
Starting an Online Business: Applicable Law

    This section of the tutorial will review laws that play a prominent role with respect to doing business online. Depending on your business model and/or the vertical that your online business targets, some will be more important to you than others. For similar reasons some may not apply to you at all. However, business models evolve and often change dramatically over time. We encourage online entrepreneurs to develop a basic legal literacy in all of these areas so that you are not blindsided down the road. The intent here is not to provide exhaustive coverage of the applicable law, but rather to provide an introduction and point to additional resources, where appropriate, that provide more in-depth coverage.

    Table of Contents

    Communications Decency Act (CDA)
    Computer Fraud and Abuse Act (CFAA)
    Electronic Communications Privacy Act (ECPA)


    Copyright is the workhorse of the Internet from the point of view of applicable law. This doctrine protects expressions that are manifested in a fixed and tangible medium. In the United States it is controlled predominantly by federal law (via the 1976 Copyright Act and the U.S. Constitution) and internationally (via the Berne Convention). The author of a copyrighted work acquires a set of exclusive enforceable rights including: 1) the right to make copies; 2) the right to distribute; 3) the right to make derivative works; and 4) the right to public performance.

    There are now few formalities attached to obtaining a copyright. However, in the U.S., registration is required if the author wants to bring an infringement suit in federal court. Registration prior to an alleged act of infringement is also required if an author wants to get statutory damages, as opposed to having to prove actual damages. Proving actual damages in a copyright action can be quite difficult as a practical matter. So it turns out that registration is an important consideration that often gets overlooked by online entrepreneurs. Unlike trademarks and patents, copyright registration is relatively straightforward and inexpensive.

    Copyright attaches to websites, photos, videos, blogs, music, books and a myriad of other artifacts of expression captured in a fixed medium. Almost any imaginable use of the Internet as a medium will expose an individual or organization to copyright implications, either as a user or creator of content. Much has been written about the intersection of copyright law and the Internet. Our copyright tutorial provides a good overview for online entrepreneurs and should get you grounded with respect to basic doctrinal issues.

    However, what gets little coverage is how obscenely expensive it is to prosecute and/or defend a copyright infringement action. Although this report from the U.S. Copyright Office does not mention hard dollars, a copyright infringement lawsuit in federal court can easily take two or more years and cost hundreds of thousands of dollars. Here's the money quote from the report:

    We are sympathetic to the concerns of individual authors about the high cost of litigation and how, in many cases, the individual creator may have little practical recourse in obtaining relief through the court system, particularly against infringements involving small amounts of actual damages. This problem, however, has existed for some time and goes beyond the orphan works situation, extending to all types of infringement of the works of individual authors. While there are some mechanisms in place to help address the problem, such as enforcement by collective organizations or timely registration to secure the availability of statutory damages and attorneys fees, we believe that consideration of new procedures, such as establishment of a “small claims” or other inexpensive dispute resolution procedure, would be an important issue for further study by Congress. It is not, however, within the province of this study on orphan works.

    Most online startups and small businesses simply cannot afford to engage in this type of litigation. Therefore, from a practical economic perspective the best practice is to adopt a defensive posture that mitigates liability and to protect intellectual property rights as much as possible within existing budgetary constraints. A topic related to costs but often not discussed under the economic rubric is the copyright fair use defense. Fair use is an affirmative defense, which means that you only get to assert it once you have been sued. In short, you are already in litigation and it will be quite expensive to assert this defense even if you are right. Litigating a copyright action is so expensive that most online startups and small businesses risk bankruptcy in pursuing such actions. It is little consolation that your position was legally correct if litigation destroys the economic foundation of your online business.



