FTC Fines Path $800,000 for Harvesting Addresses from Customer Phones

The operator of the Path social networking application agreed to settle Federal Trade Commission charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent. Path agreed to establish a comprehensive privacy program, to obtain an independent privacy assessment every other year for the next 20 years, and to pay $800,000 to settle charges that it illegally collected personal information from children without first getting their parents’ consent.

The app allows users to upload, store and share photos, written “thoughts,” location updates and the names of songs to which the user is listening. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, and Facebook and Twitter usernames.

Path was also charged with violating the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from an estimated 3,000 children under the age of 13 without first getting parents’ consent. COPPA requires operators of online sites or services directed to children, or operators who have actual knowledge of child users, to notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The FTC also charged Path with violating the COPPA rule by:

  • Not spelling out its collection, use and disclosure policy for children’s personal information;
  • Not providing parents with direct notice of its collection, use and disclosure policy for children’s personal information; and
  • Not obtaining verifiable parental consent before collecting children’s personal information.

For each contact in the user’s mobile device address book, Path automatically collected and retained user information, including any available first and last names, addresses, phone numbers, email addresses and other available user names and dates of birth. Path must now delete information collected from children under the age of 13 and no longer make misrepresentations about the extent of its privacy and confidentiality.

To prevent app developers from encountering similar issues in the future, the FTC introduced the Mobile App Developers.  The guide is designed to encourage developers to aim for reasonable data security and evaluate the app ecosystem before development.

Hopefully the Path settlement will serve as an example for future developers and raise awareness of COPPA concerns.

The Children’s Online Privacy Protection Act Evolves

Even if website owners don’t think they need to be concerned about the amendments to the Children’s Online Privacy Protection Act (“COPPA”), the new regulations may prove otherwise.  As indicated by the FTC, the final amendments are as follows:

  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  • close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  • extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  • require that covered website operators adopt reasonable procedures for data retention and deletion; and
  • strengthen the FTC’s oversight of self-regulatory safe harbor programs.

Third parties are required to take “reasonable measures” to delete a child’s information before going public on sites like Facebook; they are also required to delete it from their records. The newly enacted changes have mostly evolved to protect children from third-party sites such as mobile phone applications and social networking sites. The new amendments were enacted to account for the risks that accompany the many advances in technology.

New gTLD Developments

Prioritization Draw

Because of the huge number of applications submitted for the first round of new gTLDs and internationalized domain names (“IDNs”), the Internet Corporation for Assigned Names and Numbers (“ICANN”) held a “Prioritization Draw” on December 17 to randomly choose the order for the release of initial evaluation results of new applications. IDN applications were selected first, followed by non-IDN applications. The first non-IDN application chosen (109th in priority) was Amazon EU S.a.r.l’s application for “.PLAY.” Results of the drawing, along with more information about each application, can be found on ICANN’s web site.

The Objection Period for new gTLDs has been extended to March 13, 2013. To date there have been no objections filed against any applications.

Trademark Clearinghouse “Strawman Solution”

A Trademark Clearinghouse “Strawman Solution” has been posted for public comment. The Strawman Solution was developed in a series of meetings with various stakeholders to discuss the implementation of the Trademark Clearinghouse (“TMCH”) and its associated rights protection mechanisms. The TMCH is designed to facilitate the protection of trademark rights during the initial allocation and registration periods for domain names in new gTLDs. Trademark owners can register their rights in various strings with the TMCH, subject to verification.

The Strawman Solution includes a proposed implementation of Sunrise and Trademark Claims and addresses a number of the elements that were included in a set of recommendations by the Intellectual Property and Business Constituencies (“IPC/BC”) of the Generic Names Supporting Organization (“GNSO”). The Strawman proposals include:

