Gavin Law Offices Recognized in Legal Elite 2017

Gavin Law Offices is pleased to announce, Pamela Gavin has been recognized for the eighth time in the Virginia Business Magazine among Virginia’s Legal Elite for 2017. Each year, the honor of Virginia Legal Elite recognizes the top Virginia lawyers as voted by their peers and in cooperation with the Virginia Bar Association.

This is truly an honor!

Consumer Review Fairness Act

The Consumer Review Fairness Act (the “Act”) became effective in March 2017 and has significant implications for most companies offering consumer products or services, especially for those with interactive websites.  The Act limits what companies can include in their standard contracts, including the terms and conditions of some websites.  Beginning on December 14, 2017, the Federal Trade Commission (the “FTC”) and state attorneys general will treat the use of contracts violating the Act as an unfair and deceptive trade practice, making it subject to potential financial penalties or other enforcement.

What Does the Act Do?

The definitions included in the Act are fairly technical, but in short, the Act protects consumer reviews of products and services when a purchase is made under a non-negotiated form contract.  To accomplish this, the Act prohibits the use of “form contracts” lacking meaningful negotiation and containing terms that (i) prohibit or restrict reviews of the seller’s products/services, (ii) impose a penalty or fee for such reviews, or (iii) transfer certain intellectual property rights in reviews. The Act also voids the provisions of any “form contracts” that do any of the foregoing.  However, the contracts can still prohibit the posting of certain content, such as trade secrets, confidential information, certain personal information, offensive language, and computer viruses, to name a few.

What Does the Act Apply to?

The Act applies to all “form contracts” used in the course of a sale to consumers that cannot reasonably be negotiated.  The Act never defines “goods and services,” so the Act has no real limitation on what type of seller it applies to.  It would seem to include websites that provide an interactive service for which they charge a fee as well as traditional sellers and service providers.  The Act also neglects to specify exactly what situations fall within the Act’s reach. It could include only contracts for sale, or it could also include terms of use for a website that advertises products or services.  While this is unclear from the Act itself, it would be safer to assume maximum applicability until we see how the Act is actually enforced.

Does the Act Prohibit Deletion of Social Media Posts or Other Reviews?

The Act never actually states that it is unlawful to remove reviews, but rather that it is unlawful to have “form contracts” restricting reviews in the manner described.  However, the FTC states on its website that the Act applies to social media (at  The terms described in the Act do clearly seem to include posts on social media accounts.  Still, because there is no blanket restriction in the Act from removing reviews, the Act seems only to prevent companies from including terms in their “form contracts” that limit social media posts (or any other reviews described in the Act).  None of this seems to limit a company’s ability to actually delete social media posts, so long as none of the company’s “form contracts” restrict or prohibit covered communications.  However, it should be noted that the FTC may attempt to enforce this Act broadly, and courts have not yet had significant opportunity to interpret its reach.

Important Notes:

  • The Act covers any oral, written, or pictorial review, whether electronic or not. This includes more than just online reviews, although online reviews are likely to be the main area the Act will be applied.
  • The limitation against “prohibiting or restricting” reviews could apply broadly. Terms of use reserving a broad ability to remove or censor posts could violate the act, even if they do not specifically impose a penalty or restriction.
  • “Form contracts” can still transfer some intellectual property rights in reviews, so long as they meet the requirements of the Act.
  • The Act does not limit a business from bringing claims of defamation, libel, or slander over a review.

How Do I Comply with the Act?

  • Website terms of use and policies for sites that allow any type of reviews or customer comments should be reviewed and revised for compliance with the Act, even if the website does not have an e-commerce component.
  • All contracts with consumers that are (for all practical purposes) non-negotiable should be reviewed and revised for compliance with the Act. This includes most electronic contracts, such as e-commerce contracts, and paper contracts that are standard forms, such as pre-printed contracts used in over-the-counter sales or rentals.
  • Although it seems unclear at this point whether deleting negative social media posts could bring on an FTC enforcement action, the best practice would be to not delete any negative posts or reviews made by customers unless they are clearly false, misleading, or meet one of the other specifically permissible reasons. Although the Act does not specifically prohibit this, the FTC may view it as within the scope of the Act and may pursue such activity.  Even if you are ultimately successful in defending a challenge, that could be a costly and embarrassing fight.
  • To ensure best practices, you may consider developing an internal policy that meets these standards.