    Trademarks are yet another form of intellectual property ("IP") that has implications for online businesses. In the U.S. protection is provided both by Federal statute (i.e. the Lanham Act) and state statutory and common law (see What Law Controls?). Under the Lanham Act, a seller of goods and services must register with the U.S. Patent and Trademark Office ("USPTO") in order to get the desired protection. The registration with the USPTO can be done completely electronically and the agency's website provides many useful tools for conducting trademark searches, as well as providing other helpful information that guides the registration process. That said, the casual user should be forewarned that there is a "hierarchy of complexity" with respect to various Federal IP registrations, with copyright residing at the low end of the complexity hierarchy and patents at the high end. Trademark registration falls somewhere in between.

    The trademark implications for online businesses take many forms and are often much more complex than online copyright issues. Further, there are no online safe harbors that exist under federal trademark law. Online trademark issues include, but are not limited to: 1) domain names; 2) advertising; and 3) secondary liability (both vicarious and contributory). Of particular interest to online startups is selecting a desirable name and corresponding trademark for their legal entity. This is a case where "a rose by any other name" definitely may not smell as sweet. Why is that? It turns out that if you want to use the name of your legal entity as part and parcel of your trademark (and brand), then the name you select at the onset carries significant weight. The bottom line is that some names are easier to trademark than others.

    The extent to which any given mark (e.g. a business name in this case) is deserving of protection usually depends on what is referred to as the "strength of the mark." The strength lies along a classification continuum as follows: (1) arbitrary (and fanciful) marks; (2) suggestive marks; (3) descriptive marks; and (4) generic marks. Arbitrary marks qualify for the most protection (if other requirements are met) and generic marks qualify for no protection (descriptive marks also qualify for no protection unless the mark has acquired "secondary meaning"; see What are the requirements?). Each node of the continuum is a legal term of art defined by both statutory authority and case law. The name Apple, for computers, is often an example given of a fanciful mark. Google and Twitter would also be considered either fanciful or arbitrary marks for their respective businesses. These names, in general, experience very little (if any) difficulty in acquiring a federal trademark registration. Depending on the arbitrariness of the name, these organizations probably had little trouble obtaining the corresponding domain names as well (i.e. simply because they were likely to be available).

    Of course, there is no requirement that a business use its name as its trademark. In fact, businesses can obtain any number of marks (e.g. one per product) as long as the requirements are met. In practice however, an online startup is usually focused on a single product or service, and entrepreneurs' first inclination is to use the business/product name as the trademark. Therefore, it is important to give serious consideration to business/product names very early in the launch cycle. It may also be tempting to pick a business or domain name that is similar to a competitor's. However, this strategy should generally be avoided at all costs, because the aspiring online entrepreneur is inviting a lawsuit, something that he or she can ill afford. A better strategy, as discussed above, is to pick a completely arbitrary or fanciful name for your entity, product or service. Trademark litigation is as expensive as copyright litigation. A defensive posture is a best practice here as well, for obvious reasons.

    The discussion above highlights one of a number of legal issues that confronts an online entrepreneur with respect to trademarks. Our trademark tutorial provides an overview of basic trademark doctrine and should provide enough information to assist you in asking the right questions prior to launching your online business.


    Digital Millennium Copyright Act (DMCA)

    The Digital Millennium Copyright Act ("DMCA") is a complex piece of legislation that contains a "hodgepodge" of legislative themes including: the implementation of WIPO treaties, the criminalization of anti circumvention technologies (i.e. digital rights management technologies or DRM) and the limitations of liability contained in Title II. The DMCA amended Title 17 of the U.S. Code (i.e. the copyright statute) and consists of five titles.

    Essentially Title II added section 512 to the copyright statute which is located here. Section 512 creates four new limitations on liability for copyright infringement by online service providers. The limitations are encompassed in the following categories: (1) transitory communications; (2) system caching; (3) storage of information on systems or networks at direction of users; and (4) information location tools. They each mitigate liability based on the conduct of the service provider.

    If complied with, each category will prevent a plaintiff from recovering money damages from a service provider and may also restrict a plaintiff's ability to get injunctive relief. The categories are independent from each other; qualifying under one does not imply a qualification under the others. Finally, failure to qualify does not mean that other defenses are not available to the provider (e.g. fair use). The key phrase with respect to the DMCA is "if complied with," which means much more than having the appropriate language in your website's terms of use. Although you certainly need certain pertinent language in your terms of use, equally important is to register an agent with the U.S. Copyright Office and follow the statutory processes and procedures.

