Welcome to Our New Associate, Collin Atkins!

We’re excited to announce that Collin Atkins, a graduate of the Marshall-Wythe School of Law at the College of William and Mary, has joined our team as part of our expanding business law practice. Collin has spent the last several years working as in-house counsel, giving him an insider’s perspective into the needs of businesses and the legal pitfalls they face. Collin has drafted and negotiated a wide variety of commercial contracts and has advised businesses on issues ranging from formation, to employment issues and sales tax concerns.  With experience serving businesses at all stages of growth, Collin brings additional business expertise to our growing practice.  We are also pleased to offer our clients competitive business law rates for Collin where intellectual property specialization is not needed.

Collin Atkins

Secrets to a Successful Privacy Policy

Privacy policies may seem like a snooze, but they can actually be a key tool in protecting your business and communicating with customers.  A privacy policy explains your entity’s views and procedures regarding privacy and provides information about how you will use a website user’s personal information and/or data.  It also details the steps you take to maintain user information securely.

Privacy policies must:

  • Be specifically tailored to your industry, business, and circumstances
  • Have clear and accessible explanations understandable to the average consumer
  • Provide enough information that users have informed consent
  • Be strictly adhered to once published
  • Be updated to reflect any changes

A recent case underlines the importance of a well-crafted privacy policy.  In Carlsen v. GameStop, Inc., the plaintiff brought a lawsuit against GameStop regarding the video game retailer’s information sharing practices.[1]  The appeals court dismissed the plaintiff’s claims and proposed class action because of GameStop’s privacy policy.

The plaintiff subscribed to GameStop’s monthly publication Game Informer magazine, including both print and online versions.  GameStop provides a feature that allows subscribers to log in to the magazine content through their personal Facebook accounts.  The plaintiff filed suit because once he logged in to the magazine through Facebook, his Personal Facebook ID and Game Informer browsing history were transmitted to Facebook.

In order to access the online content of Game Informer, a subscriber must agree to the site’s terms and conditions, which includes GameStop’s privacy policy.  GameStop’s policy stated that “Game Informer does not share personal information with anyone.”

The court held that the transmission of Game Informer subscribers’ Facebook IDs and browsing history did not constitute “personal information” under GameStop’s privacy policy because these items were not included in the explicit list in the privacy policy detailing “personal information” and because the information at issue was not specifically solicited by Game Informer or voluntarily submitted in response to such a solicitation, as specified in the privacy policy.  Because the Facebook IDs and browsing history were not included in the privacy policy as protected personal information, GameStop did not act wrongly in sharing that information, and thus there was no breach of contract.  GamerStop’s clear and well-written policy was key in extricating GameStop from this lawsuit.

Privacy policies have become a common business practice for many websites.  These days, website users are keenly aware of privacy concerns and protective of their personal information.  The prevailing view is that a credible website will operate with at least minimal privacy standards in place.  Privacy policies are especially necessary when you are engaged in e-commerce or data collection.  If your prospective and current clients are likely to have concerns about privacy, then they will expect you to have a policy that details the various protections and procedures that you have in place.

Every website will have different elements to cover, and some websites will need more comprehensive policies than others. This is likely dependent on what kind of user information is collected and how much/to what extent it will be shared with third parties.

Regulated industries, like banking, medical, and others, are required by law to maintain a privacy policy that applies both on and off the internet.  Entities in these industries should address all issues covered under industry regulations in an online privacy policy as well.

We advise against copying a policy from another business, even if that business is similar to yours.  A poorly written or inapplicable policy taken from another website can expose you to liability.  You want to make sure that your privacy policy specifically covers the individual needs of your business.

Often websites will have full terms and conditions with a separate privacy policy integrated into the terms.  A privacy policy needs to be easy to understand even though it is a legal document.  Your policy should be also clearly and prominently displayed on your site and accessible from key pages like the homepage and shopping cart, if not every page.

You want to make sure that as your business or technology evolves (say you launch a related app or pair with a social media platform), your privacy policy is updated to address the same.  Anytime a change to your policy is made, you should provide clear notice to users and in some cases obtain consent from users for material changes.

