Copyright
Copyright is the workhorse of the Internet from the point of view of applicable law. This doctrine protects expressions that are manifested in a fixed and tangible medium. In the United States it is controlled predominantly by federal law (via the 1976 Copyright Act and the U.S. Constitution) and internationally (via the Berne Convention). The author of a copyrighted work acquires a set of exclusive enforceable rights including: 1) the right to make copies; 2) the right to distribute; 3) the right to make derivative works; and 4) the right to public performance.
There are now few formalities attached to obtaining a copyright. However, in the U.S., registration is required if the author wants to bring an infringement suit in federal court. Registration prior to an alleged act of infringement is also required if an author wants to get statutory damages, as opposed to having to prove actual damages. Proving actual damages in a copyright action can be quite difficult as a practical matter. So it turns out that registration is an important consideration that often gets overlooked by online entrepreneurs. Unlike trademarks and patents, copyright registration is relatively straightforward and inexpensive.
Copyright attaches to websites, photos, videos, blogs, music, books and a myriad of other artifacts of expression captured in a fixed medium. Almost any imaginable use of the Internet as a medium will expose an individual or organization to copyright implications, either as a user or creator of content. Much has been written about the intersection of copyright law and the Internet. Our copyright tutorial provides a good overview for online entrepreneurs and should get you grounded with respect to basic doctrinal issues.
However, what gets little coverage is how obscenely expensive it is to prosecute and/or defend a copyright infringement action. Although this report from the U.S. Copyright Office does not mention hard dollars, a copyright infringement lawsuit in federal court can easily take two or more years and cost hundreds of thousands of dollars. Here's the money quote from the report:
We are sympathetic to the concerns of individual authors about the high cost of litigation and how, in many cases, the individual creator may have little practical recourse in obtaining relief through the court system, particularly against infringements involving small amounts of actual damages. This problem, however, has existed for some time and goes beyond the orphan works situation, extending to all types of infringement of the works of individual authors. While there are some mechanisms in place to help address the problem, such as enforcement by collective organizations or timely registration to secure the availability of statutory damages and attorneys fees, we believe that consideration of new procedures, such as establishment of a “small claims” or other inexpensive dispute resolution procedure, would be an important issue for further study by Congress. It is not, however, within the province of this study on orphan works.
Most online startups and small businesses simply cannot afford to engage in this type of litigation. Therefore, from a practical economic perspective the best practice is to adopt a defensive posture that mitigates liability and to protect intellectual property rights as much as possible within existing budgetary constraints. A topic related to costs but often not discussed under the economic rubric is the copyright fair use defense. Fair use is an affirmative defense, which means that you only get to assert it once you have been sued. In short, you are already in litigation and it will be quite expensive to assert this defense even if you are right. Litigating a copyright action is so expensive that most online startups and small businesses risk bankruptcy in pursuing such actions. It is little consolation that your position was legally correct if litigation destroys the economic foundation of your online business.
Trademarks are yet another form of intellectual property ("IP") that have implications for online businesses. In the U.S. protection is provided both by Federal statute (i.e. the Lanham Act) and state statutory and common law (see What Law Controls?). Under the Lanham Act, a seller of goods and services must register with the U.S. Patent and Trademark Office ("USPTO") in order to get the desired protection. The registration with the USPTO can be done completely electronically and the agency's website provides many useful tools for conducting trademark searches, as well as providing other helpful information that guides the registration process. That said, the casual user should be forewarned that there is a "hierarchy of complexity" with respect to various Federal IP registrations, with copyright residing at the low end of the complexity hierarchy and patents at the high end. Trademark registration falls somewhere in between.
The trademark implications for online businesses take many forms and are often much more complex than online copyright issues. Further, there are no online safe harbors under federal trademark law. Online trademark issues include, but are not limited to: 1) domain names; 2) advertising; and 3) secondary liability (both vicarious and contributory). Of particular interest to online startups is selecting a desirable name and corresponding trademark for their legal entity. This is a case where "a rose by any other name" definitely may not smell as sweet. Why is that? It turns out that if you want to use the name of your legal entity as part and parcel of your trademark (and brand), then the name you select at the outset carries significant weight. The bottom line is that some names are easier to trademark than others.
The extent to which any given mark (e.g. a business name in this case) is deserving of protection usually depends on what is referred to as the "strength of the mark." The strength lies along a classification continuum as follows: (1) arbitrary (and fanciful) marks; (2) suggestive marks; (3) descriptive marks; and (4) generic marks. Arbitrary marks qualify for the most protection (if other requirements are met) and generic marks qualify for no protection (descriptive marks also qualify for no protection unless the mark has acquired "secondary meaning"; see What are the requirements?). Each node of the continuum is a legal term of art defined by both statutory authority and case law. The name Apple, for computers, is often an example given of a fanciful mark. Google and Twitter would also be considered either fanciful or arbitrary marks for their respective businesses. These names, in general, experience very little (if any) difficulty in acquiring a federal trademark registration. Depending on the arbitrariness of the name, these organizations probably had little trouble obtaining the corresponding domain names as well (i.e. simply because they were likely to be available).
