In a situation where an online forum allows creation of profiles with commenting capabilities, a user may take the initiative to defame an individual personally or professionally.  The user may perform illegal actions using the online forum’s website, and in attempting to retrieve damages he/she has suffered, the defamed individual sues the online forum for providing a platform for defamation.  However, Congress has provided an exception towards interactive computer services through Section 230 of the Communications Decency Act (CDA).  What does Section 230 of the CDA do?  What can you do, as an individual, to recover from defamatory material?

What is Section 230 of the CDA?

It’s a sub-part of a federal statute that essentially dictates that an online forum (e.g., Facebook, Twitter, Tumblr) is not liable as a publisher or speaker of online defamatory comments made by its users.  For example, if a defamatory comment was posted on Facebook, then Facebook would not be liable for the defamation.  Essentially, this would protect a website from anything that its users would publish.  This is not necessarily just towards defamatory content, although, it could be expanded to “any information” provided by an entity or person using the interactive computer service’s platform. There are, however, exceptions to this broad liability, as we’ll discuss in future blogs.  Also, the exact nature of a “publisher” is still unclear.  in general, there is a difference between a publisher, which initially produces the comment, and a distributor, which is not covered, that repeats the comment.

A new economy has been developing for a while, opening a unique market, with new opportunities. This is what’s called the new “sharing” economy with an entrepreneur presenting a way to connect willing participants for an economic transaction.  This has evolved from something like Craigslist, to a more user-friendly and app-based operation.  Namely, this includes businesses like Uber, Lyft, and AirBnB.

Yet now, it has opened a question with Uber via a proposed settlement about whether the service providers are employees or independent contractors.  So, what happens when you begin to question the standards of a business operation?  To what end can you control the product to ensure that there is a strong method to your brand?  How long can a settlement keep service providers from claiming they are employees and not independent contractors?

The Business Model

After establishing the issues of preemption and standing, how can you sue for violations of CAN-SPAM? Is there any way for spam to be combated by an individual?  Yes, there is by suing for fraud or deception, which are not explicitly covered under the CAN-SPAM Act.  So, how do you plead fraud?  And how much do you need to plead?

How to plead fraud to avoid preemption?

In ASIS Internet v. Subscriberbase, which was heard by the Northern District of California, the court examined preemption and the question of fraud in relation to a motion to dismiss that was filed by defendants.  Plaintiff was suing under the California Business & Professional Code Section 17529.5, otherwise known as the False Advertising Law.  In its claim, plaintiff pleaded the following three factors California has in a fraud claim: (a) misrepresentation; (b) knowledge of falsity; and (c) intent to defraud.  However, plaintiff left out reliance and damage in its claims.  In general, the CAN-SPAM Act does not coincide with laws that prohibit falsity or deception, as well as, some other laws that overlap with it, but are extended to subject matter outside of email.  Here, that aspect of CAN-SPAM was specified to state that a claim containing the common law elements of fraud would not be prohibited.  Hence, the court decided that the complaint satisfied fraud allegations, pending the question of if all the factors were required to be alleged in the complaint.

So, now that we know more about preemption in the CAN-SPAM Act, then what more is there to consider?  There is actually quite a lot of other factors, namely standing.  Now that you know how the federal CAN-SPAM Act and state laws may interact, there leaves the question of “standing.”  Standing is essentially a way for individuals to claim that they can sue under the law.  Without standing, a lawsuit cannot occur.  So, can you sue as an individual under the law?  Can you sue as a business?  Who can sue?

Can an individual sue under CAN-SPAM?

In general, individuals likely cannot sue under this federal law.  We can revisit the case of Gordon v. Virtumundo where the plaintiff had setup a business to profit off of violations of anti-spam legislation.  He was a Verizon subscriber for his internet access, and had started his business through GoDaddy.  In the trial, the court revisited the standing provisions of the CAN-SPAM Act and made three determinations.  First, the federal statute was not made to stamp out all spam.  Second, it was not specifically implemented to allow private right of actions.  Third, plaintiff had not suffered adverse effects due to spam.

Spam, for those lucky enough to be unfamiliar about it, are those unsolicited commercial emails that often clutter up inboxes with offers of sales and services that range from the reliable to the questionable.  Due to the issues presented to consumers, Congress, in its wisdom, enacted a law called the CAN-SPAM Act, and began enforcing it in 2004. First, what is the CAN-SPAM Act and what does it prohibit?  Second, as a federal law, does the CAN-SPAM Act override, or preempt those laws a state may already have in place?  How can you tell if that may happen?

What is the CAN-SPAM Act?

The CAN-SPAM Act places prohibitions on transmission of any email that contains false or misleading headers or “from” lines.  For example, a business that is not Facebook, and has nothing to do with Facebook, would be prohibited from sending an email with the subject “Your Facebook account has been compromised” or send an email from www.facebook.com.  In addition, this law places a requirement for three disclosures: (1) clear and conspicuous identification that the message is an advertisement or solicitation; (2) clear and conspicuous notice of the opportunity to decline to receive further commercial email messages from the sender; and (3) a valid physical postal address of the sender.  This is done, in part, due to the interest of the legislation in helping consumers under the principle that they should not be misled and should have a right to say no to unsolicited commercial emails.

As the implementation of the European Union Privacy Shield comes closer, other elements of the shield come into influence and place restrictions on businesses that transfer data between the United States and Europe.  Further adding onto this, is the General Data Protection Regulation.  This can be a major issue in cases where data transfers may occur, but more specifically, it impacts the cloud computing sphere, and services like Dropbox and Google Docs.  So, how do these services work?  What would the General Data Protection Regulation do?  How can they be used with the Privacy Shield in effect?

How do these services work?

