Header graphic for print

New Media and Technology Law Blog

SONY Pictures Breach Stresses Need to Revisit Document and Email Retention Policies

Posted in Data Security, E-mail

The SONY Pictures cybersecurity breach playing out in public over the last few weeks is just the latest in a series of high profile cybersecurity breaches.  This one is a little different than some of the other commercial breaches we have been learning about recently, because in addition to sensitive personally identifiable information, it also involves highly confidential and personal emails, communications written with the expectation that only the sender and receiver of the email would ever see them.

Two excellent articles in today’s Wall Street Journal highlight some of the expanding implications of the breach. First, one article highlights the concern that while companies have focused on cybersecurity with respect to “sensitive” information, the focus has not been as vigorous on general email data. The article points out that since the SONY breach, executives are taking steps to reduce or control the use of email so that if communications are leaked, it is not as harmful to an organization.   For example, the article cites an executive recommending picking up the phone or visiting someone’s office rather than sending an email. I personally am not sure that is a practical alternative for all organizations, particularly for a large multi-national corporation or a company with a sizeable number of employees working remotely.

The second article cites the risk associated with emailing a business partner, as those communications are only as secure as the partner’s level of security for such communications.

In the wake of the incident, I expect that we will see a renewed focus on the security of all electronic data, including email.  One suggestion is that companies update their record retention practices in light of the security incidents of the last few years.  This includes updating their record retention policies, and perhaps implementing technical means to enforce those policies.  A reasonable record retention policy, instituted in good faith and properly managed to retain documents as required by law, can allow for the lawful, periodic deletion of non-essential business emails like the ones that came to light in the SONY breach.  See generally Rattray v. Woodbury County, Iowa, 761 F.Supp.2d 836 (N.D. Iowa 2010) (discussing a document retention policy with respect to the spoliation of evidence during litigation).

Also, I suspect that we will see organizations seek to mitigate this risk through other approaches, including technical approaches (systems and audits),more focused training, contractual approaches and governance initiatives, as well as, if necessary, through the prospect of litigation (as SONY recently did by instructing their attorney to send a letter to news organizations demanding, among other things, that they destroy any leaked information in their possession).

QVC Sues Shopping App for Web Scraping That Allegedly Triggered Site Outage

Posted in Contracts, Internet, Online Commerce

Operators of public-facing websites are typically concerned about the unauthorized, technology-based extraction of large volumes of information from their sites, often by competitors or others in related businesses.  The practice, usually referred to as screen scraping, web harvesting, crawling or spidering, has been the subject of many questions and a fair amount of litigation over the last decade.

However, despite the litigation in this area, the state of the law on this issue remains somewhat unsettled: neither scrapers looking to access data on public-facing websites nor website operators seeking remedies against scrapers that violate their posted terms of use have very concrete answers as to what is permissible and what is not.

In the latest scraping dispute, the e-commerce site QVC objected to the Pinterest-like shopping aggregator Resultly’s scraping of QVC’s site for real-time pricing data.  In its complaint, QVC claimed that Resultly “excessively crawled” QVC’s retail site (purpotedly sending search requests to QVC’s website at rates ranging from 200-300 requests per minute to up to 36,000 requests per minute) causing a crash that wasn’t resolved for two days, resulting in lost sales.  (See QVC Inc. v. Resultly LLC, No. 14-06714 (E.D. Pa. filed Nov. 24, 2014)). The complaint alleges that the defendant disguised its web crawler to mask its source IP address and thus prevented QVC technicians from identifying the source of the requests and quickly repairing the problem.  QVC brought some of the causes of action often alleged in this type of case, including violations of the Computer Fraud and Abuse Act (CFAA), breach of contract (QVC’s website terms of use), unjust enrichment, tortious interference with prospective economic advantage, conversion and negligence and breach of contract.  Of these and other causes of action typically alleged in these situations, the breach of contract claim is often the clearest source of a remedy.

