Social Media Advertising Tools And User Consent: What Are The Requirements?

Perhaps you’ve seen them, those television and radio ads that talk about the “creepy” nature of some adverting on the Internet that follows consumers across their social media. According to Pew Research, most Americans believe their online activities are being tracked and monitored. 

The fact is, most companies can and do share data with social media platforms to ensure targeted advertising reaches receptive audiences. As more tools become available and the variety of data sources grows globally, platforms and advertisers are re-examining their rights and obligations when it comes to something as simple as matching customers’ email addresses with their Facebook accounts. 

Facebook’s Customer List Custom Audiences (“Custom Audiences”) tool is one such tool that has the potential to expand an advertiser’s liability for unauthorized use of customer data. For EU customers, a German Data Protection Authority ruling requires a individual’s explicit consent to such sharing.

The Facebook Custom Audiences tool enables advertisers to create targeted advertisements to Facebook users by combining Facebook data with the advertiser’s data such as email addresses and phone numbers. To use marketing tool the advertiser must comply with the consent and privacy expectations of individuals who have provided email addresses.

Consent to Use Email Addresses

While the use and disclosure of email addresses is regulated in some countries, the U.S. does not have a uniform data privacy protection scheme. U.S. privacy rights are protected through a patchwork of laws addressed to specific types of harm, such as unauthorized access and disclosure of financial (Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681) or healthcare-related (Health Insurance Portability and Accountability Act of 1996 (HIPAA) 42 U.S.C. § 1320d–2) data. While the CAN SPAM Act (15. U.S.C. § 7701 et seq.) specifically regulates email, the Act excludes communications based on a previously existing relationship. 

Importantly, for most purposes, permission of the e-mail recipient is not required. However, messages MUST contain a mechanism to request to opt-out of future email messages. If email addresses are acquired from third-party sources, such as marketing databases or social media, ensure users are given reasonable notice and choice about the use of such data.

The Federal Trade Commission endorses a market-style model of ensuring the fair use of information that allows individuals to participate in decisions on the disclosure and use of their personal information. As articulated by the FTC, the elements of this approach are notice, choice, access, security and enforcement.

Contractual Requirements of Facebook Custom Audiences 

In order to use the Custom Audiences tool, the advertiser must agree to additional terms and conditions. Facebook’s Custom Audiences terms require that the advertiser have both “all necessary rights and permissions” as well as a lawful basis to disclose and use the email addresses “in compliance with all applicable laws, regulations, and industry guidelines.” 

Recommendations

Review your Privacy Policy, Website Terms & Conditions, and membership/subscription applications to confirm the existence of a clear mechanism to opt-out of future email messages. If email addresses are acquired from third-party sources, such as marketing databases or social media, review data gathering practices, review scope of permissions granted to the sources of data and ensure users are given reasonable notice and choice about the use of such data.

What Is Cyberlaw?

On November 13, I had the honor of providing a lecture on Cyberlaw to students at the Boston College Law School. Virtually, of course. I had been asked to talk about trends in Cyberlaw with a specific focus on issues related to intellectual property.

So what is Cyberlaw? Simply put, it is the “Rules of the Road” for the “information superhighway.” Cyber law is the law that governs rights, obligations and remedies of people and transactions conducted over global computer networks.

In a year that has seen hyperbolic growth in technology, commerce, and communications, this topic couldn’t be more timely. In order to frame the discussion, the scope featured a discussion of the Three Cs of Cyberlaw: Connections, Content and Commerce.

The first part of the discussion centered around Content, or issues related to Copyright, such as Free Speech/First Amendment CDA Sec. 230, Creative Works, Media and Entertainment, UGC and the DMCA.

The Second part of the discussion centered around Commerce or issues related to Trademarks, marketing and branding, such as: Marketing/Advertising, Domain NamesCyberpiracy prevention, Keyword Advertising and Social Advertising.

The third and final part of the discussion focused on Connections and Communications and issues related to Personal Data, Stalking, Harassment, Surveillance and Sovereignty, issues around Social Media Freedom of Speech v. Freedom of Reach, and the latest developments around Political speech online.

The lecture closed with a Q&A focused primarily on Navigating Law School and Professional Practice.

COVID-19 is changing consumer behavior in important and probably permanent ways.

COVID-19 is changing consumer behavior in important and probably permanent ways. This is why marketers should take notice.

