of the non-resident defendant. In tort or infringement cases, courts tend to imply purposeful direction where the non-resident takes acts which the defendant knows or reasonably should know will be felt in the forum state. Causing harm to a celebrity who is a California resident is the classic example of this (this was the result in Calder v. Jones, which employed the "effects test" to find jurisdiction). That wasn't the case here. Although Mavrix's business revolved around celebrity culture, it was a Florida corporation.

Ultimately, the Ninth Circuit relies on the online version of the stream of commerce analysis, under which an online publisher or infringer who has substantial traffic from all fifty states can be sued anywhere (in any state):

where, as here, a website with national viewership and scope appeals to, and profits from, an audience in a particular state, the site's operators can be said to have 'expressly aimed' at that state.

But I thought this is exactly the opposite of what the Court said in J. McIntyre, where the Court found the stream of commerce approach--which looked to the forseeability of the product ending up in a forum state as a basis for personal jurisdiction--problematic:

The owner of a small Florida farm might sell crops to a large nearby distributor, for example, who might then distribute them to grocers across the country. If foreseeability were the controlling criterion, the farmer could be sued in Alaska or any number of other States’ courts without ever leaving town.

McIntyre resulted in a fractured opinion with no clear majority. Mavrix takes the approach that any highly trafficked website whose advertisers engage in local targeting can be sued pretty much anywhere. It's almost as if the Ninth Circuit is sending out a flare to the Supreme Court, asking for this case to be taken up.

[Eric's brief note: this reminds me a little of the old LICRA v. Yahoo battle from over a decade ago, where the fact that Yahoo (as an ad network) targeted ads to French users supported French jurisdiction. That was a bad decision even then. But at least in that case, Yahoo built and ran the geo-targeting technology. Here, the court doesn't close the loop to establish that Brand cultivated advertisers seeking to target CA residents or otherwise affirmatively try to connect its CA readers with advertisers. Bad ruling.]

CollegeSource v. AcademyOne [pdf]:

This is a crazy, long, drawn out dispute over . . . wait for it, digitized versions of college course catalogs. CollegeSource has digitized a significant volume of catalogs and is the established player in the space. AcademyOne comes along and asks about licensing CollegeSource's catalogs but CollegeSource declines. AcademyOne then hires a foreign contractor to collect catalogs from the internet. Somehow AcademyOne ends up with a slew of CollegeSource catalogs. Although it's not totally clear, it looks like AcademyOne's contractor accessed catalogs from the websites of colleges and universities, but in many instances, the institutions simply linked to the files as they resided on CollegeSource's server. Thus, AcademyOne appears to have obtained several course catalogs which were digitized by CollegeSource and which contained CollegeSource's watermark.

CollegeSource sued, alleging Computer Fraud and Abuse Act and terms of use (breach of contract) violations. (Here's a post on the Pennsylvania edition of the dispute between the parties: "College Course Description Aggregator Loses First Round in Fight Against Competitor in Scraping Case.")

The district court granted AcademyOne's motion to dismiss for lack of personal jurisdiction, and the Ninth Circuit reverses. The court says that general jurisdiction is not proper because AcademyOne is a Pennsylvania corporation that does not have any sort of a significant presence in California. However, the court says that specific jurisdiction is proper. Why? Because AcademyOne knew that it was taking acts which would harm a California company when it downloaded course catalogs owned by CollegeSource. AcademyOne approached CollegeSource about a potential licensing relationship and most likely learned that CollegeSource is a California company in this process. AcademyOne (or its contractor) also saw the CollegeSource watermark when they downloaded the course catalogs. Finally, AcademyOne, as the entrant in a very small competitive space would undoubtedly be aware of CollegeSource. The court finds these facts, along with the fact that some of AcademyOne's employees registered to try out CollegeSource on a trial basis (and would have presumably learned of CollegeSource's location this way), sufficient to establish personal jurisdiction over AcademyOne.

It's unclear as to whether the actions of AcademyOne's contractor will be attributed to AcademyOne for all purposes or just for jurisdictional purposes. It looks like the parties will have to duke out the issue of derivative liability under the Computer Fraud and Abuse Act and California's anti-hacking statute in the next chapter of this litigation. This particular chapter ends with a win for CollegeSource.

I'm trying to make some sense of the two opinions (you almost wish the court would have compared the two opinions since they were issued together and both authored by Judge Fletcher).

In both cases the court rejected general jurisdiction, finding that the "exacting" standard for establishing general jurisdiction had not been satisfied. In the CollegeSource case, the court noted that AcademyOne advertised to California-specific AdWords, but this did not move the needle for purposes of general jurisdiction. Interestingly, in CollegeSource the court did not rely on targeting to find specific jurisdiction proper. The court instead relied on AcademyOne's awareness (or imputed awareness) of where CollegeSource was located. These types of facts were almost non-existent in Mavrix--there was nothing to show that Brand knew in advance where Mavrix was located. This wouldn't have mattered anyway because Mavrix was headquartered in Florida, not California. It looks like Mavrix takes a "general jurisdiction for infringing content" approach to jurisdiction. If your content or website infringe and you have enough traffic and locally target, you can be sued in any state, even one where the plaintiff does not reside. A somewhat scary result for larger publishers and websites.

Oddly, in Mavrix, the court notes that things have changed since the advent of Zippo's "sliding scale" approach--the court rejects Mavrix's attempt to argue that Brand is subject to general jurisdiction because it had a highly interactive website:

Many of the features on which Mavrix relies to show Zippo interactivity--commenting, receiving email newsletters, voting in polls, uploading user-generated content--are standard attributes of many websites. Such features require a minimal amount of engineering expense and effort on the part of the site's owner and do not signal a non-resident defendant's intent to 'sit down and make itself at home' in the forum by cultivating deep, persistent ties with forum residents. To permit the exercise of general jurisdiction based on the accessibility in the forum of a non-resident interactive website would expose most large media entities to nationwide general jurisdiction. That result would be inconsistent with the constitutional requirement that 'the continuous corporate operations with a state' be 'so substantial and of such a nature as to justify suit against the nonresident defendant on causes of action arising from dealings entirely distinct from those activities.'

While the Ninth Circuit cautions against a test for general jurisdiction which would cast an overly broad net in terms of personal jurisdiction over non-resident defendants, that seems to be the precise result of the court's specific jurisdiction analysis.

Posted by Venkat at 01:03 PM | E-Commerce

August 09, 2011

Zynga Wins Arbitration Ruling on "Special Offer" Class Claims Based on Concepcion -- Swift v. Zynga

[Post by Venkat Balasubramani with comments from Eric]

Swift v. Zynga, 2011 WL 3419499 (N.D. Cal.; August 4, 2011)

The US Supreme Court decided AT&T Mobility v. Concepcion earlier this year, and a question left open in that decision is how the Federal Arbitration Act's preemption of state laws which disfavor arbitration clauses would play out in the online context. Most people thought that this decision would allow internet companies to push consumer claims into arbitration through provisions in relevant terms of use agreements, and a recent ruling involving Zynga seems to confirm this.

Background: Swift alleged that she accepted "special offers" while playing Zynga's Facebook apps. She argued that the special offers were misleading, and sued Zynga as well as two of its advertising partners. The lawsuit was originally filed in late 2009 and amended in February 2010. Following the Supreme Court's decision in Concepcion, Zynga moved to compel arbitration and to stay the litigation in light of the Supreme Court's ruling.

Plaintiff received the allegedly misleading offers through Zynga's "YoVille" app, which during the relevant time period contained the following arbitration provision:

You agree that any suit . . . arising out of or relating to these Terms of Use or any of the transactions contemplated herein or related to the Service or any contests or services thereon . . . shall be resolved solely by binding arbitration before a sole arbitrator under the rules and regulations of the American Arbitration Association ("AAA"); provided, however that notwithstanding the parties' decision to resolve any and all disputes arising under these Terms of use through arbitration, Zynga may bring an action in any court of applicable jurisdiction to protect its intellectual property rights or to seek to obtain injunctive relief or other equitable [sic] from a court to enforce the provisions of these Terms of Use or to enforce the decision of the arbitrator. The arbitration will be held in San Francisco.

This agreement was silent as to whether the claims could be aggregated. The terms were presented to Swift when she first decided to start playing the game via a link under a button titled "allow access," which provided notice that the application would access Swift's Facebook profile information. Under the "allow access" button, the app presented the following text:

By proceeding, you are allowing YoVille to access your information and you are agreeing to the Facebook' terms of service in your use of YoVille. By using YoVille, you also agree to the YoVille Terms of Service.

In August 2009 Zynga implemented a "Universal TOS," which contained terms that were different from the YoVille Terms of Service. As relevant to the present dispute, these terms required arbitration on an individual basis, and excluded disputes relating to "theft, piracy, invasion of privacy" from their scope. [I'm not sure what Zynga's rationale is for excluding privacy-related claims from the arbitration clause, but this could end up being relevant to the growing number of privacy lawsuits against Zynga.]

Discussion:

Was there a binding agreement requiring arbitration? Swift argued that she did not assent to the YoVille terms because the terms were not presented in a leakproof manner--i.e., she could access the application without affirmatively representing that she agreed to the terms. Swift relied on Specht v. Netscape and Hines v. Overstock for the proposition that "submerged" terms cannot be enforced by an online merchant. The court disagreed and held that Specht and Hines were distinguishable. In both cases, the consumer would have to hunt around to find the terms, whereas in this case, the terms were presented right underneath the button which allowed Swift to access the application. The court pointed to the fact that Swift did not affirmatively put forth any evidence that she did not read or agree to the terms. The court also pointed to Register v. Verio, where the Second Circuit enforced the online terms and rejected Specht's implication that an "I agree" button was a prerequisite to enforcing online terms.

Did plaintiff's claims fall within the arbitration clause? Swift argued that since claims involving "theft" were excluded from the arbitration clause, her claims were not subject to arbitration. The court doesn't treat this argument very seriously, noting that the "complaint against Zynga cannot reasonably be construed as including a claim for "theft," and therefore the complaint is not expressly exempted from the arbitration clause."

Did Zynga waive the right to arbitrate its claims? Swift also argued that Zynga waived the right to arbitrate its claims, by never raising the issue of arbitration and litigating the case for over a year and a half before raising the issue of arbitration. She also pointed to a clause in the universal terms which said that if the bar on class arbitrations is found to be unenforceable, then the dispute will be litigated. She brought up a variety of arguments in support of this claim (e.g., Zynga acted inconsistently with its right to compel arbitration; she will be prejudiced) but the court rejects all of these arguments. Because Zynga could not have compelled arbitration pre-Concepcion, and since no court found the arbitration clause unenforceable--thus requiring the parties to proceed in court--nothing stops Zynga from seeking to compel arbitration based on Concepcion. In the court's view, because:

Zynga acted promptly following the change in the law by ceasing litigation activity and moving to compel . . . it acted consistently with its rights.

Are the Universal Terms unenforceable because they are unconscionable? Plaintiff raised an unconscionability argument but seems to have pursued it in a lackluster manner. The court notes that "Plaintiff presented no evidence that might support [its procedural unconscionability argument]."

How about the third parties? The non-Zynga defendants tried to latch on to Zynga's request to compel arbitration but they were not so lucky. They argued that the definition of "Zynga Parties" in the limitation of liability section of the terms was broad, and thus they should be able to invoke the arbitration clause. However, the arbitration clause did not mention "Zynga parties," and the court concludes that the two sections have to be read separately. They also argued that as "agents" they should be entitled to enforce the arbitration clause, but the court sides with the plaintiff on this issue, noting that although initially plaintiff labeled these defendants as "agents" after conducting some discovery, she called them independent contractors. Finally, these defendants argued that they were third party beneficiaries. Citing to Balsam v. Tucows, the court rejects this argument as well.

The End Result: After concluding that Zynga is entitled to invoke the arbitration clause and the other defendants are not, the court nevertheless stays the lawsuit as to the non-Zynga defendants and orders the claims with respect to Zynga to be arbitrated. In response to the ruling, Swift decided to dismiss her claims with Zynga with prejudice so she could proceed against the non-Zynga defendants in court. This means Zynga is off the hook.
___

To come back to the initial question, as a result of Concepcion, a lot of online disputes--particularly class actions--are going to end up in arbitration instead of the courts. Even if a dispute has been pending for awhile, a defendant who has the option available is going to push for arbitration. This makes me wonder whether online terms typically contain arbitration clauses which bar class claims or whether companies and their lawyers shied away from those terms in response to decisions which struck down arbitration clauses which barred class claims? Including a class action bar runs the risk of the entire agreement being invalidated, so you certainly can't fault a company for not including this provision in online terms. Going forward, I wonder if online terms will become even more one-sided--since companies have greater assurances that arbitration clauses will be enforced, will this cause them to load up agreements with more onerous terms?

The argument over whether there was a meeting of the minds as to the online terms was interesting, but Zynga's placement of the terms (in a location where plaintiff could not credibly claim she did not read them before she clicked "allow access") made the "I didn't read the terms of use" argument difficult to make. Nevertheless, I still like the idea of having a box that users check that says "by checking this box, I am saying that I have read and agree to the terms." There's a minor distinction between a user clicking "allow access" or installing the application and actually having to check a box saying he or she read and agreed to the terms. I like the insurance that the latter approach provides, but as this decision indicates, it's not essential. Also, from the decision, it seemed that Swift did not access the app from her mobile device, but if she did, I wondered how this would affect the court's analysis of whether she had imputed knowledge of and agreement to the terms.

Second, there is virtually no discussion in the order of how Zynga amended its terms to substitute the "Universal Terms" for the "YoVille Terms" which Swift initially agreed to. The court summarily notes that the initial terms contained provisions to the effect that Zynga "had the right to change the terms at any time" and "use after notice of [a] change in terms constitutes acceptance of the changes." The court surprisingly does not delve into the issue of what notice Zynga attempted to provide Swift (if any) or any of the other circumstances behind the revisions of the terms (or the substitution of the Universal Terms for the YoVille Terms). As mentioned in this post about Roling v. E-Trade Securities, it's pretty risky to include a provision in the agreement that says "we can amend this agreement any time and the revised version is effective after posting." In this day and age, particularly where there may be some ability to message the end user or post messages that the end user will have a tough time arguing they did not read or see, there is no reason to play with fire with respect to this issue. I don't know why companies continue to do it. (The agreement did say that it's effective after "posting" which is better than nothing.)

Given the Court's decision in Concepcion that laws which disfavor arbitration conflict with the Federal Arbitration Act, I wonder if the focus of disputes around the arbitrability of online terms will shift from substantive to procedural? Swift did not appear to make much of an argument as to procedural unconscionability, so it's unclear how much traction this type of argument will get in other cases. Cases poking holes in forum selection and arbitration clauses have focused on both. (See, e.g., Bragg v. Linden Research, Inc., 487 F. Supp. 2d 593 (E.D. Pa. 2007).) Concepcion just speaks to arbitration clauses so there's still some room for consumer plaintiffs to argue unconscionability if they are presented with an extreme set of terms (e.g., terms that are on-sided as to forum, costs, disclaimers). It will be interesting to see how courts resolve these arguments and whether consumer plaintiffs are able to use these as an end run around Concepcion. I think this is an important unresolved question at this point, and would caution against loading up online terms with overly one-sided provisions in response to Concepcion.

Zynga has to be happy about this ruling. As a result of invoking the arbitration clause, it got the plaintiff to dismiss her claims with prejudice against Zynga.

Eric's Comments

As this case illustrates, the Supreme Court's Concepcion decision could be a potential game-changer for online user agreements. Even so, I believe that today's best practices are:

1) A mandatory non-leaky clickthrough formation procedure.
2) Mandatory venue in vendor's home court with an arbitration option. See the discussion in Evans v. Linden.
3) No use of arbitration as a waiver of class action rights. Concepcion suggests that more aggressive arbitration clauses, including those that preclude consolidated arbitration, might work. This would be terrific news for vendors if true, but I'll believe it when I see more rulings than this one, especially given that this court basically punted on unconscionability. There are strong public policy norms working against an arbitration clause or other contract provision that prevents class formation.
4) Contract amendments take effect only when users are actually given notice of the amendment. See the Ninth Circuit's Douglas case for the minimum steps required. An opt-in is legally stronger but has a number of procedural problems.
5) Irrespective of the contract language, users are in fact given actual notice of any amendments.

Zynga may have cut corners on some of these fronts but got a favorable bounce in court. Kudos to them and their lawyers. Still, based on the precedents, I wouldn't anticipate the next defendant with identical facts will be so fortunate. Because of the low odds of a repeat victory, I don't recommend any changes to the best practices based on this opinion.

This opinion deals with contract formation for Facebook apps, and its reasoning could extend to Facebook Connect as well (which has a different UI, I believe). (I vaguely recall a prior case on contract formation via Facebook Connect before but now I can't remember it--any help?) The opinion provides some reason for optimism about contract formation procedures by the many apps/websites who rely on Facebook's existing user registrations instead of creating direct user account registrations. In this case, notice that the dialog box apparently treated an "allow" as "yes" to four different issues--if the user wanted to proceed, if the user wanted Facebook to transfer its info to YoVille, if the user agreed to the applicability of Facebook's TOS, and if the user agreed to the YoVille user agreement. That's a lot of work from one dialog box acting as an interstitial to the user's destination. This court gives the participating app effectively a free pass, saying:

Zynga persuasively counters that the dialogue box in question is Facebook’s standard dialogue box presented to users wishing to access any number of Facebook applications, and Zynga followed the norm for Facebook applications and was not attempting to hide its terms of service.

(An aside: I've always been troubled by Facebook Connect because participating websites put Facebook in total control of their user relationships. Should Facebook's winds shift capriciously, Facebook could easily lock out the participating website's entire registered userbase. After-the-fact antitrust claims won't resuscitate the dead businesses. Websites, listen carefully: if you put all of your registered user eggs in the Facebook Connect basket, you may get a jumpstart on your registered users but don't expect my sympathy if all the eggs break.)

An unfortunate collateral consequence of this ruling and the resulting Zynga dismissal: with Zynga out of the case, we may not get any further clarification to fix the troubling Swift v. Zynga ruling on 47 USC 230. AdKnowledge (which the opinion repeatedly spell-check corrected into "Acknowledge"--whoops) is still a defendant in this case, so perhaps they will push 47 USC 230 further. Otherwise, we'll just cross our fingers that the prior 230 ruling is an aberration that most other judges will smartly ignore or distinguish.

Posted by Venkat at 09:07 AM | E-Commerce , Licensing/Contracts

July 09, 2011

"App Store" Isn't Generic, But Apple Can't Enforce Its Purported Trademark in the Term--Apple v. Amazon

By Eric Goldman

Apple, Inc. v. Amazon.com Inc., 2011 WL 2638191 (N.D. Cal. July 6, 2011)

Apple's enforcement campaign over the term "App Store" is ridiculous. Apple is trying to prop up a farcically weak trademark claim--and to what end? To prevent its competitors from using the only logical term to describe their venue? Apple's efforts to control the term seem to be anti-consumer because Apple wants to make consumers think harder to figure out the relationships between various vendors. I'm glad Microsoft and Amazon are fighting Apple's overzealousness.

The judge apparently didn't think much of this dispute either, because she almost certainly had a law clerk do the heavy lifting on this opinion. The opinion doesn't start its analysis until page 11 (of 18); the prior material being an uninsightful summary of the parties' contentions. I can read the contentions in the parties' briefs if I really care, thank you very much.

When the opinion actually starts cooking, it breezily dismisses Amazon's claim that "app store" is generic:

The court does not agree with Amazon that the mark is purely generic, for the reasons argued by Apple

Okay...

The opinion next concludes that Amazon didn't create a likelihood of consumer confusion by offering an "appstore." The LOCC factors:

* "App Store" isn't a strong mark.
* even though the parties' services are related (both are app stores using that term in the proper generic sense), Amazon's apps only run on Android, not iPhones.
* the terms are identical in sight/sound/meaning, but the opinion again notes the Android/iPhone divide.
* no evidence of actual confusion.
* the point on marketing channels was incoherent and irresolute.
* the parties' arguments on purchaser care were too speculative.
* the intent factor favors Amazon because it believes the term is generic.
* the product line expansion point was also irresolute. The court says Amazon would like to offer iPhone apps but needs Apple's permission to do so.

Here's how the court summarizes the LOCC analysis:

Thus, two of the eight factors somewhat favor Apple, and three factors somewhat favor Amazon. The remaining three factors are neutral, or do not clearly favor either side. Accordingly, under this analysis, the court finds that Apple has not established that it is likely to prevail on the “confusion” element of its infringement claim.

This is what happens when you use the LOCC test to adjudicate a generic term. The LOCC test isn't insightful in that case, and some of the factors will weigh in favor of the plaintiff because the defendant is just trying to use the dictionary term for its dictionary meaning. Microsoft is still fighting Apple's trademark registration application in the TTAB, and I'm hoping the TTAB's expertise with trademarks will help it do what this judge seemed afraid to do: call the term generic.

The opinion allocates another 5 pages to a dilution analysis, although most of those pages are also a recap of the parties' contentions. The court's complete analysis of dilution issue:

The court finds that Apple has not established a likelihood of success on its dilution claim. First, Apple has not established that its “App Store” mark is famous, in the sense of being “prominent” and “renowned.” The evidence does show that Apple has spent a great deal of money on advertising and publicity, and has sold/provided/furnished a large number of apps from its AppStore, and the evidence also reflects actual recognition of the “App Store” mark. However, there is also evidence that the term “app store” is used by other companies as a descriptive term for a place to obtain software applications for mobile devices.

With regard to the statutory “blurring” factors, the marks are similar, but “App Store” is more descriptive than it is distinctive. Apple did have substantially exclusive use of “App Store” when it launched its service a little over three years ago, but the term appears to have been used more widely by other companies as time has passed. The mark does appear to enjoy widespread recognition, but it is not clear from the evidence whether it is recognition as a trademark or recognition as a descriptive term. Moreover, there is no evidence that Amazon intended to create an association between its Android apps and Apple’s apps, and there is no evidence of actual association.

With regard to tarnishment, there is no evidence to support a likelihood of success on this part of the claim. Apple speculates that Amazon's App Store will allow inappropriate content, viruses, or malware to enter the market, but it is not clear how that will harm Apple's reputation, since Amazon does not offer apps for Apple devices.

This discussion is so garbled, I'm not even sure where to begin. Let's drill down on the blurring discussion. In the LOCC analysis, the court assumed without deciding that "App Store" had achieved secondary meaning. Here, the court apparently undercuts that assumption by implying (saying?) that the mark isn't "distinctive"--in other words, lacking secondary meaning.

If the court intended to conclude that App Store had secondary meaning, then stacking up new definitions for the term is exactly what blurring is supposed to prevent, so the court should allow Apple to shut down Amazon and all of the other parties who are adding those new definitions. Or, if the court is saying that the term was once "distinctive" but now isn't, that's genericide. I don't know of a way for a descriptive term to obtain secondary meaning and then lose it without that term becoming generic for trademark purposes.

We all know what really happened--the term was generic from the moment Apple started using it, and the term has been proliferating through the English language as new useful dictionary terms tend to do. The court's timidness in reaching that conclusion forces it to contort the rest of its doctrinal analysis.

Despite the doctrinal mush, one thing seems pretty clear to me. Apple may have delayed the genericide death of its App Store trademark claim, but I don't see any situations where Apple can enforce its mark currently. I read this opinion as saying that so long as the term isn't being used in connection with a store for iPhone apps, there won't be any consumer confusion or dilution. But my understanding is that Apple isn't letting other stores offer iPhone apps, so the defendant pool should be a nullset. So whether it's because of genericism or the impossibility of consumer confusion, this opinion signals to Apple that it's wasting everyone's time and money trying to protect the App Store term.

Posted by Eric at 12:47 PM | E-Commerce , Trademark | TrackBack

July 04, 2011

June 2011 Quick Links, Part 2

By Eric Goldman

Social Media

* The Third Circuit issued its en banc rulings in Layshock v. Hermitage School District and J.S. v. Blue Mountain School District, both involving school discipline against kids who created fake MySpace profiles of school administrators. Prior blog post on both cases. The good news is that the kids won in both cases; the courts held that the administrators overreacted. However, the decisions don't resolve any of the fundamental issues about the legitimacy of school discipline for kids discussing school-related issues online.

* Too Much Media, LLC v. Hale, 2011 WL 2305620 (N.J. June 7, 2011). A blog commenter doesn’t qualify for the NJ reporter shield law.

* Dr. T.S. v. Plain Dealer, No. 96201 (Ohio App. Ct. June 16, 2011). Uploading a 20 year old version of a newspaper doesn’t reset the single publication rule, even if the article becomes newly indexable in Google.

*Back in September 2010, Xcentric v. Bird settled in a no money deal. The settlement agreement. Ripoff Report's appended response to the original blog post. Prior blog post.

* Scott P. v. Craigslist dismissed. It appears Scott P. gave up against Craigslist. Prior blog post.

* News.com: Is the FTC going after Twitter...again?

* Another PR agency loses a client account over an ill-advised tweet.

* NY Times tries to deconstruct the Twitter hashtag convention.

* Art of Living Foundation v. Does, 2011 WL 2441898 (N.D. Cal. June 15, 2011). Griping bloggers about Ravi Shankar and his organization avoid defamation and trade secret liability for now.

* Jakobot v. American Airlines, 2011 U.S. Dist. LEXIS 64824 (S.D. Fla. June 20, 2011). In a battle over whether the plaintiff lives in Florida or Texas, the court says: “The internet is often filled with old, out-of-date, unsubstantiated, self-aggrandizing and misleading information. It is not enough to submit a selective chunk of Plaintiff's 'Google footprint' and note every time that a tie to Florida appears -- Defendant must do more to connect the dots.”

* State v. Hanson, 2011 WL 2301801(Minn. App. June 13, 2011). Statutory rape conviction reversed based on a mistake of age defense when the victim misreported her age to MySpace. Prior blog post.

* The Duluth doctor is appealing his defamation lawsuit loss against a patient's family member who criticized him online.

* Marin IJ: "A Greenbrae cosmetic surgeon who filed a defamation suit against an online reviewer was ordered to pay nearly $20,000 in attorney's fees after a judge dismissed the case."

* IT World: Is Facebook really 'hated' more than Bank of America?

* Job opening: Executive Director, Public Participation Project, to work towards a federal anti-SLAPP law. Spread the word!

Google

* Reuters on how the FTC's investigation of Google could chill innovation regardless of its outcome. Google's blog post about the investigation.

* In June, I participated in a TechFreedom panel on search engine bias on Capitol Hill. Declan McCullagh moderated. His writeup: "On Capitol Hill, it's all about beating down Google". The video.

* News.com: Google's Enemies: a Primer.

* Google hires TWELVE lobbying firms to fight the FTC (on top of the 6 they already had).

* Neeley is appealing his loss to Google. Prior blog coverage.

Spam

* Spam filters have taken a huge bite out of spam. See my 2003 article expressing confidence that technology would do a much better job fighting spam than legislation.

* Amazon's Kindle hit by spammed e-books. Another example that service providers have to exercise editorial control to curb spam.

Miscellaneous

* The FTC approved the final order in the Chitika case.

* CA enacts an Amazon tax and Amazon instantly tosses its affiliates overboard--including me! More evidence that the taxman will effectively kill the affiliate industry.