This case is a particularly interesting scraping case because QVC is seeking damages for the unavailability of their website, which QVC alleges to have been caused by Resultly.  This is an unusal theory of recovery in these types of cases.   For example,  this past summer, LinkedIn settled a scraping dispute with Robocog, the operator of HiringSolved, a “people aggregator” employee recruting service, over claims that the service employed bots to register false accounts in order to scrape LinkedIn member profile data and thereafter post it to  its service without authorization from Linkedin or its members.  LinkedIn brought various claims under the DMCA and the CFAA, as well as state law claims of trespass and breach of contract, but did not allege that their service was unavailable due to the defendant’s activities.  The parties settled the matter, with Robocog agreeing to pay $40,000, cease crawling LinkedIn’s site and destroy all LinkedIn member data it had collected.  (LinkedIn Corp. v. Robocog Inc., No. 14-00068 (N.D. Cal.  Proposed Final Judgment filed July 11, 2014).

However, in one of the early, yet still leading cases on scraping, eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000), the district court touched on the foreseeable harm that could result from screen scraping activities, at least when taken in the aggregate.  In the case, the defendant Bidder’s Edge operated an auction aggregation site and accessed eBay’s site about 100,000 times per day, accounting for between 1 and 2 percent of the information requests received by eBay and a slightly smaller percentage of the data transferred by eBay. The court rejected eBay’s claim that it was entitled to injunctive relief because of the defendant’s unauthorized presence alone, or because of the incremental cost the defendant had imposed on operation of the eBay site, but found sufficient proof of threatened harm in the potential for others to imitate the defendant’s activity.

It remains to be seen if the parties will reach a resolution or whether the court will have a chance to interpret QVC’s claims, and whether QVC can provide sufficient evidence of the causation between Resultly’s activities and the website outage.

Companies concerned about scraping should make sure that their website terms of use are clear about what is and isn’t permitted, and that the terms are positioned on the site to support their enforceability. In addition, website owners should ensure they are using “robots.txt,” crawl delays and other technical means to communicate their intentions regarding scraping.  Companies that are interested in scraping should evaluate the terms at issue and other circumstances to understand the limitations in this area.

Music Publishers Bring Contributory Copyright Claims Against ISP for Infringing Activities of Subscribers

Posted in Copyright

In a novel lawsuit that tests the bounds of service provider liability, two music publishers brought suit against an ISP for contributory copyright infringement for allegedly facilitating infringement by failing to terminate the accounts of broadband subscribers who were purportedly repeat infringers that had unlawfully downloaded copyrighted music from BitTorrent sites. (BMG Rights Management (US) LLC v. Cox Enterprises, Inc., No. 14-01611 (E.D. Va. filed Nov. 26, 2014)).

The lawsuit raises many issues:

  • What are the obligations of a broadband provider that receives a notice from a copyright holder about a suspected repeat infringer?
  • How reliable are the infringement notices sent to the ISP?  How can an ISP decide when a subscriber is a repeat infringer?
  • Does this dispute implicate the voluntary “six strikes” Copyright Alert System implemented by certain ISPs?
  • Can the ISP claim immunity under the DMCA §512 safe harbor?  How would a court interpret DMCA §512(i), regarding implementing a “repeat infringer” termination policy, with respect to an ISP?
  • What are the bounds of vicarious liability with respect to an ISP having paid subscribers who allegedly commit infringement?

While many of these issues have not been directly addressed recently by U.S. courts, the lawsuit brings to mind the pre-DMCA decision in Religious Technology Center v. Netcom On-Line Communication Services, Inc., 907 F.Supp. 1361 (N.D. Cal. 1995).  There, the court held that an ISP serving as a passive conduit for copyrighted material was not liable as a direct infringer, but allowed contributory copyright infringement claims to go forward based upon disputed issues of fact as to whether the operator had sufficient knowledge of infringing activity.  Obviously, with the enactment and interpretation of the DMCA and the evolution of new business models, the world has changed and it will be interesting to see how a court views these issues 20 years later.

The current dispute also is reminiscent of the Australian decision in Roadshow Films v iiNet Limited [2012] HCA 16, where the High Court of Australia ruled that an ISP did not “authorise” the infringement of copyrighted films by its customers, despite its inactivity after receiving notices from a copyright association about suspected ongoing infringement by the ISP’s customers.