    The DMCA "safe harbor" provision is an excellent illustration regarding the importance of people, process and platform with respect to online compliance. It is the people (e.g. training) and processes (i.e. implementation) that underpin the legal compliance language that make a real difference with respect to building a "good compliance story." Technology often has a subtle but important role to play as well (e.g. capturing which version of your terms of use a registered user accepted by clicking "I Agree"). An Internet Lawyer, in addition to drafting the appropriate language, must be prepared to discuss the people, process and platform issues.


    Communications Decency Act (CDA)

    Section 230 of the Communications Decency Act of 1996 is codified at 47 U.S.C. § 230. Section 230(c)(1) provides immunity from liability for providers and users of an "interactive computer service" who publish information provided by others:

    (c) Protection for “Good Samaritan” blocking and screening of offensive material

    (1) Treatment of publisher or speaker No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

    (2) Civil liability No provider or user of an interactive computer service shall be held liable on account of—

    (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

    (B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

    Essentially Section 230 of the CDA provides a "safe harbor" (i.e. immunity) from defamatory statements made by third parties on a website. In order to qualify for the safe harbor a website owner must meet each of the following prongs: 

  1. The website owner must be a "provider or user" of an "interactive computer service."
  2. The cause of action asserted by the plaintiff must "treat" the website owner "as the publisher or speaker" of the harmful information at issue.
  3. The information must be "provided by another information content provider," i.e., the website owner must not be the "information content provider" of the harmful information at issue.

    What this means in practice is that a website owner (i.e. an Information Service Provider) cannot be sued if a third party user posts defamatory comments about a person or entity on the website's blog, as long as it is not the website owner doing the posting. The third party user obviously does not receive immunity and can still be sued. In short, the website owner (e.g. Facebook) receives immunity from user generated content.

    There are limitations to Section 230. For example, it does not apply to federal crimes, intellectual property, or if the website owner contributes to the development of the offending content. Ripoff Report has been sued numerous times for defamatory third party content and has yet to lose a Section 230 case.


    Computer Fraud and Abuse Act (CFAA)

    The Computer Fraud and Abuse Act ("CFAA") is a law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses. Although the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to be brought under the statute, as well. It is now often used by employers to go after employees that misuse corporate computer systems.

    The Act (codified as 18 U.S.C. § 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce. It was amended in 1988, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the act punishes not just anyone who commits or attempts to commit an offense under the Act, but also those who conspire to do so.

    Clearly computers used within a business to conduct Internet transactions would fall under the category of computers used in interstate and foreign commerce and that is part of the reason that employers have begun to use the CFAA against allegedly rogue employees. The Ninth Circuit held as follows in US v. Nosal (9th Cir.; Apr. 28, 2011), regarding exceeding "authorized access" under the CFAA:

    as long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that.

    In Nosal, the authority was exceeded because the employer had a written computer usage policy which the employee allegedly violated. It is important that these types of policies be part of the employment agreement that the employee signs upfront, if the employer wants to leverage the agreement in a subsequent dispute.


    Electronic Communications Privacy Act (ECPA)

    Under the Electronic Communications Privacy Act ("ECPA") "electronic communication" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include (A) any wire or oral communication; (B) any communication made through a tone-only paging device; (C) any communication from a tracking device (as defined in section 3117 of this title); or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds. Other key ECPA definitions can be found here. The ECPA is codified as Title 18 U.S.C. Sections 2510-2522.

    Electronic communications as defined by the ECPA arguably encompass nearly all messaging that occurs on the Internet and therefore, with respect to an online business, its scope is quite broad.


    Title I of the ECPA, which is often referred to as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” Title I provides exceptions for operators and service providers for uses “in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service” and for “persons authorized by law to intercept wire, oral, or electronic communications or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act (FISA) of 1978.” 18 U.S.C. § 2511.