Of course, there is no requirement that a business use its name as its trademark. In fact, businesses can obtain any number of marks (e.g. one per product) as long as the requirements are met. In practice however, an online startup is usually focused on a single product or service, and entrepreneurs' first inclination is to use the business/product name as the trademark. Therefore, it is important to give serious consideration to business/product names very early in the launch cycle. It may also be tempting to pick a business or domain name that is similar to a competitor's. However, this strategy should generally be avoided at all costs, because the aspiring online entrepreneur is inviting a lawsuit, something that he or she can ill afford. A better strategy, as discussed above, is to pick a completely arbitrary or fanciful name for your entity, product or service. Trademark litigation is as expensive as copyright litigation. A defensive posture is a best practice here as well, for obvious reasons.
The discussion above highlights one of a number of legal issues that confronts an online entrepreneur with respect to trademarks. Our trademark tutorial provides an overview of basic trademark doctrine and should provide enough information to assist you in asking the right questions prior to launching your online business.
Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act ("DMCA") is a complex piece of legislation that contains a "hodgepodge" of legislative themes including: the implementation of WIPO treaties, the criminalization of anti-circumvention technologies (i.e. digital rights management technologies or DRM) and the limitations of liability contained in Title II. The DMCA amended Title 17 of the U.S. Code (i.e. the copyright statute) and consists of five titles.
Essentially Title II added section 512 to the copyright statute which is located here. Section 512 creates four new limitations on liability for copyright infringement by online service providers. The limitations are encompassed in the following categories: (1) transitory communications; (2) system caching; (3) storage of information on systems or networks at direction of users; and (4) information location tools. They each mitigate liability based on the conduct of the service provider.
Communications Decency Act (CDA)
Section 230 of the Communications Decency Act of 1996 is codified at 47 U.S.C. § 230. Section 230(c)(1) provides immunity from liability for providers and users of an "interactive computer service" who publish information provided by others:
(c) Protection for “Good Samaritan” blocking and screening of offensive material
Essentially Section 230 of the CDA provides a "safe harbor" (i.e. immunity) from defamatory statements made by third parties on a website. In order to qualify for the safe harbor a website owner must meet each of the following prongs:
What this means in practice is that a website owner (i.e. an Information Service Provider) cannot be sued if a third party user posts defamatory comments about a person or entity on the website's blog, as long as it is not the website owner doing the posting. The third party user obviously does not receive immunity and can still be sued. In short, the website owner (e.g. Facebook) receives immunity from user generated content.
There are limitations to Section 230. For example, it does not apply to federal crimes, intellectual property, or if the website owner contributes to the development of the offending content. Ripoff Report has been sued numerous times for defamatory third party content and has yet to lose a Section 230 case.
Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act ("CFAA") is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses. Although the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to be brought under the statute, as well. It is now often used by employers to go after employees that misuse corporate computer systems.
The Act (codified as 18 U.S.C. § 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce. It was amended in 1988, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the act punishes not just anyone who commits or attempts to commit an offense under the Act, but also those who conspire to do so.
Clearly computers used within a business to conduct Internet transactions would fall under the category of computers used in interstate and foreign commerce and that is part of the reason that employers have begun to use the CFAA against allegedly rogue employees. The Ninth Circuit held as follows in US v. Nosal (9th Cir.; Apr. 28, 2011), regarding exceeding "authorized access" under the CFAA:
as long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that.
In Nosal, the authority was exceeded because the employer had a written computer usage policy which the employee allegedly violated. It is important that these types of policies be part of the employment agreement that the employee signs upfront, if the employer wants to leverage the agreement in a subsequent dispute.
Electronic Communications Privacy Act (ECPA)
Under the Electronic Communications Privacy Act ("ECPA") "electronic communication" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include (A) any wire or oral communication; (B) any communication made through a tone-only paging device; (C) any communication from a tracking device (as defined in section 3117 of this title); or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds. Other key ECPA definitions can be found here. The ECPA is codified as Title 18 U.S.C. Sections 2510-2522.
Electronic communications as defined by the ECPA arguably encompasses nearly all messaging that occurs on the Internet and therefore, with respect to an online business, its scope is quite broad.
Title I of the ECPA, which is often referred to as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” Title I provides exceptions for operators and service providers for uses “in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service” and for “persons authorized by law to intercept wire, oral, or electronic communications or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act (FISA) of 1978.” 18 U.S.C. § 2511.
Employers are starting to use the ECPA and the SCA in actions against former employees. However, these are murky waters. Employers should seek the advice of a Technology Lawyer before proceeding.
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
The CAN-SPAM Act of 2003 was signed into law by President George W. Bush on December 16, 2003. It established the United States' first national standards for the sending of commercial e-mail and requires the FTC to enforce its provisions. The CAN-SPAM Act sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.
Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law. Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $16,000, so non-compliance can be costly. Here's what the FTC has to say regarding compliance with the Act:
CAN-SPAM expressly preempts all state laws that are designed to regulate unsolicited commercial email. The effect of the preemption is to eliminate many state law regimes that are inherently more restrictive than CAN-SPAM. The primary exception is that state laws are not preempted to the extent that they prohibit misleading or deceptive advertising. For example, a state’s unfair trade practices statute can still be applied to an email advertisement with false or misleading content.