We will be watching this dispute and await any judicial rulings that might unpack some of the above copyright issues.

California Supreme Court Denies Review of Ruling Allowing Restaurant Owner’s False Advertising Claims to Proceed Against Yelp

Posted in Online Commerce, Online Content

On November 12, 2014, the California Supreme Court denied review of the California Court of Appeals decision in Demetriades v. Yelp, Inc., 2014 WL 3661491 (Cal. App. July 24, 2014), which allowed a restaurant owner to proceed with false advertising and other claims against the consumer review site Yelp based upon Yelp’s marketing claims regarding the accuracy and efficacy of its automated “filter” that removes unreliable  or biased consumer reviews.

Companies, frustrated with their portrayal on online review sites, have mostly struck out when seeking to hold website operators liable for managing and displaying user-generated reviews.  However, the Demetriades case is one example where a court refused to dismiss claims against a consumer review site related to marketing representations. For a fuller treatment of the decision and a larger discussion of the interplay between marketing statements and immunity under CDA Section 230, see our prior post — Website Marketing Statements: The Achilles’Heel to CDA Protection?  

FinCEN Releases Two Rulings Classifying a Bitcoin Payment System and Virtual Currency Trading Platform as MSBs

Posted in Digital Currency, Regulatory, Technology

In its opening salvo bringing bitcoin under the watchful eye of the federal government, the Financial Crimes Enforcement Network (FinCEN) issued a Guidance (FIN-2013-G001) in March 2013 clarifying that anti-money laundering regulations concerning record keeping and recording apply to digital currency exchanges.  Under this initial guidance, a bitcoin exchange that allows users to buy bitcoin with real currency and sell bitcoin for real currency must file as a money services business (MSB) as defined under the Bank Secrecy Act (BSA) with FinCEN (but a user who simply obtains virtual currency and uses it to purchase real or virtual goods or services would not be subject to FinCEN regulations).

Yesterday, FinCEN issued two additional rulings that answer questions submitted by two companies seeking guidance on whether they must register as MSBs and be subject to the accompanying reporting, recordkeeping and monitoring requirements.  These rulings are important in further clarifying the scope of its initial March 2013 guidance.

In FIN-2014-R011, “Request for Administrative Ruling on the Application of FinCEN’s Regulations to a Virtual Currency Trading Platform,” one company asked whether its plans to set up a virtual currency trading and booking platform would make it subject to FinCEN regulations.  Specifically, the company’s plan involved a trading system to match offers to buy and sell convertible virtual currency for real currency anonymously among the platform’s customers (inter-account transfers or payments from customer accounts to third-parties would be prohibited).  In response, the agency ruled that such a trading platform would be considered an MSB:

A person that accepts currency, funds, or any value that substitutes for currency, with the intent and/or effect of transmitting currency, funds, or any value that substitutes for currency to another person or location if a certain predetermined condition established by the transmitter is met, is a money transmitter under FinCEN’s regulations.” […] The Company is facilitating the transfer of value, both real and virtual, between third parties.

The method of funding the transactions is not relevant to the definition of money transmitter. An exchanger will be subject to the same obligations under FinCEN regulations regardless of whether the exchanger acts as a broker (attempting to match two (mostly) simultaneous and offsetting transactions involving the acceptance of one type of currency and the transmission of another) or as a dealer (transacting from its own reserve in either convertible virtual currency or real currency). Therefore, FinCEN finds that the Company is acting as an exchanger of convertible virtual currency, as that term was described in the Guidance.

In FIN-2014-R012, “Request for Administrative Ruling on the Application of FinCEN’s Regulations to a Virtual Currency Payment System,” another company asked whether a proposed convertible virtual currency payment system for the hotel industry that accepted customers’ credit card payments and transferred the payments to the merchants in the form of bitcoin (presumably to avoid substantial foreign exchange risks in Latin America) would make the company a MSB.  Under such a payment system, the merchants would be paid using the company’s own large reserve of bitcoins.  FinCEN responded that if the company sets up such a payment system, the company would be a money transmitter and subject to regulations because “it engages as a business in accepting and converting the customer’s real currency into virtual currency for transmission to the merchant.”

