The Communications Decency Act Suddenly Is Center Stage Again

Today’s internet users who might not be familiar with the Wild West that was the early internet might wonder how social media and other online service providers (and their users) “get away with” saying or publishing all manner of content on the web, including incendiary, defamatory, or just plain false information. The administration’s recent suggestion that it might assert executive power over social platforms has brought this issue back to the fore in an interesting way. This post is not meant to be a deep dive into the evolution of the law around expression on the web – but is intended to provide some guideposts for those who are watching this space.

Constitutional Freedom of Expression

Under the First Amendment to the U.S. Constitution, everyone gets to say whatever they want, right? That’s more or less correct, but over the years courts have also limited your rights of expression with what are called “time,” “place,” and “manner” restrictions. So you can’t go into a movie theatre and yell “fire,” because doing so might endanger the lives of others. Analogously, when you express yourself in a public forum, including on the web, your freedom of speech doesn’t mean you are … Keep reading

Consumer Rights and an Organization’s Responsibilities Under the CCPA

As we’ve previously blogged about, the California Consumer Privacy Act (“CCPA”) is an exhaustive piece of legislation requiring organizations to heed and defend consumer rights relating to access to, sharing of, and deletion of personal information that is collected by businesses. In particular, the CCPA requires organizations to notify California consumers of the rights newly afforded to them under the CCPA. These rights are summarized in the graphic below.

Summary of Consumer Rights and Organization’s Related Responsibilities:

In addition to notifying California residents of their consumer rights, organizations need to provide at least two methods, including a toll-free phone number, for consumers to submit requests to exercise their rights. If the organization maintains a website, one of those methods needs to be a website address. If an organization operates exclusively online and has a direct relationship with the consumer, it does not need to provide a toll-free number and only needs to provide an email address as a designated method for submitting requests.

Response Requirements When Consumer Exercises a CCPA Right

Once an organization obligated to comply with the CCPA receives a California consumer request to exercise a CCPA right, it must disclose and deliver the information free of charge … Keep reading

CCPA Enforcement Begins July 1, 2020: Do You Need to Comply?

Prior to the unique data security and privacy challenges unexpectedly presented as a result of a mass movement to remote working earlier this year, the California Consumer Privacy Act (“CCPA”) was one of the most highly anticipated regulations organizations were (or, should have been) preparing to comply with. Despite industry pressure to delay enforcement of the CCPA so organizations could continue to focus on mitigating further disruptions and damage to their operations caused by the COVID-19 pandemic, the California Attorney General has maintained his commitment to begin enforcement of the CCPA on July 1, 2020.

In preparation for the enforcement date, Burns & Levinson will be doing a series detailing some of the highlights of the CCPA, which technically went into effect on January 1, 2020.  If the CCPA applies to your organization and you had not previously taken steps to bring your organization into compliance with Europe’s General Data Protection Regulation (“GDPR”), you may have significant work to do in order to bring your organization into compliance with the CCPA.  If your organization has previously engaged in GDPR compliance, you may still have work to do.  While there is some overlap between the regulatory and statutory requirements of … Keep reading

Domain Name Offer: Helpful Service, or Marketing Scam?

In 2013, I blogged about a common deceptive technique used by some publishers around the world that send apparently official invoices to trademark applicants in the hopes that people will reflexively pay outrageous sums for a listing of their brand in a catalog few will read. I wanted to follow up on that post and summarize another common scam that befalls trademark owners and applicants. I get an inquiry from a client at least 2-3 times per month: “Is This Domain Name Email Legitimate?”

The ruse works like this: Trademark owner applies for a trademark in the U.S. or with another office in another country. Information about the mark and the owner is publicly available to scammers through simple searches. The scammer sends an email to the trademark owner purporting to warn the mark owner of the ill behavior of a potential domain name squatter. Below is an actual email received recently by a client. I have changed the names in the email to avoid any embarrassment of the recipient, but I otherwise have left the text, including the grammatical errors of the original, intact.

Dear CEO/Principal,

We are the department of [Domain Name] Service in China. Here I … Keep reading

How Many Website Privacy Policies to Maintain in Preparation for GDPR?

Under the GDPR, data controllers are tasked with communicating to data subjects how their data is processed in a way that is both concise and transparent. From a consumer-protection perspective, this is undoubtedly one of the regulation’s more commendable requirements; as many who have drafted website privacy policies understand, there is often tension between the twin goals of concision and transparency. Providing fully transparent disclosure about data-processing activities, while keeping such disclosures brief and easily readable, can be a tricky balance to strike.

One question the GDPR may prompt is whether it makes sense for an organization to maintain separate residency-dependent privacy policies, or a single, all-encompassing policy. There are pros and cons to each, and what works best for a particular organization will often depend on the operational impact of each, as well as the usability of each by the relevant data subjects.

The Multiple Privacy Policies Approach

Organizations that treat data-subject information differently depending on its origination point, or that opt not to extend the enhanced protections offered under the GDPR to non-European data subjects, may prefer to maintain separate residency-dependent privacy policies.