Privacy policies typically include sections that address:

  • user information that is collected
  • method of collection
  • how that information is shared and/or stored

A policy should address not only the required personal information that a user enters into the website but also any data logged automatically by your website, application, servers, etc.  A privacy policy should also address any use of cookies.

Once you have a policy in place, it is essential that you abide it and make sure that your practices actually match the statements in your policy. Your policy creates a contract with your users. If your policy and practices do not align, you open yourself up to liability, both from lawsuits by users and actions by regulators like the FTC, who scrutinize unfair or deceptive trade practices.

If your website is directed toward children under the age of 13, additional requirements apply to your website under the Children’s Online Privacy Protection Act and should be detailed in your privacy policy.

As demonstrated by the GameStop case, a clear privacy policy drafted to meet your needs and circumstances can not only provide your users with a transparent explanation of your privacy practices, but also protect your entity from liability. — Rina Van Orden

[1] 833 F.3d 903 (8th Cir. 2016).

The Digital Millennium Copyright Act: The Copyright Office Examines Whether it Needs Revamping

As most internet users of today know, music, videos, poems, photographs, and various other creative works are often posted on social media and other sites without the permission of the work’s creator.  These postings violate the creator’s exclusive right to distribute his or her own work, one of the central rights protected by copyright law and based on the Constitution.[1]  To address concerns of increasing copyright infringement online, Congress enacted the Digital Millennium Copyright Act (the “DMCA”) in 1998.  The DMCA allows copyright owners to submit takedown notices to internet service providers (who provide the platforms for postings, think YouTube, SoundCloud, Twitter, etc., abbreviated in this article to “ISPs”), demanding that access to an infringed work be blocked or the work removed.  In exchange for compliance with the DMCA and the swift removal of infringing materials, ISPs are exempted from liability for copyright infringement.

Although the DMCA may have provided a sufficient[2] remedy for copyright holders in 1998, copyright owners in recent years have complained that the increase in infringing posts resulting from the proliferation of user-upload sites such as eBay, SoundCloud, Vimeo, and others makes the takedown process onerous.  For example, since 2012 the music recording industry has sent takedown notices for over 17 million infringements.[3]  Google receives on average over 75 million URL takedown requests per month, and must use computer programs to sift through them all.[4] In response to the uproar from copyright holders, Congress has requested the Copyright Office conduct a study to determine the effectiveness of the DMCA.[5]  The study is currently ongoing, with the Copyright Office receiving more than 92,000 submissions in its first round of comments.[6]

In reviewing comments submitted during the first round, battle lines have clearly been drawn between the creators of works and ISPs.  In support of its position that the DMCA sufficiently protects the various parties’ interests, in its comment Amazon focused on the economic growth driven by the DMCA’s safe harbor provision, noting that, because of the safe harbor, ISPs have not been required to conduct the “difficult” task of policing posted content, a policy that has been “crucial to the growth of the Internet.”[7]  Amazon further asserted that the DMCA strikes “the right balance” between providing rights holders with the ability to remove infringing content while allowing ISPs the ability to “innovate and host ever-increasing amounts and types of content without fear of massive liability based on the activities of their users.”[8]  Other ISPs argue that, in fact, the takedown system is being abused, with a “guilty until proven innocent” approach often leading to misuse and overreach.[9]  One Google-backed study, conducted by the Berkeley School of Law, found that almost 30 percent of takedown requests received in a six month period had validity issues.[10]

Creators of copyrighted works, however, assert that the take down provisions are not an adequate deterrent to infringement, [11] particularly when a majority of takedown notices are for infringing uses previously the target of a notice.[12]  To counteract the cycle of takedown-repost-takedown, many creators are arguing for a “takedown, stay down” provision, which would allow copyright holders to submit a takedown notice for a work once with the expectation that the work never appear again on the same platform.[13]  Indeed, in support of its position that the DMCA needs strengthening, the Artists Rights Society argues that the current takedown provisions, contrary to Congressional intent, favor ISPs, who profit from infringing posts through listing fees, advertising, and/or increased traffic.[14]  To restore balance, the Artists Rights Society recommends that online service providers be required to pay a percentage of the quantifiable revenues received from an infringing third-party user to the copyright owner.[15]  The Artists Rights Society does not elaborate on how these fees would be collected and dispersed.