* Weinstein v. eBay Inc., 2011 WL 2555861 (S.D.N.Y. June 27, 2011). As a secondary market, StubHub does not need to comply with NY state law requiring printing the face value on tickets.

* Ni v. Slocum, A128721 (Cal. App. Ct. June 30, 2011). Rejecting electronic signatures in support of a ballot petition. Contrast Anderson v Bell in Utah about the application of UETA to election petition signatures.

* Zamora Radio, LLC v. Last.fm LTD., 2011 WL 2580401 (S.D. Fla. June 28, 2011). A defense-favorable Internet personal jurisdiction ruling: "the AccuRadio website reflects a low quality of commercial activity; visitors cannot purchase products or download music and are primarily limited to live streaming audio. Moreover, Plaintiff has not established that (1) Florida constitutes a principal consumer base for AccuRadio's service; (2) AccuRadio.com makes any reference to Florida, or directs visitors to any Florida establishments; (3) AccuRadio has engaged in any print, radio, television, or Internet advertising targeting Florida residents; or (4) AccuRadio has in any way specifically encouraged Florida residents to visit AccuRadio.com." The court distinguishes co-defendant Last.fm: "AccuRadio users do not have to download a program to access and listen to AccuRadio's programming and AccuRadio users do not download music from AccuRadio's website....Further, AccuRadio's website is not specifically directed at Florida consumers and local information about concert events is not provided on AccuRadio's website."

* Take James Grimmelmann's Internet Law exam.

Posted by Eric at 08:43 AM | Content Regulation , E-Commerce , Search Engines , Spam | TrackBack

June 07, 2011

Site Moderators Weren't Agents of the Site--Cornelius v. BodyBuilding.com

By Eric Goldman

Cornelius v. BodyBuilding.com, LLC, 2011 WL 2160358 (D. Idaho June 1, 2011)

This case involves a nutritional supplement called Syntrax, which is available for sale on an e-commerce site BodyBuilding.com. The site supports users comments and message boards and deploys user-moderators to oversee the conversations. Moderators "may, among other things, edit and delete posts, move threads, and ban forum users for violations of the forum’s terms and conditions." Moderators self-nominate but are elected by the community. Moderators don't get paid, but they get a discount for onsite purchases and a free trip to Boise.

This ruling involves three posts made by user "deserusan" and one by "INGENIUM" that made critical remarks about Syntrax. A Syntrax competitor, Gaspari, later hired deserusan as a part-time CSR, and deserusan disclosed that employment status in his onsite signature block. However, perhaps unexpectedly, when deserusan updated his signature block, the update automatically propagated to all of deserusan's old posts, thus making it appear that deserusan was bashing Syntrax as an official employee of a competitor. Meanwhile, INGENIUM subsequently became an onsite moderator, so his legacy posts (including the one at issue) got the elevated visibility given to posts by moderators, even though it was written when INGENIUM wasn't a moderator.

Syntrax initially sued more than 15 defendants over these posts. The case has generated a number of interesting and confused rulings along the way, and we've blogged it three times before:

* "Website Privacy Policy Supports Pseudonymous Poster's Expectation of Privacy -- Cornelius v. Deluca"
* "Troubling Ruling About 47 USC 230 and Moderators--Cornelius v. DeLuca" (which included the classic analysis of whether calling someone a "Cornholio" is defamatory)
* "Online Retailer Isn't Liable for User Comments--Cornelius v. DeLuca"

Gaspari and BodyBuilding.com are the only defendants remaining, and in this ruling, the court grants both summary judgment.

Regarding Gaspari's liability, deserusan had made the offending posts before becoming an employee, but the court had previously ruled that it could be liable if "Plaintiffs could prove that Gaspari intentionally and unreasonably failed to remove the allegedly defamatory posts after notice and opportunity to do so." The court concludes that Gaspari lacked adequate knowledge. It didn't know about the posts when hiring deserusan, it didn't know he changed his signature block or that doing so would affect old posts, and it didn't control the posts. Also, similar to Ripoff Report, BodyBuilding.com restricted its authors' ability to delete their old posts.

[In our exchange about this post in draft mode, Venkat wondered about the legal test the court used here. This is the standard legal test for, say, a business that leaves a defamatory comment posted on the bathroom wall. I don't know if the test makes sense in the context of an employer reviewing a new employee's old online activities, but the court gets to the right place either way.]

Regarding BodyBuilding.com's liability for the remaining claim of Lanham Act unfair competition, the plaintiff contends that "Bodybuilding.com endorsed or “adopted” INGENIUM’s statement – and therefore became responsible for it – when it failed to remove the post after INGENIUM became a moderator." This should have been an easy 47 USC 230 dismissal--even if the post was by a moderator, the website is never liable for it--but the court had previously ruled otherwise. This led to an inquiry whether the moderator was the website's agent.

The court concludes that moderators weren't acting within any agency scope when posting online, and nothing created apparent authority for those posts. Separately, the court says there may not be any damages because it's unclear if anyone saw the post during INGENIUM's time as a moderator.

With all of the facts on the table, it's easy to see why this case took so many rulings to resolve. Users changed their status to employees/moderators, which in turn changed how their posts were presented. It takes a little while to unpeel these layers. On the other hand, this shows why 47 USC 230 is so helpful. If the court had taken the position all along that a moderator's post was third party content, the case would have been tossed a long time ago, and the parties would have saved a lot of time and money.

The court reached a good place in declining to hold that agency law made the site responsible for its moderator's post. However, even if 47 USC 230 didn't apply, the entire inquiry was flawed because independent user-moderators should almost never be considered agents of the site, and therefore courts should screen out agency arguments much earlier in the process. We don't get too many agency arguments as bypasses to 47 USC 230, but this case leaves plaintiffs with some reason to explore those doctrinal interstices.

Rebecca is also covering this suit.

Posted by Eric at 09:28 AM | Derivative Liability , E-Commerce , Marketing | TrackBack

May 26, 2011

Online Insurance Application Constitutes “Writing” for Purposes of Waiving Insurance Coverage for Medical Benefits--Barwick v. GEICO

By John Ottaviani

Barwick v. Government Employee Insurance Co., Inc., 2011 Ark. 128 (March 31, 2011) [link]

Although 47 states, the District of Columbia, Puerto Rico and the Virgin Islands have adopted the Uniform Electronic Transaction Act (UETA), we have had very few cases discussing or interpreting UETA. Here, we have a case where the court is asked whether a waiver in an online insurance application is a “writing” for purposes of a state insurance law that requires coverage waivers to be in writing.

The facts are fairly simple. In 2009, a woman (who subsequently married the plaintiff) purchased automobile insurance coverage online at GEICO’s website. In the online application, the woman rejected coverage for medical benefits as permitted under Arkansas law. The online form bore the woman’s electronic signature. In a discovery deposition, the woman also acknowledged that she completed the form on the website, that she did not select the coverage for medical benefits, and that she signed the application electronically.

The lower state court granted summary judgment to GEICO and dismissed the husband’s claim for medical benefits. On appeal, the husband argued that the electronic application containing his wife’s electronic signature did not meet the requirement that a rejection of coverage be “in writing” under the terms of Arkansas Code Annotated Section 23-89-203 (Repl. 2004). The husband argued that because a general statute does not apply when a specific one governs the subject matter, the insurance statute requirement that the waiver of coverage be “in writing”, takes precedence over the more general provisions in the UETA. He also argued that pressing a computer button did not constitute a “writing” for purposes of waiving coverage.

The Arkansas Supreme Court reviewed the history of UETA and noted that Arkansas had adopted UETA in 2001 to facilitate electronic transactions. The court found that the online application was an “electronic record” under UETA. The Court also found that there was no conflict between the insurance statute and UETA, and that the two provisions can be read “harmoniously” to mean that an electronic record can fulfill the requirement of written rejection for coverage. As a result, the Arkansas Supreme Court affirmed the lower court’s grant of summary judgment to GEICO.

A few thoughts:

• The court’s analysis is straightforward and correct. One would think that the legal issue is obvious, but there have been very few cases interpreting UETA to date (perhaps because the statute is so simple?). UETA was drafted so that the state legislators did not have to amend the numerous statutory requirements for “writings” in each statute. Instead, UETA provides a global approach that a record or signature may not be denied legal effect or enforceability solely because it is in electronic form, and a contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation. But it’s nice to now have a case to point to when a client questions the validity of online agreements.

• GEICO also argued that the plaintiff should be estopped from questioning the validity of the electronic waiver of coverage, because he is also seeking to benefit from the insurance policy obtained throughout the online application. Because the court dismissed the appeal on the UETA grounds, it did not need to address the estoppel argument.

• There do not seem to be any evidence issues in this case. The woman in question did not deny that she completed the online application and affixed an electronic signature. She also gave a deposition testimony that she completed the form on the website, that she and did not select coverage for medical benefits, and that she signed the application electronically. Query whether or not the court would have denied summary judgment if any of these facts had been in dispute.

• Unlike the court in Colorado last year, the Arkansas Supreme court correctly determined that EUTA, and not the federal Electronics Signatures In Global and National Commerce Act (commonly known as “E-Sign”), applies to this case. E-Sign has a peculiar “reverse preemption”. E-Sign governs in the absence of a state law or in states that made modifications to UETA that are inconsistent with E-Sign. In effect, Congress forces a state to adopt UETA in a uniform manner, by providing that the state version of UETA controls over E-Sign if UETA is adopted without modification. Here, Arkansas appears to have adopted UETA without any significant modifications, so UETA’s provisions should govern questions of contract formation and enforceability in Arkansas.

See also this brief post on a Federal Circuit UETA case.

Posted by John Ottaviani at 07:00 PM | E-Commerce , Licensing/Contracts | TrackBack

Ninth Circuit: FACTA Does not Cover Emailed Receipts -- Simonoff v. Expedia

[Post by Venkat Balasubramani]

Simonoff v. Expedia, No. 10-35595 (9th Cir.; May 24, 2011)

FACTA is a statute which requires merchants to truncate the customer's credit card information on receipts that are "electronically printed." Plaintiffs have brought claims against online retailers for including credit card information on emailed receipts. Courts have not been receptive to these claims, and in Simonoff v. Expedia, the Ninth Circuit joins other circuit courts in holding that FACTA does not apply to email receipts.

Venue Selection

Before getting to the substantive issue, the court addressed the parties' arguments regarding the applicability of the forum selection clause. Expedia's online agreement provides that users

consent to the exclusive jurisdiction and venue of courts in King County, Washington.

Simonoff argued that "courts in King County" referred only to state courts, and therefore jurisdiction was not proper in federal court. The court disagrees, noting that if the online agreement used the words "courts of King County," this would have mandated a different result, because:

the phrase "the courts of" a state refers to courts that derive their power from the state—i.e., only state courts—and [a] forum selection clause, which vested exclusive jurisdiction in the courts "of" [a particular state, would limit jurisdiction to courts of that state.]

[It appears Expedia heeded the Ninth Circuit's advice from Doe 1 v AOL. Note to self! I think saying "federal or state courts" works, if you are open to jurisdiction in federal or state courts, but if you used this language you would say "federal or state courts in King County."]

FACTA and Electronic Receipts

On the issue of whether FACTA applies to emailed receipts, the court followed the approach taken by other circuits, including Shlahtichman v. 1-800 Contacts, Inc., discussed in this blog post: "Electronically Printed" Does not Include Automated Merchant Email." The court notes that although the technologies around the dissemination of information have changed over the years, "print" still means to imprint onto something tangible—no one ever says "print this to your iPad":

'Print' refers to many different technologies—from Mesopotamian cuneiform writing on clay cylinders to the Gutenberg press in the fifteenth century, Xerography in the early twentieth century, and modern digital printing—but all of those technologies involve the making of a tangible impression on paper or other tangible medium. Although computer technology has significantly advanced in recent years, we commonly still speak of printing to paper and not to, say, iPad screens. Nobody says,"Turn on your Droid (or iPhone or iPad or Blackberry) and print a map of downtown San Francisco on your screen." We conclude that under FACTA, a receipt that is transmitted to the consumer via email and then digitally displayed on the consumer’s screen is not an "electronically printed" receipt.

Congress's use of the term "electronically printed" isn't particularly precise, but the court finds that if Congress intended the statute to cover email receipts it could have easily said so:

in enacting FACTA, Congress did not use language that would have clearly extended FACTA’s protection to electronically mailed receipts. For example, Congress could have applied FACTA to 'electronically printed or transmitted receipts,' to 'electronically printable' receipts, or to 'electronically displayed' receipts. Congress, however, chose not to do so, even though it has referred to digital methods of communication and commerce in numerous other statutes. We can’t fill in the blanks with words that Congress didn’t supply. [emphasis in original]

The court also notes that the structure and staggered implementation of FACTA supports its interpretation that "electronically printed" does not cover emailed receipts. The statute is intended to cover the printing of receipts to the extent this is within the merchant's control, and not a situation where the printing or display happens at the consumer's end:

if computer screens were deemed to 'print' receipts within the meaning of the statute, merchants' liability would hinge on the date the customer purchased and began using a computer screen—an unintended, nonsensical, and unpredictable result.

The statute was intended to protect against identity theft, and it is difficult to see where the risk of identity theft is when the customer is emailed a receipt. To the extent the risk exists, it is something the customer, and not the retailer, is better situated to protect against. In any event, as the court in Shlahtichman noted, there are other statutes directed at protecting against identity theft when the information is stored or transmitted in electronic form (e.g., the Computer Fraud and Abuse Act).

At the end of the day, this was another attempt by plaintiffs' lawyers to push the envelope and sue under a statute which created a civil cause of action without any showing of harm. The court smacks down the plaintiff's attempt.

Other coverage: "Ninth Circuit: FACTA does not apply to credit card receipts sent via email" (Evan Brown)

Posted by Venkat at 02:11 PM | E-Commerce

May 05, 2011

Court Finds Webloyalty Rewards Program Disclaimers Sufficient to Defeat Misrepresentation Claims -- Berry v. Webloyalty

[Post by Venkat Balasubramani]

Berry v. Webloyalty.com, Inc., et al., 10-CV-1358-H (CAB) (S.D. Cal.; Apr. 11, 2011)

This is another online membership program case. Plaintiff purchased tickets from movietickets.com using his debit card. He alleges that he was offered a $10.00 discount and, when he took advantage of this discount, he unwittingly signed up for a rewards program operated by a third party that resulted in monthly recurring charges. Plaintiff asserted a variety of claims, including for unfair business practices against defendants. Based on the disclosures at the time of the transaction, the court rejects the claims and dismisses the case.

The court cites to and reproduces the disclosures in its order, and finds that:

the explicit and repeated disclosures that Defendants made in their enrollment page suffices to defeat the . . . claims.

Plaintiff cited to Keithly v. Intelius, where the court found that disclaimers did not defeat a plaintiff's claim of being misled into signing up for a rewards program. ("Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout.") The court notes that in contrast to Keithly, in this case, the customer was not taken through a byzantine transaction process. Here, the plaintiff took a "voluntary step to click on the coupon offer" that looks like it was presented in the page before the checkout page. As the court notes, in all, the plaintiff "took three affirmative steps to accept the terms of the club membership," and had an opportunity to decline. The court held that the disclaimers around the offer were "sufficient to place reasonable consumers on notice that they are entering into the Shopper Discounts & Rewards club and that they are accepting the offer by clicking on the 'YES' button."

The Defendants used the same strategy used by defendants in similar cases to focus on the screenshots of the signup process and thereby limit discovery. Defendants initially presented the screenshots. Plaintiff challenged the authenticity of the screenshots. The court allows limited discovery into the issue of authenticity, and plaintiff is unable to come up with anything to adequately challenge the authenticity of the screenshots. As a result, the court takes judicial notice of the screenshots and adjudicates the issue on the basis of the pleadings and the screenshots of the signup process. The court also takes judicial notice of the acknowledgment page, confirmation email, and account history as well. This is a good strategy on the defendants' part to narrow the case and take a case that may have otherwise resulted in a potential discovery quagmire and focus it on the individual signup process for the plaintiff in question.

This case is distinguishable from Keithly on the basis that in Keithly, the checkout process was much more convoluted. On the other hand, in Keithly, the court expressly cites to the "least sophisticated consumer" standard, and there's no such reference by the court in this case. The implication is that any consumer who is duped into signing up for the rewards program in this case is per se unreasonable. In addition, although it did not apply to the conduct in question since it had not been enacted at the time of the transaction, the recently passed "Restore Online Shoppers' Confidence Act" speaks directly to the issue of post-transaction offers that result in recurring charges for the consumer. The statute prohibits the passage of credit card or billing information from one online merchant to another, finding that:

[t]he use of a 'data pass' process defied consumers' expectations that they could only be charged for a good or a service if they submitted their billing information, including their complete credit or debit card numbers.

Plaintiff tried to rely on this and requested that the court take judicial notice of this Congressional finding, but the court says that the Congressional statements issued in the statute "are subject to dispute." Ordinarily, it does not make sense for a court to take judicial notice of a particular industry practice since the experience in a particular case may vary, but I wonder if the court should have given greater weight to the findings, at least with reference to the question of whether a particular online practice was reasonable. As to the point quoted above which relates to billing information being transmitted to a third party, there is no dispute that Webloyalty engaged in this practice and that Congress thinks it's sufficiently out of touch with consumers' expectations that it should be prohibited. Either way, it's worth mentioning what the statute covers:

- before obtaining billing information, the third party seller has to clearly and conspicuously disclose the material terms of the transaction;
- the fact that the third party seller is not affiliated with the initial merchant has to be disclosed to the consumer;
- the third party seller has to obtain (directly from the consumer) the consumer's billing information, name and address and contact information, along with the consumer's affirmative consent.

The statute imposes a blanket ban on the practice referred to as "data-pass" - i.e., disclosure of the consumer's credit or debit card or other account information by the initial merchant to the third party merchant. The statute also prevents "negative option marketing," where a merchant interprets the consumer's failure to take action as assent for future charges.

Previous posts:
Fifth Circuit Blesses Vistaprint's Rewards Program Sign-Up Process -- Bott v. Vistaprint USA Inc.
Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards
Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout -- Keithly v. Intelius
Intelius Dodges a Bullet Over Allegedly Deceptive Online Marketing Practices -- Hook v. Intelius

h/t: "Screenshotapalooza:Webloyalty disclosure sufficient as a matter of law" (Professor Tushnet) ("The court, however, found that the disclosures were prominent enough that no reasonable consumer could have been fooled by them (essentially deeming all the people who feel cheated by programs of this type unreasonable).")

Posted by Venkat at 04:36 PM | E-Commerce

April 08, 2011

Intelius Dodges a Bullet Over Allegedly Deceptive Online Marketing Practices -- Hook v. Intelius

[Post by Venkat Balasubramani]

Hook v. Intelius, 10-CV-239(MTT) (M.D. Ga.; Mar. 28, 1011)

I mentioned a class action in Washington against Intelius over its online sales practices in a couple of weeks ago. ("Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout.") Although the Washington court denied Intelius's motion to dismiss and allowed the claims to go forward, a judge in Georgia came to a different conclusion and dismissed a similar complaint against Intelius.

Motion to Strike the Screenshots: Intelius took an interesting approach in its motion to dismiss. It attached archived versions of the screenshots which reflected the webpages which the plaintiff ostensibly viewed when he made the purchase at Intelius. Intelius also convinced the court to allow limited discovery on the authenticity of the screenshots, and if found to be authentic, rule on the motion to dismiss while considering the screenshots. The court finds that there is no evidence to indicate that the screenshots were not authentic representations of

the webpages that resulted from running [plaintiff's] email search request on the regenerated archived code from [the date in question].

Plaintiff argued that Intelius's evidence could be self-serving and that Intelius representatives could have concocted a scheme to conduct a fraud on the court, but the court finds that there's no evidence to back this up (and that if such a scheme existed and was discovered, it would "subject the Defendants and their attorneys to the harshest possible sanctions"). [Convincing the judge to allow limited discovery into the webpages in question was a creative approach by Intelius to avoid lengthy drawn out discovery that would otherwise accompany a lawsuit.]

The Transaction Process: The court describes the flow of the transaction in "laborious" detail. In the first step, the customer conducts a search for an email address (at one of Intelius's partner sites). In the second step, the customer "lands" on the Intelius site. The results page are displayed on the third step. On the fourth page, the customer is presented with pricing information for the first time. "Identity Protect," the product that plaintiff claims he unwittingly signed up for is also mentioned. Here, the customer can choose between the standard pricing ($4.95) and a "special price" of $1.95:

[t]he unmistakable impression one gets from viewing this page is that there are two purchase options: one, at the "Regular Price" of $4.95, and another at the "Special Price!" of $1.95, which is 60% off and comes with a "FREE Identity Protect Trial." However, it is not clear at this point that the 60% discount is conditioned on the customer selecting the free Identity Protect trial.

The fifth page contains an explanation of Identity Protect, as well as the fact that the customer is charged $19.95 if the customer does not cancel after the 7-day trial. As the court notes:

At this point, the ambiguity of the previous page with respect to the Identity Protect trial's relationship to the discount is resolved, one can only receive the $3.00 discount by signing up for a free, seven-day trial of Identity Protect.

After the fifth page, there are five additional pages - the customer actually receives the requested information at the tenth page. The confirmation page does not provide any information about how to terminate the Identity Protect membership.

EFTA Claim: Plaintiff claimed that Intelius engaged in an "unauthorized fund transfer." The court says no, the transfers were "clearly . . . preauthorized."

ECPA Claim: Plaintiff also claimed that Intelius unlawfully intercepted an electronic communication. The court rejects this claim as well, finding that Intelius was a party to the communication (i.e., was intended to receive plaintiff's credit card information) and "used the information for the purpose it was given."

Unjust Enrichment: The court also rejects plaintiff's unjust enrichment claim, finding that Intelius performed according to the terms of its agreement with plaintiff, and plaintiff took six months to cancel the trial membership. Unjust enrichment applies where there is no contract and here there was a contract which both sides performed.

Georgia Unfair Trade Practices Claim: Plaintiff had a few theories as to how Intelius violated Georgia's unfair trade practices statute, but the court shoots them all down. With respect to the core claim that Intelius failed to disclose material facts about the membership program, the court states:

Intelius disclosed the details of the Identity Protect program at least five times before the Plaintiff made his purchase. One wonders, if these five disclosures were not sufficient to make the Plaintiff aware of the nature of the transaction, what would have been?

___

The tenor of this court's decision is different from the Washington court's. There, Judge Lasnik noted that

[t]he capacity of a marketing technique to deceive is determined with referenced to the least sophisticated consumers among us.

The court here did not delve into the standard but one does not get the sense that the court evaluated the transaction from the perspective of the "least sophisticated internet consumer."

On the other hand, the transactions in question were slightly different. I've uploaded the pages from the court's order which contain the screenshots in question (which are worth a look and which you can access here), and there is a fair amount of disclosure that if you don't cancel the Identity Protect trial within seven days, you will be billed $19.95 monthly. However, you do get the sense that customers are put through a transaction labyrinth to make it hard for the customers to jump between the two tracks. Once the customer goes down the free trial path, the customer is not given much of an opportunity to simply remove the free Identity Protect trial and continue with the transaction. Unlike the Georgia court, the Washington court focused on the process and whether it would be deceptive to the consumer.

One thing is for sure, Intelius is definitely not taking the "one click" approach to online transactions!

Previous post:

"Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout"

Posted by Venkat at 12:07 PM | E-Commerce | TrackBack

April 07, 2011

StubHub Denied Section 230 Defense in Scalping Case--Hill v. StubHub

By Eric Goldman

Hill v. StubHub, Inc., 2011 WL 1675043 (N.C. Super. Ct. Feb. 28, 2011). My previous blog post in this case.

This is a putative class action lawsuit against StubHub for violating North Carolina's anti-scalping laws, which both restrict the resales prices of tickets and service fees charged for the resale. The plaintiffs claim StubHub violates both provisions.

StubHub interposed a 47 USC 230 defense, something that StubHub has asserted with mixed success before. The court rejects the defense.

The court begins with a survey of Section 230 jurisprudence. Principally building off the bloated statements in Roommates.com, the court summarizes its legal assessment:

A review of the cases below leads this court to conclude that an internet service provider crosses the line and becomes liable for content on its website when the internet service provider (“ISP”) materially contributes to and/or specifically encourages the offending content. To “materially contribute” in this context means to influence the offending content in a way that promotes the violation of law that is represented by the offending content. To “specifically encourage” means to elicit and make aggressive use of the offending content in the business of the internet service provider. Each case must be decided on its own facts, giving deference to the public policy embodied in the statute. Cases in which the offending content is unlawful require a heightened degree of materiality and specificity. Intent to violate the law is not required. Conscious disregard by an internet service provider of known and persistent violations of law by content providers may impact the courts’ determinations of the service provider’s claim to immunity, especially where the ISP profits from the violations.

Elsewhere, the court says Section 230 "protects those ISPs which are truly innocent bystanders in use of the web."

What is the court talking about? It is a weird way of trying to distill the state of the law (which the court mischaracterizes by saying the "case law governing the question of loss of immunity as an internet service provider is not extensively developed"). Oddly, after spending 40% of its opinion supporting various cases that led it to draw this legal conclusion, the court doesn't explicitly use this recap to guide its analysis. Yet another reason not to give the recap much credit. One other point that undercuts the court's credibility: the court didn't address the highly relevant Milgram v. Orbitz case which reached the opposite result on similar facts.

In my opinion, the most interesting part of the court's opinion relates to Section 230's application to the ticket price. The court acknowledges that each seller sets his/her own price for the ticket. Nevertheless, StubHub can be responsible for the price sellers choose because StubHub does a number of things to manage prices on the site. (StubHub wants sellers to sell at the highest obtainable price because that maximizes StubHub's fees; but prices above the market-clearing price mean that no deals are done, in which case StubHub doesn't get any cut).

The court enumerates several ways that StubHub shapes the prices:
* StubHub decides which events it supports in the first place (it doesn't allow ticket sales for every event)
* "It actively solicits listings for high-demand events. It monitors its competition for listings."
* It cuts special deals for "LargeSellers" (a point also raised in the NPS v. StubHub case). The court says "StubHub influences the pricing of the LargeSellers" through various programmatic details.
* StubHub shows sellers pop-up windows telling them if their price is out of a targeted pricing range and encourages sellers to rethink the price.
* Later, the court gives other examples of how "StubHub is in total control of the transaction."

The court summarizes and concludes the pricing discussion:

StubHub’s business model does not require scalping practices. It encourages them. It is designed to produce the highest volume of ticket sales at the prevailing market price for events which are sold out, and thus likely to generate market prices higher than the face value of the tickets irrespective of the fees involved on both sides. Having engaged in detailed studies of pricing and pricing habits of its users and competitors, it strains credulity that StubHub had no information about the relation of market value to face value. It could not reasonably drive its customers’ prices to market value without that information. It does not provide information on the face value of tickets to buyers on its website. Further, it controls its website to prevent communication between buyers and sellers, thus facilitating its role as the arbiter of market price.

I feel like I'm missing something pretty fundamental. Don't all retailers--even marketplaces like eBay--try to drive their prices to "market prices"? Is there any other logical pricing outcome?

