Document View

Online business risk management is an area often overlooked by businesses large and small but can result in significant exposure to business assets. In this article, Adam R. Bialek and Scott M. Smedresman of Wilson Elser Moskowitz Edelman & Dicker LLP discuss the various methods businesses use to minimize these risks while maintaining a robust and effective online presence. The authors first discuss the regulatory framework surrounding privacy policies and address what is required to be included in them. They then discuss the benefits of instituting Web site terms of use and review the clauses that may be desirable to include. The authors next review the immunities offered to Web site operators by various statutory frameworks and the steps that Web site operators should take to ensure that they obtain and retain those immunities. Finally, the authors conclude with a discussion of the protection of Web site design and appearance through copyright registration and the substantial benefits that such a strategy can provide. [PUBLICATION ABSTRACT]

Copyright Aspen Publishers, Inc. Nov 2008

A hole in a media company's security measures is discovered by a user, resulting in the dissemination of highly confidential development content to the public and competitors. The pricing data appearing on the Web site of a business is "scraped" and later used and disseminated by its competitors. A large corporation receives a round of negative publicity based on deficiencies in the notification of its privacy practices. An online merchant is sued by one of its customers unhappy with a purchase, and the merchant is forced to defend the claim in an unfriendly jurisdiction. A social networking site is fined $1 million for failing to comply with online data collection laws. The design of a reputable business is copied wholesale by a pornographic Web site, tarnishing the business' reputation by implying a false connection between the entities.

These are just a few examples, based on actual events, of some of the potential exposures and liabilities associated with operating a business with an online presence. Whether in the form of promotional Web sites or direct online sales, businesses are broadly integrating the Internet into overall growth strategies. However, the potential exposures associated with engaging in Web site sales and cyber-advertising campaigns are frequently overlooked. These risks include cyberintrusion, unauthorized use of material appearing on a company's public Web site, regulatory compliance regarding the proper treatment of personal data, copyright and trademark infringement, sales disputes, and various similar issues.

By taking simple steps, such as developing comprehensive Web site terms of use and a privacy policy, instituting a reporting system for unlawful uses of another's trademark and copyright, and registering a Web site's design for copyright protection, businesses can significantly minimize some of these risks. These policies not only help to ensure the proper handling of customer data and to limit sales disputes but also provide businesses with strong tools for use in pursuing individuals and entities that violate their rights. Additionally, these policies can help to insulate businesses from the conduct of their users by providing immunity to various laws, such as copyright and defamation, if certain procedures and Web site structures are managed. Moreover, under certain circumstances, privacy policies and data disclosure procedures are in fact required by some national and state laws, and a failure to institute such policies and practices may result in the conduct of unfair business practices or fines by administrative agencies.

Online business risk management is an area often overlooked by businesses large and small but can result in significant exposure to business assets through diminished value of assets, theft of trade secrets, and litigation brought by third parties, clients, and regulatory agencies. Risk avoidance strategies are not limited to defensive positions and can provide businesses with the proper tools to pursue violators to seek redress on their own behalf.

The various methods that businesses use to minimize these risks while maintaining a robust and effective online presence will be discussed in this article. This article first discusses the regulatory framework surrounding privacy policies and will address what is required to be included in them. Then this article discusses the benefits of instituting terms of use and will review the clauses that may be desirable to include. This article next reviews the immunities offered to Web site operators by various statutory frameworks and the steps that Web site operators should take to ensure that they obtain and retain those immunities. Finally, this article concludes with a discussion of the protection of Web site design and appearance through copyright registration and the substantial benefits such a strategy can provide.

Privacy Policy

With the expansion of online business, it has become commonplace for users to reveal personal and financial information about themselves on Web sites that allow others to identify them. In other instances, personal information is used to target advertisements and promotions directly to users. This increase in information collection has correlated with an increase in identity theft, spam email, and junk faxes.

As a result, various state and federal laws require certain businesses to post a privacy policy on their Web sites, if they meet certain criteria, notifying visitors of their rights and advising them of the information collected and the intended uses of such information. These laws generally direct specific conduct to be followed and provide for civil remedies for non-compliance as well as enforcement by the Federal Trade Commission (FTC). The FTC has not been shy in enforcing some of these statutes and has levied significant penalties against non-compliant businesses in the past.1 From a compliance perspective, the requirements of these laws should be implemented upon generation of a Web site, as they are affirmative obligations, not merely recommended practice.

The materials provided in this article are merely summaries of the main clauses of various relevant laws, as complete outlines are beyond the scope of this article. Rather, these summaries are presented to demonstrate why a risk manager needs to pay attention to these potential exposures.

Children's Online Privacy Protection Act

One major federal statute in the area of Internet privacy is the Children's Online Privacy Protection Act (COPPA).2 COPPA provides for strict disclosure of data collection practices and uses and requires explicit parental consent before personally identifiable information (PII) may be collected from individuals below the age of 13. COPPA defines PII as information that will allow any method of contacting such an individual, online or offline.

Although COPPA does not specifically delineate the manner and location where the required disclosures must be made, the FTC requires that these disclosures be placed on a Web site's homepage, as well as at the points of collection of data from users below the age of 13. 3 In addition, the FTC requires that, if a Web site has certain sections directed at children and others that are not, the Web site must supply minors with a specific privacy policy in the area directed at them.4 The link to the privacy notice must be prominent and distinguishable from other material on the site.5

The law applies to any Web site that is marketed or directed to individuals below the age of 13 and to any Web site with actual knowledge of the collection of PII from such a child. In determining whether a Web site is directed at children, multiple factors are used, such as the feel of the site, the content of the site, and the subject matter of the site.6

A Web site to which the COPPA applies has a duty to obtain verifiable parental consent before collecting PII from underage individuals.7 Additionally, the Web site operator has a duty to disclose its data collection and disclosure practices on its site.8 COPPA defines "verifiable parental consent" as:

any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator's personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.9

Although COPPA offers no specifics, one method used in complying with this provision is the requesting of a parent's email address at the time that a child signs up for a service. The parent is then contacted to verify or deny consent to the child's disclosure of PII to a Web site.