Sparked by the coronavirus pandemic, consumer and business e-commerce transactions accelerated the ongoing shift toward online commerce. This enables even more marketing opportunities that create real time connections with customers. From pink ribbons to Product Red, social feeds are full of calls to support those in need. In this way, online cause marketing can drive “consumption philanthropy” replacing mindless buying with virtuous action. Tying cause-worthy buying with the latest ecommerce boom creates new opportunities for marketers.

However, before turning your blog, social media accounts, or website into a funnel to raise money for First Responders, it is important to understand that all states have laws that govern charitable solicitations. Running promotions and undertaking solicitations for charities means that unless the business itself is set up as a tax exempt charitable entity, these activities are considered “Commercial co-ventures.” Generally this is a person (or business) who, for profit, is primarily engaged in commerce other than in connection with soliciting for charities and who conducts a charitable sales promotion.

In Illinois, Sec.3. (b) of the Solicitation for Charity Act provides the following persons shall not be required to register with the Attorney General: 3. “Persons requesting any contributions for the … benefit of any individual, specified by name at the time of the solicitation, if the contributions collected are turned over to the named beneficiary, first deducting reasonable expenses for costs of banquets, or social gatherings, if any, provided all fund raising functions are carried on by persons who are unpaid, directly or indirectly, for such services.” Emphasis mine.

Even if you are not raising money for a good cause, consider using disclaimer s to let your audience know product and company names are trademarks of the respective owners and does not imply any affiliation with or endorsement by them.

Is It Necessary To Register A Design Copyright?

A client was asking “is it necessary to fill out all the paperwork to register a design even though the law says you already own it?”

It’s a good question. Technically, under the Copyright Act as amended in 1976, the author (creator) of a work owns the copyright. The 1976 Act states that copyright protection extends to original works that are fixed in a tangible medium of expression. This wording broadens the scope of federal statutory copyright protection from the previous “publication” standard to a “fixation” standard. No further action is necessary. Under previous versions of the law, there were publication requirements to perfect ownership.

Under section 102 of the Act, copyright protection extends to “original works of authorship fixed in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device.”

Until the ’76 statutory revision to U.S. copyright law the Copyright Act of 1909 governed, under which federal copyright protection attached only when those works were 1) published and 2) had a notice of copyright affixed. In addition, state copyright law governed protection for unpublished works creating inconsistencies.

Despite the successful streamlining and efficiency of rights creation and enforcement, some challenges and inconsistencies remained. Most noticeably, there had been spit in the federal courts. Some courts required the certificate to litigate, some courts only required proof that an application had been filed.

Last year, the US Supreme Court ruled that in order for a copyright owner to enforce its rights against infringers, the copyright owner must have a registration certificate for the works that are being infringed.

In Fourth Estate Public Benefit Corp. v. Wall-Street.com, LLC, 586 U.S. ___ (2019) (PDF here) decided March 4, 2019, the US Supreme Court resolved this split among courts around the country by holding that the mere filing of a copyright application is not sufficient to allow a copyright owner to file suit – actual approval of a copyright application by the United States Copyright Office is required before suit can be filed. Approval comes only in the form of a Registration Certificate.

Returning to the client’s question, while it is true that the Copyright Act says  one owns the copyright in a work when it is fixed, it is no longer true that one can ignore the registration requirements. Yes, one does not have to do anything formal to own a copyright in a work one creates. However, one cannot enforce those rights without the registration certificate in hand. For all practical purposes, there is no reason not to register the copyright in any design, pattern or other distinctive element you create. The fees are relatively low ($65.00) and completing/filing the form can be done electronically.

A word to the wise, like all areas of Intellectual Property, there are nuances that are easily overlooked by the uninitiated. You should always consult with an experienced copyright lawyer when evaluating any individual situation.

Why Now is the Time to Buy or Sell a Business

Looking for Business Opportunities Ahead of the Economic Fallout

In this difficult time of staying at home, people may be looking to buy or sell a business. We have all been impacted in different ways, each of which may be a reason to make a change. Traditional reasons people exit a company arise because of changing economic conditions, a tragic family event, a loss of passion, or simply the desire to retire. At the same time, buyers may be seeking to expand in a sector or industry, add talent, enlarge the customer base, or acquire technologies or resources that can provide a competitive advantage. Witness the unprecedented overnight shift to tele-work, tele-health, remote online primary school education, and live-streamed happy hours and family gatherings.

Thinking of Buying or Selling a Business?

If you are thinking of buying or selling a business, here are three key reasons to act now. First, labor is in flux, and available. As retailers, restaurants, travel companies and other service sectors that employ tens of millions of Americans get squeezed, the tech sector, which tends to have relatively few employees, has surged. Many target businesses may have a lower headcount while retaining a leaner operating infrastructure and access to a ready, willing, and trained talent pool.