In its conclusion, the court says that StubHub

directly participated in developing the pricing on its system....StubHub encouraged illegal content. Phrased differently, the use of its website to scalp tickets in violation of North Carolina law was a predictable consequence of its business model. StubHub encouraged, materially contributed to, and made aggressive use of the pricing content on its website. It profited from tickets sold at prices higher than face value. It was consciously indifferent and willfully blind to the illegal prices being posted, knowing that the predictable consequences of its pricing model would be the generation of illegal prices. It is not entitled to immunity. It does not qualify as a Good Samaritan.

The odd thing about the court's pricing discussion is that, by the court's own admission, StubHub is usually encouraging sellers to reduce their offered prices. So if StubHub changes its practices in response to this opinion to improve its Section 230 defense, ironically consumers will likely pay higher ticket prices, not lower. Talk about a Pyhrric victory.

If it holds, this ruling about steering price-setting might apply to any e-commerce site that wants Section 230 protection for seller pricing choices. For that reason, obviously this opinion has risk for StubHub's parent, eBay, but I would note that the reason could be applied to Google's AdWords auctions. Google does a number of things to affect advertisers' bids in the auction, and this ruling could potentially affect Google's Section 230 coverage for those auctions. On the other hand, so much of the court's opinion turns on the illegality of scalping. If the marketplace auctions lead to a legal price, this opinion's rationale might drop away.

Then again, retailers have an increasingly tough time claiming 230 immunity for items they sell, especially items delivered offline. See, e.g., my post about Parisi v. Sinclair. Clearly, this judge thought StubHub was closer to a retailer than a marketplace.

The court says StubHub's buyer's fee is also illegal under the anti-scalping law.

StubHub's counsel has told me that they plan to appeal this opinion. It will be interesting to see how this ruling fares on appeal.

A final note: this ruling is just the latest detritus from the legally disastrous 2007 Hannah Montana concert tour. The legal developments arising from that tour have been horking the law for years--Ticketmaster v. RMG being the flagship example. Add this ruling to the list of reasons why Cyberlawyers should hate Hannah Montana.

Posted by Eric at 12:14 PM | Derivative Liability , E-Commerce | TrackBack

April 05, 2011

March 2011 Quick Links, Part 2

By Eric Goldman

Trademark

* Apple is on the road to CrazyTown with its attempt to secure and protect trademark rights in “App Store.” Among the "highlights" this month:
- it sued Amazon. Marty’s comments. The Justia page.
- Microsoft has been scoring a lot of points in its TTAB opposition. My comments on the latest developments. This battle is so pitched, it’s devolved into a font war.
- Apple successfully “persuaded” MiKandi, an "app store" for adults, to change its description to "app market."

* Google's trademark win for "Android" is being appealed to the Seventh Circuit.

* Advocate General's opinion in the EU keyword advertising case of Interflora v. Marks & Spencer. Let me know if you have the patience to read the whole thing. I don't.

* Jim Jansen: "it probably doesn't pay, on average, to bid on competitors branded phrase."

* At SSRN: Counterfeiters: Friend or Foe? The article tries to evaluate when knockoffs create demand for the original or act as substitutes: "The advertising effect dominates substitution effect for high-end authentic product sales, and the substitution effect outweighs advertising effect for low-end product sales."

* BoingBoing: NYT shuts down the @freeNYTimes auto-retweeting account on trademark grounds because the re-tweet service blows apart NYT's paywall. BTW, given its holes, I don’t think it should be called a “paywall.” Maybe more like a “pay-chain-link-fence”?

* GoDaddy takes down a website that tried to emulate Reed College's website.

* Washington Post caves in response to demand from Washington Redskins' team and changes a blog name from "Redskin Insider" to "Football Insider."

Retailing and Manufacturing

* WSJ: Manufacturers and retailers are beginning to push back on the paradox of choice. AdAge on Walmart using its market share to promulgate private regulations on its suppliers.

* Fast Company: How to sell more carrots? Market them like junk food.

* Illinois is the latest state to enact an "Amazon tax," so Amazon and Overstock tossed their Illinois affiliates overboard. When are states going to learn that the Amazon tax doesn't actually improve their financial situation? They don't get the increased sales tax revenue, and they lose the income tax from state-based affiliates. This is the opposite of a Pareto optimal move--no one gets made better off, but some get made worse off. This is also a good example of how state tax policy can degrade our national economy.

* SaferProducts.gov is now live.

* NYT: Car manufacturers are asserting copyright to prevent the National Highway Transportation Safety Administration from republishing their “technical service bulletins” describing warranty extensions and other unusual problems with their cars.

Privacy

* From the FTC: "in the last 15 years, the FTC has brought more than 300 privacy-related actions, including: 32 data security cases, 64 cases against companies for improperly calling consumers on the Do Not Call registry, 86 cases against companies for violating the Fair Credit Reporting Act (FCRA), 97 spam cases, 15 spyware (or nuisance adware) cases, and 15 cases against companies for violating the Children’s Online Privacy Protection Act (COPPA)."

* FTC busts Chitika for having opt-out cookies expire in 10 days. According to ClickZ, Chitika claims it was a bug; the cookie was supposed to expire in 10 years.

* ClickZ: "Device Fingerprinting Could Be Cookie Killer." A follow-up story on privacy concerns.

* Time Magazine: Data Mining: How Companies Now Know Everything About You

* The FTC gave final approval to its settlement with Twitter. Prior blog post.

* Jane Yakowitz, Tragedy of the Data Commons. Brooklyn VAP Jane Yakowitz takes on Paul Ohm's reidentification paper. The abstract:

Accurate data is vital to enlightened research and policymaking, particularly publicly available data that are redacted to protect the identity of individuals. Legal academics, however, are campaigning against data anonymization as a means to protect privacy, contending that wealth of information available on the Internet enables malfeasors to reverse-engineer the data and identify individuals within them. Privacy scholars advocate for new legal restrictions on the collection and dissemination of research data. This Article challenges the dominant wisdom, arguing that properly de-identified data is not only safe, but of extraordinary social utility. It makes three core claims. First, legal scholars have misinterpreted the relevant literature from computer science and statistics, and thus have significantly overstated the futility of anonymizing data. Second, the available evidence demonstrates that the risks from anonymized data are theoretical - they rarely, if ever, materialize. Finally, anonymized data is crucial to beneficial social research, and constitutes a public resource - a commons - under threat of depletion. The Article concludes with a radical proposal: since current privacy policies overtax valuable research without reducing any realistic risks, law should provide a safe harbor for the dissemination of research data.

* Woodrow Hartzog, Promises and Privacy: Promissory Estoppel and Confidential Disclosure in Online Communities, 82 Temp. L. Rev. 891 (2009). The abstract:

Online communities often provide significant support for those who seek it. Yet in order to take advantage of that support, users must frequently disclose sensitive information such as dating profiles, candid thoughts, or even past substance abuse. What happens when other community members fail to keep this potentially harmful information confidential? Traditional remedies will likely fail to protect people when members of an online community violate the confidentiality of other members. In this Article, I contend that promissory estoppel, an equitable doctrine designed to protect those who detrimentally rely on promises, can ensure confidentiality for members of online communities. The application of promissory estoppel via a website's terms of use agreement as a method for protecting disclosure has substantial advantages over tort-based, technological, or contractual remedies. Under the third-party beneficiary doctrine or the concept of dual agency, these agreements could create a safe place to disclose information due to mutual ability to enforce promises of confidentiality.

Posted by Eric at 02:33 PM | E-Commerce , Privacy/Security , Trademark | TrackBack

Online Booksellers Get 47 USC 230 Immunity for Publisher-Supplied Marketing Collateral--Parisi v. Sinclair

By Eric Goldman

Parisi v. Sinclair, 2011 WL 1206193 (D.C. D.C. March 31, 2011). The complaint. More source documents.

Sinclair self-published a book that Parisi believes defamed him. The book showed up in Books-a-Million, B&N and Amazon. All of the retailers published an allegedly defamatory promotional statement supplied by the "publisher" (in this case, the author). In B&N and Amazon's cases, it appears that Sinclair's self-publication venue, Lightening Source, supplied a data feed that they used to automatically build a display page containing the allegedly defamatory statement.

With respect to the publisher-supplied promotional statement, the online booksellers claimed 47 USC 230 immunity. This proves to be an easy case because the online booksellers simply republished the third party-supplied content. The court explicitly rejected an argument that Books-a-Million "adopted" the publisher's collateral as its own. This is consistent with the uncited Black v. Google opinion. The court also explicitly granted Books-a-Million's 12(b)(6) motion to dismiss, saying that was appropriate when the immunity is apparent on the complaint's face, as it was here. (B&N and Amazon brought summary judgment motions).

Despite this being an easy 230 case, the court delineates two 47 USC 230 boundaries. First, it refuses to embrace the Perfect 10 v. ccBill conclusion that 230 preempts state IP claims, but it doesn't accept the alternative proposition (from the Project Playlist and Friendfinder cases) either. Instead, it dismisses the false light claim (which the court liberally construed as a publicity rights claim) on newsworthiness grounds.

Second, in FN3, the court says that B&N and Amazon can't claim 47 USC 230 immunity for the online sale of physical books delivered in realspace. The court distinguishes the republication of marketing collateral, which are covered by 230, from sale and delivery of the physical books themselves, which are not. This seems like a sensible distinction. Even though 230 immunizes offline conduct when the claim is based on online communications (see, e.g., Doe v. MySpace), offline deliveries of tortious material by the defendant should be outside the scope of 230. For more on this, see the uncited Curran v. Amazon.com case. The court suggests that a Kindle sale--where the online retailer sells third party materials but delivers them electronically--would also drop out of 230's protection. This is consistent with the uncited the Accusearch case, although I personally think 230 can apply in that situation.

Even though 230 isn't availing for the book sales themselves, the booksellers exit the case because they lacked the required actual malice.

Despite the two 230 limits identified by the court, this case is a good 230 win for the defense. Among other things, it reminds us that online retailers are fully eligible for 47 USC 230's immunity if they meet the requisite elements. Also, at our 230 retrospective, Kai Falkenberg of Forbes expressed a worry that this case may require online publishers to clearly demarcate their content from third party content. As it turns out, the consumers' perceived source of the allegedly defamatory content didn't come up in the court's discussion.

Posted by Eric at 10:12 AM | Content Regulation , Derivative Liability , E-Commerce | TrackBack

April 01, 2011

Trademark Owner Gets Injunction Against Keyword Ad Campaign That Generated No Sales for the Advertiser

By Eric Goldman

InternetShopsInc.com v. Six C Consulting, Inc., 2011 WL 1113445 (N.D. Ga. March 24, 2011)

[I know the headline sounds like an April Fools joke, but no April Fools here...although, as I will show, this case definitely involved some foolishness.]

I hate sounding like a broken record, but I'll say it again. Most keyword ad lawsuits are not economically justified, so trademark owners are almost invariably making a bad business decision bringing them. Check out this beautiful case study of that principle.

The plaintiff has a trademark in "Dura Pro" for practice golf mats. Six C is a competitor who outsourced its PPC campaign to Channel Advisor. Channel Advisor placed competitive keyword ads triggered by "Dura Pro." In January 2009, the trademark owner complained to Six C, who promptly told Channel Advisor to drop the keyword. Channel Advisor didn't follow this instruction completely, meaning that some ads continued despite Six C's instructions. The plaintiff sued March 2009, and the court indicates that Channel Advisor fully dropped the term by April 2009 (although elsewhere it says the rogue ads persisted for 14 months).

For reasons not explained in this opinion, Six C admitted that its keyword ad buys constituted trademark infringement, narrowing the issues in this case to remedies for the admitted infringement.

The court rejects the plaintiff's claims for lost sales. The plaintiff submitted a spreadsheet showing a decrease in sales, but the court says the spreadsheet showed monthly fluctuations in sales, and the plaintiff only showed correlation, not causation, with the post-advertising decrease.

The plaintiff also sought the defendant's profits from the keyword advertising, and this is where the lawsuit gets farcical. It turns out that the defendant only got 1,319 impressions on its Dura Pro ads, 35 clicks from those impressions (2.6% clickthrough rate) and NO SALES from those clicks. Are you kidding me? The plaintiff sued over a keyword ad campaign that generated ZERO SALES for the defendant? It seems like the plaintiff should have been thrilled that its competitor was wasting money on an ineffective campaign. Instead, foolishly, the trademark owner spent its own money to pay its lawyers to get the defendant to stop wasting its advertising dollars. Great business decision, guys.

The court also denies attorneys' fees, citing Six C's responsiveness to the trademark owner's initial C&D (even if Channel Advisor didn't properly execute Six C's instructions). The court does award the trademark owner the court costs of the action, but these should be relatively small.

Finally, the court grants the trademark owner's request for an injunction (with the exact restrictions to be hashed out), but big whoop. Six C dropped the keyword a long time ago, and given the keyword's conversion rate, that wasn't really a sacrifice. The court says that the trademark owner was suffering irreparable injury "regardless of the fact that defendant's unauthorized use appears to have been unintentional, and that it did not result in any readily quantifiable harm to plaintiff." I think the judge could have more aggressively scrutinized the trademark owner's arguments on this point, but an injunction is a logical outcome for an admitted trademark infringement, even if it's mostly inconsequential in this case.

Notice that the defendant gets a decent outcome here in large part because it chose to quickly drop the keyword at the trademark owner's request. Not all advertisers would be so risk-adverse. Then again, I would expect most advertisers to fight the trademark infringement claim rather than admitting to it.

I'm adding this outcome to the list of irrational keyword ad lawsuits. Other precedents in that genre:

- King v. ZymoGenetics. The defendant advertiser got 84 clicks.
- Storus v. Aroa. The defendant advertiser got 1,374 clicks over 11 months.
- 800-JR Cigar v. GoTo.com. The search engine defendant generated $345 in revenue from the litigated terms.
- Sellify v. Amazon. The defendant got 1,000 impressions and 61 clicks.
- 1-800 Contacts v. Lens.com. 1-800 Contacts spent no less than $650k (and was willing to spend $1.1M) to pursue Lens.com, which made $20 of profit from competitive keyword ads. It also tried to hold Lens.com responsible for affiliate ad buys which generated about 1,800 clicks, which under the most favorable computations were worth about $40k.
- and now InternetShopsInc.com v. Six C. The defendant got 1,319 impressions, 35 clicks and zero sales.

Posted by Eric at 11:56 AM | E-Commerce , Marketing , Search Engines , Trademark | TrackBack

March 16, 2011

FTC Online Endorsement Guidelines Strike Again - FTC Dings Legacy Learning Over Allegedly Misleading Affiliate Reviews

[Post by Venkat Balasubramani with some comments by Eric]

In re Legacy Learning Systems, Inc., FTC File No. 102 3055 [FTC Release] [Complaint (pdf)]

An FTC press release notes that the FTC settled with Legacy Learning over allegations that Legacy improperly utilized affiliates to "promote its courses through endorsements in articles, blog posts, and other online editorial material." Specifically, the FTC complaint alleges:

[Legacy] recruited "Review Ad" affiliates for [Legacy's affiliate program], who promote Legacy’s instructional courses through positive endorsements in articles, blog posts, or other online editorial copy that contain hyperlinks to Legacy’s website in close proximity to the endorsements. [Legacy's] Review Ad affiliates often post such endorsements using statements that give readers the impression the endorsements have been submitted by ordinary consumers.

As noted in the release, the guidelines - which govern endorsements or testimonials - require disclosure of a material connection between a reviewer and a company. Under these guidelines, a positive review from a person connected with the seller or product ("someone who receives cash or in-kind payment to review a product or service" or who gets a cut of the sales) should come with a disclosure. The complaint alleges that twenty-five of Legacy’s "review ad" affiliates were responsible for at least $5 million in sales of Legacy's products.

What did the reviewers do wrong?: Reviewers did not disclose that they were affiliates of Legacy - i.e., received a cut of the sales, and in some cases were paid to review Legacy products . These were not "the independent reviews reflecting the opinions of ordinary consumers." (Examples of the reviews can be found in Exhibit A to the Complaint [pdf].) In some cases, the reviewer websites had disclosures, but the disclosures were anemic at best and were not contained in the posts themselves (e.g., "we are paid by some of the companies who's [sic] products we review" - not exactly a robust disclaimer). [Italics added.]

Where did Legacy go astray: For one thing, Legacy called these affiliates "review ad" affiliates. I would probably avoid this terminology. The complaint did not include a copy of the affiliate terms, so we don't know whether Legacy contractually required the affiliates to comply with the FTC's guidelines or explained how to comply. The complaint also does not specify whether Legacy paid the reviewers for their reviews (it alleges that the affiliates received a cut of the sales), but judging from some of the reviews and the websites of the reviewers, and from Legacy's suggestions to its affiliates, this seems to be the case (at least with some reviewers). Legacy offered suggested disclaimers (to affiliates) on its website but even these were ambiguous ("Affiliate Disclosure Requirements and Examples Legacy Learning Systems"):

[Suggested] Disclosure: We are a professional review site that receives compensation from the companies whose products we review. We test each product thoroughly and give high marks to only the very best. We are independently owned and the opinions expressed here are our own. [emphasis added]

Regardless of what Legacy may have suggested or required of its affiliates, Legacy also did not have any sort of compliance program to make sure that its affiliates made the necessary disclosures.

As part of the (proposed) settlement, Legacy will:

- pay $250,000;
- monitor and submit monthly reports about their top 50 revenue-generating affiliate marketers;
- make sure that affiliates disclose they earn commissions for sales and are not misrepresenting themselves as independent users or ordinary consumers.

Professor Goldman has posted a bunch about possible section 230 issues with the FTC's guidelines ("Do the FTC's New Endorsement/Testimonial Rules Violate 47 USC 230?"; "A Fuller Explanation of Why the FTC Endorsement/Testimonial Guidelines Violate 47 USC 230"). The facts are somewhat similar to those alluded to in his example. Here, Legacy set up an online affiliate program (on its site, using ShareASale). Legacy is the provider of an interactive computer service. Its affiliates are third parties, and Legacy is being sued for content generated by third parties (its affiliates). This looks like Blumenthal v Drudge, where AOL was sued for allegedly defamatory content provided by Drudge and AOL had paid Drudge for the content. The only difference is that here, Legacy was subject to potential liability for content that was placed on the affiliates' websites, whereas AOL was sued for content which Drudge submitted to AOL's website. I don't have a good answer on the Section 230 issue (here's a response to Paul Levy to Professor Goldman's posts on the FTC guidelines and Section 230: "Do the FTC's New Advertising Guidelines Run Afoul of Section 230?"), but it looks like the FTC isn't too worried about Section 230 acting as a bar to enforcing their guidelines against companies whose products are promoted without proper disclosures.

Previously, the FTC went after a company which posted fake reviews on behalf of its client. ("FTC Dings PR Firm for Fake Reviews -- In re Reverb Communications.") The FTC also issued a warning shot to AnnTaylor over gifts to bloggers. ("FTC Drops Investigation of Advertiser Who Gave Gifts to Bloggers.") This time, rather than merely firing the warning shot, the FTC went after Legacy, and extracted a settlement.

_________________

Eric's Comments: I agree with Venkat's post, especially the questions about 47 USC 230's applicability to this situation. I should note that my view on 47 USC 230's applicability is idiosyncratic. In addition to Paul's post, Rebecca Tushnet has also voted that my arguments are bunk. Rebecca Tushnet, Attention Must Be Paid: Commercial Speech, User-Generated Ads, and the Challenge of Regulation, 58 Buff. L. Rev. 721 (2010). Nevertheless, I would love to see someone test the FTC's theory here. I don't see it as a slam dunk that a judge would accept the FTC's theories.

For this post, I'll raise a different issue. I wonder if this case is another step in an ongoing winddown of the online affiliate industry. We're already seeing a big contraction of online affiliate programs due to states' adoptions of the "Amazon tax." As we've seen repeatedly, Amazon and others toss their affiliates overboard when states adopt these laws. (Which ironically makes these laws a type of fool's gold for state legislatures: the laws have failed to generate new sales tax revenues but have reduced income tax bases for the states that have adopted them).

Now, the FTC is taking the position that an affiliate program operator is legally responsible for consumer reviews written by its affiliates that failed to make appropriate disclosures. Furthermore, the program operator's main crime is that it failed to check out these affiliates and find out what they were writing and whether they had made adequate disclosures. The FTC's fix is to require the program operator to monitor 100 affiliates (the top 50 plus another randomly selected 50) each month to see if they are up to no good. What a hassle. The FTC settlement also requires than any non-complying affiliates are supposed to get the axe immediately, without notice or a cure period--a one-strike rule. Nice. At the peril of an FTC investigation, who needs crap like this? For most affiliate program operators, the profit-maximizing response is to just cut loose the long-tail affiliates or shut down the program entirely. Combining this effect with the Amazon tax sweeping the nation, the affiliate industry is on the run.

Another ironic note: I bet many of the program operator's affiliates are, in fact, experts in that market niche and therefore are better positioned than many other consumers to evaluate the product offerings in the niche. So the FTC crackdown may counterproductively reduce the flow of USEFUL consumer reviews about products.

A final irony: courts are less willing to extend liability to affiliate program operators than regulators are. As the most recent example, see the 1-800 Contacts v. Lens.com ruling. We didn't see an affiliate program operator-friendly ruling in the Amazon tax litigation in New York, but I keep hoping that gets reversed on appeal. If it does, and if anyone actually stands up to the FTC juggernaut, perhaps we'll see the courts revitalize the affiliate industry. If not, I say we're at the beginning of the end for affiliate programs as we've known them for the past 15 years.

Posted by Venkat at 02:54 PM | Content Regulation , Derivative Liability , E-Commerce , Marketing

March 15, 2011

Intelius May be Liable for Deceptive Online Marketing Practices Based on Third Party Transaction at Checkout -- Keithly v. Intelius

[Post by Venkat Balasubramani]

Keithly v. Intelius, No. C09-1485RSL (W.D. Wash.; Feb. 08, 2011)

A district court judge in Washington held that Intelius could potentially be held liable for allegedly deceptive marketing practices based on its making available third party services as part of the online checkout process.

Background: Intelius offers "background check" and look-up services to customers on the web. Customers brought a putative class action alleging that they were deceived during the online check-out process into buying third party subscription services.

The plaintiffs' experiences varied slightly, but some of the plaintiffs alleged that after they selected the desired services from Intelius, they were offered these services for $49.95, but were also presented with an option to enroll in a "mysterious 'Identity Protect'" service and pay $39.95 (i.e., get a $10 discount on the product which they ordered). These customers were taken through several pages which mention the basic and add-on services, and in one of the pages, the customer was informed that enrolling in 'Identity Protect' would result in the customer's credit card being billed monthly (if the customer did not cancel after the seven day free trial).

At this point the customers could complete the order, but another group of customers were told that they could take a "Community Safety Survey," and receive $10.00 cash back, when they tried the "Family Safety Report." Customers who responded favorably to this were then presented with a survey - one of the questions is related to community safety, and the other question is billing related. Here, the customer is again presented with (what the court describes as) confusing options, one of which allows the customer to complete his or her order, and the other which sends the customer further down the path which ultimately results in the purchase of the "Family Report" service. As the court describes it, "[n]o information is provided regarding the company that is offering this service."

As alleged by plaintiffs, the services are offered after the customer has input his or her payment information and were offered by third party defendant Adaptive Marketing. [Intelius settled with the Washington AG's office in late 2010 around marketing practices that look similar to those alleged here. Adaptive parent's company was also recently hit with a big ($32.6 million) judgment in Iowa: "Judge hands down $32.6 million consumer protection verdict; hundreds of thousands of Iowans could receive restitution."]

Washington Consumer Protection Act: Defendants argued that the complaint failed to adequately allege deceptiveness. In order to satisfy the deceptiveness element, a plaintiff "need not show that defendants intended to deceive or defraud, but only that the practice had the capacity to deceive a substantial portion of the purchasing public." Additionally, deception (which is evaluated by the "net impression" created by the solicitation) "may result from the use of statements not technically false or which may be literally true." Under this standard, the court finds that two of the three marketing techniques were deceptive.

Identity Protect Plaintiffs: This group of plaintiff selected the background report for purchase. They had to click two different "continue" buttons to complete the transaction, and in between the two steps, "Identity Protect" was added to their orders, "without any meaningful disclosure regarding the service or its price." At some point down the road (in step 4), the pricing details of "Identity Protect" were revealed, but they were the least conspicuous elements on the page. As described by the court:

[t]he elements that are most noticeable at Step 4 convey the impression that the consumer is purchasing a background report for $39.95 (a savings of $10.00) and that Identity Protect costs nothing. A reasonable consumer in Keithly's position could believe that clicking the red "Continue" button would answer his every need: it would allow him to purchase the product he wanted for a total of $39.95. Nothing about the key design elements would suggest that Keithly should be hunting for other terms and conditions and, and even if he did, the details of the offer blend in with the description of "Identity Protect Benefits" and the site security information to such an extent that he could miss them. The consumer could reasonably believe that clicking "Continue" would complete the order he had initiated at least four screens ago.

After step four, these consumers were not presented with any opportunities to remove Identity Protect, despite the transaction running the course of "ten screens." Similarly, after step four, there were no other disclosures regarding the pricing or terms for the Identity Protect service. In fact, "every order summary presented between Step 4 and the end of the transaction indicated that Identity Protect would cost $0.00." The court does note that not everyone would be fooled by this marketing technique:

[s]ome individuals would understand that obtaining something for nothing is a rare event and, at Step 3, would decline the offer of a $10.00 discount on the assumption that there was a catch. Others would take the time to read every word of the screen shot labeled Step 4 and realize that the advertised $0.00 price tag for Identity Protect would jump to $19.95 per month after the first seven days. But not everyone is so wary and/or detail-oriented, nor is the CPA designed to protect only those who need no protection. The capacity of a marketing technique to deceive is determined with referenced to the least sophisticated consumers among us. The FTC has noted that on-line consumers do not read every word on a webpage and advises advertisers that they must draw attention to important disclosures to ensure that they are seen.
[emphasis added]

In other words, online retailers should not hide the ball as to what is being purchased, or as to the terms of the purchase. This applies to the text of the webpage, but also applies to the checkout process itself. If the process is confusing, it does not matter is the text is technically accurate! Consumers should be able to assume that they can "safely complete an uncomplicated internet transaction without fear of being swindled or saddled with unwanted goods and services if her reviews the order summary and clicks on the link or button that purportedly completes the purchase."

The court ruled with respect to a second group of Identity Protect plaintiffs that the practices were - as a matter of law - not deceptive because there was a disclosure on every screen that Identity Protect could be cancelled any time, but that "[a]fter [the] trial, [the consumer] will be billed $19.95 per month."

Family Safety Report Plaintiffs: The court similarly finds that the Family Service Report transactions could be deceptive. After the consumer bought the report from Intelius (and after the consumer clicked on the "show my report button") the consumer is presented with an option to "take the 2008 Community Safety Survey and claim $10.00 CASH BACK when you try Family Safety Report." Here the consumer is presented with a choice to try the Family Safety product or not, but the option to try the Family Safety Report is more prominently presented. If the customer clicks on the "Yes" button and provides his or her email address, the customer actually authorizes Intelius to "transfer" the customer's account information to the undisclosed third party who is offering the service. The court points to the design elements on the page that all fail to highlight that the consumer is actually signing up for something that he or she will be on the hook for:

None of the normal cues related to a consumer transaction are presented: no product is selected, no order summary is provided, no payment information is exchanged, and no confirmation of the transaction is generated. By providing an email address and clicking the red button, the consumer will have purchased an on-going service from an undisclosed entity. Unless the consumer had the forethought to print the webpage before moving on, he will have no idea how to contact the purveyor of the service once the subscription fee starts showing up on his account statement.