Compliance with COPPA is a serious matter, as the FTC has been known to aggressively pursue Web sites that do not comply. In one instance, in United States v. Xanga,10 a $1 million fine was levied against a Web site operator that collected personal information without receiving parental consent from more than 1 million individuals who indicated that they were under 13 years old.

The California Online Privacy Protection Act of 2003

With the Internet expanding the reach of businesses that were once strictly local in scope, entities must now be mindful of an array of international and local rules that were once of no concern. Online privacy law has greatly proliferated since the rise of the Internet, and there are now multiple statutes, both local and international, that businesses should be aware of before collecting and using customer data obtained through a company Web site.

One of the broadest privacy protection laws relating to Internet privacy policies to be enacted is the California Online Privacy Protection Act of 2003 (CAOPPA).11 Although it is a California state law, Web site operators that knowingly or unknowingly approach California residents may be subject to these requirements. CAOPPA applies to any operator of a commercial Web site that collects PII from any California resident. The statute defines PII as "individually identified information about an individual consumer,"12 including categories of information such as, among other more specific categories, a name, a physical address, or an email address.13 The clause contains a catchall that states that PII includes any information by which an individual may be contacted, either online or offline.14

Once a Web site operator collects such covered information, the requirements of CAOPPA take effect. CAOPPA requires that Web site operators "conspicuously post [a] privacy policy on its Website."15 This policy must identify the categories of PII that the Web site collects, disclose the categories of third-party entities with whom the operator shares such information, describe the process by which the operator notifies Web site users of a change in the policy, and indicate the effective date of the policy16 Additionally, if the Web site has a process by which users may access and update the PII stored by the Web site, the procedure for exercising that right must be supplied.17 CAOPPA, however, does not make the offering of such a right an affirmative requirement.

CAOPPA defines "conspicuously postting]" a privacy policy as, among other less popular options, having an icon or link to the policy on a site's homepage or the first significant page after entering the site, so long as the text of such link or icon includes the word "privacy"18

CAOPPA states that a failure to comply with its terms is actionable if such failure was knowing and willful or negligent and material.19 Additionally, CAOPPA stipulates that a Web site operator becomes liable if it fails to remedy its site's non-compliance with CAOPPA within 30 days of receiving notice of such non-compliance.20 Although not explicitly stated, a violation of CAOPPA would likely give rise to an individual right of action based on California's Unfair Competition Law.21

As can be seen from these details, CAOPPA is a very broad statute. It has the potential to apply to any Web site that collects information as mundane as an email address from a user located in California who contacts the Web site with a question. If that user's email is collected, such collection potentially triggers CAOPPA.22

CAOPPA has a knowing or negligent standard, which may insulate out-of-state Web sites from complying if they can show that there is no reasonable means by which the location or residency of the individual can be ascertained. However, there is the potential that such information may be disclosed by the individual themselves upon contacting the Web site, or such knowledge may be imputed if the Web site directs itself to California residents. Under such circumstances, the operator of a commercial Web site may be left to guess if it is required to comply with CAOPPA and risks liability if it fails to adequately monitor communications for clear evidence of the Californian origin of an email. In light of this potential doubt, best practice would appear to dictate in favor of compliance with CAOPPA, even if a Web site operator is not sure if such compliance is strictly required.

This is particularly true given the low requirements for compliance. The most rudimentary of privacy policies will likely comply with CAOPPA, making the cost of compliance low. However, as will be seen, various other disclosure23 requirements add to the amount of information that should be placed in a privacy policy.

Proactive compliance with this law may seem unnecessary given the 30-day window for compliance before liability attaches. However, there are extra-legal considerations, such as public relations concerns, which counsel in favor of complying prior to notification. Recently, Google, Inc. became the target of a number of prominent complainants, including from the Electronic Privacy Information Center, the Privacy Rights Clearinghouse, and the World Privacy Forum, arguing that Google was not in compliance with the California law24 A public relations problem developed, and Google relented, modifiying its homepage. Although legal damages might be small, the public relations dimension of compliance counsels in favor of posting a policy before negative publicity occurs.

The California "Shine the Light" Law

Continuing its pattern of implementing unique online privacy laws, California implemented the "Shine the Light" law in January of 2005. 25 Among other clauses, this law implemented new requirements for the disclosure to California customers of the manner in which businesses use their PII.26 The law applies to any entity that has customers in California and transfers such customers' PII to any third party, if the business knows or reasonably should know that the transferee will use the information for direct marketing purposes.27 Businesses with less than 20 employees are exempt from this law, as are businesses that provide their customers with a method of opting out of having their PII disclosed to entities that will use it for direct marketing purposes.28 This law explicitly provides that a civil action may be brought against a business by any customer who is injured as a result of a business 's violating this law.29

The law provides a laundry list of data points that are considered PII30 and include matters as simple as an email address. Upon request, the law requires a business to disclose to a customer all the parties to whom that customer's PII was disclosed within the last calendar year. The law requires that, if the business collects any PII through a Web site, such business must post the details of this law on its site and designate a mailing address and an email address for receipt of requests for disclosures pursuant to this law. Furthermore, this information should be posted to the site on a page titled "Your Privacy Rights" or via a link to a page containing this information with the words "Your Privacy Rights" in the text of such link.

Once again, this is a fairly simple law with which to comply. So long as a Web site gives its users the right to opt out of having their information included in any disclosures, a business may be compliant with this law. However, as with CAOPPA, the consequences of noncompliance counsel strongly in favor of implementing a privacy policy that makes the appropriate disclosures. Should a business not wish to allow users to opt out of its data-sharing practices, setting up a simple procedure for customers to make a request pursuant to this law can be done at a low cost. Additionally, the requirement to have the term "Your Privacy Rights" on either the page containing the policy itself or in the text of a link leading to such a policy is fully compatible with CAOPPA.

Additional Considerations

In addition to the laws outlined earlier, which represent the broader legislation in the area of Internet privacy policies, there exist other statutes that address specific categories of information, such as personal health information31 and financial information,32 which also must be safeguarded, regardless of whether the information is held in the paper business records of a company or on a Web site. These laws must be complied with regarding Web-based disclosures just as a business would comply outside the virtual world. Penalties for non-compliance with these statutes can be serious.