Taking a slightly different course from both their fellow creators and the ISPs, the American Photographic Artists (“APA”) propose turning the tables on the oft-anonymous infringers who are benefitting from, according to the APA, a “de facto immunity” under the DMCA.  This de facto immunity is the product of the high cost of pursing a copyright infringement claim and the potentially low damages return (particularly for unregistered works),[16] making the pursuit of infringers essentially pointless.  Although it does not appear from its comment that the APA is advocating for one particular measure to shift the risk of infringement, one possibility the APA discusses is requiring an infringer to reimburse the copyright holder’s costs spent on a takedown.[17]

As the Copyright Office weighs these competing interests, it will also need to keep in mind how evolving technology may continue to impact takedown proceedings.  We will keep you updated on developments as the Copyright Office prepares its report. — Stephanie Martinez


[1] 17 U.S.C. § 106; U.S. Const. art. I § 8 cl. 8.

[2] Many would argue the DMCA never worked well and was instead poorly thought out and poorly executed.  See Chris Mills, These Three Dumb Examples Prove that Copyright Is Broken, BGR (May 24, 2016), http://bgr.com/2016/05/24/dmca-abuse-copyright-issues/.

[3] Randolph J. May & Seth L. Cooper, Copyright ‘Notice and Takedown’ System Needs Fixing (May 9, 2016) http://thehill.com/blogs/pundits-blog/technology/279179-copyright-notice-and-takedown-system-needs-fixing.

[4] Google, Transparency Report, https://www.google.com/transparencyreport/removals/copyright/.  Requests sent to Google are to remove links from Google’s search results due to infringing content on the website, not to remove the allegedly infringing content from the site itself.

[5] See United States Copyright Office, Section 512 Study, http://www.copyright.gov/policy/section512/.

[6] See United States Copryight Office, Requests for Public Comments: Digital Millennium Copyright Act Safe Harbor Provisions, https://www.regulations.gov/#!docketBrowser;rpp=25;so=ASC;sb=title;po=0;dct=PS;D=COLC-2015-0013;refD=COLC-2015-0013-0002.

[7] Amazon.com, Inc., Section 512 Study: Notice Docket No. USCO-2015-7 and Request for Public Comment, p. 3.

[8] Id.

[9] Caroline Craig, DMCA ‘Reform’ Harbors Return of SOPA, InfoWorld (May 20, 2016), http://www.infoworld.com/article/3072456/internet/dmca-reform-bill-harbors-return-of-sopa.html.

[10] Id.; Jennifer M. Urban, Joe Karaganis, & Brianna L. Shofield, Notice and Takedown In Everyday Practice, 11 (2016), available at http://poseidon01.ssrn.com/delivery.php?ID=847004104083015079003097000087118126055092036006058054127082102102096125010084120011039049035031006028001088081018024096080127018007025078012087102086098102098094112018040048025114126122121121117028006069023030065090123077101074065106086070087025106064&EXT=pdf.

[11] See American Photographic Artists, Inc., Initial Response to Notice of Inquiry 78 F.R. 13094 (Docket No 2015-7) Section 512 Study: Notice and Request For Public Comment, p. 2.

[12] In fact, the Federation of the Phonographic Industry has reported that 94% of its takedown notices are for “recordings uploaded repeatedly” to sites already notified of the infringing posting.  Randolph J. May & Seth L. Cooper, Copyright ‘Notice and Takedown’ System Needs Fixing, The Hill (May 9, 2016), http://thehill.com/blogs/pundits-blog/technology/279179-copyright-notice-and-takedown-system-needs-fixing.

[13] TorrentFreak, Ten Websites Hit With 70M DMCA Complaints In A Year, TorrentFreak (May 29, 2016), https://torrentfreak.com/ten-websites-hit-with-70m-dmca-complaints-in-a-year-160529/.

[14] See Artists Rights Society, Comments of Artists Rights Society, p. 2.

[15] Id.

[16] See American Photographic Artists, Inc., Initial Response to Notice of Inquiry 78 F.R. 13094 (Docket No 2015-7) Section 512 Study: Notice and Request For Public Comment, p. 3.

[17] Id.