The agency further stated:

The fact that the Company uses its cache of Bitcoin to pay the merchant is not relevant to whether it fits within the definition of money transmitter. An exchanger will be subject to the same obligations under FinCEN regulations regardless of whether the exchanger acts as a broker (attempting to match two (mostly) simultaneous and offsetting transactions involving the acceptance of one type of currency and the transmission of another) or as a dealer (transacting from its own reserve in either convertible virtual currency or real currency).

As the bitcoin ecosystem matures and new business models develop, the reach of federal anti-money laundering regulations may be unclear in certain circumstances.  We will keep you posted as we learn more and work through these issues with our clients.

Landmark Oracle-Google Android Copyright Dispute May End Up In Supreme Court

Posted in Copyright, Mobile, Software

While many smartphone users were gazing upon their new iPhone 6 Plus’s 5.5-inch screen with wonder, there was another notable development in the mobile/tech world – the ongoing software copyright dispute between Oracle and Google over the development of the Android mobile platform just heated up again.

This past week, Google filed a petition for a writ of certiorari asking the Supreme Court to overturn the Federal Circuit’s ruling that the declaring code and the structure, sequence, and organization of 37 Java API packages are entitled to copyright protection (the Federal Circuit had also directed the lower court to reinstate the jury’s prior infringement finding as to the Java packages, subject to Google’s fair use defense). See Oracle America, Inc. v. Google Inc., 750 F.3d 1339 (Fed. Cir. 2014).

In its petition, Google framed the issue on appeal as:

Whether copyright protection extends to all elements of an original work of computer software, including a system or method of operation, that an author could have written in more than one way.

Essentially, Google argued that, contrary to the Federal Circuit’s interpretation, the Copyright Act excludes systems and methods of operations from copyright protection and that the appeals court “erased a fundamental boundary between patent and copyright law.” Google repeatedly stressed the “certworthiness” of this dispute and the “exceptional importance” of the outcome to future innovation and software development – sometimes with expansive statements such as:

If the Federal Circuit’s holding had been the law at the inception of the Internet age, early computer companies could have blocked vast amounts of technological development by claiming… copyright monopolies over the basic building blocks of computer design and programming.

A more complete picture of the potential issues and arguments will arrive when Oracle files its response.

We await the Court’s decision on whether it will accept the petition and perhaps bring added clarity to the sometimes murky contours of copyright protection of software.

Emerging Technology and Existing Law: Can Geofencing Provide Radio Webcasters a Workaround of Digital Performance Royalties?

Posted in Copyright, Licensing

New technology continues to generate business models that test the limits of intellectual property laws enacted before such technologies were ever contemplated.  The latest example is the use of “geofencing” in an attempt to avoid certain obligations to pay certain digital performance royalties.

In February 2014, VerStandig Broadcasting, the owner of several radio stations in Virginia, sent a letter to SoundExchange, the entity responsible for administering statutory licenses and collecting digital performance royalties for sound recordings.  The letter stated that VerStandig intended to use geofencing (explained below) to stream radio broadcasts to a limited area within 150 miles of each station’s transmitter using geofencing technology.  This method, VerStandig Broadcasting said, would fall into an exemption under Section 114(d)(1)(B)(i) of the Copyright Act (17 U.S.C. §114(d)(1)(B)(i)), that would excuse it from paying digital performance royalties to recording artists.

A month later SoundExchange responded that the referenced exemption did not apply to simulcasts over the internet and urged VerStandig to seek a statutory license for such online streaming, regardless of whether such signal was “geofenced” to a limited 150-mile area.  Six weeks later, VerStandig filed a declaratory judgment action against SoundExchange, seeking a judicial interpretation of whether its radio stations could avoid paying digital performance royalties by using geofencing to restrict online streaming (WTGD 105.1 FM v. SoundExchange, Inc., No. 14-00015 (W.D. Va. filed Apr. 30, 2014)).