I blogged about the VistaPrint case where the plaintiffs argued that they were improperly signed up for a rewards program. There the district court and Firth Circuit both found that a disclaimer and the language of the transaction effectively undermined the claims. The court in this case disagrees with the approach in VistaPrint, noting that such "a truncated analysis is improper under Washington [law]" because the court should look at the transaction as a whole. Aside from the deference given to any disclaimers or disclosures, the processes in VistaPrint and in this case appear fairly different. There the customers had to check the box saying they agreed to the terms, enter their email address twice, and most importantly, the rewards program offer was presented after the transaction with VistaPrint.

In contrast, in this case, the court intimates that the merchant was doing everything it could to thwart the effective completion of the transaction, and the consumer is guided through a maze of steps where the merchant or third party tries to add an unwanted product into the consumer's shopping cart at each step. A big takeaway is that the flow of the transaction and overall impression to the consumer is equally as important to the text, and if the overall process is viewed as deceptive, a few disclaimers will not save you. Here, it was obvious that (taking the plaintiffs' allegations as true), customers were being put through a maze of a checkout process, with numerous traps along the way.

The practice of injecting third party service (with recurring billing) into a transaction has drawn the ire of regulators. State AG's have gone after companies, and recently President Obama signed the Restore Online Shopping Confidence Act. (Here's an interesting background article on this statute: "How an Oil Baron's Heir Cleaned Up a $1.4 Billion Internet Scam.") The act covers sales by "third party sellers," and prohibits the data pass that the plaintiffs are complaining about here. The act requires the third party seller to disclose the terms, and the fact that the third party seller is not affiliated with the merchant. The act also requires the third party seller to obtain "the express informed consent" for the charge by obtaining the account number, name and address, and a means to contact the consumer from the consumer, and requiring the consumer to check the box of perform some other affirmative act to indicate consent. It looks like the transactions in question would have been covered by the statute. The act is intended to be enforced by the FTC and the State Attorneys General, but it does not rule out private enforcement, and I'm sure plaintiffs will be citing it aplenty.

Previous posts:

"Fifth Circuit Blesses Vistaprint's Rewards Program Sign-Up Process -- Bott v. Vistaprint USA Inc."
"Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards"

Posted by Venkat at 04:39 PM | E-Commerce , Licensing/Contracts

March 01, 2011

Jan.-Feb. 2011 Quick Links, Part 3 (Trademarks, Domain Names and Trade Secrets Edition)

By Eric Goldman

Trademarks and Domain Names

* From my perspective, the Department of Homeland Security (DHS) domain name seizures are one of the US government’s top 5 all-time worst assaults on the Internet’s integrity. DHS’s ICE division is grabbing domain names—the virtual equivalent of printing presses—citing half-baked legal theories and poorly researched factual claims without any advance notice or adversarial proceedings. This is exactly what we expect our government won’t do.

Yet, I haven’t seen a proportionate blowback. Why aren’t affected domain name owners suing the government for improperly seizing their printing presses? (This takes me back to the 2-decade-old Steve Jackson Games case and the EFF’s founding). Why aren’t there Congressional hearings asking DHS to defend its behavior? Where aren’t other parts of the administration forcing DHS to justify itself? Why aren’t judges pushing DHS to do a better job of demonstrating their cases on an ex parte basis? I’m a little baffled why there hasn’t been a revolt against the DHS’s baldfaced abuse of government power. I confess I’m part of the problem in that I haven’t grabbed the pitchforks either, but I’m not sure how I can best help. If you have any thoughts, I’d welcome them.

A linkwrap on this topic:

- Techdirt raises some general questions.
- One of the DHS affidavits. Techdirt deconstructs it.
- Sen. Wyden seems like our only legislator paying attention.
- Wendy Seltzer explores the due process problems.
- An ICE representative tried to defend its actions, with no success.
- Another 18 names seized.
- In a crackdown aimed at child porn, DHS took down 84,000 websites "by mistake." This is exactly the kind of “mistake” that would not happen if due process were followed and speech restrictions were subject to adversarial proceedings.
- EFF on what the repeated DHS screwups teach us about the "wisdom" of COICA:
- Techdirt: “ICE Boss: It's Okay To Ignore The Constitution If It's To Protect Companies”

* Private Career Training Institutions Agency v. Vancouver Career College (Burnaby) Inc., 2011 BCCA 69 (BC Ct. App. Feb 11, 2011): "The burden was on the appellant to satisfy the judge that there were reasonable grounds to believe that the respondents’ use of keyword advertising was actually or potentially misleading. He found as a fact that the appellant had not established that the respondents’ keyword advertising was actually or potentially misleading. He stated that the appellant had not persuaded him that the respondents’ use of its competitors’ names in keyword advertising “could...lead a student astray or into making a harmful error of judgment”. There was evidence to support those findings."

* NY S953: New York is trying yet again to ban domain name sales to terrorist groups. My prior blog post.

* Kim v. Coach: class action suit for Coach sending trademark takedown notices to eBay for the resales of legitimate goods. AP story.

* Joe Mullin recaps our efforts to crack open the Rosetta Stone v. Google joint appendix.

* LinkedIn allows ad targeting by company name. Competitive poaching, anyone? Will they be the newest defendants in keyword ad lawsuits?

* Rebecca covers an interesting and complicated dispute over a comparable drug being linked to a patented drug in a pharmaceutical reference database, with some parallels to keyword advertising.

* The Supreme Court denied certiorari in the latest appeal in Moseley v. V Secret Catalogue Inc. Prof. McCarthy on the ruling for which certiorari was sought.

* Law.com: Digital Chocolate and Zynga Settle over 'Mafia Wars'

* Ford sues Ferrari for naming one of its race cars "F150" in celebration of Italy's 150th anniversary of unification.

* Subway seeks to trademark "footlong."

* Las Vegas Sun: Double Down Saloon v. Double Down Lounge.

* Technolawyer tries to enforce a trademark in “SmallLaw.”

* Fleischer Studios v. AVELA (9th Cir. Feb. 23, 2011). The Ninth Circuit says that the Betty Boop character is in the public domain. This is quite a remarkable opinion, but I particularly call your attention to the discussion about trademarks and merchandising (cites omitted):

Even a cursory examination, let alone a close one, of “the articles themselves, the defendant’s merchandising practices, and any evidence that consumers have actually inferred a connection between the defendant’s product and the trademark owner,” reveal that A.V.E.L.A. is not using Betty Boop as a trademark, but instead as a functional product. Just as in Job’s Daughters [a 1980 9th Circuit case the majority cites even though it wasn't cited by either party or the district court], Betty Boop “w[as] a prominent feature of each item so as to be visible to others when worn . . . .” A.V.E.L.A. “never designated the merchandise as ‘official’ [Fleischer] merchandise or otherwise affirmatively indicated sponsorship.” Fleischer “did not show a single instance in which a customer was misled about the origin, sponsorship, or endorsement of [A.V.E.L.A.’s products], nor that it received any complaints about [A.V.E.L.A.’s] wares.”...“The name and [Betty Boop image] were functional aesthetic components of the product, not trademarks. There could be, therefore, no infringement.”

The court goes on to discuss Dastar:

If we ruled that A.V.E.L.A.’s depictions of Betty Boop infringed Fleischer’s trademarks, the Betty Boop character would essentially never enter the public domain. Such a result would run directly contrary to Dastar.

I applaud the majority opinion's spirit, and this could be quite a revolutionary opinion if it truly sets Ninth Circuit precedent. However, I’ve repeatedly criticized the Ninth Circuit for making up the rules panel-by-panel (I know I'm not the only one), and I suspect this is just another one-off. Kate Spelman thinks this is a good case for en banc review (I agree).

* WSJ: A quick survey of major legal issues in franchising law.

* Meth Lab Cleanup LLC v. Spaulding Decon, LLC, 2010 WL 5572397(D. Idaho Oct. 25, 2010): "the mere fact that resulting harm from the alleged confusion over the contents of the parties' websites may be incurred by an Idaho company is not sufficient to show that Spaulding “directed” its conduct toward Idaho."

* Walgreens is elevating the profile of its house-branded products.

* Index of WIPO UDRP Panel Decisions

* Oddee: 12 Hilarious Knock-off Fails

Trade Secrets

* Has the original Coca-Cola recipe leaked out?

* Reality Blurred: The producers of Survivor sue over leaked information about the upcoming season, but they drop the suit once they learn the leak source.

* David S. Almeling et al, A Statistical Analysis of Trade Secret Litigation in State Courts

Posted by Eric at 01:44 PM | Domain Names , E-Commerce , Internet History , Trade Secrets , Trademark | TrackBack

February 17, 2011

eBay's Venue Selection Clause Upheld in Missouri--Earll v. eBay

By Eric Goldman

Earll v. eBay, 2011 WL 497781 (W.D. Mo. Jan. 4, 2011). The initial complaint.

Earll, who is deaf, sued eBay for violations of the Americans with Disabilities Act (ADA) and the CA state law analogue. Her complaint relates to the fact that eBay telephonically confirms sellers, which poses a problem for deaf sellers. As part of the signup process, Earll clicked on eBay's user agreement, which included eBay's standard venue selection clause specifying its home court as the mandatory venue for lawsuits. eBay invoked the clause against Earll to move the suit there.

Earll tries to knock out the user agreement by arguing that it was fatally defective for not disclosing the telephonic verification requirement. The court deems that omission immaterial.

Earll then argues that the venue selection clause covers only a subset of claims a plaintiff might bring, and therefore it does not apply to her civil rights claim. The court rejects the argument because her claims "relate to her inability to sell items on eBay's website."

Earll then argues that some courts have rejected venue transfers in disability-related cases where a transfer would prevent disabled people from litigating, and thus undermining the law's policy objectives. Acknowledging that, the court says that Earll never indicated that she would abandon her claim if it was transferred, and California courts are just as capable of adjudicating ADA claims as the Missouri courts.

Having rejected Earll's arguments, the court orders the venue transfer. This is a nice win for eBay on two fronts. First, it's yet another case upholding its venue selection clause. I just blogged on a similarly favorable case (Evans v. Linden Research) where Second Life, invoking a clause copied from eBay's, also successfully invoked the clause. In light of the confusion we had after Comb v. PayPal, it's nice to see more predictable contract interpretation results.

Second, ADA claims are very dangerous for online sites. See, e.g., the NFB v. Target case. Having the case in eBay's home court surely helps eBay's odds of success in a risky case.

January 29, 2011

Class Action Brought by "Lonely and Vulnerable" Men Against Online Cupid Site Moves Forward -- Badella v. Deniro Mktg.

[Post by Venkat Balasubramani with some comments by Eric]

Badella v. Deniro Marketing LLC, 10-03908 CRB (N.D. Cal.; Jan 24, 2011)

This is a good one.

A group of plaintiffs brought a putative class action against an online dating website that they alleged contained predominately fake profiles. As Judge Breyer describes it in more colorful language:

This is a putative class action purportedly a vast, fraudulent scheme centered around an internet dating website that lures 'often lonely and vulnerable men' into joining . . . with the false promise that they are communicating with real women in their area who are interested in dating and/or intimate relationships.

Plaintiffs brought claims for fraud, RICO and California's anti-spam statute against multiple defendants. They alleged that they were "drawn" to the website fraudulently (e.g., via "spam, internet pop-up ads, or social networking scams"), induced to sign up for free, and then induced to upgrade to paid memberships.

Fraud: With respect to the fraud claim, defendants argued that the website terms of use undermined plaintiffs' reliance on any purported misstatements. The website terms stated:

This Service is for Amusement Purposes only.
You understand and accept that our site, while built in the form of a personals service, is an entertainment service. . . You are not guaranteed that you will find a date, a companion, or an activity partner, or that you will meet any of our members in person.
Online CupidTM Communications: You understand, acknowledge and agree that some of the user profiles posted on this site may be fictitious, and are associated with . . . our "Online CupidsTM", ("OC"). Our OC's work for the Site in an effort to stimulate conversation with users, in order to encourage further and broader participation in all of our Site's services, including the posting of additional information a.or pictures to the users' profiles.

Judge Breyer found that the terms did not undercut reliance for three reasons: (1) plaintiffs alleged that nearly all (as opposed to some) of the profiles are fictitious; (2) the fake profiles were not always labeled "OC," as promised; and (3) the plaintiffs alleged a "widespread and pervasive effort on Defendants' part to make the website appear to be a legitimate dating service." The disclaimer did not defeat reliance because defendants allegedly used a "wealth of information" to create a false impression, and the disclaimer was not as prominent as the information which created the false impression. In rejecting the claims, the court suggested what an appropriate disclaimer would look like, and contrasted this with the one from the website terms:

THIS WEBSITE USES FICTITIOUS PROFILES - READ THIS DISCLAIMER [or] THE MAJORITY OF PROFILES YOU SEE WILL NOT CORRESPOND TO ACTUAL WOMEN - READ THIS DISCLAIMER.

Disclaimers have achieved mixed results against claims of misleading website practices. (See, e.g., Vistaprint; Easysaver Rewards; Duffy v. The Ticketreserve, Inc.) I found the court's conclusion plausible, although a part of me said that an average person reading this disclaimer would conclude that they weren't visiting a typical dating website. Maybe the court figured - as many people do - that people rarely read or digest website terms?

Defendants also argued that the fraud claims were not pled with particularity. The court held that with respect to initially being drawn to the site, the plaintiffs failed to allege the particulars of how they were fraudulently drawn to the site. With respect to being persuaded to register and upgrade to paid memberships, the court held that these allegations were pled with particularity, since plaintiffs' allegations referenced specific messages sent by fake profiles which were not so labeled. Interestingly, plaintiffs alleged that in order to make the fake profile messages more compelling, defendants did not rely on "canned or automatic messages . . . [they employed] actual individuals who control hundreds of fictitious profiles." [Reasonable minds can disagree about the quality of the copy, but my feeling was that anyone who has ever moderated blog comments or been exposed to blog spam would be able to spot this as the same type of copy from a mile away.]

RICO: For the RICO claim, plaintiffs argued that defendants engaged in a conspiracy to commit wire fraud and access device fraud. The underlying fraud plaintiffs alleged was that defendants set up numerous entities to fraudulently obtain merchant accounts and then used these merchant accounts to process credit card payment for the websites in question.

The court does not give defendants' argument much credit here and declines to dismiss the RICO claims. I didn't check to see whether RICO claims have been successfully brought in the online context, but this seems like a way to attack a bunch of people in the chain of a transaction and drastically expand the scope of liability. A charge of conspiracy was successfully brought by the government in Kilbride, a criminal CAN-SPAM case. "Defendants Convicted in 1st Criminal CAN-SPAM Trial." There, among other things the government alleged that defendants used fictitious entities to register domain names. The court in Kilbride also relied on the use of privacy protection services to register the domain names. The RICO claims will have to be fleshed out and no one knows how they will fare, but plaintiffs' theory sounds pretty expansive.

Spam claims: Plaintiffs brought claims under California's spam statute. The court concludes that these claims are barred by the one year statute of limitations, thus avoiding the preemption question that has been plaguing California courts for some time, including in Reunion.com, another case where plaintiffs alleged they were induced to sign up (and upgrade) using unsolicited messages and allegedly bogus "friend messages." ("Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com.") Interestingly, an appeals court in California recently held that under the California statute claims for actual damages must be brought within three years of the receipt of the emails, while claims for statutory damages can only be brought one year within the receipt of the emails. The court's opinion here does not contain a discussion of whether plaintiffs sought actual or statutory damages, but if they sought actual damages, the dismissal does not jibe with the recent appeals court ruling in Hypertouch. ("CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick.")
___

It's hard to not be judgmental about this suit. People - specifically "lonely and vulnerable men" - sign up for these random "dating" websites and then complain because a greater than anticipated number of the profiles are fake (??). I can just picture one of the plaintiffs saying: "I'm playing the odds by going on this site. I don't know what the odds are (no one does), but they were different from what you promised!" It's also hard to fault the court for deferring the underlying issue of whether the users were misled to the factfinder, but unless the plaintiffs are chosen carefully, they are not going to have an easy time credibly explaining how they were misled. In the meantime, we can take comfort that the interests of lonely and vulnerable men trolling internet dating sites for dates can be protected.
___

Comments by Eric: It's interesting how Venkat concludes his post, because in fact I have zero sympathy for the website (treating the allegations as true, as the court was required to do on this motion to dismiss). I'm trying to imagine a world where customers would pay substantial fees to a "dating" site where much/most of the interaction was with automated scripts. (I also couldn't get Austin Power's "fembots" out of my mind reading this case). The silly disclaimers--that the site was for "amusement" and that paying customers should expect automated interactions--clearly weren't likely to be read by anyone who actually paid money to the site. So it seems axiomatic to me that the only people who paid should have been the people who didn't get the message.

Thus, this seems like one of those cases where the fine print ("we're just going to send you canned messages if you pay us a lot of money") is designed to completely contradict the big print ("we're a dating site"). You can't do that.

This case brought to mind the old Anthony v. Yahoo case, where Yahoo allegedly retained profiles of expired/terminated members so that it looked like it had a bigger dating pool. (Yahoo ultimately settled for up to $4M). We talk about how it can be a jungle out there for single people, but oh man, at least their dating services shouldn't be lying to them. Clearly, before you starting "dating" your dating site, you need to diligence it too.
___

Related (coverage of a recently filed class action against Match.com over an alleged excessive number of inactive or fake profiles):

"Lawsuit Claims More Than Half Of Match.com Profiles Are Inactive Or Fake" (Joe Mullin)
"Love’s Labour’s Lost in Cyberspace" (Danielle Citron/Concurring Opinions)

Posted by Venkat at 08:30 AM | Content Regulation , E-Commerce , Marketing , Spam

January 20, 2011

CA Appeals Court: Claims Under State Spam Statute Not Preempted by CAN-SPAM - Hypertouch v. Valueclick

[Post by Venkat Balasubramani with some comments from Eric]

Hypertouch, Inc. v. Valueclick, Inc., et al., B218603 (Cal. Ct. App.; Jan. 18, 2011)

A California appeals court weighed in on a long-running debate: whether CAN-SPAM preempts California's spam statute. This is a significant decision that covers a lot of ground (I think it mentions just about every major spam case), and it is sure to be appealed.

Background: Two of the seminal anti-anti-spam cases were Mummagraphics and Virtumundo. Mummagraphics said that CAN-SPAM is intended to cover material misstatements in emails and preempted contrary state laws (to the extent they imposed liability for immaterial misstatements). Virtumundo said that only legitimate ISPs that have suffered actual harm can sue under CAN-SPAM. In Virtumundo, the Ninth Circuit also rejected the plaintiff's claims under Washington's email statute. The plaintiff in Virtumundo was pushing the envelope, and it was unclear as to whether the Ninth Circuit's rejection of his state law claims was restricted to the plaintiff's fanciful claims which clearly stretched the scope of Washington's spam statute to the breaking point. Mummagraphics and Virtumundo were from the Fourth and Ninth Circuit respectively, and they left open the question of how other state spam statutes would fare, including California's, which is one of the most expansive (and important). Lower federal courts courts struggled with applying Virtumundo and Mummagraphics to the preemption question in California, and decisions were all over the place. Some courts held that CAN-SPAM's savings clause only saves state statutes that sound in traditional fraud, and since California's spam statute didn't require proof of reliance and damages, it did not fall into this category and was preempted. (Here's my April 2010 post on Hoang v. Reunion.com, a case that struggled with the preemption question: "Reunion.com Revisited Again: Claims Under CA Spam Law Not Preempted by CAN-SPAM -- Hoang v. Reunion.com.")

Factual Background: Hypertouch brought claims against Valueclick, various Valueclick subsidiaries, and PrimaryAds for violating section 17529.5 (California's spam statute). As the court describes it, Hypertouch is a small provider of email service to about 100 customers. Valueclick provides online marketing services to:

third-party advertisers who promote retail products. . . . Valueclick contracts with these third-party advertisers to place promotional offers on websites that are owned and operated by various Valueclick entities. Consumers, in turn, can visit Valueclick's websites and earn rewards in exchange for participating in the advertised promotional offers.

Valueclick contracts affiliates who "drive traffic" through methods chosen by the affiliates in their discretion. Valueclick provides the affiliates the creatives for a promotion, and the affiliates promote as they see fit (in many cases hiring sub-affiliates to effect the promotions). Valueclick alleged that it had no "knowledge of, or control over, the email delivery methods or header information used by [affiliates] or their sub-affiliates." [This is a risky admission!] PrimaryAds looks like it's similar to Valueclick - PrimaryAds operates a website which contains third party offers. PrimaryAds contracts with affiliates who download materials from PrimaryAds' website, engage in promotions (which are tracked by PrimaryAds). PrimaryAds requires its affiliates to sign agreements stating that the affiliates will comply with all laws, including anti-spam laws, in carrying out their promotion activities. PrimaryAds also alleged that it had "no control over the email delivery methods used by affiliates."

Hypertouch argued that Valueclick and PrimaryAds were advertised via emails that violated California spam statute in three ways: (1) the emails contained deceptive header information (because the from and to fields did not accurately reflect the sender or recipient); (2) the subject lines were likely to mislead recipients into thinking they would receive free stuff; and (3) the emails used third party domain names without the third party's permission. The trial court granted defendants' motion for summary judgment. The trial court held that defendants could only be held liable for emails they sent or caused to be sent (which cut out a chunk of the emails in question). The trial court also found that CAN-SPAM preempted state spam statutes which regulated misleading emails, unless the statutes covered "common law fraud or deceit." Since the claims did not cover the elements of common law fraud, they were preempted. Significantly, the court awarded defendants $100,000 in costs.

The appeals court's decision: The court reversed and ruled for Hypertouch, with an order that dramatically expands the reach of potential liability for products or companies that are advertised via email (regardless of whether they send the email). It's a blockbuster ruling for the anti-spam community.

Preemption: CAN-SPAM's preemption provision states that it preempts state statutes that regulate the use of commercial email "except to the extent that any such statute prohibits falsity or deception in any portion of a commercial email." The court acknowledges that CAN-SPAM's preemption was intended to accomplish a uniform standard for email regulation (to avoid requiring compliance with a "patchwork" of laws). The court also cites to a Senate Report that says that states laws prohibiting things like "fraudulent or deceptive headers, subject lines, or content" should not be preempted "because they target behavior that a legitimate business trying to comply with relevant laws would not be engaging in anyway."

The court disagrees with the trial court's conclusion on preemption and provides two main reasons, along with a lengthy discussion (and canvassing of the case law): (1) the language of the preemption clause does not support a finding of preemption; (2) allowing state law claims that reach misleading but not fraudulent emails would not undermine a national standard.

Hypertouch's claims survive summary judgment: Defendants argued that Hypertouch failed to put forth evidence that defendants either sent the emails or "knew" they were being sent by an affiliate in a misleading manner. The court responds that:

the plain text of 17529.5 indicates that its application is not limited to entities that 'send' the offending emails nor does it require plaintiff to establish that defendant had knowledge of such emails. Rather, the statute imposes liability on any 'person or entity' that 'advertises' in an email containing any of the forms of deceptive content described in section 17529.5 [(a)(1)-(3)].

Do the emails Violate the Statute?: Although plaintiffs asserted that the emails at issue violated three different prongs of section 17529.5, the court doesn't discuss the other two prongs, and merely focuses on the subject line prong. Section (a)(3) is the no misleading subject line prong, and the court finds that the following representative subject lines potentially violate the statute:

Get a FREE Golf Retreat to 1 of 10 destinations;

Let us know your opinion and win a free gift card;

Do you think Hillary will win? Participate now for a Visa card

In support of its summary judgment burden, Hypertouch put forth the testimony of its president (?) who says that he clicked on links in these emails and found out that in order to receive anything for free, you had to purchase something. As the court phrases it, the statute requires the subject line to mislead a recipient about a "material fact," and

if a subject line "creates the impression that the content of the email will allow the recipient to obtain a free gift by doing one act (such as opening the email or participating in a simple survey) and the content of the email reveal [sic] that the 'gift' can only be obtained by undertaking more onerous tasks . . . the subject line is misleading about the contents of the email.

1 year statute of limitations on liquidated damages claims: The California statute allows for statutory damages or actual damages. If the statutory damages are considered a penalty, then they are subject to a one year statute of limitations under California law. Hypertouch argued that statutory damages should not be subject to the one year time-bar because they are discretionary, but the court disagrees, holding that although the court has discretion with respect to the amount of damages it awards, it must award some amount of damages. Therefore, the court concludes that Hypertouch may seek actual damages for emails within three years of their receipt, but may only seek statutory damages for emails within one year of their receipt.

___

This is a big ruling on several levels.

The big practical effect is that it provides an avenue for California spam plaintiffs to seek relief under the California statute. Previous spam cases have backfired on spam plaintiffs due to over-reaching, but I wonder if the preemption argument backfired on defendants due to their over-reaching. Arguing that the preemption clause only saved claims which sounded in actual fraud was a stretch, and both Ethan and I expressed discomfort with rulings that embraced this standard. The court almost has an easy argument to knock down, and it happened to be an aggressive interpretation of the preemption clause that defendants were responsible for pushing.

The even bigger effect of this ruling is the fact that persons or entities who do not themselves send email but who are advertised in non-compliant email can now be held liable, without a showing that they knew or should have known that they were being promoted via non-compliant spam. This is going to throw a big monkey wrench in affiliate programs. Previous cases dealing with affiliate liability in the CAN-SPAM context required plaintiffs to show some sort of knowledge or facts sufficient to impute knowledge. ("Affiliate Spam Liability is Fact Question--US v. Cyberheat"; "Affiliate Liability Extravaganza".) .

In fact, the court expressly embraces a strict liability standard for affiliate liability. This is going to lead to some wacky results - for example, think of the case where a company located outside California is being promoted via email but does not know that its affiliates are emailing to California residents (the affiliates themselves may not know). All of a sudden, they find themselves subject to liability in California for violations of the California spam statute? (Does this present a section 230 issue, since neither of the defendants created the copy which allegedly violated the statute?)

The court's assessment of the substantive violations of the statute is cursory. The court tackles the subject line violations but where's the court's assessment of the violations of subsections (a)(1) (the domain name prong) and (a)(2) (misleading or forged header information prong). Setting aside the fact that the court's interpretation of the subject line prong is charitable (and aimed at protecting people who take on face value a claim via email that the recipient is getting something for free), there's no discussion from the court on how the emails violate the prong which prohibits the use of third party domain names without permission. The court similarly doesn't deal with the misleading header information prong, but Hypertouch's claims sound similar to the claims the Ninth Circuit rejected in virtumundo ("there is . . . nothing inherently deceptive in Virtumundo's use of fanciful domain names").

Interestingly, the California Supreme Court weighed on its spam statute just once. In a ruling last year in (Kleffman v. Vonage) the court held that use of random and multiple domain names even if they were intended to bypass spam filters does not violate California spam statute. ("Use of Multiple (Even Random or Garbled) Domain Names to Bypass Spam Filter Does not Violate Cal. Spam Statute -- Kleffman v. Vonage.")