Contact us for more information on the Act or to get specific advice on how to comply. — Collin Atkins

New Online Registration Requirements for Designated Agents Under the Digital Millennium Copyright Act

The U.S. Copyright Office has developed a new electronic system for registering your designated agent under the Digital Millennium Copyright Act (“DMCA”).  As of December 2016, the U.S. Copyright Office has begun transitioning to an online registration system which allows online service providers to register a designated DMCA agent in a centralized public directory.  Any new registrations must be completed through this online system.  Most importantly, even if a service provider has previously registered its designated DMCA agent with the Copyright Office through the previous paper filing system, the service provider must re-register through the Copyright Office’s new online system before December 31, 2017.

Registering and maintaining a designated agent with the Copyright Office for copyright infringement takedown requests is necessary to obtain safe harbor protection under the DMCA.  Safe harbor protection can help shelter online service providers from potential copyright liability for any third party content posted on or transmitted via their websites.  In order to qualify for safe harbor protection under the DMCA, any online service provider that has a website or application which allows users to post, share, transmit, or comment on content must designate a Copyright agent.  To designate an agent, an online service provider must not only provide the contact information for the agent to the Copyright Office as part of its online public directory, but also make the contact information for the agent available to the public on the online service provider’s website so that users can notify the service provider of allegedly infringing material.

On the Copyright Office’s online registration system, online service providers must create an account and provide all necessary information regarding the service provider itself, the designated agent, and the associated websites.  Registration costs $6 per online service provider submission.

While the registration forms seem relatively simple, they raise additional issues that need to be considered carefully.  For example, related companies that are separate legal entities (parents, subsidiaries, etc.) and own related but separate websites must register separately.  An online service provider must also provide all alternate names under which the service provider is doing business, such as any of its associated website names and/or domains, software application names, or any other commonly used name that the public would be likely to use to search for the service provider’s designated agent.  In many cases a website owner can submit multiple websites/alternate names in one submission, but it depends on the specific circumstances.  The DMCA must be strictly complied with in order to receive full safe harbor protection, so it is essential that the registration forms are properly and fully completed.

Once the DMCA agent has been designated through the Copyright Office’s online system, online service providers must ensure that all of the registered information remains up to date.  Any failure to maintain accuracy in this information could result in losing the protection of the DMCA safe harbor provisions.  For example, if an online service provider’s designated agent changes, the service provider must make sure that the agent registration information is updated not only with the Copyright Office, but also in all places on the service provider’s website where the designated agent is identified.

Online service providers can amend their registrations at any time for an additional $6 per submission.  Additionally, the Copyright Offices requires online service providers to renew their agent designation at least every 3 years.  To do this, service providers must resubmit their registration before it expires, either with the same information if still accurate or with any updated information.  Renewals are also $6 per submission.  Any amendment filed will begin a new 3-year period before a renewal is due.

All online service providers should carefully review their current DMCA policies and materials and determine whether they may need assistance with drafting online DMCA policies for consumers, establishing and maintaining a designated agent with the Copyright Office, and/or drafting internal policies and procedures on reviewing and addressing DMCA takedown notices.  Online service providers do not want to miss out on compliance with the DMCA’s safe harbor provisions and potentially face copyright infringement liability for user content.  — Rina Van Orden

Secrets to a Successful Privacy Policy

Privacy policies may seem like a snooze, but they can actually be a key tool in protecting your business and communicating with customers.  A privacy policy explains your entity’s views and procedures regarding privacy and provides information about how you will use a website user’s personal information and/or data.  It also details the steps you take to maintain user information securely.