Second, the federal government will do what it takes to stabilize the economy and accelerate the recovery. Nevertheless, there is a real risk of many “main-street” companies going bankrupt – making them easy acquisition targets. Opposite that, large-scale public companies (consumer-packaged goods, media) are boosting the broader recovery. Companies on either side of this equation may benefit from the changing market dynamics and opportunities for what comes next. As of this writing, nine states have lifted the stay-at-home orders or will let them expire, with many others soon to follow. The window is closing.

Third, one of few benefits of the current crisis is the acceleration of investment and escalation of consumer-facing products, services, and technologies. Reports indicate that 2020 shows a year-over-year (YoY) increase of over 15% in use of contactless payments.  This is a real opportunity for companies to not only “get lean” but also digitize business practices that can improve the customer experience.

Changing consumer behavior will continue to force this along. According to Forbes, U.S. YoY online retail revenue growth is up 68% in April, surpassing the earlier peak of 49% in early January. U.S. & Canadian e-commerce orders grew 129% with 146% growth in all online retail orders. Online conversion rates increased 8.8% in February, an increase of shopping intensity usually seen only during rare events such as Cyber Monday.

Bottom Line

Most people are sitting around waiting for things to shift and change around them, while others are moving through it all and pivoting on their own. Don’t wait for your competitors to invest in the next generation technologies. Working with experienced legal counsel will help you identify the opportunities and act quickly to negotiate and close a deal. If you are interested in learning more about buying or selling a business, please get in touch.

Does My Business Need A “Button” To Comply With The CCPA’s Do Not Sell Rule?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and went into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  Your clients may be asking you about the CCPA.  While each business should evaluate the law in terms of its own specific situation, here are some general guidelines to start the process.

Does the CCPA Apply to My Business?

If your business satisfies one or more of the following, then the CCPA applies:

(i) annual gross revenue in excess of $25 million?

(ii) buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, (a) for commercial purposes (assume always true), (b) alone or in combination (assume always true), (c) annually, and

(iii) derives fifty percent (50%) or more of its annual revenues from selling consumers’ personal information.

Even if the business does not collect personal information, as long as is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.

What is the Do Not Sell Rule?

The Do Not Sell rule is a key part of the regulation. It states that businesses must give consumers the option to opt-out of the sale of their personal data.

Specifically, the regulation says that businesses must:

  • Have a page on their website titled “Do Not Sell My Personal Information.” On this page, consumers based in California can opt-out of the sale of their personal data.
  • The business must clearly link to the “Do Not Sell My Personal Information” webpage from the homepage.
  • The website must describe the consumer’s rights to opt-out of the sale of personal data and provide a link to the “Do Not Sell My Personal Information” page in its privacy policy.
  • Once a user requests that a business not sell their personal information, the business must respect this decision for a minimum of 12 months.
  • Finally, websites should have a way to prove that they are respecting these customer requests.

Businesses and website owners need to put processes in place that will help them adhere to the above guidelines.

For more information about the impact of the CCPA on your business, please contact the lawyers at Adler Law Group to schedule a consultation.

Privacy Law – How Do You Verify the Identity of a Data Requestor?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and will go into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  Whether or not your practice involves regular questions of Privacy Law, your clients may be asking you about the CCPA.  By keeping data minimization objectives in mind and not over-thinking compliance obligations, verifying the identity of a data requestor may be straight-forward.

 

The ability to control how one’s data is used is a cornerstone of the CCPA. However, this puts a burden on a business to ensure that only a “verified” consumer accesses the requested data and avoid fraudulent requests. To access or delete information, a consumer must submit a “verifiable consumer request.” While the term implies that a business must take steps to “verify” the individual making the request, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification.

 

With little to go on, a business might be tempted to act over-cautiously and require more information than is actually necessary to verify identity.   With data minimization principles in mind, it is important to recognize privacy risks to avoid.  Don’t over-reach; avoid obtaining more sensitive or potentially harmful information than is necessary to complete the request.  Also, avoid asking for sensitive documents such as a passport.

 

A good rule of thumb is try to use the same method that was used to gather the data in first place. For example, your client operates a consumer website featuring information and users are required to provide a username and password to register with the site. Ask the requestor to provide a username and password to verify. If two-factor authentication was used, then challenge that requestor using the same method. Don’t ask for a driver’s license.