    It provides procedures for Federal, State, and other government officers to obtain judicial authorization for intercepting such communications, and regulates the use and disclosure of information obtained through authorized wiretapping. 18 U.S.C. § 2516-18. A judge may issue a warrant authorizing interception of communications for up to 30 days upon a showing of probable cause that the interception will reveal evidence that an individual is committing, has committed, or is about to commit a “particular offense” listed in § 2516. 18 U.S.C. § 2518. Title I also prohibits the use of illegally obtained communications as evidence. 18 U.S.C. § 2515.

    Title II of the ECPA, which is called the Stored Communications Act (SCA), protects the privacy of the contents of files stored by service providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses. 18 U.S.C. §§ 2701-12.

    Title III of the ECPA, which is called the Pen Register and Trap and Trace Statute, requires government entities to obtain a warrant before collecting real-time information, such as dialing, routing, and addressing information related to communications. Real-time collection of this information is usually done using a pen register or trap and trace device.

    Employers are starting to use the ECPA and the SCA in actions against former employees. However, these are murky waters. Employers should seek the advice of a Technology Lawyer before proceeding.


    Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)

    The CAN-SPAM Act of 2003 was signed into law by President George W. Bush on December 16, 2003. It established the United States' first national standards for the sending of commercial e-mail and requires the FTC to enforce its provisions. The CAN-SPAM Act sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

    Despite its name, the CAN-SPAM Act doesn’t apply just to bulk email. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email. That means all email – for example, a message to former customers announcing a new product line – must comply with the law. Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $16,000, so non-compliance can be costly. Here's what the FTC has to say regarding compliance with the Act:

    1. Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.

    2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.

    3. Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.

    4. Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.

    5. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.

    6. Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.

    7. Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

    CAN-SPAM expressly preempts all state laws that are designed to regulate unsolicited commercial email. The effect of the preemption is to eliminate many state law regimes that are inherently more restrictive than CAN-SPAM. The primary exception is that state laws are not preempted to the extent that they prohibit misleading or deceptive advertising. For example, a state’s unfair trade practices statute can still be applied to an email advertisement with false or misleading content.

    With a few exceptions only the FTC or State Attorneys General can bring an action under CAN-SPAM. The Act provides no private right of action against violators. The primary exception is that an Internet Service Provider has a private right of action under the new law, presumably because an ISP's business is most directly affected (i.e. its bandwidth) by spam-based commercial email.



    The United States Supreme Court (USSC) transformed the common law of libel via a series of cases that essentially provided a first amendment overlay to the doctrine. Under the common law of libel a plaintiff was required to show the following four elements: (1) defamatory statement; (2) identification—“of and concerning the plaintiff;” (3) a publication of the statement; and (4) damages, but only for slander.

    Defamation has its roots in two common law torts: slander and libel. Slander is a harmful statement conveyed in a transitory form (e.g. an oral statement). Libel is a harmful statement conveyed in some fixed medium (e.g. a newspaper, magazine, blog, etc.). From the point of view of cyberlaw we are almost exclusively concerned with defamation that is libelous.

    The leading USSC cases are Sullivan v. NYT (Sullivan) and Gertz v. Robert Welch (Gertz). These cases imposed a fault element to the four common law elements whenever the speech was of “public concern.” They also made the status of the plaintiff a controlling factor in the analysis. Under Sullivan the plaintiff, if a “public official,” was now required to show “actual malice” under a clear and convincing evidentiary standard. Under Gertz, a “private” plaintiff was required to show some degree of fault, left up to the discretion of the states (in practice negligence).

    A later USSC case, Hepps, added to the plaintiff’s burden by requiring a showing of “material falsity.” That is, post Hepps, for a matter of public concern the plaintiff was required to prove six elements in order to prevail—the four common law elements, either actual malice or negligence, and that the statement was false in a significant way. Hepps shifted the burden from a defendant's burden of proving truth as a defense, to the plaintiff's burden of proving falsity. For plaintiffs that are public officials or public figures, proving all six elements is a high hurdle indeed.