Privacy policies must:

  • Be specifically tailored to your industry, business, and circumstances
  • Have clear and accessible explanations understandable to the average consumer
  • Provide enough information that users have informed consent
  • Be strictly adhered to once published
  • Be updated to reflect any changes

A recent case underlines the importance of a well-crafted privacy policy.  In Carlsen v. GameStop, Inc., the plaintiff brought a lawsuit against GameStop regarding the video game retailer’s information sharing practices.[1]  The appeals court dismissed the plaintiff’s claims and proposed class action because of GameStop’s privacy policy.

The plaintiff subscribed to GameStop’s monthly publication Game Informer magazine, including both print and online versions.  GameStop provides a feature that allows subscribers to log in to the magazine content through their personal Facebook accounts.  The plaintiff filed suit because once he logged in to the magazine through Facebook, his Personal Facebook ID and Game Informer browsing history were transmitted to Facebook.

In order to access the online content of Game Informer, a subscriber must agree to the site’s terms and conditions, which includes GameStop’s privacy policy.  GameStop’s policy stated that “Game Informer does not share personal information with anyone.”

The court held that the transmission of Game Informer subscribers’ Facebook IDs and browsing history did not constitute “personal information” under GameStop’s privacy policy because these items were not included in the explicit list in the privacy policy detailing “personal information” and because the information at issue was not specifically solicited by Game Informer or voluntarily submitted in response to such a solicitation, as specified in the privacy policy.  Because the Facebook IDs and browsing history were not included in the privacy policy as protected personal information, GameStop did not act wrongly in sharing that information, and thus there was no breach of contract.  GamerStop’s clear and well-written policy was key in extricating GameStop from this lawsuit.

Privacy policies have become a common business practice for many websites.  These days, website users are keenly aware of privacy concerns and protective of their personal information.  The prevailing view is that a credible website will operate with at least minimal privacy standards in place.  Privacy policies are especially necessary when you are engaged in e-commerce or data collection.  If your prospective and current clients are likely to have concerns about privacy, then they will expect you to have a policy that details the various protections and procedures that you have in place.

Every website will have different elements to cover, and some websites will need more comprehensive policies than others. This is likely dependent on what kind of user information is collected and how much/to what extent it will be shared with third parties.

Regulated industries, like banking, medical, and others, are required by law to maintain a privacy policy that applies both on and off the internet.  Entities in these industries should address all issues covered under industry regulations in an online privacy policy as well.

We advise against copying a policy from another business, even if that business is similar to yours.  A poorly written or inapplicable policy taken from another website can expose you to liability.  You want to make sure that your privacy policy specifically covers the individual needs of your business.

Often websites will have full terms and conditions with a separate privacy policy integrated into the terms.  A privacy policy needs to be easy to understand even though it is a legal document.  Your policy should be also clearly and prominently displayed on your site and accessible from key pages like the homepage and shopping cart, if not every page.

You want to make sure that as your business or technology evolves (say you launch a related app or pair with a social media platform), your privacy policy is updated to address the same.  Anytime a change to your policy is made, you should provide clear notice to users and in some cases obtain consent from users for material changes.

Privacy policies typically include sections that address:

  • user information that is collected
  • method of collection
  • how that information is shared and/or stored

A policy should address not only the required personal information that a user enters into the website but also any data logged automatically by your website, application, servers, etc.  A privacy policy should also address any use of cookies.

Once you have a policy in place, it is essential that you abide it and make sure that your practices actually match the statements in your policy. Your policy creates a contract with your users. If your policy and practices do not align, you open yourself up to liability, both from lawsuits by users and actions by regulators like the FTC, who scrutinize unfair or deceptive trade practices.

If your website is directed toward children under the age of 13, additional requirements apply to your website under the Children’s Online Privacy Protection Act and should be detailed in your privacy policy.

As demonstrated by the GameStop case, a clear privacy policy drafted to meet your needs and circumstances can not only provide your users with a transparent explanation of your privacy practices, but also protect your entity from liability. — Rina Van Orden

[1] 833 F.3d 903 (8th Cir. 2016).