Recent Court Decisions Provide Some Clarity in Ever-changing Techlaw Landscape

As every CIO knows, today all business is digital business.  From the corner mom and pop bodega using Square to process credit cards up to Cisco Systems global network of devices supporting Zetabytes of data over an increasing number of devices.

What began as largely static website e-commerce at the turn of the millennium is now every day operations across multiple devices and the many different brands of platform and content delivery network.  In case you missed it, two recent cases will have a wide impact regardless of industry period

Law Enforcement Access To Cell Phone Location Data Requires Warrant

In the case of Carpenter v. United States, the Supreme Court ruled that law enforcement must obtain a warrant to have access to location and other data contained on a suspect’s cell phone.  In case you’re not familiar with the case, the facts in the Carpenter case are worth mentioning. In 2011, the government, conducting a criminal investigation in Detroit, obtained months’ worth of time-stamped records known as cell-site location information (CSLI) for suspects.  Wireless carriers produced CSLI for petitioner Timothy Carpenter’s phone, and the Government was able to obtain 12,898 location points cataloging Carpenter’s movements over 127 days—an average of 101 data points per day.  Carpenter moved to suppress the data, arguing that the Government’s seizure of the records without obtaining a warrant supported by probable cause violated the Fourth Amendment.  The District Court denied the motion, and prosecutors used the records at trial.  Carpenter was convicted, based in part on the cell-site records, and he appealed. holding that the government’s acquisition of historic cell-site location information (HCSLI) – at least to the extent it includes 7 days or more of cell-site records – was a search and thereby required a warrant.

In reversing the conviction, a majority of the Court has recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements and a warrant is required only in the rare case where the suspect has a legitimate privacy interest in records held by a third party.  The Court downplayed the significance of its ruling, calling its decision “a narrow one” that “does not express views on “real-time CSLI” or question the application to … a range of other information-gathering tools, such as security cameras.”

What this means for business.  While pundits are wisely praising the decision as a victory for privacy, I for one, do not believe it applies that broadly. Even so, there is a tangible benefit for corporate counsel at technology companies, especially those that maintain location information about their customers. Lawyers and compliance pros will feel some relief knowing that they do not have to scramble, prevaricate or litigate with law enforcement when a company receives a subpoena or other demand for location data without a warrant attached.

For additional views on this decision, please see an article from the International Association of Privacy Professionals here, and another from the Electronic Frontier Foundation here.

States Can Now Require That Internet Retailers Collect Sales Tax

The other notable decision to come down from the Supreme Court involves the long-simmering issue of state taxation on internet sales.

The decision, in South Dakota v. Wayfair Inc., was a victory for brick-and-mortar businesses that have long complained they are put at a disadvantage by having to charge sales taxes while many online competitors do not. And it was also a victory for states that have said that they are missing out on tens of billions of dollars in annual revenue.

The South Dakota Legislature enacted a law requiring out-of-state sellers to collect and remit sales tax “as if the seller had a physical presence in the State” to address the erosion of its sales tax base causing a corresponding loss of critical funding for state and local services (“Act”).  The Act covers only sellers that, on an annual basis, deliver more than $100,000 of goods or services into the State or engage in 200 or more separate transactions for the delivery of goods or services into the State.  Top online retailers with no employees or real estate in South Dakota who met the Act’s minimum sales or transactions requirement, but do not collect the State’s sales tax opposed the Act. South Dakota filed suit in state court, seeking a declaration that the Act’s requirements are valid and applicable to respondents and an injunction requiring respondents to register for licenses to collect and remit the sales tax. At trial and on appeal, courts held that the Act is unconstitutional.

The ruling effectively overturned a system that it created.  In 1992, the Supreme Court held that the Constitution bars states from requiring businesses to collect sales tax unless they have a substantial connection to the state. That case was Quill Corporation v. North Dakota.  The Quill decision helped pave the way for the growth of online retail by letting companies sell nationwide without navigating the complex patchwork of state and local tax codes.

South Dakota’s attorney general, called the ruling “a big win for South Dakota and Main Streets across America.”  The case should benefit both rural businesses where local businesses have been hit hard by competition from online retailers and municipal coffers as well, because in some states local sales taxes are collected at the state level.  Owners of brick-and-mortar stores like the decision as a means of leveling the playing field because they feel they often missed out on sales of big-ticket items since sales tax could have had an amplified effect on the price.  For consumers, this could mean paying more for products bought online.  Although most have a “use tax” that works like a state sales tax for online purchases, few if any consumers actually pay it.

Since the beginning of my practice in 1999, I suggested businesses take a state-by-state approach when it comes to issues like sales tax, since it can vary widely by jurisdiction.  No business is entirely virtual. All businesses will need to examine their ecommerce strategy to see whether and to what extent this case affects the business model.