A further area of important consideration is international privacy laws. Foreign laws relating to individual privacy and PII are often far stricter and more comprehensive than those of the United States. Companies that direct their Web sites abroad or which have subsidiaries in foreign countries that may transfer information to their US counterpart should be mindful of these regulations, particularly if they collect data from foreign jurisdictions, such as Canada33 or the European Union.34 These jurisdictions may have laws that apply to US entities, even in the absence of a physical presence in their territory. Businesses should consider consulting with counsel before collecting and using more sensitive PII, such as health and financial information, or any PII collected from a foreign jurisdiction, as there may be steps that can be taken to minimize exposure.35

Terms of Use

The other common Web site document, the terms of use or terms and conditions statement, while not mandated by any laws, can be equally important as a privacy policy to businesses in limiting the risks associated with operating a Web site. In some ways, a terms of use statement is a more powerful tool than a privacy policy in that it is a document geared toward both offense and defense, as opposed to a privacy policy, which is primarily defensive. This section will discuss the subjects that should be addressed in the terms of use, as well as proper strategy to increase the likelihood that a Web site's terms of use are found enforceable.

Offensive Uses

Unlike a traditional store that can monitor the use of its inventory by customers, most Web sites lack supervision and control over the use of the information contained therein. Yet, like a traditional store, a Web site can post guards and security to thwart unauthorized access. These precautions however, do not always work. Unauthorized uses of a Web site can range from using data or materials on the site without permission to hacking into or otherwise accessing unauthorized and possibly sensitive areas of a business' computer server. Much like a bricks-and-mortar store, a business' Web site must protect itself. While there are means to pursue violations of these kinds without having terms of use in place,36 terms of use provide simple tools to pursue users who make unauthorized uses of a business' Web site.

In the event of a security breach or other access to unauthorized Web site areas by a user, a Web site operator could seek redress for a violation of the Computer Fraud and Abuse Act (CFAA).37 The CFAA provides that any individual who intentionally accesses a "protected computer" without authorization and causes damages of more than $5,000 is liable for a violation of the CFAA.38 "Protected computer" is defined very broadly, as any computer used in interstate commerce, likely applying to almost every computer connected to the Internet in the United States.39 The damages threshold of the CFAA is not generally a difficult bar to meet, being satisfied even by the corrective action required to investigate or remedy a breach.40

Drafting terms of use that delineate those specific areas of a Web site that are public and that are not and what parts of a business computer server may be accessed can be of great assistance in bringing an action against an intruder based on the CFAA. A Web site user will generally be charged with knowledge of the information in the terms of use and will therefore likely have the knowledge of what areas of the computer system they are not authorized to enter. If a user subsequently accesses an unauthorized area, they will likely be in violation of the CFAA if damage is caused. The disclosure of any confidential information discovered in such an unauthorized area may be considered sufficient damage.

This specification of unauthorized areas can be important in cases when it otherwise might not be clear that unauthorized access has taken place. When a security hole is discovered that does not require a complex circumvention technique, a user might mount a defense based on a theory that they thought access to such an area was authorized. In order to avoid the use of such a defense, a Web site operator should clearly delineate in the terms of use those areas of a Web site or computer server that may be accessed and those which may not. By following this strategy, a Web site operator can greatly strengthen a claim under the CFAA.

A further offensive use of the terms of use is the inclusion of terms limiting the uses of Web site materials by others for commercial purposes. Web sites will frequently disclose valuable content to the public, such as pricing data, which might not otherwise be protected by copyright laws. The inclusion of a clause limiting the commercial use of such data by Web site users can be enforced against competing businesses that collect or use such data in an unauthorized manner.41

The process of "scraping" a Web site, harvesting valuable information from its public areas either through an automated program or via manual transcription, has been subject to litigation, with businesses often succeeding in protecting their intellectual property.42 Courts have consistently held that automated agents have the capacity to enter into binding contracts on the Internet,43 perhaps even if the director of such a program had no knowledge of the existence of the terms.44

By having strong and comprehensive terms of use, a business can gain a strong security tool that can be used not only to thwart the efforts of competitors engaging in competitive counter-intelligence gathering or the attempts of cyber-criminals but also to take back control of its intellectual property.

Defensive Uses

On the defensive side, terms of use can be valuable in that they can help a business select the exclusive forum and applicable law applying to disputes against them arising out of the use of the Web site. This permits businesses to defend cases brought against them in a friendly forum close to their headquarters and/or their chosen counsel. When properly drafted, courts have been generally willing to uphold these clauses and force plaintiff's to either file in the selected forum or grant a motion to move the forum to the designated venue.45

Additionally, a Web site operator should consider inclusion of clauses limiting the site's liability from harm caused to users and require an indemnity from users for harm that they cause through use of the Web site. An indemnity clause generally recites that a Web site visitor will indemnify the Web site for any damage that a visitor causes through or by the use of the business' Web site. While there are a number of nearly total immunities available to Web site operators from the damages caused by their visitors' uses,46 an indemnity clause may further protect a Web site by requiring a user who causes damage to a third party to reimburse the Web site for any penalties levied against it should these immunities fail.

In addition, a clause placing a limitation on liability, if properly drafted, may be able to cap the recovery that plaintiffs might be able to collect for damages that they incur as a result of their use of the Web site. This can be a useful clause for Web vendors because, if it is held enforceable by the jurisdiction in which suit is brought, it may help to ensure that a Web site is not responsible for consequential damages for unforeseen harm done by, for example, a failure to timely deliver goods. These clauses, however, are largely untested, and it is yet to be seen whether courts will be willing to liberally enforce them.