 

If a client is asking for additional resources on how to implement policies and procedures, it is useful to look to industry-standard references, such as  NIST. A good (but technical) explanation Guidelines on verifying identity.  If this is too technical, a client should work with a consultant who can explain the framework. One valuable upside is that if a business is required to respond to a regulator or litigant, the business can point to use of the industry standard as reasonable basis for compliance efforts.

 

Are you tasked with advising a client how to craft a CCPA policy or procedure? There is no requirement that companies create a written policy for processing requests. If a company chooses to create an internal policy or procedure for handling data access and deletion requests, the following four topics are relevant:

 

  1. Data subject verification. Before taking any action, a company should verify that the individual that submitted the request is the individual to whom the data belongs. Verifying identity depends upon the type of data maintained. Remember, if the requestor signed up with a username and password, use this to verify.

 

  1. Communications. A business must respond to a requestor, even if the request is a denial. To streamline a timely response, a company may choose to create template communications and procedures.

 

  1. Evaluating the request. The right to be forgotten is not an absolute right. Some companies choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure. If refused: Reply with a reason and provide options: regulator, court?

 

  1. Completing a Request. Upon verification of the identity of a requestor and a determination that a deletion request should be granted, a business can include instructions for technical steps that should be taken in order to erase an requestor’s information.

 

For clients implementing processes and procedures to respond to individuals who invoke their rights under the CCPA, meeting the requirement to verify the requestor’s identity (and reduce the risk of complying with a fraudulent request) can present a risk. However, with data minimization objectives in mind, using verification methods that make sense in the context of the requestor’s data, may reduce some of the burden of verifying the identity of a data requestor.

 

FOR EDUCATIONAL PURPOSES ONLY. NOT LEGAL ADVICE.

Choosing the Right Legal Entity for Your Business – Webinar

Seasoned business owners usually know enough to invest in the protection of some form of business entity. Too often, these individuals fail to engage in the necessary business and tax planning to get the most from their investment.
Whether you are a sole proprietor, partnership, corporation, limited liability company (LLC), limited liability partnership, or hybrid entity, you will gain useful knowledge. This webinar covers why a business owner should consider the benefits and costs of each type of entity, the existence of limited liability for owners, flexibility in terms of governance and ownership structure, and favorable treatment under state and Federal income tax laws. More sophisticated entrepreneurs may find certain advantages in terms of estate and gift planning and flexibility in operations and management.
I want to say thanks to the folks at IVY for giving me the opportunity to present the Ivy Webinar – Choosing the Right Legal Entity for Your Business with David M. Adler. In case you missed it, there is a link to the full webinar details below.
NOTICE AND DISCLAIMER: The webinar content is for informational purposes only. It is not legal advice and does not create a lawyer-client relationship with David M. Adler.
View Webinar Here.

Declaratory Judgment Action for Copyright Infringement

At a time when #media creation & consumption is traveling across a growing number of devices, at increasing speeds, and without care for for borders whether physical, digital, or geographic, licensing, distribution and use of digital content can cause problems.

The case of Fastcase, Inc. v. Lawriter, LLC, Case No. 17-14110 (11th Cir. Oct. 29, 2018) (Tjoflat, J), involved a dispute between two legal publication service companies over the right to re-publish the Georgia Regulations.

The Declaratory Judgment defendant and presumptive rights owner had no enforceable copyright or contract rights in the Regulations. Defendant updated the terms so that unauthorized re-publication of the Regulations would result in liquidated damages of $20,000 per instance, which was relevant to the jurisdictional issues of whether § 411(a) is a jurisdictional bar.

From The National Law Review, source for this story: “Practice Note: A demand letter alleging infringement under the Copyright Act—or even alleging state law claims that would arguably be preempted by the Copyright Act—confers jurisdiction on a federal court to hear the recipient’s declaratory judgment action.”

Illinois Amends the Freedom From Location Surveillance Act

The latest amendments to the Act provide even more privacy positive aspects. The definition of “electronic device” has been clarified to include any device that enables accessto, or useof an electronic communication servicethat provides the ability to send orreceive wire or electronic communications, including wireless communications connecting the device to a telephone network. [Emphasis mine]  Also, “location information” now includes information concerning the location of an electronic device generated by or derived from the possession of the device (rather than onlyoperation of the device). The amendments also remove time-based limits on some law enforcement searches.  No location information – rather than current or future location information – may be obtained without first obtaining a court order based on probable cause. Provides that the Act does not apply to a law enforcement agency obtaining basic subscriber information from a service provider under a valid court order or search warrant (removing prior subpoena requirement). The changes are effective immediately.

The Illinois Freedom From Location Surveillance Act (725 ILCS 168/) can be found here.