Advertisements

David Adler continues focus on Cyber Security Conferences

Soem prior conferences:

Data at Risk: Regulatory and Privacy Concerns in a Data Breach. – Enfuse Conference 2018, Las Vegas, NV, May 23, 2018.

Trends in Cyber-Law 2017– ISACA CSX North America 2017, Washington, DC October 2-4, 2017

The Human Side of IT Acquisitions– Assoc. of Technology Acquisition Professionals CAUCUS IT Procurement Summit, New Orleans, LA, November 7-8, 2017

My topic, Assessing and Responding to Cyber Legal Risk,was chosen for presentation at the 2018 New York State Cyber Security Conference. 

#nyscyber 

Tips for a Successful & Legal Influencer Marketing Campaign

On September 25, 2017, I gave a presentation at Influencer Marketing Days in NY on how to avoid unnecessary legal risks when using Influencer Marketing.

Media consumption is moving from traditional outlets to other platforms. Explosive growth for social media and declining TV viewership means that advertising dollars are migrating with the eyeballs.

Due to popularity and reach of platforms like Instagram, Snapchat, YouTube and even a resurgent Twitter, brands are partnering with “influencers” to help the grow through views, impressions and “likes.” Online advertising is an active legal enforcement area and influencer marketing presents potential legal issues.

Since most lawsuits focus on consumer awareness (or lack thereof), legal compliance requires appropriate and adequate disclosures. The presentation focused on when disclosures are required and what constitutes adequate disclosure.

FTC

Best Practices EU/US Privacy Shield

In case you missed it, Ken Dort at Drinker Biddle held a discussion covering high points of the EU/US Privacy Shield. Talking points covered:

1. Application Overview
2. Certification Issues
3. Privacy Shield Principles and Supplemental Principles
4. Implementation Timelines (Expected)
5. Best Practices Going Forward Pending Implementation

The draft EU-U.S. Privacy Shield “adequacy decision” includes the Privacy Shield Principles companies must follow. Suggested Best Practices for compliance with EU-U.S. Privacy Shield Principles include: evaluating disclosures about data collection and use to determine whether they are sufficiently clear and evident to consumers, and 2) giving strong consideration for implementation of a formal opt-in mechanism. European government trade regulators are concerned about whether consumers are being sufficiently informed about the nature and scale of data collection.

Ken graciously provided this great list of resources for the discussion:

* Full text of the Privacy Shield can be found here.

* European Commission draft adequacy decision can be found here.

* Department of Commerce Fact Sheet can be found here.

* European Commission Fact Sheet can be found here.

* European Commission FAQs can be found here.

* Statement from U.S. Secretary of Commerce Penny Pritzker on release of the Privacy Shield text can be found here.

* European Commission statement on the Privacy Shield text can be found here.

Article 29 Working Party statement on the Privacy Shield can be found here.

As part of Adler Law Group’s Privacy & Information Security Practice, we continue to follow the developments in this area. We can help you review, enhance and adopt standardized contracts and implement methodologies for approaching these challenges by setting objectives, determining scope, allocating resources, and developing agreements that will efficiently and effective manage risks.

Tracking Tech Case Provides Guidance on Customer Opt Outs

From healthcare apps, to mobile devices, to utilities, services are collecting and aggregating customer data across many different types of connected devices. Many mobile apps and services rely on a consumer’s location information. As more mobile apps connect to the Internet to send and receive location data, the FTC, legislators, privacy advocates, and others have identified location information as a particularly sensitive category of data. A recent study conducted by Carnegie Mellon University contained shocking revelations about the frequency with which location information is gathered and transmitted to companies through their mobile apps. At the same time, the recent settlement with in-store retail customer tracking provider Nomi highlights the FTC’s increased scrutiny of data gathering practices and disclosures of mobile application developers.

It is no secret that retailers could derive significant business intelligence from the real-time moments through stores. This is one of the areas around which companies innovate around customers’ private information. For example, Nomi Technologies, a company whose technology allows retailers to track consumers’ movements through their stores, made headlines when it agreed to settle Federal Trade Commission charges that it misled consumers about opting out of their tracking services. This is not why you want to have your company’s innovations in the news.

Business counsel both inside and outside of companies developing applications that leverage mobile geolocation data of consumers and employees should be aware of the many issues that are developing around this area such as: How is geolocation information gathered and how does data flow from device, to app to, third party? How is it shared and used in mobile advertising? When is consent required and how should stakeholders obtain such consent?