Implementation and Enforceability

Terms of use agreements are subject to the same rules of contract formation as other contracts negotiated between live parties. When live parties are negotiating a contract and executing it, it is presumed that they are affirmatively agreeing to the terms therein, or at least their understanding of the terms. Since a Web site's terms of use agreement is proposed by the Web site operator and not usually subject to interaction between the parties, the validity of implied assent in forming a contract must be considered. There are typically two types of terms of use agreements implemented on the Internet, clickwrap agreements and browsewrap agreements.47

As the Internet became the new marketplace for businesses, certain unique issues were created, and rules of implied contract formation needed to be developed. Members of the ABA Joint Working Group on Electronic Contracting Practices published an article titled "Browse-Wrap Agreements: Validity of Implied Assent in Electronic Form Agreements,"48 which outlines a general method for determining the validity of online agreements. The article laid out a four-part test that has been accurate in predicting what types of agreements courts have been willing to uphold. The prongs of this test include determination of whether,

1. The user is provided with adequate notice of the existence of the proposed terms;

2. The user has a meaningful opportunity to review the terms;

3. The user is provided with adequate notice that taking a specified action manifests assent to the terms; and

4. The user takes the action specified in the latter notice.49

Of these factors, the first has generally been the most significant in determining whether an Internet agreement is valid, as the predominant cause courts have found in striking down the terms of use as unenforceable has been a lack of notice to the user.50 As such, this factor will be the predominant focus of this section.

Of the two general types of terms of use mentioned, clickwrap agreements are the more conservative approach to Internet contract formation. The defining feature of a clickwrap agreement is that users are required to check a box or take some other affirmative action indicating that they assent to the terms of the agreement before the contract is formed. The general format for these agreements is usually a box stating "I Agree" to the terms of use that a user is required to click before the user is permitted to proceed to the site. Under this format, the terms of use text is generally a hyperlink to the full text of the agreement. An even more conservative approach is to display the entire agreement in a scroll box with a check box beneath it displaying some variation of the statement that "I have read and agree to the above Terms of Use." A user would be required to check this box and click the "I Agree" box below it before being permitted to proceed.

Clickwrap agreements of these kinds are generally accepted as sufficient to form a contract, as the notice to the user of the existence of a contract and that contract's terms cannot be questioned. If the user clicks a box labeled "I Agree," that user is hard-pressed to argue that they were not aware that a contract existed and that their actions bound them to such an agreement. There are general rules that should be followed for these agreements, such as presentation of the terms before requiring assent, allowing sufficient time to review the terms before requiring assent and ensuring that the terms are clear, understandable, and conscionable.51 As long as these general rules are followed, a clickwrap agreement will generally be enforced. It is therefore recommended that any sale of goods or services be made subject to this form of clickwrap assent.

The vast majority of Web site terms of use agreements, however, do not require a user to click an "I Agree" button. Instead, these agreements are generally posted in small type at the bottom of a Web site with the text "Terms of Use," "Terms of Service" or "Terms and Conditions." This standard placement and custom is most likely due to Web site aesthetics and the reality that, if a Web site had a landing page that required agreement to a clickwrap license before allowing entry to the site, user traffic would likely decrease. As such, the determination of the validity of the more common form of terms of use, the browsewrap form, is more difficult to resolve.

Browsewrap agreements rely on implied assent in formation, as no affirmative action other than use of the Web site at issue is generally required to form a binding agreement. Currently, there has not been significant litigation regarding Web site terms of use, and those cases that have addressed it have come to somewhat conflicting results.52 These cases have indicated that the enforceability of browsewrap agreements largely depends on what type of notice users are given to their existence. However, these cases may be explained, in part, based on the equities of the cases where there may have been clear "bad actors" involved. As such, the case law thus far offers limited guidance for more general risk-management purposes.

The current predominant practice on the Internet is to place the terms of use notice at the bottom of a Web site's homepage, regardless of whether the homepage is one screen or is a scrolling homepage. This format, however, carries with it the risk that a court will determine that, because the notice is not plainly visible upon immediate entry into the Web site, a user would not necessarily be aware that the agreement exists.

In Ticketmaster Corp. v. Tickets.com, Inc.,53 the court granted the defendant's motion to dismiss, even though the Web site's terms of use specifically restricted the conduct engaged in by the defendant. The terms of use were placed at the bottom of a long scroll page on Ticketmaster s homepage. Ticketmaster argued that, since the terms explicitly restricted the defendant's conduct, the issue could not be dismissed. In granting the motion with leave to amend, the court found that, without further proof that the defendant was aware of the contract, it could not be bound by it. The court stated that knowledge of the agreement could not be imputed when a "customer needs to scroll down the home page to find and read"54 the agreement. Instead, the court held that "many customers ... are likely to proceed to the . . . page of interest [rather] than reading the 'small print.' It cannot be said that merely putting the terms and conditions in this fashion necessarily creates a contract with anyone using the website."55 Other courts have similarly held that, when the notice of the terms of use was not clearly visible to users, it could not be enforced.56

In contrast, when the link to the terms of use is visible, a court will be more likely to enforce that agreement. After Ticketmaster was dismissed, Ticketmaster altered its Web site design by placing the link to its terms of use at the top of its homepage and then refiled against Tickets.com.57 This time, the court held that the agreement was enforceable, in part due to the prominent placement of the link to the terms of use at the top of the homepage.58 However, the defendant in this case was shown to have actual knowledge of the Web site's terms of use, thus making this decision difficult to rely upon for the position that terms of use at the top of a homepage will always be enforced.

Based on the case law available at this time, it is difficult to predict how a court will rule concerning the enforceability of a Web site terms of use agreement that is linked to on a homepage. As stated, it appears as though the extent of notice that a user is given as to the existence of these terms can greatly influence their enforceability. Therefore, the common practice on the Internet of placing the terms of use notice at the bottom of a long scrolling homepage in small letters may currently be insufficient to effectuate these agreements. It may not be long, however, before courts And that this placement is not only acceptable but expected due to predominant current practice.

In the interim, Web site operators may wish to consider placing the terms "above the fold" of a Web site's homepage so that the notice is clearly visible to users as soon as they enter a business' Web site. Web site operators may also wish to consider placing the notice of the terms at the bottom of the scroll page in addition to its placement at the top, because a court may hold that users expect to find these agreements at the bottom of a Web site due to currently common practice. An additional step that a conservative business can take is to label the link to the terms of use as "Mandatory Terms of Use," thus reinforcing the mandatory nature of agreeing to the terms before using the site.

Ultimately, since there is still no convention on placement, it is a business' choice as to how best to balance Web site aesthetics with legal notices; however, as is clear from the otherwise unclear case law surrounding browsewrap agreements that, the more prominent the placement and phrasing of these policies, the more effective they might be.