Geofencing is a location-based technology that creates a virtual perimeter around an area or location ranging in size from a single building to an entire state and then allows an entity to determine if a user’s mobile phone, device or computer is within this perimeter based upon the user’s IP address, WiFi and GSM access points, and GPS coordinates.  The technology has many applications.  For example, a company might use it for fleet management to determine when a vehicle has left a certain zone, a business might use it for BYOD security by limiting network access to employees’ devices within a certain geographical area, or a retailer might use it to interact with registered mobile customers who have entered a store. The state of New Jersey, which passed a law allowing Atlantic City casinos to offer intrastate online gaming, uses geofencing technology to make sure that only users located within the state’s borders are able to gamble online.  Recently, the anonymous messaging app Yik Yak used geofencing to build virtual “fences” around middle and high schools to block teenagers from accessing the app from school property in the hope of limiting instances of cyberbullying.

Under existing law, AM/FM radio stations are exempt from paying performance royalties to performers and record labels, but pay royalties to songwriters or their publishers.  Congress struck this balance many decades ago based on the assumption that radio stations could play music and earn advertising revenue and the recording industry could capitalize from the airplay with increased song and album sales (though, in recent years, recording artists groups have advocated for reform).  Enter the digital age, and the online simulcast of AM/FM broadcasts (or “webcasting”).   In the mid-1990s, Congress amended the Copyright Act and granted copyright holders in sound recordings the right to perform their works publicly “by means of a digital audio transmission,” 17 U.S.C. § 106(6), along with an accompanying statutory licensing scheme to calculate and collect these digital performance royalties.

In general, radio webcasters are subject to statutory licenses, which require the transmitter to make royalty payments to SoundExchange, the collective responsible for obtaining and distributing digital royalties to the copyright holders.  However, §114 of the Copyright Act outlines several exemptions to this digital performance right, such as when a radio station’s AM/FM broadcast is being transmitted no more than 150 miles from the station’s transmitter (note, this is a simplification of the statutory exemption, as the text references a number of terms defined under the statute, such as “retransmission,” and “subscription” and “nonsubscription” transmissions, and should generally be read in context of the entirety of §114).

The plaintiffs contend that their geofenced webcasts would essentially be exempt retransmissions of a nonsubscription broadcast transmission under 17 U.S.C. §114(d)(1)(B).  Of course, when this provision was drafted, geofencing technology did not exist and content streamed over the internet could not be restricted geographically, requiring station owners that streamed their broadcasts online to pay digital performance royalties.

In its Memorandum supporting its motion to dismiss, SoundExchange argued that the court lacks jurisdiction to hear this action because the plaintiffs have not presented an “actual controversy” or “real and substantial” dispute that touches parties with adverse legal interests.  On a more substantive level, SoundExchange also countered that geofenced streams of radio content are not exempt from the statutory license provisions, pointing out that the Copyright Office previously ruled that the 150-mile exemption does not apply to radio retransmissions made over the internet, even if such transmissions were restricted geographically.  In a 2002 ruling setting royalty rates for internet streaming, the Copyright Office ruled that, based on the interplay between sections 112 and 114 of the statute, “the better interpretation of the law is that the exemption does not apply to radio retransmissions made over the Internet.” Moreover, SoundExchange argued that the 150-mile exemption was intended to apply to “cable radio” and similar satellite transmission systems and that Congress did not contemplate that such an exemption would be available to retransmissions via the internet.  In its opposition, the plaintiffs stated that the statutory exemption is unambiguous and should be interpreted without resorting to legislative history, and that the Copyright Office’s interpretation is nonbinding on the court, unpersuasive and drafted during an earlier technological era.

Unfortunately for those interested in the court’s interpretation of the Copyright Act, it looks like, at least in the short term, an answer will not be forthcoming.