 

Mining Data and Privacy: A Primer, Special Areas and State Laws

On Sept. 10, 2015, as part of the Mining Data and Privacy: A Primer Continuing Legal Education presentation moderated by the ISBA Intellectual Property committee, I presented the topic:

ISBA Privacy CLE – “Special Areas”: “Discover the security and privacy issues that have arisen in a number of special areas – HIPAA, COPPA, special state laws and regulations that govern online privacy, protection of personal data in court filings.”

The presentation is available here.

 

Copyright, Fair Use & Media

Digital Media
Digital Media

Media Creation & Consumption is Challenging Traditional Legal Notions.

At a time when #media creation & consumption has transformed, two recent cases, both involving Fox News Network on opposite sides of the “fair use” defense to copyright infringement, highlights the evolving and dynamic legal challenges facing business and content creators. In each case, Fox News loses on Summary Judgment.

Photographs, Fair Use & Social Media

The first case, North Jersey Media Group, Inc. v. Jeanine Pirro and Fox News Network, LLC, involves what many recognize as the “now iconic photograph of the firefighters raising the American flag on the ruins of the World Trade Center on September 11, 2001.” The photograph – which bears a striking resemblance to Joe Rosenthal’s World War II photograph of the Iwo Jima flag-raising – has become a similarly striking symbol of American patriotism.

That similarity was not lost on a production assistant for a Fox News program “Justice with Judge Jeanine” who posted the two images, unaltered, on the show’s Facebook Page, along with the phrase “#neverforget,” allegedly to commemorate the twelfth anniversary of the attack.

The case is noteworthy for its analysis of the “fair use” defense in a social media context. While the Copyright Act grants authors certain exclusive rights, including the rights to reproduce the copyrighted work and to distribute those copies to the public (17 U.S.C. § 106(1), (3)) one often quoted and widely misunderstood limit to those rights is the doctrine of “fair use,” which allows the public to draw upon copyrighted materials without the permission of the copyright holder in certain circumstances. The fair use doctrine is an after-the-fact defense to infringement, not a pre-emptive justification to use another’s work without permission.

Educated in journalism and media studies, the production assistant acknowledged that she understood a copyright to be something that is owned by someone else although she had no training in copyright law either in college or during her tenure at Fox News. She had been working at Fox News for approximately three years, had previously sought legal advice regarding use of photographs on the broadcast, but never in connection with posting images to the program’s Facebook page.

The key take-away for businesses and digital marketers alike is the need for vigilance when using third-party content on social media. Employee education and training on what copyright protects, what it doesn’t, and how it works may help prevent your business form facing a similar situation.

Media Monitoring, Digital Content & Copyright Fair Use

The second case, Fox News Network, LLC v. TVEyes, Inc., involves a company that monitors and records all broadcasts by more than 1,400 television and radio stations twenty-four hours per day, seven days per week. This content is indexed and organized in a searchable database that allows subscribers to search terms, determine when, where, and how those search terms have been used, and obtain transcripts and video clips of the portions of the television show that used the search term.

Fox News Network, LLC sued to enjoin TVEyes from copying and distributing clips of Fox News programs. TVEyes asserted that its system and services are permitted under the doctrine of “fair use.”

The court found that TVEyes service was a fair use. Unlike other services that simply “crawl” the Internet, culling existing content available to anyone willing to perform enough searches to gather it, the indexing and excerpting of news articles, where the printed word conveys the same meaning no matter the forum or medium in which it is viewed, the service provided by TVEyes is transformative. By indexing and excerpting all content appearing in television, every hour of the day and every day of the week, month, and year, TVEyes provides a service that no content provider provides. Subscribers to TVEyes gain access, not only to the news that is presented, but to the presentations themselves, as colored, processed, and criticized by commentators, and as abridged, modified, and enlarged by news broadcasts.

The key take away for technology companies that rely on content is what the court says about features of the Services (as opposed to the technology itself, e.g. the software/platform): the issue of fair use is for the full extent of the service, TVEyes provides features that allow subscribers to save, archive, download, email, and share clips of Fox News’ television programs. The parties have not presented sufficient evidence showing that these features either are integral to the transformative purpose of indexing and providing clips and snippets of transcript to subscribers, or threatening to Fox News’ derivative businesses.”

In other words, evidence that certain features are essential to the use of a service, may be sufficient to show how the features (service) exist above- and-beyond what stale or static content can show.

You Don’t Have to Muddle Through

When it comes to understating evolving technology legal risks, your business can’t simply muddle through. The professionals at the Adler Law Group can help you adopt conduct risk assessments, provide employee training and methodologies for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effective manage risks, while keeping pace with the business.

For a free consultation, call us at (866) 734-2568, send and email to info@ecommerceattorney.com or visit our web site www.adler-law.com