Web Site Immunities

The manner in which a Web site is designed can greatly affect the liability exposures it may represent. A Web site must be careful not to promote or provide content to or by its users that may violate a law. Further, these potential liabilities greatly increase when Web site users are permitted to upload content to a business'Web site, whether such content is a user-generated video, a copyrighted movie, a section of a novel, a review of a business, or even a simple feedback comment. There are various statutes in place that offer Web sites immunity from the liabilities that these risks represent; however, the design of a Web site and the specifics of the statutes can dictate when and to what extent immunity is offered. If the statutory predicates are not followed carefully, a Web site can lose these immunities and be subject to serious liability.

The Digital Millennium Copyright Act

Once a business allows others to post content to its Web site, the potential for exposure arises. While many people are familiar with the YouTube model, where users upload significant amounts of content as the main purpose of visiting the site, many other businesses have Web sites that give users far more modest, but legally significant, abilities to upload content, and thus face similar issues to the video-sharing giant.

Any site that permits a user to post content faces the potential for contributing to copyright infringement, trade libel, defamation, or violations of the rights of others. Having a user feedback board, even if it is monitored and edited, can open the door to a copyright claim. For example, if a feedback page permits a user to upload photographs, text, or other such content, there can be copyright liability for the manager of the feedback page, should infringing content be posted. Management will often have no way of knowing whether the content is infringing or properly posted, which can lead to liability.

In response to just this sort of problem, Congress passed the Digital Millennium Copyright Act (DMCA).59 Enacted in 1998, the DMCA made various changes to the Copyright Act to better address copyright infringements through digital technologies and to protect online service providers from the potential copyright liability created by their users. Among the most important clauses in the DMCA is Title II, the Online Copyright Infringement Liability Limitation Act, or OCILLA.60

OCILLA creates a system that can exempt from liability certain online service providers, generally defined as providers "of online services or network access, or the operator of facilities therefore,"61 from much of the difficult to police conduct that occurs by Web site visitors. To be eligible for this protection a service provider must:

1. Adopt and implement a policy of terminating the accounts of users who repeatedly commit copyright infringement through the use of the Web site;62

2. Must not interfere with the standard technical measures, such as Digital Rights Management (DRM) software or code, used by a true copyright holder to police misconduct;63 and

3. Must designate an agent with the US Copyright Office to receive notices of infringing uses of the Web site and disclose that agent's information on the provider's Web site.64

The disclosure of this information and the policy of terminating repeat offenders are generally noticed in a Web site's terms of use; however, for businesses that concentrate in having user-supplied content available on their sites, a separate DMCA notice section might be considered.

Once it is established that a service provider is eligible for O CILLA's protection and that provider complies with the DMCA's agent registration requirement, the provider should be protected from much of the copyright infringement committed by its users. However, there are additional measures that the service provider must take to ensure that this protection continues to apply. A service provider must not directly benefit from the posting of infringing content, the provider must not be aware that infringing content has been posted to its system, and if the provider becomes aware that infringing content has been posted, it must act with reasonable swiftness to remove the content.65

If a service provider pre-screens all content before it is posted, the provider must be vigilant not to post content that it knows to be infringing. This can be implemented in some cases by simply not posting obviously infringing content. However, in the cases of many message or feedback boards, the service provider will usually not have a level of knowledge sufficient to identify infringements, especially when the infringed work is not widely known. Posting content of this kind, which later turns out to be infringing on another's rights, will not lead to immediate liability.

If content is posted that infringes another's copyright, the copyright holder has the option of contacting the service provider with specific information as to the infringing content and a demand that the content be removed. At this point, the service provider is charged with knowledge of the potentially infringing conduct and must act or risk losing its liability protection. The service provider can follow strict DMCA take-down procedure, which involves removing the material and providing the user/poster of the allegedly infringing work with prompt notification of its removal and the opportunity to respond. If the user responds, the copyright owner must file suit or the service provider must re-post the content within a specified period of time.66

Although somewhat complicated, this procedure can be effective in shielding service providers from the unknown of the Internet, while allowing them to operate beneficial elements of their businesses.

For companies that routinely create copyrightable content, it is desirable to have a plan in place to combat the unauthorized use of such materials, particularly in the case of unauthorized leaks of proprietary materials. Swift action in transmitting take-down letters to widely linked-to content-sharing Web sites can have the effect of significantly limiting the exposure that such material is given. By targeting these central disseminators, the spread of the content can sometimes be effectively controlled. This plan should include having template DMCA take-down letters available to immediately send to an infringing Web site. If a company wishes their ownership status to remain confidential, counsel need not disclose the identity of the copyright owner to effectuate a take-down request. Additionally, attorneys should be contacted as soon as possible after learning of the exposure of sensitive material so that swifter communication or stronger action than DMCA letter can be explored and executed if necessary.

Communications Decency Act

Another area of concern for Web site operators involves the ability of users to post content that may result in potential violations of laws other than copyright, such as trade libel, defamation, and invasion of privacy. In the traditional publisher context, an entity that disseminates the defamatory statements of another is liable for making those statements themselves.67 In the early days of the Internet, many major service providers, such as America Online and Prodigy, were held to be constructive publishers if they monitored any of the content being posted to their sites.68 This left service providers with the difficult choice of burdensome monitoring of all content or abandoning all monitoring of content, which would inevitably lead to uses of their services in ways that they did not condone.

In response, Congress passed the Communications Decency Act of 1996 (CDA),69 which among other things provided that "no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."70 The CDA serves to insulate Web site operators from almost all liability created by content posted at the direction of the Web site's users. This protection applies even when material is prescreened or edited by a Web site operator, provided that the material was initially submitted by a user.71

There is, however, a limit to this liability shield. The CDA insulates Web site operators only against material that the operator itself does not supply. If the Web site operator supplies content or encourages the supplying by others of violative content, that Web site operator can be held liable.72 One example of such a case is Fair Housing Council of San Fernando Valley v. Roommates.com, LLC73 in which a roommate location Web site solicited answers to questions that violated the federal Fair Housing Act (FHA).74 The Web site required users to create a profile by answering questions about their roommate preferences, and among those questions was their preference as to the race and sexual orientation of their potential roommates.75 The court found that, because the Web site was soliciting and encouraging its users to violate the FHA by requiring users to submit information in these categories before proceeding, it was deemed to be the "content provider" of this information. As such, the defendant was found not to be entitled to the immunity offered by the CDA.