Additional coverage: "C.A. Revives Action Charging Advertiser Under Anti-Spam Law" (Metropolitan News-Enterprise)
______

Comments by Eric:

This is an incredibly noteworthy opinion for several reasons.

First, published opinions on Internet law from California appeals courts are becoming rarer than a hen's tooth, so this is likely to be one of the few citable opinions by a California state court on spam issues for the foreseeable future (unless the Supreme Court takes it on appeal). As a practical matter, then, this opinion not only sets California law, but all federal courts interpreting federal law will also have to acknowledge this opinion. I anticipate this will be a heavily cited opinion in the future.

Second, the court's imposition of strict liability for advertisers promoted by spam is breathtaking. The court says "imposing strict liability on the advertisers who benefit from (and are the ultimate cause of) deceptive e-mails, forces those entities to take a more active role in supervising the complex web of affiliates who are promoting their products." Well, that's true in theory, but it's completely divorced from reality. Because of strict liability, even advertisers who undertake substantial efforts to police their affiliate network ARE STILL LIABLE FOR ANY PROBLEMS CREATED BY AFFILIATES. Maybe the court got confused about what it meant to impose STRICT LIABILITY. In reality, many advertisers won't rely on affiliates at all if they are strictly liable for what they do. I bet this court would view that as a perfectly fine outcome, but the it's disingenuous to say that strict liability will ratchet up the policing effort. A negligence standard might have done that; strict liability squashes the endeavor altogether.

For that reason, the strict liability standard for advertisers is the #1 thing (of a pretty long list) that needs to get fixed on appeal.

Venkat raised the issue of 47 USC 230's role here. I haven't had a chance to see if the issue was raised by the litigants, but my initial instinct is that an advertiser's 230 defense for ad copy written by a third party sounds pretty meritorious.

Overall, rulings like this reinforce to me how desperately we need to get states out of the business of trying to regulate the Internet. First, Congress built a structure to hold advertisers should be liable for spam violations in CAN-SPAM (a narrow liability scope, although I question the wisdom of even that). If California can impose a supplemental and much more expansive advertiser liability doctrine, Congress clearly did a crummy job with its preemption clause (so what else is new?). Second, this liability rule, if it sticks, is terrible policy destined to generate lots more of wasteful profit-seeking litigation. Third, it's unclear how California's policy would affect interstate advertising campaigns--a question we shouldn't even have to ask when dealing with Internet activities. We really, desperately, need to rethink our governance scheme that puts states in the business of regulating the Internet. IT DOESN'T WORK, and we lose a lot in the process.

Finally, a gossipy note. This is an unusual spam opinion in that it had big firm lawyers on both sides (Steptoe on the plaintiff side; Gibson Dunn on Valueclick's defense). I wonder if the court's decision to write a lengthy, detailed, footnoted and published opinion is the result of that.

Posted by Venkat at 05:22 PM | Derivative Liability , E-Commerce , Marketing , Spam

January 05, 2011

Lawyer-Spam Plaintiff Loses in the Sixth Circuit Over Allegedly Misleading DISH Network Emails -- Ferron v. Echostar

[Post by Venkat Balasubramani]

Ferron v. Echostar Satellite LLC, 09-4407 (6th Cir.; Dec. 28, 2010)

Ferron brought claims against Dish Network and its retail and marketing partners alleging that he had been deceived by the terms of email offers sent by defendants. According to defendants, Ferron's strategy was to actually sign up to receive emails which he claimed were deceptive. However, prior to receiving any emails, he allegedly called to verify the terms of Dish Network's service:

according to defendants, Ferron purposefully provided his email address to the approximately twelve satelitte dish websites from which he later received advertisements. Before he provided his email address to the websites, Ferron contacted Dish network call centers to obtain information about the terms and conditions of various Dish Network products and services. Accordingly, Ferron was aware of the terms allegedly excluded from the deceptive emails before he received them.

The trial court granted summary judgment, and the Sixth Circuit affirms in an unpublished opinion.

Ohio Consumer Protection Statute: Ferron claimed that he did not need to have been deceived personally to bring a claim under the OCSPA - it was sufficient that the emails contained objectively misleading information. The court disagrees. Citing overwhelming precedent in defendants' favor, the court concludes that a plaintiff must have been actually deceived in order to bring a claim under the OCSPA (i.e., individual plaintiffs cannot take the private attorney general route). Although Ferron argued that a ruling to this effect would foreclose legitimate claims, this argument didn't get much traction with the court:

Simply put, the only persons foreclosed by today's ruling are individuals who solicit emails from an advertiser after having researched and discovered the additional terms the advertisement allegedly excludes.

Ouch!

The Publisher Exception to the OCSPA: The Sixth Circuit also affirmed the trial court's ruling that one of the defendants (Hydra) who was a mere intermediary was entitled to the "publisher exception" to the OCSPA. As an initial matter, the court concludes that Hydra "was not involved in the creation of the . . . advertisements," and thus was precisely the type of entity who could take advantage of the publisher exception. Ferron argued that Hydra was not the type of publisher the legislature intended to fit within the exception, because Hydra received a referral fee each time a customer signed up (instead of a flat fee per ad, or a monthly fee). The court rejects this argument, reasoning that regardless of the fee structure, the publisher always has an interest in ensuring that customers respond to advertisements. Ferron also argued Hydra should not be entitled to take advantage of the publisher exception with respect to any ads transmitted by Hydra after the filing of the lawsuit. The court rejects this argument as well, since the mere filing of Ferron's complaint is not indicative of a violation of the statute (just that Ferron alleged that defendants violated the statute).

Request for Sanctions: Ferron requested sanctions on the basis that defendants did not maintain the ads in their native form (i.e., he could not click through and access the underlying links and graphics). The Sixth Circuit affirms the district court's rejection of Ferron's request for sanctions, noting that Ferron himself had the emails in question and should have saved them.
__

The court's description of the facts makes me think a section 230 defense may have been available to Hydra, not that it ended up needing it anyway.

The bigger takeaway? When it comes to spam litigation at least, courts seem more than able to ferret out what they see as unworthy claims. This is one of a long line of losses by plaintiffs who seem to have made it a part of their business to seek out and sue people to send them unsolicited email (see Gordon v Virtumundo, Mummagraphics, etc.).

A couple of days after the Sixth Circuit issued its opinion in this case, it issued its ruling in Charvat v. Echostar, a case where Ferron was counsel for the plaintiff. This case involved alleged do-not-call violations against Echostar and third parties brought by Philip Charvat, whom the court describes as not being "shy in taking on the role of private attorney general under the Telephone Consumer Protection Act" and listed him as a plaintiff in 13 TCPA lawsuits. The Sixth Circuit delves into the thorny jurisdictional issues, but ultimately ends up punting to the FCC on the interesting issue of whether Echostar could be liable for TCPA-violating calls made by third party independent contractors/affiliates. The FCC's amicus brief in this case suggests that it has an expansive (and perhaps troubling) view of such imputed liability.

Previous post: "Email Ad Network Isn't Liable for Unsolicited Email--Ferron v. Echostar"

Coverage of an earlier Ferron lawsuit: "Q1 2009 CAN-SPAM Quick Recaps"

Posted by Venkat at 02:14 PM | Content Regulation , Derivative Liability , E-Commerce , Spam

January 02, 2011

Nov.-Dec. 2010 Quick Links, Part 5

By Eric Goldman

Taxes

* Amazon.com, LLC v New York State Dept. of Taxation & Fin., 2010 NY Slip Op 07823 (N.Y. App. Div. Nov. 4, 2010). A NY appellate court rejected Overstock's/Amazon's facial challenges to "affiliates tax" but revived the as-applied challenge. The court distinguishes between "solicitation" of business for Amazon (collection obligation imposed) and passive advertising for Amazon (no collection obligation), but doesn't clearly explain why Amazon affiliates are engaged in solicitation and not passive advertising. Among other things, the court says [I reordered quotes]:

An advertisement in a newspaper is clearly not solicitation, as it is geared to the public at large. Likewise, the maintenance of a Web site which the visitor must reach on his or her own initiative is not, under the statute, or the advisory opinions, a solicitation. On the other hand, the targeting of a potential customer by the transmission of an e-mail is no different from a direct telephone call or a mailing to a customer. Both constitute active initiatives by a party seeking to generate business by pursuing a sale...When a representative can only receive compensation for an actual sale, it is much more likely that the representative will actually solicit, rather than passively maintain a Web site.....Nevertheless, we remand for further discovery so that plaintiffs can make their record that all their in-state representatives do is advertise on New York-based Web sites.

Although I think the court's analysis is wrong, it is not fatal to affiliate programs. For example, it seems like Amazon could fix its program by (1) prohibiting email marketing by affiliates, or (2) moving to a CPC model for affiliates.

* Colorado FYI Sales 79:

"If such retailers have total annual gross sales in Colorado of $100,000 or more, such retailers must: Provide notice with each purchase (the “transactional notice”). The transactional notice must:
• State that the retailer does not collect Colorado sales or use tax.
• State that the purchase is not exempt from Colorado sales or use tax merely because it is made over the Internet
or by other remote means.
• State that State of Colorado requires Colorado purchasers to file a sales or use tax return at the end of the year
for all taxable Colorado purchases that were not taxed, and pay tax on those purchases
• The notice must be easily seen and located near the total price.”

Miscellaneous

* Ars Technica on the Comcast/Level 3 spat. Is it a Net Neutrality red flag or a garden-variety peering disputes?

* Putting an end to one of the most over-hyped stories of the year, Craigslist shut down its adult services category globally.

In an unrelated development, Craigslist got a $6M+ judgment against ezadsuite.com, which "developed, advertised, and sold software programs to automate posting ads on Craigslist’s website and utilized other automated devices and related services meant to circumvent Craigslist’s security measures." This is one of those doctrinally troubling rulings that I choose to ignore because it's a default judgment. See the magistrate report and the judge's adoption.

* Latest NYT article hand-wringing about cyberbullying. WaPo has a myth-busting article on bullying.

* Specht v. Google, 2010 WL 5288154 (N.D. Ill. Dec. 17, 2010). Google wins a trademark battle over the term "Android." Some interesting parts:
- "on its own, the use of a domain name or e-mail address to identify an Internet host computer does not constitute a bona fide use in commerce. The use of a website address containing a trademark is not the same as use of the mark."
- "The androiddata.com website served as a remnant of a closed business. A "ghost site" such as this is not a bona fide use in commerce that can prevent the abandonment of a mark. The cost is small to maintain a domain name registration and host a several-page promotional website without e-commerce functionality, such as that which Plaintiffs contend existed at androiddata.com....Allowing a mark owner to preserve trademark rights by posting the mark on a functional yet almost purposeless website, at such a nominal expense, is the type of token and residual use of a mark that the Lanham Act does not consider a bona fide use in commerce."

* Oklahoma HB 2800: Executors can take over web accounts of the deceased.

* In theory ending another one of the year's most overhyped stories, the Borings got $1 for their trespass claim against Google. Previous blog coverage (1, 2, 3).

* Reuters: “A Reuters Legal analysis found that jurors' forays on the Internet have resulted in dozens of mistrials, appeals and overturned verdicts in the last two years.” Previous blog coverage.

* The Starwood v. Hilton Hotels corporate espionage lawsuit has settled. I tested this dispute on my IP course last year (see the exam and sample answer).

* California State Bar Standing Committee on Professional Responsibility and Conduct Opinion No. 2010-179:

Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.

* Another ill-conceived California law: large companies have to disclose on their websites their efforts to reduce slavery and human trafficking in their supply chains. Are you kidding me???

* Fun with Google Books Ngram viewer: cyberlaw vs. other terms; but different results when the terms are capitalized.

* Inside Higher Ed: "professors ‘caught on tape’ is a growing genre, and some think it could have a chilling effect on academe."

* HuffPost: You're Out: 20 Things That Became Obsolete This Decade.

* Tell your favorite male bloggers (besides Venkat and me, of course) how you really feel about their strengths.

Posted by Eric at 07:54 AM | E-Commerce , Marketing , Privacy/Security , Trade Secrets | TrackBack

January 01, 2011

Nov.-Dec. 2010 Quick Links, Part 4

By Eric Goldman

Blogs and Boards

* Reuters on the wild-and-wooly world of investor message boards.

* KingCast.net v. Friends of Kelly Ayotte, 2010 WL 4683829 (D.N.H. Nov. 2, 2010). Blogger's unsuccessful lawsuit to gain mandatory access to a candidate's campaign events as a journalist.

* Mealer v. GMAC Mortg. LLC, 2010 WL 4586183 (D. Ariz. Nov. 2, 2010). A lawsuit against General Motors for an employee's allegedly disparaging blog post is dismissed because the new GM isn't liable for the old GM's activities.

* ABA Journal: some attorneys are using independent contractors to “ghost write” blog posts for them. This seems like a practice filled with legal landmines.

Contracts

* Florencia Marotta-Wurgler, Does Disclosure Matter? The abstract:

Disclosure has long been the preferred regulatory approach to curtail one-sided standard form contract terms....The appeal of disclosure is that it is relatively low cost, improves consumer decision-making and preserves consumer choice. For disclosure to be effective, however, it must increase readership and understanding of contracts to a meaningful rate, and, conditional on readership, contract content must be relevant to purchase decisions. This paper tests both these necessary conditions. We follow the clickstream of 47,399 households to 81 Internet software retailers to measure contract readership as a function of disclosure. We find that making contracts more prominently available does not increase readership in any significant way. In addition, the purchasing behavior of those few consumers who read contracts is unaffected by the one-sidedness of their terms. The results suggest that mandating disclosure online should not on its own be expected to have large effects on contract content.

* S. 3386, Restore Online Shoppers' Confidence Act, signed into law Dec. 29, 2010. The bill prevents online merchants from passing shoppers' credit card numbers to other merchants without requisite consent. It also restricts negative option sales without adequate disclosure, consent and ability to terminate.

Jurisdiction

* Penachio v. Benedict, 2010 WL 4505996 (S.D.N.Y. Nov. 9, 2010). "Defendants are not subject to personal jurisdiction in this Court. The preparation and dissemination of the defamatory material occurred outside of New York. Although the [YouTube] videos bear a relationship to the proceedings in New York and Defendants' alleged commercial interest in New York, Defendants' interaction with New York during the publication of the videos is too marginal to rise to the level of purposeful availment."

* Miller v. Kelly, 2010 WL 4684029 (D. Colo. Nov. 12, 2010). "Defendant's LiveJournal blog appears to the Court to have been merely a passive website that allowed internet users to access and view information posted by Defendant. Accordingly, the Court finds that Defendant's authorship of a LiveJournal blog is an insufficient basis for the exercise of general personal jurisdiction over her....the Defendant's authorship of an entry on the blog was not an act purposefully directed at Colorado. Although the blog entry was allegedly accessed by Plaintiff in Colorado, no allegation or evidence has been presented to indicate that Defendant expressly aimed the entry at Colorado."

* State v. Pierce, 2010 WL 4941473 (Minn. App. Ct. Dec. 7, 2010). A man was ordered not to contact his ex-girlfriend. He violated the order by sending her a MySpace message, but prosecutors could not establish that he sent or she received the message in their county, so the conviction was reversed.

Posted by Eric at 01:14 PM | Content Regulation , E-Commerce , Licensing/Contracts | TrackBack

December 22, 2010

Court Rejects Plaintiff's Proposal of Class Notice via Twitter, SMS, and Email -- Jermyn v. Best Buy

[Post by Venkat]

Jermyn v. Best Buy, No. 08-Cv-00214-CM-DCF (S.D.N.Y.; Dec. 06, 2010)

Plaintiffs brought a class action against Best Buy alleging that Best Buy failed to honor its price-match guarantee. The court certified the class with respect to New York residents who had bought certain items from Best Buy since 2002 and who were denied Best Buy's price guarantee.

The named plaintiff suggested several forms of notice to potential class members, including notification via: (1) Best Buy's "Twelpforce" Twitter account, (2) SMS, and (3) email. Noting that overinclusive individual notice is not required, and that Best Buy is only required to undertake "reasonable steps" to identify individual affected class members, the court rejects all three suggestions.

Notice via Twitter: The court conducted a random sample of Best Buy's "Tweplforce" account and concluded that it was primarily a medium for providing technical support to customers:

As an online help desk--primarily focused on providing technical advice-- Twelpforce is not tied to Best Buy's price-match guarantee in any way and therefore there is no evidence that customers denied a valid price match use or even know of Twelpforce. Further, as Best Buy points out, Twelpforce is a nationwide help desk and Best Buy cannot limit its "tweets" by geographic area. Thus, a "tweet" about the pending class action will likely reach a nationwide audience--a group that is significantly broader than the defined class.

The courts rejects this form of notice, observing that:

Notice via Twitter is a form of individual notice (akin to notice via mail).

Notice via SMS: As with respect to the suggested notice via Twitter, the court accepts Best Buy's argument that notice via SMS was overinclusive, based on Best Buy's argument that:

Best Buy is unable to restrict its text messages to class members. Best Buy's list of mobile telephone numbers includes the telephone numbers of employees (who are excluded from the class) and select high-level Reward Zone members (i.e., members of Best Buy's loyalty program). Although Best Buy may be able to restrict its text messages to New York customers, there is no link between the list of mobile telephone numbers (which includes individuals excluded from the class definition) and class members. Moreover, the list of mobile telephone numbers is underinclusive because it contains only a select group of Reward Zone members and Best Buy employees.

Notice via email: The proposed email notice suffered the same fate, since Best Buy was "unable to restrict notice via email to only class members . . . [it] only collected customer emails when a customer makes a purchase on bestbuy.com; when a customer obtains a protection or service plan for an item purchased at bestbuy.com or at a Best Buy store; or when a customer voluntarily shares her email address when visiting bestbuy.com."
__

The court's treatment of Twitter as an form of individual notice was interesting, and not entirely accurate. Tweets are not "individualized messages" in the sense that the list of recipients is not controlled by the sender (there's not a finite list) - the list of recipients includes people who follow the general stream of Tweets as well as those who have opted in to receive messages. Additionally, tweets can be disseminated further by those who see initial tweets, increasing the odds that the word would get out to its intended audience.

It's also worth noting that the "Twelpforce" account is not Best Buy's only Twitter account. For some reason, plaintiff didn't suggest notice via Best Buy's main account, which has approximately 123,000 followers. Given that the costs involved in disseminating notice via Twitter are de minimis, I'm surprised the court wasn't more open to the suggestion. Also, I was surprised that neither party brought up Facebook as a possibility. Best Buy's Facebook page is approaching 2 million followers, and offers a similarly inexpensive way to get the notice out to a broad group of interested people. I would think Best Buy's resistance stems from not wanting to suffer any negative branding implications from including news of this class action in its overt marketing channels, but I would have thought the minimal cost would have swayed the court.

The accepted form of class action notices will evolve over the years (the court agreed that notice via Best Buy's website was proper, and Best Buy did not object to class counsel setting up a website where it would disseminate notice). Interestingly, the court approves notice via the New York Times, and suggests a few other local newspapers where notice is appropriate, even though there's no empirical evidence that these methods of notice are any better targeted to reach prospective class members than the ones proposed by class counsel, and undoubtedly they are more expensive. (I don't know where revenue from this notice fits into a newspaper's revenue stream, but it's nice to see that the court is looking out for the dying print media.)

I was somewhat surprised - given the infinite degree of targeting and consumer tracking companies are portrayed as engaging in - that the court did not push Best Buy to take additional steps to identify individual customers within the class. Under the rules as articulated by the court, only class members that can be identified through "reasonable steps" should receive individual notice, but I would have thought Best Buy would have ample "reasonable" means at its disposal to identity affected customers.

Posted by Venkat at 01:53 PM | E-Commerce , General

November 12, 2010

Amazon Isn't Liable for Rogue Affiliate's Keyword Ad Buys--Sellify v. Amazon

By Eric Goldman

Sellify Inc. v. Amazon.com, Inc., 2010 WL 4455830 (S.D.N.Y. Nov. 4, 2010). The initial complaint.

Christopher Maki runs Sellify, which in turn runs a website/eBay store called OneQuality.com. An Amazon affiliate, "Cutting Edge Designs," purchased the keywords "onequality" and close variants in Google AdWords and displayed ads saying “Don't Buy from Scammers” or “Beware the SCAM Artists” and linking to Amazon (presumably using CED's Amazon affiliate ID in the link). Sellify contacted Amazon regarding these ads but reached the wrong internal department, which was unsurprisingly unhelpful. Sellify then sent Amazon a demand letter, which prompted Amazon to tell CED to cut it out. Apparently CED didn't, so Sellify sent Amazon a second demand letter, and Amazon then terminated CED's affiliate status and withheld accrued commissions. The ads stopped shortly thereafter.

Logically, the matter should have ended there. Instead, Sellify sued Amazon under the Lanham Act and ancillary claims, seeking $2.4M in damages.

Legal Analysis

The court quickly rejects Amazon's direct liability for a Lanham Act violation because Amazon didn't buy the ads in question.

The court then discusses Amazon's vicarious liability for any Lanham Act violations. The court's discussion is a little confusing because it never establishes that CED violated the Lanham Act, nor does it resolve the test for vicarious liability. Instead, it says that some courts establish vicarious Lanham Act liability based on either actual authority over the agent or apparent authority:

Actual Authority: CED did not have actual agency authority from Amazon. Amazon's affiliate agreement (the "Operating Agreement") expressly disclaims such authority. "Further, Amazon did not control the form or substance of Cutting Edge's ads, and it is undisputed that Amazon had no authority to remove the Cutting Edge ads from the Internet. "

Apparent Authority: The court rejects apparent authority because Amazon never communicated anything validating CED's ability to act as its agent. Amazon only communicated that affiliates like CED could link to its site.

The court also rejects Amazon's contributory Lanham Act liability, citing the Tiffany v. eBay case. The court says "In this case, there is no evidence that Amazon had particularized knowledge of, or direct control over, Cutting Edge's disparaging ads." The court disregards Sellify's initial misdirected contact with Amazon. Then, "upon receipt of Sellify's May 2009 demand letter, Amazon promptly initiated enforcement action against Cutting Edge, and eventually terminated its contractual relationship with the company in large part because it continued to infringe on plaintiff's mark." Once again, although trademark law doesn't have a statutory notice-and-takedown procedure akin to 17 USC 512, adhering to a trademark notice-and-takedown procedure is clearly a best practice.

The court rejects all of Sellify's state law claims, saying they require "proof that either Amazon itself placed the Cutting Edge ads or that Cutting Edge acted as Amazon's agent in placing the ads," and the court already said that Sellify couldn't show that. This is a good move, but it would have been even better if the court discussed how 47 USC 230 immunized Amazon for its affiliates' acts.

Implications

Affiliate Tax. I wonder how this ruling might bear on the Amazon affiliate tax battles? In NY, Amazon and Overstock are battling over whether their affiliates are "sales representatives" that allow the state to impose sales tax collection obligations on them. Here, we get a federal judge in NY saying that affiliates aren't "agents" for purposes of a variety of legal doctrines. The efforts to use affiliates as a basis to impose sales tax collection obligations has always a crock; this opinion indirectly reinforces that.

TM Liability for Affiliate's Ads. Other lawsuits have tried to impose trademark liability on an affiliate program operator for the ads placed by affiliates. See my recap here. I can't recall any of the other cases reaching a final conclusion. I don't think this case is the final word on the subject, but it may reinforce that those cases are meritless.

Keyword Ad Lawsuits Are Economically Irrational. As I've repeatedly indicated, keyword advertising lawsuits usually make no economic sense. See, e.g.:
- King v. ZymoGenetics. The defendant advertiser got 84 clicks.
- Storus v. Aroa. The defendant advertiser got 1,374 clicks over 11 months.
- 800-JR Cigar v. GoTo.com. The search engine defendant generated $345 in revenue from the litigated terms.

In this case, CED's ads generated about 1,000 ad impressions and 61 clicks. No matter how you slice it, bringing a lawsuit against Amazon over the diversionary effect of 1,000 ad impressions and 61 clicks is a terrible economic decision. The court especially guffawed at the $2.4M damage request--even more farcical given that OneQuality.com was generating a total of about $50k of annual profits. No matter what, Sellify should have dropped the issue once it succeeded with the takedown. Running to court was an unnecessary waste for everyone.

Rebecca's post on this ruling.

Posted by Eric at 11:30 AM | Derivative Liability , E-Commerce , Marketing , Trademark | TrackBack

November 05, 2010

October 2010 Quick Links

By Eric Goldman

Copyright

* Greg Sandoval discusses copyright trolls with Cindy Cohn. You may recall I had an "interview" with Cindy as a guest lecture in my Internet Law course. And a belated congratulations to Cindy for her recognition by the CA State Bar IP Section. BTW, have you considered supporting the EFF financially? I do, because I sleep better at night knowing Cindy and her colleagues are on the beat looking out for our interests.

* Triton Media settles with movie studios for providing too much support to pirate movie websites.

* Did you know that California has a law (Educ. Code 66450-66452) prohibiting the commercialization of class notes from academic courses? It raises interesting First Amendment, copyright preemption and 47 USC 230 issues.

Trademarks

* The initial interest confusion doctrine appears to be infecting EU trademark law.

* Reuters reports on buying counterfeit goods from China over the Internet.

* News.com: Trademark issues on Etsy.

* DSPT v. Nahum (9th Cir. Oct 27 2010). "Even if a domain name was put up innocently and used properly for years, a person is liable under 15 U.S.C. § 1125(d) if he subsequently uses the domain name with a bad faith intent to profit from the protected mark by holding the domain name for ransom. The evidence sufficiently supported the jury’s verdict that Nahum did so, causing $152,000 in damages to DSPT."

* Hearts on Fire v. Blue Nile settled in January. Prior blog post.

* WaPo on universities cracking down on high school teams copying the university's logos.

* An interview with Google's chief trademark counsel Terri Chen.

Content Regulation

* Lichter v. Martin, 2010 WL 3913601 (Cal. App. Ct. Oct. 7, 2010). Blog post protected by anti-SLAPP laws.

* Eoin O'Dell discusses secondary online defamation liability in Ireland. The post illustrates why we should be grateful for 47 USC 230.

* Kash Hill reports on a professor who got busted for possessing child porn, some of which allegedly was collected for an academic research project.

* The Register published an important and thought-provoking article on restitution in child porn cases.

* Doe v. Shurtleff (10th Cir.). Utah law requiring sex offenders to turn over their usernames to the government survives First Amendment challenge.

Consumer Protection

* NYT: "Under the deal with the French Competition Authority, Google agreed to adopt conditions, including a three-month notification period, when it rejected some ads from appearing next to its search results in France. The specific conditions apply only in France, and concern only ads for tools aimed at helping drivers avoid speeding tickets." Search Engine Land has more.

* Target avoids class certification in lawsuit over its website's allegedly inaccurate but obscurely presented references to "Made in the US." Rebecca's coverage.

* PA Bar Opinion: "It is the opinion of the Pennsylvania Bar Association Unauthorized Practice of Law Committee that the offering or providing [in Pennsylvania] of legal document preparation services as described herein (beyond the supply of preprinted forms selected by the consumer not the legal document preparation service), either online or at a site in Pennsylvania is the unauthorized practice of law and thus prohibited, unless such services are provided by a person who is duly licensed to practice law in Pennsylvania retained directly for the subject of the legal services."