Now, these systems work by allocating computing resources to another location.  Usually, this is done through the internet, by transferring data towards other electronic devices or servers.  Effectively, it allows for individuals or businesses to take advantage of greater resources of other entities, like those of Dropbox or Google, by granting use of their services for a fee.  On the flip side, these services could be compromised by hackers, and cause the loss of personal or confidential information.  We have discussed some of the risks associated with cloud computing before and would ultimately encourage our readers to carefully evaluate the risks of submitting any information to the Cloud.

In recent years, states have continued to collect tax from e-commerce transactions.  Louisiana has recently joined in on the trend and allowed the state to tax businesses without a physical presence there.  This is a trend that we have discussed in the past and we encourage our readers to catch up on previous posts about online taxes in California and the evolving trends.  However, Louisiana’s new regulations has shutdown Amazon’s affiliate program in the state.  So, what is the history of this bill?  Also, aside from retailers like Amazon, who would this legislation impact?

What is the bill’s history?

The bill fundamentally has its basis in something we’ve covered before where we discussed Quill Corporation v. North Dakota.  This case effectively ruled that without a sufficient connection, i.e., nexus, to the state, that state cannot tax it.  This has been interpreted that to tax the entity, the entity usually must have a physical presence in that state.  This would mean “brick-and-mortar” retailers would be taxable, while an entity like Amazon, which may not have any warehouses or physical presence in the state, would be “immune” to taxation.  In response, some states have taken action in legislating a “lowering” of the nexus standard.  For example, Act No. 22, also under HB-30, in the State of Louisiana was authored by Representatives Leger, Carpenter, and White, and enacted into law by the Governor on March 15, 2016.

This one isn’t an April Fools’ prank.  On April 1, 2016, the Federal Communications Commission (“FCC”) announced its proposed rulemaking to create regulation that would bind Broadband Internet Access Service (“BIAS”) providers in the interest of enhancing privacy towards consumers.  This proposal has raised objections from AT&T, Comcast, USTelecom, and the Application Developer’s Alliance, claiming that the ensuing regulations would create a morass of regulation in the privacy sphere.  Yet, the FCC’s regulations are to prohibit the monetization of the information that these providers would have due to the use of their services.  So, what is a BIAS and how could these rules possibly protect privacy?

What is a BIAS provider?

The BIAS providers provide internet service through wire or radio.  The FCC even expands this to any functional equivalents to BIAS providers. Of some note is which entities are not BIAS entities.  For example, companies like Facebook, Apple, and to some extent, Google, would not be bound by the terms here and could use the information that is collected through their services.  This is because none of them actually provide the internet service that their consumers use.  There is some room for Google to be prohibited as it provides internet service in some locations through Google Fiber, but the regulations would only prohibit the information that was gained through the use of its internet services, but not services that it provides towards online consumers.  Thus, Google’s Fiber service would likely be prohibited from using consumer’s personal information, while Google’s YouTube service would not.

Trademarks and branding are an important part of any business organization.  They build the organization’s reputation in providing a product or service.  In late January, the Fine Brothers, had made an attempt to begin a new business venture in licensing their trademarks and intellectual property to create a larger media congregation called “React World.”  The brothers had built a business on producing videos showing the reactions of different subsets of the population, from children to the elderly.  In doing so, they would monetize the videos through sponsorship and advertisement.  To ensure their ability to monetize and license their intellectual property, they applied for trademarks for the words “React,” “Kids React,” and other derivatives.  This prompted a backlash by individuals, fearing that the actions by the Fine Brothers would be used to curtail their activities on the web.  The sheer magnitude from this backlash led to the Fine Brothers withdrawing their application from the process and cancelling their plans.

Notwithstanding the public backlash, the Fine Brothers would likely have their application approved and pushed beyond the public contest phase if they had only waited a little while longer.  The public contest phase is exactly where the Fine Brothers managed to fail.  If they had not brought attention to their trademarking efforts, it would have likely passed through the process.

In general, in the trademark application process, after the trademark examiner tentatively approves a mark, there is a 30-day period to file an opposition. This is open to all individuals that may be harmed by the mark, not just those with similar marks.  As such, the public was able to protest the granting of the “React” trademark.  When seeking a trademark application, the sort of public outcry that occurred in response to the “React” trademark should be avoided.  The 30-day period, while it would be available to the public, did not need to be publicized as with the Fine Brothers.  In filing a trademark that may garner some public opposition, there is no need to draw further attention to it.  If the brothers had not withdrawn their application, this type of opposition would have been heard by the Trademark Trial and Appeal Board, and overcome by the Fine Brothers.

In recent years, the internet has connected the general public across continents.  Notably, it can be expected that data can easily travel across countries in a blink of an eye, without any delay and on a daily basis.  The transfer of data is an important part in business as well.  With any multinational entity, personal data crossing countries is inevitable.  However, each country may have different guidelines that a business must ensure compliance.

Recently, the European Union announced a new change to its privacy laws.  Formerly, it would allow American, and other businesses, to obtain a “pass” for its privacy laws by certifying themselves as compatible for its safe harbors scheme.  This safe harbor scheme requires a business to meet standards for privacy protection.  However, on October 6, 2015, the European Court of Justice ruled that the previous system for allowing corporations to obtain accreditation, and shifting data between the United States and Europe, was improper due to the current intelligence methods in the United States.  This oversight ended the safe harbor provision.

The new rules establish a Privacy Shield register and a free alternative dispute resolution system.  The organizations will have to self certify annually, with verification by the Department of Commerce, and comply with the Privacy Shield framework.  As part of compliance, organizations must provide a response within 45 days and create a no-cost independent recourse system where complaints and disputes will be resolved in a timely manner.  In addition, the European residents will be able to pursue legal action for claims such as, misrepresentation, and the participants must commit to binding arbitration at the European citizen’s request.