Businesses should be careful as to how they organize their Web site content and what information they solicit from users to make public. Additionally, there is case law suggesting that the CDA immunity is not available when a Web site describes the conduct or contents of its site, which is largely controlled by its third-party users, and such representation turns out to be inaccurate.76 As such, businesses must be wary as to how their Web site content is organized and presented and particularly wary as to what claims they make about the conduct of their users.

An additional limitation of the CDA is that it does not insulate Web site operators against violations of "intellectual property laws" by its users.77 As such, in order to be immunized from the copyright infringement committed by its users, a Web site operator must comply with the provisions of the DMCA. There is no equivalent immunization for violations of trademark law, and as such, Web site owners must be vigilant in ensuring that their users do not commit trademark infringement through the use of a business' Web site. Web site operators have not typically been held liable for the trademark infringement committed by their users,78 and as long as such operators institute means by which trademark owners can assert their rights, liability may be avoided without resorting to extensive monitoring.79

The question of whether the CDA preempts state intellectual property law is unresolved as of this time. The issue has been addressed twice in the last two years, with courts in the Ninth Circuit and First Circuit reaching opposite results.80 In light of this uncertainty, a Web site operator may consider taking a more proactive monitoring role of their sites for violations of state intellectual property law.

Trademark Infringement

There is no comprehensive federal statute that provides Web site operators with immunity for the trademark infringement committed by its users. Web site operators can be exposed to secondary trademark infringement based on the acts committed by its users. The law, however, has generally held third parties liable for the infringement committed by their customers only when such third party had reason to know of the infringement taking place and did nothing to stop it.81 The law requires, among other things, that a business cannot be willfully blind to trademark infringement occurring on its premises.82 If the requisite knowledge of infringement on a company's Web site is imputed to a business, that business must act to remove the infringing content or face liability.83 There have not been many cases with decisions based on this fact pattern in the context of the Internet, and as such, this area of the law remains somewhat uncertain.

Recently, Tiffany (NJ), Inc. v. eBay, Inc.,84 has shed some light on the somewhat unaddressed issue of Internet risk management related to trademark infringement. At issue in the case was whether the generalized knowledge of trademark infringement by a Web site's operator is enough to trigger liability in the absence of actual knowledge of specific infringing material. Tiffany alleged that because a large portion of Tiffany branded items on eBay were counterfeit at any given time, eBay's generalized knowledge of trademark infringement, as opposed to knowledge as to specific infringements, should support liability85

In ruling for eBay, the court stated that generalized knowledge of infringement does not give rise to liability for specific instances of trademark infringement, in part because eBay was not "willfully blind" to the infringement taking place on its Web site.86

The court based this conclusion in part on evidence of eBay's notice-and-takedown procedure. eBay had instituted a program, similar to the statutory framework set up by the DMCA, whereby rights owners could notify eBay of trademark infringement being committed on eBay's site. eBay's program provided that, if a trademark owner had a good faith belief that an eBay user was engaging in trademark infringement by falsely identifying a product, that owner could notify eBay as to the appearance of the unlawful trademark use. In response, eBay would institute an investigation and often remove the allegedly infringing content. The court stated that, in part because of this program, eBay was not liable for secondary trademark infringement.87

In light of this important ruling, a business that grants Internet users the ability to post content to its Web site may consider instituting a program similar to eBay's notice-and-takedown procedure for trademark infringements. Taking this step may not only support the defense of a charge of secondary trademark infringement but also assist a Web site by providing trademark owners with a clear and simple procedure by which they can submit a notification of trademark infringement upon which a business may act. As of now, it appears that this can provide trademark owners an outlet by which to notify Web businesses, which will in turn better permit such businesses to effectively comply with notifications of trademark infringement. As the district court level of this case is still new, it remains to be seen whether other courts will adopt this view. In the interim, adopting such a plan may provide a Web site operator some protection from exposure.

Design Protection

In addition to terms of use that limit commercial uses of data obtained from a company's Web site, copyright registration can be a useful and inexpensive tool in pursuing competitors that have copied a business' Web site or are possibly attempting to divert or confuse consumers through the use of a similar Web site design.

Web site designs can be extremely valuable to a business, as they are not only the product of substantial investment but also the embodiment of the goodwill of a business on the Internet. What was once a large but relatively safe investment in the bricks-and-mortar world, store design can be easily copied by competitors and stolen by counterfeiters due to the ease of copying on the Internet. Not only is such copying and theft unlawful in its taking advantage of the investments of others, but identical Web sites can divert a business' customers or trade off an untruthful affiliation. Just as businesses take the precaution of hiring security for their bricks-and-mortar establishments, so too should the Web site of a business be protected.

Of course, these copiers and counterfeiters can be pursued with common law trade dress infringement or unfair competition claims. These options, however, can be time consuming and costly to pursue. This is particularly the case with unregistered trade dress, which the plaintiff bears the burden of proving is non-functional,88 and possibly has acquired secondary meaning.89 Furthermore, a claim based on an unregistered trade dress does not offer attorney's fees or statutory damages to a successful plaintiff.

Copyright registration for a Web site design is an inexpensive alternative to trademark registration and is a powerful tool in pursuing unauthorized duplication of a Web site's design, offering many of the advantages in this context as a trademark registration would. Unlike trade dress protection, copyright registration is relatively inexpensive to obtain, relatively simple to enforce, and could possibly offer statutory damages and attorney's fees to a successful plaintiff. Additionally, a cease-anddesist letter asserting rights to a copyright registration can be a powerful enforcement tool which may avert the need to bring suit altogether.

Conclusion

While the Internet is no longer a new frontier, there are new uses being promoted and developed that give rise to new exposures that outpace the law. Until recently, social networking was a novelty for the young or computer savvy user. Today, businesses are entering the fray and capitalizing on the power that Internet connectivity brings to close the distance between worldwide partners and customers. While a small store in Anywhere, US, would rarely encounter a visitor from the middle of Europe, it is common for visitors from around the world to frequent Web sites operated by those same businesses in Anywhere, US. While the law races to catch up to the differing cultural influences and provincial rules, new exposures are created that must be addressed by the risk manager/owner for the business operating on the Internet.