    For a private plaintiff (i.e. not a public official or public figure) bringing an action regarding a statement that was not of public concern, the common law of libel remained essentially unchanged. How is defamation law different online? In general, there is not all that much different about the defamation legal regime online, with a few exceptions. As noted above the CDA provides an "interactive computer service" (e.g. a website) with a "safe harbor" from defamation liability for statements made by third parties. That is one of the reasons that Ripoff Report has been universally successful in defending plaintiff defamation claims made against it because of statements made by users of its service.

    Although there is no shortage of defamation suits brought because of online activity, the fact of the matter is that the elements of defamation are often difficult to prove. One central reason is that opinions do not count as defamatory statements. The EFF has a good overview of online defamation. Here's what it says about opinions versus assertions of fact:

    Courts look at whether a reasonable reader or listener could understand the statement as asserting a statement of verifiable fact. (A verifiable fact is one capable of being proven true or false.) This is determined in light of the context of the statement. A few courts have said that statements made in the context of an Internet bulletin board or chat room are highly likely to be opinions or hyperbole, but they do look at the remark in context to see if it's likely to be seen as a true, even if controversial, opinion ("I really hate George Lucas' new movie") rather than an assertion of fact dressed up as an opinion ("It's my opinion that Trinity is the hacker who broke into the IRS database").

    However, as discussed in the online liability section of this tutorial, online entrepreneurs must keep in mind that being right under the law does not mean that you will not be sued. Clearly, Ripoff Report has spent plenty on legal fees defending its online business model. Most online startups do not have this luxury and need to be especially careful with respect to legal liability mitigation strategies. Even an unwarranted suit can cause significant economic hardship for a startup.



    There is probably no “hotter” cyberlaw issue today than privacy. Consumers often ask, “What are all those e-commerce sites doing with our data?” Businesses need to be aware of the various statutes and regulations that govern the collection and dissemination of personal data. A well drafted website privacy policy (and enforcement of same) is imperative for all online businesses. It should go without saying that whatever information is collected must also be protected. Negligence with respect to how private information is secured may lead to legal liability, not to mention the loss of business and embarrassment in the marketplace.

    Depending on the nature of your online business one of the following statutes might apply: 1) the Health Insurance Portability and Accountability Act (HIPAA)—protecting medical data, 2) the Gramm-Leach-Bliley Act—protecting financial data, and 3) the Children's Online Privacy Protection Act (COPPA)—protecting collection of data for children under the age of thirteen. Furthermore, if you are doing business internationally the European Union Directive on Privacy may also be applicable. The EU is interested in promulgating an international standard that would be presumably enforceable in the U.S. and elsewhere.

    Under the authority of Section 5 of the FTC Act, which prohibits unfair and deceptive practices, the FTC has brought a number of cases to enforce promises made in website privacy policies, including those promises made regarding the securing of consumer personal data. The FTC is also quite active in research and reporting on privacy issues. Due to recent high profile breaches and growing consumer concern over privacy, expect to see more legislation and/or regulations in this area in the near term.

    The bottom line here is that organizations cannot afford to be cavalier about the protection of consumers’ personal information. Having no policy or compliance program is probably the quickest route to liability. At a minimum an organization that collects and uses personal information, must do so consistent with their online privacy policy, and be able to show a credible, good faith effort at compliance. This alone may not be enough to avoid liability, but it could prove quite helpful in mitigating it.



    The list of applicable online laws provided in this section is obviously not exhaustive, but merely representative. Often, depending on an online startup's business model, other laws will apply. For example, industry specific laws apply to healthcare, to the financial services industry, and to the adult entertainment industry. Even within industry niches, online business models vary widely. This is especially true with respect to the online contracts that may be required. Startups that want to mitigate online liability should seek counsel from an Internet Lawyer with in-depth knowledge of the online context.