Last month, a magistrate judge issued a Report and Recommendation to dismiss the action on jurisdictional grounds for lack of Article III standing.  The judge found that while plaintiffs’ desire to know whether geofencing their simulcasts might protect them from copyright liability was understandable, to reach the merits of that question, the court would be issuing an impermissible advisory opinion.  In finding that the plaintiffs’ declaratory action failed to raise a justiciable controversy, the judge found that the issue of copyright liability is not “traceable” to SoundExchange’s role as an organization collecting and distributing royalties because SoundExchange does not own or enforce copyrights or have the authority to bring an action to compel a broadcaster to obtain a statutory license.  As the judge stated: “Any dispute that may arise in that scenario is between the copyright owner and the broadcaster.  Thus, the copyright owners themselves, who are ‘not party to this litigation, must act’ (or not act, as the case may be) in order for this particular injury to be cured.”

It remains to be seen whether the district court will adopt the magistrate’s report and dismiss the lawsuit on procedural grounds (note: the plaintiffs have filed an objection to the magistrate’s report).  In the event the court ultimately dismisses the action, it will be interesting to see whether VerStandig would continue to pursue its plan and make a sizeable investment in geofencing technology without the safety net of a judicial ruling affirming the legality of it under the Copyright Act.

Website Marketing Statements: The Achilles’Heel to CDA Protection?

Posted in Online Commerce, Online Content

It’s no secret that local directory/consumer review websites are popular among consumers looking for recommendations before dining out, hiring a contractor, or even picking a dentist or day spa. Yelp reported around 138 million monthly unique visitors in the second quarter of 2014, searching among over 61 million local reviews.  The bottom line is that solid reviews and multiple stars on local search sites can drive sales; on the other hand, and to the chagrin of business owners, low ratings and a spate of one-star rants displayed prominently at the top of a listing can drive customers away.

Review sites typically have to wrestle with the problem of unreliable or fictitious reviews, which are blurbs written by friends or employees of the listed business, paid reviews, and negative reviews written by business competitors.  Some sites use filtering software to identify and remove unreliable reviews – of course, such software is not perfect, and businesses have complained that some sites have filtered out legitimate reviews, but left in other fake reviews to the detriment of the reviewed businesses.

A number of businesses have brought suit against consumer review sites claiming that they purposely remove positive reviews (but leave up defamatory complaints), arbitrarily reorder the appearance of reviews, or otherwise wrongfully tinker with the algorithms that are supposed to weed out “fake” reviews presumably to encourage or “extort” businesses to purchase advertising or pay for additional features.

Most suits that have sought to hold sites responsible for defamatory content created by third-party users have been rejected by courts based upon CDA Section 230, which immunizes “interactive computer services” – such as a consumer review websites – where liability hinges on content independently created or developed by third-party users.

To get around the broad immunity, some businesses have urged courts to interpret an intent-based exception into Section 230, whereby the same conduct that would otherwise be immune under the statute (e.g., editorial decisions such as whether to publish or de-publish a particular review) would be actionable when motivated by an improper reason, such as to pressure businesses to advertise.  However, several courts have rejected this theory.

  • Reit v. Yelp!, Inc., 29 Misc 3d 713 (N.Y. Sup. Ct.  2010) (Yelp’s selection of the posts it maintains on its site can be considered the selection of material for publication, an action “quintessentially related to a publisher’s role,” and therefore protected by CDA immunity)
  • Levitt v. Yelp! Inc., 2011 WL 5079526 (N.D. Cal. Oct. 26, 2011) (our prior post on the Levitt opinion) (CDA Section 230 contains no explicit exception for impermissible editorial motive, particularly since traditional editorial functions often include subjective judgments that would be “problematic” to uncover, thereby creating a chilling effect on online speech that Congress sought to avoid).  Note, on appeal, the Ninth Circuit affirmed the district court’s dismissal of the plaintiffs’ claims – though not on the basis of CDA Section 230 – alleging Yelp extorted advertising payments from them by purpotedly manipulating user reviews.
  • Kimzey v. Yelp Inc., 2014 WL 1805551 (W.D. Wash. May 7, 2014) (mere fact that an interactive computer service “classifies” user characteristics and displays a “star rating system” that aggregates consumer reviews does not transform it into a developer of the underlying user-generated information)

However, in recent disputes, businesses have sought an end run around CDA Section 230, specifically by bringing claims that do not treat the websites as publishers or speakers of the defamatory or fictitious user reviews, but instead relate to the website’s marketing representations about such content.  At least two courts have allowed such claims to go forward, bypassing CDA immunity.