* Rebecca on the Ewert v. eBay class certification.

* The Supreme Court denied cert in Tricome v. eBay, Inc., 2010 WL 3525737 (U.S. Nov. 1, 2010)

Miscellaneous

* Streaming video version of Alex Macgillivray's lecture at SCU from a month ago.

* Mike Godwin has left his role as Wikimedia's GC.

* Virtual world enthusiast Greg Lastowka has posted his new book Virtual Justice under a CC license.

* Pelican Trading Inc. v. Proskauer Rose LLP, 2010 WL 3905750 (D. Nev. Sept. 28, 2010). A law firm's blog post about a Nevada law did not help confer jurisdiction in Nevada.

* School district settles spy webcam case. Surprise! Lawyer gets 70% of the money.

Posted by Eric at 06:51 AM | Copyright , Domain Names , E-Commerce , Trademark , Virtual Worlds | TrackBack

November 01, 2010

Auction Platform Protected by 47 USC 230 for a Rogue Auction--Simmons v. Danhauer

By Eric Goldman

Simmons v. Danhauer & Associates, LLC, 2010 WL 4238856 (D. S.C. Oct. 21, 2010)

Proxibid provides an online auction platform similar to eBay, except that Proxibid vets auctioneers before they can conduct an auction. Danhauer used Proxibid's platform to conduct an auction. Simmons cast the high bid in a Danhauer auction that had two alleged irregularities. First, with the help of a Proxibid CSR, Danhauer unilaterally extended the auction's closing time. Second, Danhauer allegedly cast shill bids in the auction under a different account. The plaintiffs were understandably miffed, and they sued both Danhauer and Proxibid. Simmons apparently settled with Danhauer, leaving open for this ruling the claims against Proxibid. The court dismisses those claims on summary judgment.

The court buzzes through Simmons' claims based on the prima facie elements. It dismisses the negligence claim because the core harm here is an alleged breach of contract (Danhauer's failure to consummate the transaction with the high bidder), and the contract breach can't support a tort claim. Without a tort claim, the unfair practices claim also fails. The conversion claim fails because Simmons had not yet obtained a possessory interest in the goods. The fiduciary breach claim fails because Proxibid only provided customer support to Danhauer. The contract interference claim fails because, at most, Proxibid simply followed Danhauer's instructions.

In addition to the claims' failures on their faces, the court concludes that Proxibid qualifies for 47 USC 230 immunity. The court's entire discussion of the issue:

Plaintiffs have essentially asserted that Proxibid is liable to them in tort for tortious interference with a contract, aiding and abetting a breach of a fiduciary duty, negligence, unfair trade practices, and conversion because Proxibid allegedly helped Danhauer deprive Plaintiffs of the items for which they were the highest bidder in the auction at 4:00 a.m. Plaintiffs' sole bases for maintaining these claims against Proxibid arise from Proxibid's facilitation of Danhauer's reopening of the auction and Proxibid's alleged failure to thwart Danhauer's efforts to bid in its own auction in violation of the website rules. Plaintiffs do not dispute the fact that Proxibid is a website service provider, much like Ebay. Plaintiffs also do not dispute that Danhauer was responsible for conducting all aspects of the auction. There is no evidence that Proxibid posted any information or conducted any actions other than those provided by or at the direction of Danhauer. In this case, Proxibid is nothing more than an interactive computer service provider and cannot be held liable for the information and actions originating from Danhauer. Accordingly, Proxibid is also entitled to the immunity provided under the CDA, and Plaintiffs may not pursue the tort claims in their Complaint against Proxibid.

The case doesn't break much new ground. It's just another easy defense win in an obvious 230 case.

Posted by Eric at 06:50 AM | Derivative Liability , E-Commerce | TrackBack

October 18, 2010

First Sale and Exhaustion Doctrines in IP Conference, Nov. 5, SCU

By Eric Goldman

I've mentioned our First Sale and Exhaustion in IP conference before, but now it's less than 3 weeks away. If you were thinking about coming, now is a good time to confirm your spot.

As regular readers know, first sale issues are swirling around us. On the copyright front, we are working through a troika of Ninth Circuit cases in Vernor v. Autodesk (now subject to an en banc hearing request), UMG v. Augusto and Blizzard v. MDY. I've also blogged about some transborder importation cases involving cheap textbooks (e.g., Pearson v. Liu). On the importation topic, the US Supreme Court granted cert in another Ninth Circuit case, Costco v. Omega, and oral arguments are imminent. [UPDATE: I've been informed the oral arguments will be on Nov. 8, just a few days after the conference!] And many folks continue to lament the absence of a first sale doctrine for digital files.

On the trademark front, we've discussed how manufacturers are battling back against unwanted eBay sales (see Mary Kay v. Weber and Beltronics v. Midwest). Simultaneously, manufacturers are embracing minimum resale prices following the Supreme Court opinion in Leegin. We haven't blogged too much on patent exhaustion, but the recent Quanta v. LGE Supreme Court ruling casts a large shadow over both patent exhaustion as well as other types of exhaustion. Interwoven into all of these topics are questions about whether statutory first sale/exhaustion rights are waivable or conditionable by contract.

As you can see, we have a lot to talk about.

I'm particularly excited about this conference because that we won't look at IP exhaustion principles in doctrinal "silos." Instead, we've taken an holistic approach to the topic, so that we can see how the exhaustion principles might be similar and different across the various IPs. We hope this will yield some powerful insights that otherwise would be lost in a silo-by-silo analysis.

Our agenda for the day:

8:15 – 8:45 Registration

8:45 – 9:00 Welcome Remarks

9:00 – 10:20 Justifications for the First Sale/Exhaustion Doctrines
Moderator: Lee Ann Lockridge, Louisiana State University Law Center
Vince Chiappetta, Willamette University College of Law
Anne Layne‐Farrar, LECG
Rahul Telang, Heinz College, Carnegie Mellon University
Molly Shaffer Van Houweling, UC Berkeley School of Law

10:20 – 10:40 Break

10:40 – 12:00 Channel Management Issues
Moderator: Mark P. McKenna, Notre Dame Law School
Dale D. Achabal, Santa Clara University
Mary Huser, Bingham McCutchen
Ariel Katz, University of Toronto
Catherine Sandoval, Santa Clara University School of Law

12:00 – 1:10 Lunch
12:40 Mark A. Lemley, Stanford Law School

1:20 – 2:40 Transborder and Comparative Issues
Moderator: Colleen Chien, Santa Clara University School of Law
Frederick M. Abbott, Florida State University College of Law
John A. Rothchild, Wayne State University Law School
Irene Calboli, Marquette University Law School
Cynthia Ho, Loyola University Chicago School of Law

2:40 – 3:00 Break

3:00 – 4:20 Copyright Issues
Moderator: Brian Carver, UC Berkeley School of Information
Neel Chatterjee, Orrick, Herrington & Sutcliffe LLP
Raymond T. Nimmer, University of Houston Law Center
Tyler T. Ochoa, Santa Clara University School of Law
Jason Schultz, UC Berkeley School of Law

4:20 – 4:30 Closing Remarks – Eric Goldman, Santa Clara University School of Law

4:30 – 5:30 Reception

Please register at the conference page. Hope you can join us on Nov. 5.

Posted by Eric at 09:15 AM | Copyright , E-Commerce , Licensing/Contracts , Patents , Trademark | TrackBack

October 11, 2010

Class Action for Misleading Pop-up Ads Against McAfee Survives Motion to Dismiss -- Ferrington v. McAfee

[Post by Venkat]

Ferrington v. McAfee, Case No. 10-cv-01455-LHK (N.D. Cal. Oct. 5, 2010)

There have been a few rulings involving class actions from customers alleging that an online merchant partnered with a third party who improperly piggybacked on to the merchant's transaction (and in the process the customer ended up buying something he or she did not want to purchase). (See In re: Easysaver Rewards Litigation -- Internet Rewards Program Class Action Survives Initial Motion to Dismiss and Fifth Circuit Blesses Vistaprint's Rewards Program Sign-Up Process.) Congress is taking a look at these types of practices and New York's Attorney General has settled with several companies who allegedly engaged in these types of practices. A lawsuit against McAfee alleging similar claims recently survived a second motion to dismiss.

Background: As alleged by the plaintiffs, McAfee, the computer security software seller partnered with

Arpu . . . a company that places online advertisements that enable consumers to purchase products 'with a single click, using credit card information already on file'. . . . Arpu partnered with McAfee to place ads on McAfee's website that would appear after a customer completed a purchase of a McAfee product. If a customer chose to subscribe to the product or service offered in the Arpu ad, McAfee transmits [the customer's] billing information to Arpu for use in the purchase of the Arpu product. . . . . After [plaintiffs] completed their transactions, but before they downloaded the McAfee product, an Arpu pop-up ad appeared on their computer screens with the button reading 'Try it Now.' Believing that clicking on 'Try it Now' would download the McAfee software they had just purchased, plaintiffs clicked on the button. They later learned that clicking on 'Try It Now' authorized McAfee to transfer their billing info to Arpu, enrolled them in a 30-day free trial of a non-McAfee product called PerfectSpeed, and authorized Arpu to charge them a $4.95 monthly subscription fee after the expiration of the free trial period.

Plaintiffs brought claims under California's unfair competition law and the California Consumer Legal Remedies Act, along with a few other claims.

The Court's Ruling:

Screenshots: As an initial matter, McAfee tried to rely on screenshots of the online sign-up process and have these screenshots judicially noticed. Predictably, the court declines McAfee's offer, because among other things, McAfee itself admitted that it "recreated the image Plaintiffs would have seen . . . [since] the pop-up [ads at issue were] no longer running." [emphasis added] Plaintiffs also disputed McAfee's representation that the ads were identical to what the plaintiffs saw during the purchase process. McAfee also tried to rely on documents from Arpu (e.g., terms of use, purchase confirmation emails, etc.). This request suffered the same fate, because among other things, McAfee failed to provide an explanation of the source of the documents. (Even if McAfee explained where they came from, these documents were not properly subject to judicial notice. They would have been contested anyway, so I'm not sure why McAfee thought it could have the court judicially notice these documents.) As in the Easysaver Rewards case, plaintiffs requested the court to judicially notice a Senate Report titled "Aggressive Sales Tactics on the Internet and their Impact on American Consumers," and two similarly themed FTC reports. The court acknowledged that these reports were prepared, but did not take notice of the findings and opinions contained in those reports.

Unfair Competition Claim: McAfee initially argued that plaintiffs could not obtain damages under 17200 since they had not paid McAfee any money - i.e., plaintiffs paid money to Arpu which plaintiffs were improperly trying to recover from McAfee. The court rejects this argument, concluding that if plaintiffs had paid money to a third party as a result of McAfee's unfair trade practices, plaintiffs could recover this money as restitution, even though they paid it to a third party. It was not lost on the court that McAfee and Arpu likely had some sort of financial arrangement pursuant to which Arpu would pay McAfee amounts for customers that clicked through.

As far as the merits were concerned, the court looked to two tests for evaluating plaintiffs' 17200 claim that McAfee engaged in an "unfair" trade practice: (1) the amorphous balancing test (where the harm to the consumer is balanced against the utility of the defendant's practice) and (2) the test that looked to whether the defendant's conduct was unfair in light of public policy "tethered" to an actual law or statutory provision that was intended to carry out public policy. With respect to the tethering test, the court found that plaintiffs could not point to any statute or rule to which they could tether their unfairness claim. However, the court found that plaintiffs could assert a claim under the balancing test. Here the court balanced the harm to the plaintiffs from the allegedly misleading statements against the utility of the advertising by McAfee. Surprisingly, the court seemed to struggle with the balancing, in light of the purported utility of pop-up ads. Not shockingly, McAfee could not argue that pop-up ads served a useful purpose, beyond pointing out that the pop-up ads were useful in the same way that any garden variety advertisement was "useful." [I'm not sure who will testify on McAfee's behalf that this is actually the case, but I'm sure some internet user exists out there somewhere that can testify to this.]

Plaintiffs also asserted a claim under the "unlawful prong" of 17200, which allows plaintiffs to borrow from other statutes and use violations of these other statutes to support a 17200 claim. The court held that a plaintiff could assert a 17200 claim based on a Lanham Act violation because the Lanham Act cases do not reflect an intent to bar an independent private right of action. Nevertheless, the court held that the plaintiffs did not adequately state a claim here, because the plaintiffs had not alleged "the existence of a valid and protectable mark that is being used [by McAfee] without authorization." Plaintiffs also asserted that McAfee engaged in an unlawful trade practice alleging that McAfee violated the Consumer Legal Remedies Act.

CLRA Claim: The CLRA prohibits unfair practices undertaken in the context of a transaction involving the "sale or lease of goods or services." McAfee argued that the CLRA did not apply because the McAfee transaction involved software which is not a good or service covered by CLRA. As McAfee notes, the CLRA defines goods as "tangible chattels." McAfee analogized software to insurance and credit, which courts have previously held are "intangible chattels," and not covered by the CLRA. McAfee also cited to secured transaction provisions of California's version of the Uniform Commercial Code, which defines "general intangibles" to include software and which exclude computer programs from the definition of "goods."

The court noted the mixed authority on this issue but ultimately concluded that "the software [plaintiffs] purchased is not a good covered by the CLRA." The court additionally concluded that software "generally is not a service for purposes of the CLRA." (CLRA defines service as "work, labor, and services . . . including services furnished in connection with the sale or repair of goods.") In addition, the court rejected plaintiffs' argument that the particular subscription provided by Arpu should be considered a service, on the basis that plaintiffs had not alleged "sufficient facts as to the nature of the services provided by [Arpu] to allow the court to draw that conclusion." The court granted plaintiffs leave to allege this in an amended complaint.
__

My first reaction is . . . what the heck were McAfee's marketing folks thinking signing up Arpu's services? McAfee, as a provider of computer security software, offers a third party's product that customers are prompted to purchase through a pop-up ad at the point of sale? Worse yet, McAfee allegedly transferred the plaintiffs' credit card information to a third party based on plaintiffs' assent to terms that were vaguely displayed in a pop-up ad? As detailed in the post about Vistaprint, a robust disclosure may insulate an internet merchant who refers its customers to a rewards program at the point of sale, but the plaintiffs' allegations (and the dispute as to the terms that were presented to the consumers) easily take this case outside this category. Again, setting aside the legal issues, where - other than out to lunch - was McAfee's brand manager in this transaction? McAfee bills itself as a company who makes available products to protect consumers from shady websites and software, but taking plaintiffs' allegations as true, isn't McAfee engaging in the very conduct that its services are designed to protect against? Regardless of how the lawsuit pans out, plaintiffs' allegations put McAfee and its brand in an uncomfortable spot.

The case offers teaching similar to Vistaprint and Easysaver: if you are going to inject a third party transaction in the context of an online sale, your documentation better be bulletproof and should make crystal clear to the consumer that a third party is involved. And if you are going to seek judicial notice, the online terms have to be truly indisputable. The court in this case contrasts Vistaprint by noting that in Vistaprint, (1) customers were required to enter their email addresses, (2) the pop-up offer terms were presented in close proximity to where consumers had to enter their email addresses, and (3) the ads in Vistaprint "clearly identified the third party receiving" the billing information from Vistaprint. Regardless of the disclosure, the whole "transferring a customer's payment information to a third party" sounds like a practice that internet merchants may want to steer clear of.

I'm not sure what to make of the Lanham Act ruling, but the CLRA ruling is interesting. Article 2 of the UCC contains a broad definition of goods, and software (particularly off-the-shelf software) has been classified as a good for Article 2 purposes. A finding that this type of software is not subject to the CLRA certainly narrows the scope of remedies available to consumers, but is defensible in light of the narrow definition for goods employed by the CLRA. (“Goods” are defined as “tangible chattels,” and “services” are defined as “work, labor and services . . . ” under Cal Civ. Code §§ 1761(a) and (b).)

Posted by Venkat at 11:14 AM | E-Commerce , Licensing/Contracts , Marketing

September 28, 2010

Washington Anti-Online Gambling Law Survives Dormant Commerce Clause Challenge -- Rousso v. State

[Post by Venkat, with brief comments from Eric]

Rousso v. Washington, Case No. 8040-1 (Wash. S.Ct. Sept. 23, 2010)

Professor Goldman blogged recently about a case from the Washington state Supreme Court interpreting the state's online gambling laws: "P2P Gambling Site is Illegal Bookmaker." The same court just issued an opinion rejecting a dormant commerce clause challenge to Washington state's online gambling laws.

Lee Rousso, an online poker aficionado and Washington state resident, brought a declaratory judgment lawsuit seeking a declaration that Washington's online gambling statute violates the dormant commerce clause. The trial court and the court of appeals rejected this challenge, and the Washington Supreme Court affirmed.

No delegation of authority

The court first noted that existing federal laws regulating online gambling did not delegate to the states authority to regulate online gambling. The court rejected the State's argument that the Unlawful Internet Gambling Enforcement Act of 2006 and the Wire Act contained language from which the court could find that Congress delegated the matter to the states.

Court finds that the statute does not discriminate

The court next applied the traditional discrimination test to determine whether the Washington law discriminated in language or effect against out-of-state commerce. The language of the statute was not discriminatory - "it equally prohibits internet gambling regardless of whether the person or entity hosting the game is located in Washington, another state, or another country." The court could not find any discriminatory effect on interstate commerce, since the statute prohibits internet gambling "evenhandedly, regardless of whether the company running the web site is located in or outside the state of Washington." Rousso argued that in reality, since there were no Washington-based internet gambling sites, the effect of the ban was to favor in-state brick and mortar gambling services. Citing CTS Corp v. Dynamics Corp, 481 U.S. 69, 87-88 (1987), the court rejected this argument.

Rousso also argued direct discrimination because banning internet gambling will "have a secondary effect of promoting in-state, Internet gambling substitutes . . . ." The court rejects this argument as well, noting that internet gambling and brick and mortar gambling are "two different activities, presenting risks and concerns of a different nature . . . ." According to the court, purchasing substitute goods and services (whether that is brick and mortar gambling or "buying more snacks for an in-person poker game among friends") is not a direct discriminatory effect.

The burden is not "clearly" excessive in relation to the local benefit

Finding no overt discrimination, the court engaged in commerce clause balancing and asked whether there is a legitimate state purpose for the ban, and whether the burden imposed as a result of the ban is "clearly excessive" in relation to the local benefit. Interestingly, the court credits the State's arguments regarding the State's interest in regulating online gambling on the basis that online gambling (as opposed to in-person gambling) presents unique harms:

Internet gambling introduces new ways to exacerbate [the same threats to health and welfare as off-line gambling] . . . . Gambling addicts and underage gamblers have greater accessibility to on-line gambling--able to gamble from their homes immediately and on demand, at any time, on any day, unhindered by in-person regulatory measures. Concerns over ties to organized crime and money laundering are exacerbated where on-line gambling operations are not physically present in-state to be inspected for regulatory compliance. Washington has a legitimate and substantial state interest in addressing the effects of Internet gambling.

The court found that the burden on interstate commerce is "comparable" to the substantial state interest in protecting health, welfare, safety, and morals.

Regulation vs. an outright ban

Rousso argues that the State had a less restrictive alternative to address these concerns: regulating (rather than banning) internet gambling. The court again recited the "unique dangers and pitfalls" presented by online gambling, and concluded that it wasn't clear regulation could adequately address these issues, and in any event, it wasn't up to the court to second guess the legislature's decision to ban, rather than regulate, online gambling. The court further noted that regulating online gambling would be "an interstate-commerce burdening nightmare." [It wasn't clear to me that an outright ban presents less of a burden than regulation.] Regulation would require Washington to inject itself into the universe of non-Washington (and off-shore) online gambling entities, and "foreign operations would need to be reorganized in conformity to Washington regulations. . . . When a foreign operation failed to conform, all Washington commerce on that web site would be precluded."
__

I wasn't sold on the Court's conclusion. The Washington Supreme Court previously rejected a dormant commerce clause challenge to Washington state spam laws (See State v. Heckel, 24 P.3d 404, 406 (Wash. 2001)), but as the court of appeals noted, Heckel differs from this case since the law here applies to "passive" websites. Also, Washington's spam statute (like most others) also contains a geographic limitation. In fact, I may be missing something pretty basic, but I don't see an express geographic limitation in the statute. RCW 9.46.240 states:

Whoever knowingly transmits or receives gambling information by telephone, telegraph, radio, semaphore, the internet, a telecommunications transmission system, or similar means, or knowingly installs or maintains equipment for the transmission or receipt of gambling information shall be guilty of a class C felony . . . . However, this section shall not apply to such information transmitted or received . . . relating to activities authorized by this chapter . . . .

Not only does the statute not contain an express geographic limitation, it also exempts the identical conduct when engaged in by brick and mortar retailers. As I read the statute I wonder whether it allows gambling establishments that are authorized in the State of Washington to conduct operations on the internet? I think the State's argument breaks down here, because entities that are authorized (i.e., regulated) can engage in the conduct, but 100% of them will be in the state.

It was also interesting that the court so quickly and easily concluded that a ban did not affect out-of-state and foreign businesses because of their ability to screen customers geographically:

those businesses can easily exclude Washingtonians. If an individual during registration marks his or her location as the state of Washington, the gambling web site can end the registration there.

The court of appeals also mentions this ease with which an online business can exclude a resident from a particular state, but neither the court of appeals nor the Washington State Supreme Court cite much evidence for this proposition. (Here's a pdf link to the opinion: Rousso v. State, which discusses American Libraries Ass'n. v. Pataki, 969 F.Supp. 160 (S.D.N.Y.1997), and other decisions that came after it.)

The fact that this is a criminal statute dealing with the transmission of information makes this problematic. Would an out of state business violate the statute because a patron happen to use the service without disclosing that the patron was a Washington resident? The statute does not provide a simple answer to this.

I think this case is much tougher than the court gives it credit for being. It's worth noting that Justice Sanders, who authored the opinion, is well known for his libertarian leanings.

I also think the statute raises First Amendment concerns, but a quick online search did not turn up any challenges to the statute on this basis.

Related:

"State Efforts to Regulate the Internet" (Cyberlaw Cases) (discussing court of appeals opinion)

"Washington State Supreme Court Upholds Internet Gambling Law" (PokerNewsDaily) (discussing Rousso)

"No On-line Gambling for You, Minnesotans" (Info/Law) (discussing 2009 effort by Minnesota to impose filtering on ISPs)
______

Eric's comments: I continue to believe that any state regulation of the Internet presumptively violates the dormant commerce clause, especially when the statute does not contain any geographic limitations in its express terms.

It's true that a gambling website can block a state's residents if the site asks the user to report the geography and if the user accurately self-reports. However, a state law requiring websites to ask users to self-report geography governs conduct wholly outside the state because websites located outside the state who serve non-state residents would still have to comply. This extraterritorial reach, in turn, makes the law presumptively violative of the DCC, negating the applicability of the Pike balancing test. So from my perspective the court badly whiffed this ruling.

For my other ruminations on the problems with states regulating the Internet, see Geolocation and A Bordered Cyberspace (Nov. 2007).
______

UPDATE: John Ottaviani sent the following:

After rereading a number of dormant Commerce Clause Internet cases, I just come down on the side that the Internet is an inherently interstate entity, incapable of regulation by the states, as did the courts in Pataki and Dean (Am. Libraries Ass'n v. Pataki, 969 F. Supp. 160 (S.D.N.Y 1997); Am. Booksellers Found. v. Dean, 342 F.3d 96 (2d. Cir. 2003)). So I never get to the Pike balancing test. Even on the Pike balancing test, the Washington court gives short shrift to its treatment of the burden on interstate commerce, and is overly glib in its assertion that the websites can simply block the Washington users by refusing to register users with a Washington zip code. One of the reasons state lotteries and other "legal" forms of gambling have not proliferated on the Internet in the United States is the fear of criminal prosecution due to the inability to restrict users by geographic location to the degree felt necessary to avoid criminal prosecution. Users can lie about their address, or can be using service providers located in a different state than the user. The problem is exacerbated now with the proliferation of mobile devices, as users are no longer even tied to a particular fixed location. If a Washington resident is gambling on his Blackberry while on vacation in San Francisco, is that considered a violation of the Washington statute? What if the user lies and provides a California address and zip code?

The Rousso decision is consistent with the Washington court's decision in State v. Heckel, 24 P.3d 404 (Wash. 2001), where the Washington court rejected a dormant commerce cause challenge to its anti-spam law (prior to the enactment of the federal CAN-SPAM law). In Heckel, the court also gave a cursory treatment to the burden on interstate commerce, finding the only burden was the burden for spammers to refrain from deception, which the court found did not burden interstate commerce at all.

I'm not sure how the case would come out if the Supreme Court accepts a cert petition. Scalia is on record as not liking the Pike balancing test.

Posted by Venkat at 09:57 AM | E-Commerce

September 20, 2010

Fifth Circuit Blesses Vistaprint's Rewards Program Sign-Up Process -- Bott v. Vistaprint USA Inc.

[Post by Venkat]

Bott v. Vistaprint USA Inc., No. 09-20648 (5th Cir.; Aug. 23, 2010).

I recently blogged about an online rewards program class action which survived a motion to dismiss. (In re: Easysaver Rewards Litigation: "Internet Rewards Program Class Action Survives Initial Motion to Dismiss.") Defendants in that case tried unsuccessfully to rely on a trial court's dismissal of a similar class action against Vistaprint. The Fifth Circuit recently affirmed the district court's decision in Vistaprint, endorsing Vistaprint's process for signing up online and its disclosures. The Fifth Circuit issued a per curiam decision, highlighting the reasoning of the district court in Vistaprint.

The Vistaprint and Easysaver cases differ in one important procedural respect: in Vistaprint, there was no dispute about the sign up process and consumer experience. In Easysaver, partially because the sign up process seemed to change over time, the court did not accept as fact the webpages put forth by Easysaver that supposedly represented the consumer experience. [It would be helpful for the court to have actually reproduce the webpages in question in an appendix to the court order.] In both cases, defendants brought an initial motion to dismiss. In Vistaprint, the court granted the motion and dismissed the case. In Easysaver, the court held that motion was properly brought as a summary judgment motion and declined to dismiss the case at the initial stage. (In contrast to Easysaver, in Vistaprint, the plaintiffs did not dispute the authenticity of the webpages submitted by Vistaprint along with its motion to dismiss.)

The Vistaprint district court decision is worth reading because it shows how details in an online transaction matter, and what types of thing courts point to when they decide to not credit the "I didn't read the online disclaimer" argument:

1. the text itself indicated that the rewards program offer was presented after the transaction with Vistaprint;
2. the Vistaprint program had a disclosure which was presented to consumers above the space for entry of the consumers' email address;
3. consumers had to check the box indicating that they had read and agreed to the (rewards program) offer details;
consumers had to enter their email address twice, the second time to confirm that they wished to enroll;
4. the "offer details" specified the terms of the offer and were "in the same size and color as most of the [other] print on the webpage except that the title [was] in bold print . . . ."

The court held that the disclosures were provided in a "clear, prominent, and conspicuous manner," and that:

a consumer cannot decline to read clear and easily understandable terms that are provided on the same webpage in close proximity to the location where the consumer indicates his agreement to those terms and then claim that the webpage, which the consumer has failed to read, is deceptive.