With a few exceptions, only the FTC or state Attorneys General can bring an action under CAN-SPAM. The Act provides no private right of action against violators. The primary exception is that an Internet Service Provider has a private right of action under the new law, presumably because an ISP's business is most directly affected (i.e. its bandwidth) by spam-based commercial email.
The United States Supreme Court (USSC) transformed the common law of libel via a series of cases that essentially provided a first amendment overlay to the doctrine. Under the common law of libel a plaintiff was required to show the following four elements: (1) defamatory statement; (2) identification—“of and concerning the plaintiff;” (3) a publication of the statement; and (4) damages, but only for slander.
Defamation has its roots in two common law torts: slander and libel. Slander is a harmful statement conveyed in a transitory form (e.g. an oral statement). Libel is a harmful statement conveyed in some fixed medium (e.g. a newspaper, magazine, blog, etc.). From the point of view of cyberlaw we are almost exclusively concerned with defamation that is libelous.
The leading USSC cases are Sullivan v. NYT (Sullivan) and Gertz v. Robert Welch (Gertz). These cases imposed a fault element to the four common law elements whenever the speech was of “public concern.” They also made the status of the plaintiff a controlling factor in the analysis. Under Sullivan the plaintiff, if a “public official,” was now required to show “actual malice” under a clear and convincing evidentiary standard. Under Gertz, a “private” plaintiff was required to show some degree of fault, left up to the discretion of the states (in practice negligence).
A later USSC case, Hepps, added to the plaintiff’s burden by requiring a showing of “material falsity.” That is, post Hepps, for a matter of public concern the plaintiff was required to prove six elements in order to prevail—the four common law elements, either actual malice or negligence, and that the statement was false in a significant way. Hepps shifted the burden from a defendant's burden of proving truth as a defense, to the plaintiff's burden of proving falsity. For plaintiffs who are public officials or public figures, proving all six elements is a high hurdle indeed.
For a private plaintiff (i.e. not a public official or public figure) bringing an action regarding a statement that was not of public concern, the common law of libel remained essentially unchanged. How is defamation law different online? In general, there is not all that much different about the defamation legal regime online, with a few exceptions. As noted above the CDA provides an "interactive computer service" (e.g. a website) with a "safe harbor" from defamation liability for statements made by third parties. That is one of the reasons that Ripoff Report has been universally successful in defending plaintiff defamation claims made against it because of statements made by users of its service.
Although there is no shortage of defamation suits brought because of online activity, the fact of the matter is that the elements of defamation are often difficult to prove. One central reason is that opinions do not count as defamatory statements. The EFF has a good overview of online defamation. Here's what it says about opinions versus assertions of fact:
Courts look at whether a reasonable reader or listener could understand the statement as asserting a statement of verifiable fact. (A verifiable fact is one capable of being proven true or false.) This is determined in light of the context of the statement. A few courts have said that statements made in the context of an Internet bulletin board or chat room are highly likely to be opinions or hyperbole, but they do look at the remark in context to see if it's likely to be seen as a true, even if controversial, opinion ("I really hate George Lucas' new movie") rather than an assertion of fact dressed up as an opinion ("It's my opinion that Trinity is the hacker who broke into the IRS database").
However, as discussed in the online liability section of this tutorial, online entrepreneurs must keep in mind that being right under the law does not mean that you will not be sued. Clearly, Ripoff Report has spent plenty on legal fees defending its online business model. Most online startups do not have this luxury and need to be especially careful with respect to legal liability mitigation strategies. Even an unwarranted suit can cause significant economic hardship for a startup.
Depending on the nature of your online business one of the following statutes might apply: 1) the Health Insurance Portability and Accountability Act (HIPAA)—protecting medical data, 2) the Gramm-Leach-Bliley Act—protecting financial data, and 3) the Children's Online Privacy Protection Act (COPPA)—protecting collection of data for children under the age of thirteen. Furthermore, if you are doing business internationally the European Union Directive on Privacy may also be applicable. The EU is interested in promulgating an international standard that would be presumably enforceable in the U.S. and elsewhere.
Under the authority of Section 5 of the FTC Act, which prohibits unfair and deceptive practices, the FTC has brought a number of cases to enforce promises made in website privacy policies, including those promises made regarding the securing of consumer personal data. The FTC is also quite active in research and reporting on privacy issues. Due to recent high profile breaches and growing consumer concern over privacy, expect to see more legislation and/or regulations in this area in the near term.
The list of applicable online laws provided in this section is obviously not exhaustive, but merely representative. Often, depending on an online startup's business model, other laws will apply. For example, industry specific laws apply to healthcare, to the financial services industry, and to the adult entertainment industry. Even within industry niches, online business models vary widely. This is especially true with respect to the online contracts that may be required. Startups that want to mitigate online liability should seek counsel from an Internet Lawyer with in-depth knowledge of the online context.