In one such case, Moving and Storage, Inc. v. Panayotov, 2014 WL 949830 (D. Mass. Mar. 12, 2014), the plaintiffs alleged that a moving company review website (that itself was operated by a moving company) intentionally deleted positive reviews of the plaintiffs’ companies and deleted negative reviews that criticized its own company to gain market share, all the while representing that the site offered “the most accurate and up to date rating information.”  The court concluded that CDA Section 230 did not bar plaintiffs’ false advertising and unfair competition claims because they were not based on information provided by “another information content provider,” and did not arise from the content of the reviews.

Most recently, a California appellate court reversed a lower court’s dismissal of an action against Yelp over alleged false advertising regarding its automated review filter.  In Demetriades v. Yelp, Inc., 2014 WL 3661491 (Cal. App. July 24, 2014), the plaintiff brought state law claims for unfair competition and false advertising alleging that Yelp engaged in false advertising based upon marketing statements stating that user reviews passed through a filter that gave consumers “the most trusted reviews” and only “suppresse[d] a small portion of reviews.”

The plaintiff alleged that Yelp’s statements about its filtering practices were misleading because its filter suppressed a substantial portion of reviews that were trustworthy and favored posts of the “most entertaining” reviews, regardless of the source.  The lower court had previously granted Yelp’s motion to strike the plaintiff’s complaint under California’s anti-SLAPP provisions, which aim to curb “lawsuits brought primarily to chill the valid exercise of the constitutional rights of freedom of speech and petition for the redress of grievances.”  Cal. Code Civ. Pro. §425.16 (a).  The appellate court reversed, holding that false advertising-like claims involving commercial speech fell outside the reach of the anti-SLAPP statute and that Yelp’s representations about its filtering software—as opposed to the content of the reviews themselves—were “commercial speech about the quality of its product.”

Regarding the application of CDA Section 230, the court rejected Yelp’s argument that plaintiff’s claims should be dismissed because courts have widely held that claims based on a website’s editorial decisions (publication, or failure to publish, certain third-party conduct) are barred by Section 230.  In a brief paragraph, the appellate court stated that the CDA was inapplicable because the plaintiff was not seeking to hold Yelp liable for the statements of third-party reviewers, but rather for its own statements regarding the accuracy of its automated review filter.

Companies, frustrated with their portrayal on online review sites, have mostly struck out when seeking to hold website operators liable for managing and displaying user-generated reviews.  However, this past year, some courts have offered companies another potential avenue at obtaining relief.  While the courts merely allowed the claims related to marketing representations to survive dismissal at the early stages of litigation, it is uncertain how either court will rule on the merits.

With this in mind, sites that collect and manage user-generated content, or otherwise use automated filtering software to manage content, should examine marketing statements on their websites for any language that goes beyond mere puffery and might be construed as misleading.

Browsewrap Agreement Held Unenforceable Against Consumer Due to Insufficient Notice

Posted in Contracts, Online Commerce

Many commercial websites rely on “browsewrap” agreements to bind visitors to commercial terms. A recent decision by the Ninth Circuit suggests that a review of how those terms are presented may be in order to ensure enforceability.

A browsewrap agreement is a set of terms which is accessible via a hyperlink located on the pages of a website.  The user does not have to view those terms and does not have to click on a button to agree to the terms expressly, and instead presumably gives his or her assent simply by using the website.

Courts have generally evaluated the validity of browsewrap agreements based on whether the user had actual or constructive knowledge of a website’s terms and conditions and whether the user manifested assent to those terms.

In a significant decision, the Ninth Circuit found that the presentation of a browsewrap agreement on a popular consumer e-commerce site provided insufficient notice of that site’s terms of use, and therefore were not enforceable against a user of the site.  See Nguyen v. Barnes & Noble Inc., 2014 WL 4056549 (9th Cir. Aug. 18, 2014).