The court also rejected plaintiffs' Electronic Funds Transfer Act claims. With respect to the class of plaintiffs who used credit cards, the court held that the EFTA does not apply to these claims. With respect to the plaintiffs who used debit cards, the court held that there was no EFTA claims because the initial transfers were authorized and defendants did not continue any transfers after plaintiffs provided notice to their financial institutions that the transactions were not initially authorized. In addition to the EFTA claim, the court also dismissed a slew of ancillary claims.

[Oddly, the Vistaprint terms had a forum selection clause which provided for venue in Bermuda (??). The court rejected Vistaprint's attempt to rely on the forum selection clause on the basis that Bermuda's consumer protection rules did not have extraterritorial application.]

I'd slot this case (roughly) in the same category as Scherillo v. Dun & Bradstreet, discussed by Professor Goldman here: "Clickthrough Agreement With Acknowledgement Checkbox Enforced." Both cases contain useful teaching on how careful drafting of online terms can undercut a plaintiff's argument that they didn't read an online contract.

Posted by Venkat at 02:08 PM | E-Commerce

September 07, 2010

Online Ticket Resellers Get Significant 47 USC 230 Win--Milgram v. Orbitz

By Eric Goldman

Milgram v. Orbitz Worldwide, LLC, ESX-C-142-09 (N.J. Super. Ct. Aug. 26, 2010)

Introduction

It's been a relatively quiet year for 47 USC 230, in a good way. We've had a few minor aberrational rulings (Subway v. Quiznos, Cornelius v. DeLuca, Scott P v. Craigslist) but, for the most part, the immunity has been working exactly as we'd expect.

Given the quiet year, this could be the most interesting 47 USC 230 decision of 2010 so far. Orbitz and TicketNetwork (part of CheapTickets) get a decisive 230 win against the New Jersey attorney general for reselling third party tickets. In addition to reaching the right result, the opinion is thoughtfully drafted and well-structured. It would make a great teaching case. It's worth reading.

Facts

This lawsuit relates to a private label site operated by CheapTickets (TicketNetwork) and branded by Orbitz. (Is it this site?). Orbitz specified the branding and design elements of the private label site. Orbitz also had the power to request content be removed from the site; to insert text and links for specific ticketed events; and to set prices of the offered tickets.

TicketNetwork hosted and operated the private label site as well as its own site. It sent confirming emails to buyers, processed the credit cards, and handled customer support inquiries. Perhaps most importantly, TicketNetwork handled the relations with third party ticket brokers who submitted offers to the site. It pre-approved brokers and attempted to factually verify the event information in submitted offers. TicketNetwork also provided consumers with various performance guarantees, including that the tickets would be valid and would arrive on time.

The specific offers giving rise to this lawsuit relate to Bruce Springsteen's Fall 2009 concert tour, which made a multi-date stop at the now-demolished Giants' stadium in East Rutherford, NJ. I imagine this event had significant local interest; the Boss is a native son of NJ, and his music has (for decades) addressed issues that relate to NJ. The NJ AG alleged that the sites offered 900 concert tickets 6 days before the official on-sale date; some of those tickets were not actually in the seller's possession/control before being offered for sale; and a few of the tickets listed seat numbers that didn't actually exist. The investigator purchased two tickets and confirmed that the seller pre-sold them before he/she had the tickets in hand; although band insiders and other dignitaries may have legitimately gotten ticket commitments before the on-sale date.

Legal Analysis

The state AG sued TicketNetwork and Orbitz for violations of NJ's Consumer Fraud Act and Advertising Regulations. Orbitz and TicketNetwork defended on 47 USC 230 and other grounds.

The court does a textbook 3 pronged 230 analysis:

1) Orbitz and TicketNetwork were providers of interactive computer services.

2) The claim treats them as publishers/speakers. The NJ AG argued 230 does not apply because of the defendants' "commercial" conduct--including charging service/administrative fees to ticket sellers. The court does not cite many of the cases upholding a publisher's 230 eligibility for advertising (I last aggregated 230-and-advertising cases in this post), but citing the Jurin ruling, the court nevertheless makes it clear that web publishers aren't liable for third party advertisements. The court says:

The fact that the defendants charge "service" or "administrative" fees is irrelevant to the CDA analysis. Plaintiffs seek to enjoin defendants from "advertising and selling concert tickets to consumers without actually having those tickets in their possession or control." This conduct, however, conduct [sic] fits squarely within the CDA's purview.

3) Orbitz and TicketNetwork don't qualify as "information content providers." Citing Donato v. Moldow (an NJ case from 2005 binding on the court here) and the Carafano case, the court rejects the NJ AG's efforts to treat Orbitz and TicketNetwork as ICPs because they helped create/develop the content at issue. The court correctly says the potentially liability-creating content at issue (the offer of misleading/inaccurate tickets) came from third parties, and Orbitz/TicketNetwork did not make "a material, substantive contribution to the ticket listings" sufficient to change its third party character.

The court distinguishes Roommates.com by reading its holding narrowly. The court says "the linchpin of the Ninth Circuit's decision was the fact that Roommates.com was actively participating in creating the objectionable content, i.e., by providing the illegal questions and by requiring users to answer them." In contrast, here the defendants "do not supply the content to which plaintiffs object -- the inaccurate or misleading ticket listings....Defendants do not ask ticket sellers to provide any information for any unlawful purpose, nor have they designed its [sic] Internet marketplace to violate any federal or state laws." Yet another case where the court ultimately cites Roommates.com in siding with the defense.

The court also distinguishes a pretty similar case, NPS v. StubHub. The StubHub case arose in a very different context--the New England Patriots were trying to get control over secondary ticket resales--but both lawsuits involve a website allegedly violating the law by reselling tickets. This court first questions the StubHub court's factual predicates and then rejects the case as "in contradiction with the spirit of Donato, and [thus it] cannot be relied upon by the court."

The court's conclusion is worth highlighting:

Defendants' services help to create and maintain a vibrant, competitive, market for consumers looking to purchase travel and entertainment related products and services online. As a result, defendants' services are consistent with the Congress's intent to encourage commerce over the Internet and ensure interactive computer services are not held responsible for how third parties use their services. Accordingly, defendants' motions for summary judgment are granted as plaintiffs' state law claims are barred by the CDA as a matter of law.

A subtle but unmistakable rebuke to the state consumer watchdogs that they barked up the wrong tree.

Implications

There are a number of interesting implications of this ruling:

* Rare defeat for a consumer protection agency. Many consumer protection agencies (both state and federal) are in partial denial that 47 USC 230 might apply to their enforcement actions. This ruling reminds them that 230 is a powerful restriction on their enforcement territory.

Further, consumer protection agencies usually win if they get into court. Judges are very sympathetic to consumer protection issues when the government raises them. Here, the clear-thinking judge recognized that NJ's enforcement action was not necessarily in the consumers' best interests.

* NPS v. Stubhub rejected. We've had a very small number of post-Roommates.com plaintiff wins where Roommates.com was cited favorably for the plaintiff. The NPS v. StubHub case is one of them. Here, the court rejects that precedent, potentially limiting the case's incursion into 230's immunity.

* 230 protects e-commerce sites. Curiously, the court doesn't mention FTC v. Accusearch, one of the other plaintiff wins post-Roommates.com, which had some factual resemblances. In the Accusearch case, the defendant resold pretexted phone records. Unlike Orbitz/TicketNetwork, Accusearch actually fulfilled the purchase. However, I've seen some discussion that the Accusearch case signals that e-commerce sites will get limited protection under 230. Here, TicketNetwork processed the payments and provided sales guarantees, yet the listings were still third party content. This case reinforces that e-commerce marketplaces still get 230 for third party commercial activity, even if the marketplace provides services to the vendors.

* Legal battles over online tickets aren't going away. Online tickets have become a major subfield of cyberlaw. Consider some of the following posts we've made over the past 3 years:

- Online Sports Ticketing Exchange Wins Dismissal Under Website User Agreement -- Duffy v. The Ticketreserve, Inc. (July 2010)
- NPS LLC v. StubHub, Inc. (April 2009)
- StubHub Wins 230 Dismissal in Anti-Scalping Case (Sept. 2008) [note: this one also involved Springsteen's tour]
- StubHub Denied 230 in Hannah Montana Ticket Scalping Case--Hill v. StubHub (July 2008)
- Ticketmaster Wins Big Injunction in Hannah Montana Case, But Did the Public Interest Get Screwed?--Ticketmaster v. RMG (Oct. 2007)

We've also mentioned the various state legislation governing online ticket sales (mostly along the lines of squelching line-jumpers).

Perhaps 2010 being a down year for concerts will help take some of the legal edge off the battle for tickets. Otherwise, I expect more litigation over the online resale of hot tickets until we see one of two structural changes in the ticket sales market: (1) ticket buyers can't transfer their tickets easily because they are just a database code attached to the initial buyer, or (2) tickets are sold via auction. Personally, I hope we see more of #2 rather than the continued litigation madness.

Conference Reminder

It's still 6 months away, but we've opened registration for our 47 USC 230 blowout party on March 4. I anticipate a possible sell-out situation, so get your tickets while there are still plenty. We aren't auctioning the tickets off, and I'm not sure if our anti-gaming devices will be strong enough to suppress robo-buyers if they sweep through.

Posted by Eric at 12:10 PM | Derivative Liability , E-Commerce , Marketing | TrackBack

September 03, 2010

P2P Gambling Site is Illegal Bookmaker--Betcha v. Washington

By Eric Goldman

Internet Community & Entertainment Corp. v. Washington State Gambling Commission, 82845-8 (Wash. Sup. Ct. Sept. 2, 2010)

Betcha is one of those too-clever-by-half dot com ideas that practically beg VCs to roll the dice. Rather than allow illegal gambling on its site, Betcha styles itself as a P2P betting platform. Effectively, it is a messaging service for people making bets with each other, where Betcha charges the parties to talk with each other. Betcha also escrows the wager, but it allows the losing bettor to renege. Exercising that right, however, has bad reputational consequences that I suspect are tantamount to on-site seppuku.

From a realpolitik perspective, we all know what's going on here (i.e., illegal gambling). Betcha crapped out at the district court, but the appellate court reversed in a split opinion. Unfortunately, Lady Luck has stopped smiling on Betcha as the Washington Supreme Court reversed 9-0. I guess if you're going to lose, you might as well lose big. This makes me wonder: did any Betcha users make bets on the outcome of this case? Maybe someone other than the lawyers got lucky from Betcha's legal misfortune.

The court's opinion makes it clear that expansive anti-gambling laws leave almost no room for entrepreneurial yet legal Internet gambling enterprises. Here, Betcha is tripped up by the definition of "bookmaking," defined as "accepting bets, upon the outcome of future contingent events, as a business or in which the bettor is charged a fee or ‘vigorish’ for the opportunity to place a bet." This strikes at Betcha's model of charging the parties to communicate with each other regarding betting. The court is not swayed by Betcha's formalist argument that because the loser could renege on the bet, the wager did not meet the statutory definitions for gambling. The court says the bookmaking definition applies whether the bets are made for money or not.

The statute also restricts sending or receiving "gambling information." The court said that because Betcha was running a professional gambling site (under the statutory definitions), it also tripped over this definition. This confused me because this provision should be preempted by 47 U.S.C. 230, at least as applied to Betcha. The court says the "information on wagers and odds it received from its users must be presumed, under the plain terms of the statutes, as intended for use in professional gambling," but that goes straight into a 230 immunity. However, 230 wasn't discussed at all. Because this was only one of several legal problems for Betcha, a 230 immunity on this point would not have changed the outcome.

The court also said that Betcha illegally possessed "gambling records." It wasn't clear if this referred solely to user information or to Betcha's own business records, so I couldn't tell if 230 (also not discussed) would have been relevant.

With the court's expansive definitions of bookmaker, gambling information and gambling records, my not-so-creative mind could not easily think of any easy ways to circumvent the statute and legally run a P2P site enabling betting or gambling. However, I would love to see a more cogent discussion about the 230 overlay before reaching a definitive conclusion.

Posted by Eric at 08:57 AM | Content Regulation , Derivative Liability , E-Commerce | TrackBack

August 26, 2010

Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards

[Post by Venkat]

In re: Easysaver Rewards Litigation (S.D. Cal.) (Aug. 13, 2010)

Plaintiffs brought a class action lawsuit against Provide-Commerce (which operated Pro.Flowers.com). The lawsuit alleged that effecting transactions on the Proflowers website resulted in plaintiffs being unwittingly enrolled in a rewards program and being charged credit card fees. The court denied the motion to dismiss brought by defendants.

Background: Provide operated ProFlowers.com. At the time of completion of transactions on ProFlowers, consumers were offered a chance to enroll in a "rewards program" which was operated for Provide by Encore Marketing. Plaintiffs alleged that they were "unwittingly" enrolled in the program:

Plaintiffs allege that Provide leads customers to believe they will receive a complimentary $15.00 gift code to use on their next flower order as a thank you gift. After Plaintiffs completed the purchase of flowers on Provide's website by providing their personal and payment information, 'a window popped up that thanked Plaintiffs and Class Members for their order and offered a gift code for $15.00 off their next purchase at ProFlowers. The window also contained a link for Plaintiffs and Class Members to click on to claim the gift code.' Plaintiffs contend the pop-up window is part of an intentionally misleading and deceptive scheme, jointly orchestrated by Provide and EMI.

The named plaintiffs all testified to slightly different experiences. Some closed the pop-up window and did not provide any personal information, others responded to the pop-up by clicking on "I accept" and entering their personal information. Ultimately, plaintiffs were unable to have the charges relating to the EasySaver program reversed, and brought a variety of claims against both Provide and Encore.

Discussion:

Breach of Contract Claims:

Provide first argued that the privacy policy is not "an actionable contract" but was instead a "general statement . . . of policy." The court doesn't treat this as a colorable argument, citing to the alleged user experience and plaintiffs' reliance on the privacy policy and terms of use, which popped up every step of the way. (But see In re JetBlue, discussed in Professor Goldman's post here: "When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue.")

Provide also argued that the applicable privacy policy allowed it to transfer information to third parties, but the court holds that there is a disputed factual issue as to whether Provide agreed to only transfer the information with consumers' "informed consent or authorization," and would not share the information "beyond that which was necessary to complete the flower order."

Finally, Provide argued that the "EasySaver Rewards Policy" was not supported by an exchange of consideration, since it only came up after the flower transaction was complete. The court rejects this argument as well, finding that the rewards program was "part and parcel of the underlying flower purchase."

Provide also tried to disclaim liability for Encore's actions by arguing that it was not responsible for anything Encore did. The court cites to language in the description of the rewards program that indicates the program was jointly operated (the program was described as "our" program and Encore was described as Provide's "partner").

A separate sub-class of plaintiffs brought contract claims against Encore. These plaintiffs argued that they did not "knowingly" consent to the rewards program, and even if they did, Encore breached the terms of the program by not providing the stated benefits. Encore argued that these plaintiffs could not have it both ways - either they enrolled in the program (in which case plaintiffs accepted the terms were clearly stated) or they didn't. The court finds that plaintiffs could plead in the alternative that they did not enter into an agreement, and even if they did, Encore breached the terms of the agreement.

Fraud Claims: Provide raised a variety of arguments against plaintiffs' fraud claims (failure to plead fraud with particularity, failure to allege causation). The court rejects these arguments, holding that whether plaintiffs read the privacy policy or had adequate notice is not something that was amenable to resolution at the motion to dismiss stage.

Conversion: Plaintiffs argued that defendants converted plaintiffs' "private payment information." With respect to plaintiffs' conversation claim, the court notes the historical trend away from limiting conversation claims to tangible property (citing to Kremen v. Cohen, among other cases). The court analogizes conversion of plaintiff's "Private Payment Information" to conversion of bank account information, and finds that plaintiffs adequately state a claim based on conversion of private payment information.

EFTA: The Electronic Funds Transfer Act prohibits, among other things, unauthorized billing. Provide argued that it was Encore and not Provide who engaged in the unauthorized billing. The court agrees and grants Provide's motion to dismiss as to the EFTA claim, finding that there is no liability under the statute for aiding and abetting an EFTA violation. With respect to Encore, the court denies the motion to dismiss. Among other things, the court rejects Encore's argument that the plaintiffs agreed to the membership charges by "entering [their] email address[es] and zip code[s] and clicking the green acceptance button."

___

Defendants will have another opportunity to show that plaintiffs' claims are without merit, but I think the court's resolution at the pleading stage is interesting. A more robust disclaimer and a non-leaky acknowledgment would have no doubt been useful here. (See professor Goldman's post on Scherillo v. Dun and Bradstreet for some good pointers.)

The case also illustrates the importance of the transaction flow and process (the user experience). Often lawyers provide advice, but implementation is left to the business or marketing folks. This case illustrates that in addition to the language of the terms, courts will look to the transaction process to poke holes in the contract formation argument.

Data breach claims alleging a breach of the applicable privacy policy have met with little success. (See, e.g., Ruiz v. Gap, discussed in this post: "9th Circuit Affirms Rejection of Data Breach Claims Against Gap.") Where there is out of pocket loss that is a result of a violation of the privacy policy, plaintiffs have a much easier time bringing claims for violation of the privacy policy. In this case, defendants didn't even raise the argument that plaintiffs had not suffered out of pocket loss or lacked standing - it was a nonstarter.

It was also interesting that defendants tried to rely (and have judicial notice taken of) the online terms, but the court refused to do so, in light of the changing content of the webpages. When defendants pushed this argument, the court predictably trotted out the "[i]nformation from the internet does not necessarily bear an indicia of reliability" argument.

Posted by Venkat at 11:45 AM | E-Commerce

August 18, 2010

The Problems With Google House Ads

By Eric Goldman

[Note: This blog post has taken me 7 months to write, so I'm glad to be sharing it finally. I am cross-posting it to Search Engine Land.]

Introduction

Many publishers run “house ads” to self-promote their own offerings. Google does too. However, Google differs from most publishers because it auctions ad space on its network. Thus, when Google runs house ads, it simultaneously conducts the auction that it is bidding in—an impermissible conflict of interest. This post explains when Google uses house ads, why I think Google house ads undercut the auction integrity, and what Google should do differently.

Google’s House Ads

I have seen Google house ad campaigns in at least three circumstances:

1) Occasionally, Google uses AdWords ads to explain problematic organic search results. Two prominent examples are the search results for “Jew,” which regularly displays an anti-Semitic organization as a top organic result, and “Michelle Obama,” which last year displayed an offensive image as a top organic result. In these situations, Google runs an AdWords ad that links to an explanation of its search algorithms.

2) Google promotes its own services to increase their visibility. In preparing this post, earlier this year I approached Google about its usage of house ads, and a Google spokesperson informed me that Google has “run search marketing campaigns on Google for search products like iGoogle, Google Maps, and mobile products as well as for specific issues in order to provide information to our users.” Barry Schwartz recently gave an example of an image house ad promoting image ads. The latter point may include defensive keyword purchases, such as when it displayed ads for some of the search terms it highlighted in Google’s Super Bowl commercial.

In some cases, Google’s house ads appear in ad spots unavailable to other advertisers, such as its promotion of Nexus One on its home page. Barry Schwartz has catalogued examples of Google’s home page advertisements. This post focuses on house ads in AdWords, but I will come back to these non-traditional ad spots in a bit.

3) As a type of public service announcement, Google runs house ads in AdWords during crises to promote a crisis response page—mostly recently, in response to the BP oil spill.

Why Google House Ads in AdWords Are Problematic

Google characterizes AdWords as an advertising auction system for advertisers to bid on keywords against each other. Google runs these auctions as the auctioneer—a term Google doesn’t use and presumably would avoid, but an appropriate descriptor of Google’s proclaimed role vis-à-vis advertisers. Because Google merely conducts the auctions for advertisers, Google argues that it does not set AdWords advertising prices; instead, the prices are set by the market (i.e., the collection of advertisers’ auction bids). Google’s positioning as an auction conductor has emerged as a central defense to the increasing antitrust attention being paid to Google’s remarkable share of the search advertising market.

However, Google’s positioning breaks down when Google buys house ads via AdWords. In those situations, Google is both running the auction and bidding in that auction as an advertiser. The conflicts of interest in this situation should be self-evident, but let’s look at them in more detail.

Google Can Win Every Auction It Enters.

When Google runs a house ad in AdWords, it does not cost Google anything out-of-pocket. However, those clicks aren’t necessarily “free” because Google’s ads have opportunity costs. Clicks on Google’s house ads may siphon away clicks from revenue-generating ads, which may reduce Google’s revenue from the bidded term.

Google’s spokesperson told me that Google’s house ads “are subject to internal marketing budgets.” I assume this means that a Google department running house ads must “pay” for its clicks by transferring money from its department budget to a different Google department. In theory, the scarcity of marketing budgets forces Google departments running house ads to internalize the opportunity cost, even if no cash changes hands.

However, I don’t believe this cures the defects in auction integrity for at least four reasons. First, Google’s behavior lacks any auditability or verifiability; as outsiders, we have no idea what Google is doing under the hood. Second, Google has access to better information to optimize its bidding than any other bidder. That information may not be functionally available to individual employees placing auction bids, but because of the first point (lack of auditability/verifiability), we as outsiders don’t know that either. Third, because all Google bids just involve internal funds transfers and no out-of-pocket cash payments, Google can easily increase departmental budgets to enable more aggressive bidding—after all, if no cash changes hands, it’s just funny money anyway. Fourth, actual ad placement depends on ad quality scores, and Google has acknowledged that it has “exceptionally high Quality Scores” which should automatically give it a bidding advantage over everyone else. And, once again, no one else can audit or verify Google’s self-designated ad quality scores.

As a result, Google’s advantages over other bidders should allow it to “win” its auctions whenever it decides to bid.

Google’s Bids Can Affect the Prices Paid by Its Advertisers.

As far as I know, Google has never publicly addressed how its house ads affect the prices paid by other bidders. In response to my inquiry, the Google spokesperson opaquely informed me that “Google's ads are not guaranteed to appear in any given spot. How this affects CPCs depends on the quality scores and bids of others in the auction.” I interpret this to mean that Google’s presence in the auction could affect the CPCs paid by other bidders. Let’s take a look at how this might happen.

Google auctions aren’t winner-take-all. Instead, Google runs a “second-price auction.” As Google describes it, each advertiser-bidder pays “the minimum amount necessary to maintain their position on the page,” which is the amount bid by the next-lowest bidder. To illustrate this, assume a keyword with the following bids:

Bidder 1 bids $1.25 per click
Bidder 2 bids $0.75 per click
Bidder 3 bids $0.50 per click

Pursuant to the second-price auction, Bidder 1 pays $0.75 per click (i.e., the amount that Bidder 2 bid). After all, if Bidder 1 had only bid $0.75 per click, it still would have shown up as the top bidder. Bidder 2 pays $0.50 per click, the amount required to stay in the second position.

[Note: my examples assume that the bidders have the same ad quality scores and that one bidder’s presence or behavior does not cause Google to recompute the ad quality scores of other bidders.]

Now, consider what happens when Google enters a bid in this auction.

Google bids more than $1.25 per click [the result is the same if Google bids $1.25 or $1M per click]
Bidder 1 bids $1.25 per click
Bidder 2 bids $0.75 per click
Bidder 3 bids $0.50 per click

I’ll just focus on Bidder 1, who was getting first position for $0.75 per click before Google’s entrance. Due to Google’s entry into the auction, Bidder 1 now pays the same per-click amount to show up in second position rather than first.

Bidder 1’s reduced position may change the commercial value of the consumers who investigate the links. That is, the consumer who clicks on the second ad may have a different profit potential than the person who clicks on the first ad. In some cases, clicks on lower-placed ads may be more profitable per click, so we don’t know a priori if this is good or bad for any particular advertiser.

We can anticipate that Bidder 1’s lower position will reduce the overall volume of clicks it gets at that price. A second position ad usually gets substantially fewer clicks than the first position ad. Further, if Google syndicates the house ad via AdSense, then Bidder 1’s ads may no longer be syndicated in AdSense (for example, if Google syndicates only 1 ad via AdSense). [Note: when Google house ads are syndicated, Google pays the AdSense publisher for clicks out-of-pocket—but presumably Google pays a wholesale discounted price, while all other advertisers must pay the 100% retail price.]

Naturally, some advertisers will seek to reclaim their prior ad position by increasing their bids. Indeed, Google’s AdWords tools will automatically encourage advertisers to pay more to generate more clicks. For advertisers using Google’s automated bidding tool (sometimes called the “Budget Optimizer”), Google may automatically increase an advertiser’s bid to increase click volume. Thus, Google’s entry into the auction could cause other bidders to increase their bid amounts in a variety of ways.

Let’s revisit my discussion about Google’s opportunity cost of clicks on house ads. If the other bidders’ prices stay the same and Google siphons away some clicks from them, Google’s ads have a clear opportunity cost. However, if Google’s entry into the auction prompts other bidders to pay more, some or all of that opportunity cost will be made up by increased revenue on the remaining clicks. It’s even possible that Google’s house ads could create net new profit. From an auction integrity standpoint, it’s unacceptable for Google’s entry into the auction to affect the prices bid or paid by other bidders (its advertisers), whether Google’s profits increase or decrease.

Alternatives for Google

Google’s spokesperson told me that “[l]ike hundreds of thousands of other businesses, we believe in the value of search marketing to connect with web users.” That makes sense to me, and I encourage Google to go for it—just not by bidding against its other advertisers. Google can benefit from keyword advertising other ways without undermining its auctions’ integrity.

First, Google can buy keyword ads from third parties. Apparently Google already does this regularly, including buying ads from Yahoo and Bing. See this comprehensive survey as well as this example.

Second, as Google already does on occasion, Google can create new ad units outside AdWords exclusively for house ads. Running ads in a separate ad unit would obviate the need for Google to compete with advertisers in an auction, although I imagine some advertisers still will be annoyed by any click siphoning.

Third, Google could refuse all advertiser bids on terms that Google chooses to use for house ads. Advertisers wouldn’t be thrilled if Google did this either, but it would maintain the auction integrity for those terms. This would be the most expeditious way for Google to handle objectionable organic search results, although creating a new unit outside AdWords would work as well.

Conclusion

I feel a little silly writing nearly 2,000 words explaining why auctioneers should not bid in the auctions they run. We all already knew that. Yet, Google apparently violates this basic rule every time it runs house ads in AdWords auctions. Google should fix this—and restore integrity to its AdWords auctions—by no longer competing with its advertisers in those auctions.

UPDATE: A Google spokesperson sent me this response:

"As we've always said, all search engines run ads to inform users about services that they provide. Google is no exception to this practice. We believe in the value of our advertising platform and use it in the same way that other advertisers do."

Posted by Eric at 10:07 AM | E-Commerce , Marketing , Search Engines | TrackBack

August 17, 2010

"Electronically Printed" Does not Include Automated Merchant Email -- Shlahtichman v. 1-800 Contacts

[Post by Venkat]

Shlahtichman v. 1-800 Contacts, Inc., Case No. 09-4073 (7th Cir.; Aug. 10, 2010)

The Seventh Circuit recently concluded that the words "electronically printed," as used in the Fair and Accurate Credit Transactions Act of 2003, does not include a computer generated email receipt sent by a merchant. The opinion is a fun read and offers a look at how courts deal with changing technologies and commercial practices, when construing legislation.