The US government (as well as other countries) has established rules to protect its citizens. State legislatures have also addressed the potential issues that may impact their residents. It is important for companies and individuals who wish to transact business outside of the friendly confines of their own locales to be familiar with the laws of the jurisdictions where they seek to do business. With regard to Web site operation, it has become critical not only to maintain a comprehensive privacy policy that complies with the state and federal laws but also to properly notify users of the policy and provide users with certain information at their request.

The government has also established rules to protect business that offer the public a way to expand their freedom of speech by offering certain immunities to Web site operators that may violate the rights of others unwittingly. Provided that a Web site operator takes reasonable steps to ensure that violative content is expunged from the site upon notice, the Web site operator can typically continue to offer its users the ability to provide feedback.

While Web site operators offer the public a service to access, Web site operators should make clear to the users the rules for visiting the site. These rules, incorporated in the terms of use, should set forth the boundaries for which the user may make use of the Web site and the grounds upon which conduct is prohibited. By specifying clear rules, both the visitor and the operator should be able to understand the terms by which the Web site operator is willing to host the visitor. Having a clear understanding can avoid disputes and provide a basis for a host to pursue a visitor for improper conduct.

Regardless of whether a Web site is ancillary to a business' operations or the primary focus of the enterprise, protection of the intellectual property is critical for the Web site operator to maximize its investment. Through comprehensive terms of use and federal copyright registration, a business can protect its intellectual capital in the Web site.

For a business with an online presence to succeed, the Web site operator must protect not only its investment but also itself from third-party liability and government regulatory problems. Proper risk management techniques, as discussed herein, should assist a business in protecting itself from the potential exposures of operating a business with an online presence.

[Footnote]

Notes

1. See United States v. Xanga, Civ. Act. No. 1:2006cv06853 (S.D.N.Y., Sept. 7, 2006) (fining social networking site $1 million for violation of COPPA); see also United States v. Mrs. Fields Famous Brands, Inc., Civ. Act. No. 2:2003cv205 JTG (D. Utah, filed Feb. 27, 2003) ($100,000 in civil fines); and United States v. UMG Recordings, Inc., Civ. Act. No. CV-01-1050 (C.D.C.A., filed Feb., 18, 2004) ($400,000 in civil fines).

2. 15 U.S.C. § 6501-6506; 112 Stat. 2581-728 (1998).

3. 16 C.F.R. § 312.4.

4. Id.

5. Id.

6. Id. at § 312.2.

7. 16 U.S.C. § 6502(b).

8. Id.

9. Id. at § 6501(9).

10. Xanga, Civ. Act. No.l:2006cv06853.

11. Cal. Bus. & Prof. Code § 22575-22579.

12. Id. at § 22577(a).

13. See id.

14. See id.

15. Id.

16. Id. at § 22575(b).

17. Id.

18. Id. at § 22577(b).

19. Id. at § 22577.

20. Id. at § 22575(a).

21. California Unfair Competition Law (see Cal. Bus. & Prof. Code § 17204) provides that any individual may bring an action against a business for violation of Unfair Competition Law if such business engages in acts "which violate California law.

22. Cal. Bus. & Prof. Code § 22577(a)(3) (listing email address of individual as sufficient to trigger applicability of Act).

23. Such as COPPA (see supra n.2) and the Shine the Light Law (see infra n.2 5).

24. Saul Hansell, "Google Changes Home Page, Adding Link to Privacy Policy," July 4, 2008, at http://bits.blogs.nytimes.com/2008/07/04/google-changes-home-page-adding-link-to-privacy-policy/; see also Natalie Weinstein, "Privacy Advocates Praise Google's New Link," July 5, 2008, at http://news.cnet.com/8301-10784_3-9984175-7. html?hhTest=1.

25. Cal. Civ. Code § 1798.83.

26. Id. at § 1798.83(a).

27. Id.

28. Id. at § 1798.83(c).

29. Cal. Civ. Code § 1798.84.

30. Id. at § 1798.83(e)(6), listing "(i) Name and address; (ii) Electronic mail address; (iii) Age or date of birth; (iv) Names of children; (v) Electronic mail or other addresses of children; (vi) Number of children; (vii) The age or gender of children; (viii) Height; (ix) Weight; (x) Race; (xi) Religion; (xii) Occupation; (xiii) Telephone number; (xiv) Education; (xv) Political party affiliation; (xvi) Medical condition; (xvii) Drugs, therapies, or medical products or equipment used; (xviii) The kind of product the customer purchased, leased, or rented; (xix) Real property purchased, leased, or rented; (xx) The kind of service provided; (xxi) Social security number; (xxii) Bank account number; (xxiii) Credit card number; (xxiv) Debit card number; (xxv) Bank or investment account, debit card, or credit card balance; (xxvi) Payment history; (xxvii) Information pertaining to the customer's credit-worthiness, assets, income, or liabilities."

31. See Health Insurance Portability and Accountability Act, Pub. L. 104-191, 110 Stat. 1936 (1996).

32. See Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999).

33. See Personal Information Protection and Electronic Documents Act, Statutes of Canada 2000, Chapter 5,BillC-6, (Assented to 13th Apr. 2000).

34. See Directive 95/46/EC on the protection of individuals "with regard to the processing of personal data and on the free movement of such data.

35. Such as the safe harbor program to the EU database directive, operated by the Department of Commerce, see www. export.gov/safeharbor/.

36. Such as possible common law claims for trespass to chattels or unfair competition.

37. 18 USC § 1030; 98 Stat. 2190 (1984) as amended.

38. 18 USC § 1030(a)(5)(A)(iii).

39. Id. at § 1030(e)(2)(B), defining "Protected Computer" as any computer "'which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States."

40. Frees, Inc. v. Phil McMillian, Civil Act. No. 05-1979, 2007 U.S. Dist. LEXIS 66814 (W.D. La., Aug. 6, 2007) (the hiring of a consultant to determine the manner in "which the defendant used the computer system constitutes a "loss" within the meaning of the Act).