In this instance, the benefit is that each policy can be tailored, … Keep reading

Licenses, SaaS, and the Cloud

Some Legal Issues to Consider When Migrating to Become a Service Provider

Although everyone’s into blockchain and the Internet of Things, believe it or not, there are still plenty of traditional software developers out there, and some of them still distribute physical software under traditional licenses to end users. Many of these vendors are in the midst of migrating their business models to distribution of their software as a service (SaaS), or via related models (platform or infrastructure as a service [PaaS and IaaS], among others). For vendors moving in that direction, there is a tendency to try to shortcut changes to standard license agreements by merely amending existing license terms to refer to SaaS environments. However, that attempt to “make do” with a software license when vendors move to the cloud can lead to potentially significant legal problems down the road.

License or Not?

Commentators on the legal consequences of SaaS distribution of software are quick to point out that a license grant to software provided over the web is probably ill-advised (although that analysis may be over-simplified). Technically, because the software is not installed locally, and users are merely accessing it in the cloud or at a … Keep reading

Data Mining and GDPR Compliance: Dealing with Obtaining EU Personal Information from Third Parties Under the GDPR (Including a Notification Checklist!)

As the effective date of the General Data Protection Regulation (GDPR) draws near, companies that collect, process, and use data relating to EU citizens need to be thinking proactively about issues they will face under the new directive. This post summarizes the discrete issue of how companies should start to manage data mining and data usage activities. Stay tuned as we continue to keep you updated in this space.

As most are probably by now aware, the GDPR seeks to regulate the use and disclosure of the personal data of all individuals within the 28 EU member states. Though passed into law in May 2016, it does not become enforceable until May 25, 2018. Unlike most privacy regulations in the U.S., the EU defines the term “personal data” broadly—it includes “any information relating to an identified or identifiable natural person (the ‘data subject’).” This means that even the most basic contact information, such as business card details or simply a name and email address, falls under the GDPR’s protections. Public sources of information, such as a residential phone listing, are not exempted from the GDPR’s restrictions.

To legally handle EU personal information harvested from third-party sources after May 25, … Keep reading

Test Your GDPR Preparedness: 7 Questions to Ask Your Team

With only 100 days to go until the General Data Protection Regulation becomes enforceable on May 25, it is increasingly imperative for organizations that process information relating to an identified/identifiable European person to have a firm grasp on what the regulation entails, as well as any associated impacts on business that can be reasonably expected. Here are seven key questions to ask yourself, your team, or your project manager, to gauge how prepared your organization is to meet the requirements under the GDPR.

  1. Has our data been inventoried and mapped, such that we have a complete understanding of our data flow?

An essential prerequisite to developing a GDPR compliance plan is to have a detailed understanding of the lifecycle of the personal data processed by the organization. It is impractical to implement a reasonable GDPR compliance plan if the organization does not thoroughly understand the personal information it processes, how it was collected, where it is stored, and where and to whom it is transferred. The GDPR identifies specific categories of information that it expects organizations to keep records on, with respect to data processing.

  2. When personal information about people is collected indirectly from third-party sources (e.g., public databases, … Keep reading

What's In a Name?

Question: What do Sean Combs, J.K. Rowling, LeBron James, Lionel Messi, and Mark Wahlberg have in common? Two things, actually. First, they are all listed on the Forbes 2017 Celebrity 100 List; second, they all have gone to the trouble of registering their personal names as trademarks with the U.S. Trademark Office. Indeed, of the first 20 celebrities on this “A” list, 19 have sought registration of their names as trademarks.

Trademark Protections For Personal Names

Under Federal law, everyone is entitled to seek protection of his or her name as a brand. The Lanham Act expressly provides that:

No trademark by which the goods of the applicant may be distinguished from the goods of others shall be refused registration on the principal register on account of its nature unless it … consists of or comprises a name, portrait, or signature identifying a particular living individual except by his written consent.

As indicated by the language of the statute, in addition to names, likenesses (portraits) and signatures of individuals are entitled to trademark registration. Several well-known entertainers have taken advantage of this right, including Meryl Streep, Robert De Niro, and Anthony Hopkins … Keep reading

Alert to Privacy Shield Participants: You Could Lose Your Privacy Certification If You Ignore This Warning

Does this look familiar?

Recently, Privacy Shield participants started receiving these troubling alerts, purportedly from the International Trade Administration, warning that the recipient organization owes a new fee, and threatening to cancel that participant’s Privacy Shield certification if payment is not remitted by February 16, 2018. These alerts have all the classic markings of a phishing scam—appearing very official but containing a generic salutation, demanding payment for some otherwise unheard of fee, threatening dire consequences for failure to remit payment—so some of these alerts have undoubtedly gone ignored.

Unfortunately, this is not another blog post about a new fraud alert. Rather, this post is an alert that, if you participate in the Privacy Shield program, you may need to take action before February 16, 2018, to maintain your certification.

Alternative Dispute Resolution Under Privacy Shield Prior to September 13, 2017

The EU-U.S. Privacy Shield is a self-certification program run through the Department of Commerce that provides a safe harbor for U.S. companies that process or transfer heavily regulated personal data of EU citizens in the U.S. Because the U.S. has comparatively lax laws on privacy and data security, to comply with EU regulations, its businesses must voluntarily agree to … Keep reading