In the Nguyen case, the plaintiff attempted to purchase a discontinued tablet computer that was offered at a steep discount on the Barnes & Noble (“B&N”) website, but, after completing the transaction, B&N cancelled the order due to unexpectedly high demand.  The plaintiff, on behalf of a putative class, brought deceptive practices and false advertising claims under state law, alleging that he suffered damages because he could not obtain the tablet at the discounted price and was forced to purchase a similar product at a higher price.

B&N moved to compel arbitration, arguing that plaintiff was bound by the arbitration agreement in the website’s terms of use, which were available via a conspicuous hyperlink on every page of the B&N website and stated, in part, that: “By visiting any area on the Barnes & Noble.com Site, creating an account, making a purchase via the Barnes & Noble.com Site . . . a User is deemed to have accepted the Terms of Use.”  The retailer contended that the placement of the “Terms of Use” hyperlink on its website put the plaintiff on constructive notice of the arbitration agreement and that such notice, combined with the plaintiff’s subsequent use of the website, was enough to bind him to the browsewrap agreement.  [It should be noted that no link to the terms of use, nor reference to them, was presented to the consumer as part of the online transaction].

The lower court disagreed, finding that B&N failed to provide reasonable notice of its terms of use and that the plaintiff did not affirmatively assent to the arbitration clause contained within the terms. Nguyen v. Barnes & Noble, Inc., 2012 WL 3711081 (C.D. Cal. Aug. 28, 2012). The Ninth Circuit affirmed.

The appeals court stated that, particularly in the case of individual consumers, whether a user has inquiry notice of a browsewrap agreement depends on the design and content of the website and the agreement’s webpage, noting that where the link to a website’s terms of use is buried at the bottom of the page or tucked away in obscure corners of the website, courts have refused to enforce such an agreement.  “On the other hand”, the court noted, “where the website contains an explicit textual notice that continued use will act as a manifestation of the user’s intent to be bound, courts have been more amenable to enforcing browsewrap agreements.”

It seems that B&N made it halfway to the finish line of enforceability, but no more.  The court noted:

[I]n keeping with courts’ traditional reluctance to enforce browsewrap agreements against individual consumers, we therefore hold that where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on—without more – is insufficient to give rise to constructive notice.

While the link to its terms were placed on the bottom-left corner of every page in somewhat close proximity to the buttons a user must click on to complete an online purchase, and were positioned on the same screen so a user would not have to scroll down to click the link, it still wasn’t enough for the Ninth Circuit to find an enforceable agreement.

Many website publishers rely on the enforceability of browsewrap agreements. The Nguyen decision suggests that a review be taken to ensure that the presentation of those agreements comport with the Ninth Circuit’s view on web design.

Proposed “Bitlicense” Regulations Published to the New York Register

Posted in Digital Currency, Regulatory, Technology

Today’s New York State Register includes a Notice of Proposed Rule Making from the New York State Department of Financial Services (the “NYSDFS”) regarding the regulation of virtual currency (“Regulation of the Conduct of Virtual Currency Businesses,” No. DFS-29-14-00015-P).  The proposed rule calls for the creation of the “bitlicense” which the NYSDFS has hinted at in the past.   New York is the first state to actually propose such a licensing requirement for virtual currency businesses.

The Notice, which refers to the full text of the proposed rule made available by NYSDFS a few days earlier, marks the beginning of a 45-day window for public comment on the proposed rule.

The proposed rule appears to be drafted to carefully exclude merchants and bitcoin miners from the scope of the licensing requirement, but includes exchanges, digital wallet services, merchant service providers and others in the virtual currency ecosystem.  It imposes many of the same types of requirements that we already have in the area of money transmission and clearing house services, including capital requirements, anti-money laundering safeguards, and “know your customer” type issues. It also includes requirements with respect to business continuity and cyber security issues.

All entities involved in or planning on being involved in virtual currency-related businesses should study this proposed rule carefully. There is still an opportunity to voice concerns and have the final rule reflect any issues that the NYSDFS views as important.  It is likely that whatever is enacted in New York will be used as a model in other states that wish to enact a similar virtual currency licensing structure.