  • Requiring a 30-day notice period prior to opening the required 30-day sunrise registration period for new domains (during which registrations are limited to those who can demonstrate rights in applied-for strings).
  • Extending the initial “Trademark Claims” period (the “Claims 1 Period”) from 60 to 90 days – i.e., the first 90 days of open (post-sunrise period) registration. During this period, anyone who attempts to register a domain name that matches a record in the TMCH will receive a notice informing the would-be registrant of the trademark owner’s claim of rights. For example, if Brand Owner, Inc., owner of the trademark BRAND, had registered its rights in the mark with the TMCH, and those rights were verified, anyone who attempts to register BRAND.would be given notice of Brand Owner’s claim of rights to the mark and would have to acknowledge the notice in order to proceed. In addition, Brand Owner would receive a notice of the registration of BRAND..
  • Adding a further 6-12 month “Claims 2” period that rights holders could participate in for an additional fee. During this period, anyone attempting to register a string contained in the TMCH (such as BRAND) would receive a notice that the string matches a record in the TMCH and a reminder of their responsibilities to avoid trademark infringement, but would not have to acknowledge the notice to proceed. The rights holder would receive a notice that the domain name has been registered.
  • Allowing rights holders to associate up to 50 strings with their TMCH record that previously have been adjudicated as having been abusively registered or used (such as in a domain name dispute proceeding or a court case). For example, if Brand Owner previously brought a successful UDRP proceeding against the domain name BRAAND.com, it would be able to associate the string “BRAAND” with its BRAND TMCH record, and the string would trigger alerts during the Claims 1 and Claims 2 Periods.

In addition, the Strawman Proposal discussed a proposal by GNSO’s IPC/BC for a “Limited Preventative Registration Mechanism.” This proposal, also posted for comment, is designed for rights holders who have verified claims in the TMCH and are qualified to register domain names during the Sunrise Period but who do not wish to actively use a domain name consisting of their mark in the new gTLD. Instead, if their mark is not registered during the Sunrise Period by another rights holder, the first rights holder could make a preventative registration of the domain name for five years (eligible for renewal), which would prevent any third party from registering the domain name (similar to the program included in the .xxx rollout). The domain name would resolve to a notice page.

New Social Media Privacy Law Has Wide-Ranging Possible Consequences

Following the lead of states like California, Illinois, and Maryland, New Jersey has become another state to pass legislation aimed at protecting employees from privacy concerns in the social media arena. In particular, the New Jersey bill, recently passed by its Senate, would prohibit an employer from (1) requiring a current or prospective employee to provide usernames, passwords or any other means of granting an employer access to the employee’s personal social networking account(s); or (2) even inquiring as to whether the current or potential employee has any social networking accounts.

This law is important because it is designed to prevent employers from retaliating or discriminating against individuals who refuse to disclose their personal social networking account information. Furthermore, the penalty for a company’s first violation is $1000 and the second penalty is $2500. Companies located in states with that sort of new legislation must update and revise their workplace and hiring policies and practices in accordance with the new law to avoid penalties.

ICANN Takes Steps to Provide gTLD Owners With Added Protection

ICANN, the organization charged with overseeing various internet-related tasks, including the new global top-level domain name (gTLD) system, recently began implementing a “Proof of Use” verification process. New gTLDs and their marks will be given protection through the Trademark Clearinghouse during its sunrise periods. A sunrise period is a set amount of time during which Clearinghouse data is used to determine whether any conflicting word marks exist. Rights holders who take advantage of the sunrise period must also show proof of use, which requires both a signed Declaration of Use and a single sample of current use (i.e., labels, tags, containers or products or advertising and marketing materials).

With this added protection, the process of registering for a new gTLD is becoming more like the trademark registration process, which includes a period for objection and a method for determining the level of protection one gains depending on the status of a mark. When registering for a trademark, applicants distinguish between marks currently being used in commerce and those that they intend to use in commerce.

Ultimately, the new Proof of Use requirements will likely be quite burdensome on trademark holders. For instance, the rule requires renewal once a year and a Declaration of Use with current samples to be provided every five years. Not all countries require proof of use, which makes this new rule an added burden on the registration process. But even for those countries that do have similar rules, an annual renewal can become onerous for larger organizations that own numerous trademarks.

Additionally, ICANN provides a list of examples of samples of use. Consequently, if it is found that ICANN’s list is exhaustive, then trademark holders will have yet another obstacle before them in complying with such a short list. Rights holders may have one last reprieve once ICANN has responded to the feedback received during its comment period on the new regulations, depending on those responses. Only time will tell. It will also be interesting to see whether ICANN imitates any other aspects of the trademark registration process and whether it creates an “intent to use” exception for rights holders who have not acquired adequate Proof of Use.