Background: Shlahtichman purchased contact lenses over the internet at 1-800 Contacts. 1-800 Contacts emailed him a confirmation of his order which contained the expiration date for Shlahtichman's credit card. FACTA includes a prohibition on including the expiration dates of a credit card but this prohibition only applies to "receipts that are electronically printed." The question addressed by the Seventh Circuit was whether an automatically generated email confirmation message is a receipt that is "electronically printed."

Discussion: Most courts had construed the term "electronically printed" to refer only to paper receipts, incorporating the ordinary meaning of the term "print," and the court here takes the same route:

What FACTA covers are printed receipts. The Same technological advances that have given consumers multiple means of paying their bills and purchasing goods and services have also made it possible for the receipts confirming those transactions to be provided in the form of a voicemail, email, and text message as well as the traditional paper receipt. But when one refers to a printed receipt, what springs to mind is a tangible document. To "print" a receipt thus ordinarily connotes recording it on paper. That is why [the plaintiff] had to print a copy of his receipt to get it off of his computer; it is why the machine used to transfer text from a computer to paper is called a printer, and it is why a judge who asks a law clerk to print a case does not intend for the clerk to merely display the case on his computer screen. [Wait, Seventh Circuit judges don't read cases on their iPads?]

The court looks to the dictionary definition of "print" and notes that it typically refers to the transfer of information to paper (although, as the court acknowledges, you can "print to pdf"). Shlahtichman argued that the addition of the word "electronically" suggests Congressional intent to modernize the definition of the word "print," but the court disagrees, noting that this suggests intent to capture receipts that are printed by a machine rather than credit card slips or receipts that are imprinted or handwritten. The court notes that where a receipt is automatically emailed by a vendor, the printing is done by the consumer, rather than the vendor (at whom the statute is aimed). Taking Shlahtichman's logic to its conclusion, a vendor "prints" a receipt "simply by sending [an] email to the consumer." As the court notes, this is contrary to the ordinary or natural meaning of the term "print."

The court also looks to the context of the statute and notes that the prohibition on printing expiration dates is aimed at receipts "that are printed and 'provided to the cardholder at the point of the sale or transaction.'" This raises a host of issues - most importantly,

[w]here is the point of sale for such a purchase - the consumer's computer? the vendor's headquarters? the vendor's server? cyberspace generally?

The statute references "cash registers" as a typical point of sale example, as the statute was written during a time when email receipts were not necessarily the norm. Indeed, since the enactment of the statute, consumer-owned devices [you guessed it, the iPad] have emerged that function as the equivalent of the cash register. [The court cites to a TechCrunch article by Erick Schonfeld: "Square Turns Your iPad Into A Cash Register."] Nevertheless, the court notes that even at the time the statute was enacted, e-commerce was "common," and the statute does not contain any references to terms such as "Internet" and "email." Coupled with the fact that the statute expressly refers to cash registers, the court concludes that the absence of any reference to electronic receipts evinces Congressional intent to not capture those types of receipts.

Finally, the statute contains two different effective dates: one effective date for "cash register[s] or other machine[s]" in use before January 1, 2005 and an earlier effective date for "any such machine or device" that is first used on or after January 1, 2005. To the extent electronically printed can include material that is printed on a customer's computer or equipment, having an effective date that is tied to when this equipment is first put into use problematic, since the effective date is made "dependent on a fact . . . that [is] wholly beyond the contemplation and control of the vendor facing liability."
__

I'm not sure where to begin with this one. The first point that jumps out at me is that courts are routinely criticized for not staying up to date on the latest technological advances. This decision makes clear that at least some courts are not so clueless when it comes to the latest technology. If anyone deserves the "out-of-touch-with-tech" label, I think it's the drafters of legislation. Regardless of where you come out on the merits of the case, it's tough to argue with the fact that the court took a careful and informed look at changing practices in construing the statute. [You have to give the court kudos for citing to TechCrunch!]

I didn't see overwhelming evidence cited in the court's opinion for this, but it's possible that Congress intended the statute to cover harm caused by improper access of a paper receipt containing credit card information (such as through dumpster diving). There is risk of harm from improper access to credit card information when stored in electronic (non-paper) form, but as the court noted, other laws are directed towards this (e.g., the Computer Fraud and Abuse Act).

This case is somewhat reminiscent of another case involving the application of a consumer protection statute to changing internet merchant practices: Powers v. Pottery Barn. In that case, the plaintiff brought claims alleging that Pottery Barn improperly collected personal information (an email address) in violation of a California statute that limited the type of information a merchant could collect at the point of transaction. The defendant (Pottery Barn) argued that to the extent the California law extended to the collection of email addresses, it was preempted by CAN-SPAM. The court didn't reach the issue of whether the statute covered email collection and instead concluded that the statute fell under CAN-SPAM's exceptions to preemption. (Ethan's blog post: "CAN-SPAM Doesn't Preempt CA Privacy Law--Powers v. Pottery Barn.")

Finally, FACTA is similar to CAN-SPAM in that often plaintiffs who suffered no apparent "injury" sued to obtain statutory damages under the statute. In the process, they stretched the statute to fit some far out fact patterns. Congress should keep these examples in mind as it enacts statutes which provide for civil causes of action along with statutory damages (particularly in the realm of informational or privacy harms).

[I thought it was also worth noting the court's usage: capital "I" "Internet" and no-hyphen "email" (and "voicemail" as one word). I agree with Tom O'Toole, who favors "internet" and "website" ("Web site, Website, web site, Internet, internet") but neither the prevailing style guides nor the Seventh Circuit (which seems to be a trend-setter of sorts in matters of style) are on board with this.]

Posted by Venkat at 02:30 PM | E-Commerce

August 09, 2010

July 2010 Quick Links, Part 1 (IP Edition)

By Eric Goldman

Trademarks

* Rebelution, LLC v. Perez, 2010 WL 3036217 (N.D. Cal. July 30, 2010). The plaintiff is a band named Rebelution. The defendant is a music performer named Pitbull who released an album "Pitbull Starring in Rebelution" without intending to reference plaintiff. No summary judgment to defendant. Wikipedia has a disambiguation page for "Rebelution."

* Southeastern Pennsylvania Transportation Authority v. Mednick Mezyk & Credo (E.D. Pa. complaint filed June 21, 2010). Interesting trademark lawsuit. A government transit authority, SEPTA, has sued personal injury lawyers for the ways they advertise that they represent plaintiffs against SEPTA. I think SEPTA has a tough argument, and they sure look thin-skinned.

* Ryan Gile: "New York New York Hotel/Casino Successfully Hijacks NewYorkNewYork.com"

* Can Chevrolet get people to stop calling it "Chevy"? Not likely.

* The latest article addressing the Trademark Use in Commerce debate: Lee Ann W. Lockridge, When Is a Use In Commerce a Noncommercial Use?, 37 Florida State University Law Review 337 (2010)

Copyright

* The Copyright Office issued new circumvention exceptions for 17 USC 1201 exceptions. The EFF breaks it down.

* MGE UPS Systems v. GE Consumer and Industrial Inc., 08-10521 (5th Cir. July 20, 2010). A significant (and possibly incorrect) ruling on 1201: “Because the dongle does not protect against copyright violations, the mere fact that the dongle itself is circumvented does not give rise to a circumvention violation within the meaning of the DMCA.”

* Mattel Inc. v. MGA Entertainment Inc., 09-55673 (9th Cir July 22, 2010). Another Kozinski bull-in-the-china-shop opinion, it is studded with important legal statements. Among the most interesting: an employee agreement purporting to assign copyrights from the employee failed when the language read more like a patent assignment. But read the whole thing.

* Teter v. Glass Onion, Inc., 5:08-cv-06097-FJG (W.D. Mo. July 12, 2010). Troubling ruling. An art gallery selling an artist’s painting does not make a fair use when making and then publishing thumbnail images of the paintings on the gallery’s website. No first sale defense for making the thumbnail images, either, although I’m not sure how the gallery can advertise the paintings for sale online without the thumbnails. The trademark infringement claim for referencing the artist’s name also survives because of the possibility the gallery looked like an authorized dealer when it wasn’t.

* We learned how much the Viacom v. YouTube ruling cost Google: $100M. Can you imagine what good things might have come if YouTube and Viacom had poured their legal fees into innovation rather than litigation? Also, this is a prime example of just how much it costs when a well-funded company (Google) decides to treat a lawsuit as bet-your-business. No way that most start-ups could have coughed up $100M for the lawyers.

* Scott v. Scribd settled. My original blog post on the case.

* Cable v. Agence France Presse, 2010 U.S. Dist. LEXIS 73893 (N.D. Ill. July 20, 2010), A professional photographer’s claim for 17 USC 1202 for removal of copyright management information survives a motion to dismiss.

* Las Vegas Sun does a thorough expose on alleged copyright troll Righthaven (look at the "related stories" too).

* Copyright enforcement mill gets caught red-handed committing copyright infringement on its website. Whoops!

* SAP has stopped contesting liability in the Oracle/TomorrowNow lawsuit.

* Miller v. Facebook, 2010 U.S. Dist. LEXIS 75204 (N.D. Cal. July 23, 2010). A software copyright registration for a literary work (i.e., the source code) was sufficient to uphold a pleading that the defense infringed the software's look and feel (i.e., an audio-visual work). My most recent post on this case.

Other IPs

* Bimbo Bakeries v. Botticelli: Bimbo Bakeries [great TM!], makers of Thomas English Muffins, gets an inevitable disclosure injunction against a departed employee who knows how to make their "nooks and crannies" and went to a rival baker. See also this post from Trading Secrets.

* Agora Financial LLC v. Samler, WDQ-09-1200 (D. Md. June 17, 2010). This case is similar to the more high-profile Barclays v. theflyonthewall case. The newsletter publisher plaintiff provides stock recommendations to its readers; the defendant republishes the tips on TipsTraders.com. The magistrate rejects a default judgment against the defendant because (1) the hot news doctrine is preempted by copyright law, and (2) even if it isn’t, the “plaintiffs’ writers’ investment recommendations are copyrightable” and therefore ineligible for hot news protection. Ruh-roh. The judge should have stopped at #1. Even the plaintiff admitted that the recommendations were uncopyrightable facts. So now what? Does this now mean everyone who republishes the recommendations is a copyright infringer?

Posted by Eric at 01:25 PM | Copyright , E-Commerce , Trade Secrets , Trademark | TrackBack

July 28, 2010

E-SIGN Prevents Enforcement of Emailed Contract Terms--Buckles v. Investordigs

By John Ottaviani

Buckles Management, LLC v. Investordigs, LLC, No. 10-cv-00508-LTB-BNB (D. Colo. July 23, 2010).

It has been about 10 years now since Congress adopted the federal Electronic Signatures in Global and National Commerce Act (commonly known as “E-Sign”). Cases interpreting E-Sign have been relatively rare. A Colorado federal court judge last week purported to decide whether an e-mail could constitute an enforceable contract under E-Sign, and concluded that the e-mail in question could not be enforced as a contract. Unfortunately, the Court (and the parties briefing the motion) did not realize that this was not an E-Sign case. The Court should have analyzed the case under the Colorado Uniform Electronic Transactions Act. Had it done so, the result may have been different.

Background

The case involves a failed business relationship that is all too typical. An investor provides money, consulting services, and commercial space to a struggling company, without any legal documents to evidence such terms as whether the transaction is a loan or an investment, etc... When the business relationship falls apart, the parties meet to discuss how to end their relationship. After the meeting, a few e-mails are circulated to memorialize the terms discussed. Attorneys are asked to draft documents, but nothing is ever signed; and the parties disagree as to whether or not there was a final agreement.

The investors filed a lawsuit, asserting claims for enforcement of the purported settlement agreement, breach of loan, breach of a lease agreement, unjust enrichment and accounting. In response, the company and individual defendants asserted counterclaims for breach of contract, unjust enrichment, negligent misrepresentation, breach of fiduciary duty and fraud and false misrepresentation.

Decision

The decision in question arises from defendants’ Motion for Summary Judgment, where they maintain that the Colorado Statute of Frauds, which provides that any agreement not to be performed within one year must be in writing and subscribed by the party to be charged, renders the settlement agreement unenforceable. In response, the plaintiffs argued that the parties exchanged a writing that contained the material terms of the agreement sufficient to satisfy the Statute of Frauds. Specifically, the plaintiffs relied on an e-mail, containing a list of the purported agreed-upon settlement terms, sent from the e-mail account of one defendant (who was a principal of the corporate defendant) to another employee at the company, who in turn forwarded the e-mail to four or five other people (including one of the plaintiffs) with the message “thanks to everyone for participating today.”

The court’s basic framework for analyzing the issue seems correct:

• May an e-mail exchange satisfy the Colorado Statute of Frauds writing requirement?
• If so, does this particular e-mail constitute a “writing subscribed by the party to be charged” within the meaning of the Colorado Statute of Frauds?
• If so, does this e-mail adequately describe the terms of an enforceable contract?

The court embarked on a discussion as to whether the e-mail satisfied the Colorado Statute of Frauds. Initially, the court got the analysis right, and concluded that under Colorado law, an e-mail exchange may satisfy the “writing” requirement of the Statute of Frauds.

With respect to whether the e-mail constituted a writing “subscribed by the party to be charged” under the Colorado Statute of Frauds, here the court got off track, with the help of counsel for the parties. The plaintiffs argued that the e-mail contained an “electronic signature” under E-Sign. Section 106(5) of E-Sign defines an “electronic signature” as “an electronic sound, symbol or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” The defendants argued that E-Sign did not apply because the settlement agreement did not affect interstate or foreign commerce. The court concluded that E-Sign did apply, but that the e-mail was actually sent by an administrative employee who did not have authority to bind either the corporate defendant or its individual principal. As a result, the court concluded that the signature was not “executed or adopted by [the principal of the defendant] with the intent to sign the record,” so it was not a proper electronic signature under E-Sign. The court concluded that if there was no proper "electronic signature," then the e-mail was not “subscribed by the party to be charged” under the Colorado Statute of Frauds.

Analysis

Unfortunately, the court and the parties missed the fact that the case is governed by the Colorado Uniform Electronic Transactions Act (“UETA”), not the E-Sign Act. E-Sign has a peculiar “reverse preemption.” Those who have been around long enough recall that in the late 1990's states were adopting electronic transaction laws, but in a non-uniform manner. In 1999, the National Conference of Commissioners on Uniform State Laws issued its final draft of the UETA, but states continued to enact UETA in a non-uniform manner. These non-uniform enactments were in part responsible for Congress passing E-Sign in 2000. In effect, Congress forced states to adopt UETA in a uniform manner by providing that the state version of UETA would control over E-Sign if UETA were adopted without modification. In most cases, then, if a state has adopted UETA substantially in final form, the state’s version of UETA is controlling over E-Sign. (To date, 47 states, plus the DIstrict of Columbia, Puerto Rico and the U.S. Virgin islands, have adopted UETA).

Would the analysis have been any different under UETA? It might be, because UETA is more comprehensive than E-Sign, including areas not covered by E-Sign.

Under Section 24-71.3-107 of the Colorado UETA, a contract may not be denied legal enforceability solely because an electronic record was used in its formation. So the court was correct in concluding that an e-mail exchange may satisfy the Statute of Frauds “writing” requirement.

But what about the e-mail exchange in this case? The Colorado definition of “electronic signature” is the same as the E-Sign definition. But Section 109 of UETA also allows for signatures to be “attributable” to a person where the person may not have “signed” the record himself (for example, a human agent with authority signs the record). The court concluded that the e-mail was not signed by the indiividual principal of Investordigs, but by an administrative employee. Under Section 24-71.3-109 of the Colorado UETA, whether the e-mail sent by the administrative employee could be attributed to the defendant “may be shown in any manner”. Thus, there is room for the investor to argue that the e-mail was sent on behalf of the principal of the company or that the administrative employee was acting as an agent of the principal. Unless there are additional facts not appearing in the court’s opinion, this would seem to be a classic issue of material fact, sufficient to defeat summary judgment. It is not clear from the record why the plaintiffs did not make this argument.

If the case does not settle, then it is likely that this decision will be remanded on appeal for findings of further fact consistent with the application of UETA, not E-Sign. It may be that, in the end, the investors will not be able to enforce the settlement agreement if they cannot attribute the e-mails to the company itself or the principal, or if the terms are not sufficiently definite to warrant enforcement. But, for the sake of argument, what if the employee was charged with taking notes for the meeting or was otherwise instructed by the principal to send out the e-mails containing the terms? Then it may be that the plaintiffs will be able to resurrect their claims.

Posted by John Ottaviani at 08:32 AM | E-Commerce , Licensing/Contracts | TrackBack

July 20, 2010

Book Review: Building Web Reputation Systems by Farmer & Glass

By Eric Goldman

Building Web Reputation Systems by F. Randall Farmer & Bryce Glass (O’Reilly 2010) [affiliate link]

As you may know, for the past couple of years, I have been researching how we regulate reputation systems. My most recent recap of my progress-to-date. As part of researching other disciplines’ approaches to reputation systems, I was pleasantly surprised to find this book, which discusses web reputation systems from a technical/product development standpoint. I'm not aware of other books directly on point, so that alone makes the book noteworthy. [If you know of analogous books that I should look at, I'd be grateful for the references.]

The word “reputation” is a complex and nuanced word. This book defines reputation as “information used to make a value judgment about an object or a person.” Notice how this definition treats reputation as actionable information (i.e., making a “judgment”). I favor that approach; my work also uses an actionable definition of reputation.

Their definition equally treats both objects and people as having “reputation,” and this does not work. In general, people are dynamic, i.e., they can change behavior; while content is static, i.e., an item of content does not change its character unless subsequently edited. This single definition of "reputation" created significant tension throughout the book. Recognizing this, the authors often bifurcated the discussion to separately address the process of establishing a person’s “reputation” (which they confusingly called “karma”). However, the book primarily focuses on grading and sorting content items, especially user-generated content, and I personally would not describe content items as having a “reputation.” As a result, I think the book is mistitled. It principally addresses content filtering, not “reputation” as I use the term.

Although this analytical tension pervades the book, the book nevertheless contained a lot of useful insights about both content filtering and establishing user trustworthiness. The authors have a lot of experience building filtering systems for different websites, so the book is packed with the kind of first-hand observations that only an insider can offer. There’s no substitute for the voice of experience when designing Web 2.0 UGC systems, and this book provides an easy and accessible way to learn some tips and tricks.

The book emphasizes the authors’ contributions to the reputation system at Yahoo Answers, and rightly so. Yahoo Answers has emerged into a bona fide success story and recently trumpeted its billionth answer. In my opinion, the book’s high point is Chapter 10, a case study of how Yahoo Answers developed a new filtering and reputation system that helped turbocharge the Yahoo Answers community.

Although the book doesn’t say this directly, two key lessons from Yahoo Answers’ evolution are:

1) UGC websites should let users vote on content, but not all user votes should be weighted equally.

2) UGC websites do not need to publish all user-supplied content items in an equally prominent manner. Perhaps some content should be obscure/hard-to-find until other users validate it.

The book pitches these conclusions as novel, but they seemed fairly intuitive to me. We implemented a very similar system embodying these two points back in 2000-01 at Epinions. Epinions allowed users to grade each others’ content; we weighted votes differentially based on users’ credibility; and we displayed ungraded and poorly graded content only to registered users (a small fraction of our readers). The fact that the authors “discovered” these conclusions at Yahoo Answers shows the dire need for books like this to help websites implement best UGC management practices without reinventing the wheel.

The fact that the authors didn’t acknowledge the Epinions precedent (and other systems like it) highlights another weakness of the book. There is a deep academic literature addressing the book’s topics (especially on content filtering and user incentive systems), but the book barely acknowledges this literature. For example, several times the authors cite Dan Ariely's Predictably Irrational for descriptions of human psychology and foibles. That's a perfectly credible citation, but it should be one of many literature citations, not the only citation. Instead of dipping into the rich academic literature, the book almost exclusively relies on the authors’ experience-based impressions. These impressions are a valuable information source that makes the book worth reading. However, because those impressions aren’t tempered with more rigorous academic findings, it’s not clear to me at all that the authors’ conclusions represent true best practices...or even state-of-the-art.

Because of its many structural flaws, this edition will not become a classic. Nevertheless, I have enthusiastically recommended the book to several UGC start-ups because the book provides a good repository of high-value experience-based perspectives that are not readily available elsewhere. Even if the book’s recommendations are debatable, it’s a debate worth having.

Posted by Eric at 06:39 AM | E-Commerce , Internet History | TrackBack

July 15, 2010

eBay Venue Selection Clause Upheld in Texas

By Eric Goldman

In re eBay, Inc., 2010 WL 2695803 (Tex. App. Ct. July 8, 2010)

In Comb v. PayPal, 218 F. Supp. 2d 1165 (N.D. Cal. 2002), PayPal defended a putative class action by invoking the arbitration clause in its user agreement. Judge Fogel tossed the arbitration clause on unconscionability grounds, noting (among other defects) the cost/benefit problem facing plaintiffs: their case values individually were much smaller than the arbitration costs, and arbitration blocked class adjudication. This ruling was quite influential. Since then, online user agreements--and especially mandatory venue selection clauses--have become vulnerable to unconscionability challenges and other collateral challenges on their enforceability. At this point, a vendor's attempt to destroy class consolidation through a mandatory arbitration clause is virtually per se unconscionable.

The Comb case involved PayPal's venue selection clause, but eBay's user agreement had a basically identical clause. With this clear warning sign, eBay revised its venue selection clause. eBay now uses a bifurcated approach. The baseline is mandatory venue in a Santa Clara County, California court. However, if the dispute amount is less than $10,000, the plaintiff can select arbitration that does not involve in-person hearings. I personally think eBay's approach is pretty savvy, and I have modeled some clients' venue selection clauses on it. It responds to the Comb v. PayPal concerns about the arbitration costs for small disputes by creating a "fast lane" for small disputes, while still keeping the important disputes in eBay's home court.

This recent ruling shows the strength of eBay's current approach. Richards is the victim of a busted eBay Motors transaction, apparently incurring an $18,000 loss. eBay apparently takes the position that the transaction took place off-website and therefore outside the scope of eBay's Vehicle Protection Program. Richards sued eBay and the car seller in his home court. eBay responded with its mandatory venue selection clause. Apparently, the trial court rejected eBay's motion, but the appellate court easily reverses the trial court and orders the trial judge to enforce eBay's clause.

Richards attacked the venue selection clause per Comb. The court distinguishes Comb on several bases:

* PayPal had frozen small amounts of money; there is nothing like that at issue here.
* there was no issue about case consolidation. Instead, Richards chose to pursue his case individually.
* Richards didn't show that his unrecoverable costs to litigate in California were greater than litigating in Texas.

From my perspective, the key is that Richards' dispute value of $18,000 exceeds the threshold for efficient ADR option in the user agreement; but it's also a big enough case value for the court to accept that Richards could afford to litigate the case individually (as, in fact, he was doing in Texas).

Search

Archives

Recent Entries

May 09, 2013

Yahoo's User Agreement Fails in Battle Over Dead User's Email Account--Ajemian v. Yahoo

May 07, 2013

Crazy SOPA-Like Attempt to Hold International Banks Liable for Pharmacy Spam Fails on Jurisdiction Grounds--Unspam v. Chernuk

April 17, 2013

Why You'll Soon Be Paying Sales Taxes on All of Your Internet Purchases--Amazon v. NY Taxation Department (Forbes Cross-Post)

April 16, 2013

No Claim Based on Perez Hilton’s Publication of Unsolicited but Inflammatory Reader Email – Wargo v. Lavandeira

March 29, 2013

FTC Warns Nordstrom Over Tweetup Freebies

March 27, 2013

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

March 26, 2013

The Supreme Court's Kirtsaeng Ruling Is Good News for Consumers, but the First Sale Doctrine Is Still Doomed--Kirtsaeng v. John Wiley (Forbes Cross-Post)

March 22, 2013

Another Credit Card Breach Lawsuit Fails – Willingham v. Global Payments

March 19, 2013

IMDB's Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon

March 14, 2013

Court Rejects Attempt to Hold Software Company Liable for Surveillance Conducted by Its Customer – Luis v. Zang

March 07, 2013

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

March 01, 2013

Amazon's Merchandising of Its Search Results Doesn't Violate Trademark Law (Forbes Cross-Post)

February 05, 2013

California Supreme Court: Retail Privacy Statute Doesn't Apply to Download Transactions – Apple v Superior Court (Krescent)

January 11, 2013

Top Ten Internet Law Developments of 2012 (Forbes Cross-Post)

December 31, 2012

Google's Privacy Policy Integration Initially Defeats Legal Challenge -- In re Google Privacy Policy Litigation

December 27, 2012

Court Dismisses Class Action Against Apple Over Its App Developers’ Information Collection Practices – Pirozzi v. Apple

December 26, 2012

Lawsuit Against Instagram Over Terms of Service Changes Looks Flimsy -- Funes v. Instagram

December 16, 2012

Minors’ Suit Over Facebook Credits Survives in Part – I.B. v. Facebook

December 06, 2012

Useful Article on the First Sale Doctrine in Trademark Law (Guest Blog Post)

November 30, 2012

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

November 28, 2012

Lawsuit Over "Google Tags" Dismissed--Frezza v. Google

November 25, 2012

Online Data Broker Need not Comply With Licensing Requirements for Private Investigators – Brown v. Intelius

November 20, 2012

Expert Report on the Value of Consumer Review Websites and 47 USC 230

Court Kicks Data Breach Claim Against Valve – Grigsby v. Valve

November 15, 2012

Court: Customer Consents to Receive Texts by Providing Phone Number to Pharmacy – Pinkard v. Wal-Mart Stores, Inc.

November 10, 2012

Email That Says “Done .. thanks!” Doesn't Transfer Copyrights – MVP Entertainment v. Frost

October 31, 2012

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information -- Burrows v. Purchasing Power

October 29, 2012

How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked (Forbes Cross-Post)

October 24, 2012

Q3 2012 Quick Links, Part 5 (E-Commerce, Miscellaneous)

Does the Supreme Court Have a Free Policy Choice in Wiley v. Kirtsaeng? (Guest Blog Post)

October 20, 2012

9th Circuit Zings Best Buy Over Robocalls – Chesbro v. Best Buy

October 19, 2012

A Reward Offer Still An Offer, Even if It's Made on YouTube – Augstein v. Ryan Leslie

October 15, 2012

Sony Network Data Breach Class Action Suffers Setback -- In re Sony Gaming Networks

October 12, 2012

Second Circuit Says Arbitration Clause in Terms Emailed After-the-Fact Not Enforceable – Schnabel v. Trilegiant

October 05, 2012

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

September 30, 2012

Lovelorn Plaintiffs Strike Out Against Match.com – Robinson v. Match.com

September 21, 2012

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

Cafepress Suffers Potentially Significant Trademark Loss for Users' Uploaded Designs (Forbes Cross-Post)

September 14, 2012

Another Blow to Banks in ACH Fraud Cases: Funds Transfers Act Preempts Indemnity Agreements -- Choice Escrow v. BancorpSouth

September 05, 2012

Barnes & Noble's Online Contract Formation Process Fails --Nguyen v. Barnes & Noble