41. See American Airlines, Inc. v. Farechase, Inc., Cause No. 067-194022-02 (Texas, 67th Dist., Mar. 8, 2003); see also Ticketmaster Corp. v. Tickets.com, Inc., 2003 U.S. Dist. LEXIS 6438 (C.D. CA, Mar. 6, 2003) (Ticketmaster II).

42. Id.

43. Id.

44. See Internet Archive v. Shell, 505 F. Supp. 2d 755; 2007 U.S. Dist. LEXIS 10239 (D. Colo. 2007); Register.com, Inc. v. Verio, Inc., 126 E. Supp. 2d 238 (S.D.N.Y. 2000).

45. See Bowen v. YouTube, Inc., 2008 WL 1757578 (WD. Wash., Apr. 15, 2008) (upholding forum-selection clause in YouTube's terms of use). The upheld clause reads: "You agree that: (i) the YouTube Website shall be deemed solely based in California; and (ii) the YouTube Website shall be deemed a passive website that does not give rise to personal jurisdiction over YouTube, either specific or general, in jurisdictions other than California . These Terms of Service shall be governed by the internal substantive laws of the State of California, without respect to its conflict of laws principles. Any claim or dispute between you and YouTube that arises in whole or in part from the YouTube Website shall be decided exclusively by a court of competent jurisdiction located in San Mateo County, California."

46. Such as those offered by the Digital Millennium Copyright Act (see infra n.59) and the Communications Decency Act (see infra n.69).

47. See infra.

48. Christina L. Kunz, John E. Ottaviani, Elaine D. Ziffi Juliet M. Moringiello, Kathleen M. Porter, and Jennifer C. Debrow, "Browse-Wrap Agreements: Validity of Implied Assent in Electronic Form Agreements," 59 Bus. haw. 279 (2003).

49. Id.

50. See Ticketmaster Corp. v. Tickets.com, Inc., 54 U.S.P.Q. 2d 1344 (C.D. Cal., Mar. 27, 2000) (Ticketmaster I); Specht v. Netscape Communs. Corp., 150 E Supp. 2d 585 (S.D.N.Y. 2001).

51. Christina L. Kunz, Maureen F. Del Duca, Heather Thayer, and Jennifer Debrow, "Click-Through Agreement: Strategies for Avoiding Disputed on Validity of Assent," 57 Bus. Law. 401 (2001).

52. Compare Pollstar v. Gigmania, 170 E Supp. 2d 974 (E.D CaI. 2000) (refusing to enforce user agreement where the notice was "small grey text on a grey background") and Ticketmaster II, 54 U.S.P.Q. 2d 1344 (enforcing agreement based on prominent posting and actual knowledge of defendant as to existence of agreement).

53. Ticketmaster I, 54 U.S.P.Q. 2d 1344.

54. Id.

55. Id.

56. See Pollstar, 170 F. Supp. 2d 974 (refusing to enforce user agreement where the notice was "small grey text on a grey background").

57. See Ticketmaster II, 2003 U.S. Dist. LEXIS 6438.

58. Id.

59. Digital Millennium Copyright Act, 17 U.S.C. § 101, § 1; RL. 105-304; 112 Stat. 2860 (1998).

60. 17 U.S.C. § 101, Title 2.

61. 17 U.S.C. § 512(k)(l)(B)(a).

62. Id. at § 512(i)(l)(A).

63. Id. at § 512(i)(l)(B).

64. Id. at § 512(c)(2).

65. Id. at § 512(c)(1)(A).

66. Id. at § 512(g).

67. Stratton Oakmont v. Prodigy Servs. Co., 23 Media L. Rep. 1794 (NY. Sup. Ct., May 25, 1995) (suggesting that an online service provider that edited user postings could be liable as a re-publisher for the content of such posts), motion for renewal /reargument denied, 24 Media L. Rep. 1126 (NY. Sup. Ct., Dec. 11, 1995).

68. Id.

69. Title V, Telecommunications Act of 1996, RL. 104-104, 110 Stat. 56, (1996).

70. 47 U.S.C. § 230(c)(1).

71. Fair Housing Council of San Fernando Valley v. Roommates. Com, LLC, 521 F.3d 1157, 1169 (9th Cir. 2008) ("A website operator "who edits user-created content - such as by correcting spelling, removing obscenity or trimming for length - retains his immunity for any illegality in the user-created content, provided that the edits are unrelated to the illegality").

72. See id. (holding that roommate location Web site was not entitled to CDA immunity as it solicited its users to answer questions to unlawfully posed questions regarding race preference in roommates and that it provided pull-down menus "with unlawful responses to such questions).

73. Id.

74. Part of the Civil Rights Act of 1968, P.L. 90-284; 82 Stat. 73; 42 U.S.C. §3601, et seq.

75. See Roommates.com, 521 F.3d 1157.

76. Mazur v. eBay Inc., 2008 WL 618988 (N.D. Cal., March 4, 2008).

77. 47 U.S.C. § 230(e)(2).

78. See Tiffany (NJ) Inc. v. eBay, Inc., Civ. Act. No. 04 Civ. 4607 (RJS) (S.D.N.Y. July 14, 2008) (holding eBay not liable for traAsnrnvk infringement committed by uaen of its Web site without notice).

79. See iofra.

80. Compare Perfect 10, Inc. v. CCBiII LLC, 488 E3d 1102 (9th Cir. 2007) (holding that state intellectual property law is preempted by the CDA) to Doe v. Priendfsnder Network, Inc., 540 9. Supp. 2d 288 (D.N.H. 2008) (holding that state intellectual property law is not preempted by the CDA).

81. See Inwood Laboratories, Inc., v. Ives Laboratories, Inc., 546 U.S. 844 (1982); see also Tiffany (NJ), Inc. v. eBay, Inc., No. 04 Civ. 4607 (RJS) (S.D.N.Y. July 14,2008).

82. See id.

83. See id.

84. Tiffany (NJ), Inc., No. 04 Civ. 4607 (RJS) (S.D.N.Y. July 14, 2008).

85. Id. at *39.

86. Id. at *53.

87. Id. at *53, 56-57.

88. Traffix Devices, Inc. v. Marketing Displays, Inc., 532 U.S. 23 (2001).

89. Wal-Mart Stores, Inc. v. Samara Bros., Inc., 529 U.S. 205 (2000).