Significant revisions to Children’s Online Privacy Protection Rule trigger supplemental review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implementation of the law.

As described in the Federal Register, the COPPA Rule includes three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rule. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issued a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can be submitted electronically by clicking here.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

Fourth Circuit Joins Ninth in Limiting CFAA – Setting Stage for More Action

In 1986, Congress amended its earlier attempt to combat computer crime with the Computer Fraud and Abuse Act of 1986. It was further expanded in 2001 under the USA Patriot Act. The CFAA serves as both a criminal and civil statute. It imposes strong criminal penalties for unauthorized entry into computer systems and also provides an express private cause of action – enabling injured parties to sue intruders using the federal law as the basis for their claims.

The most controversial aspect of the CFAA has been the meaning of unauthorized access. Among the violations, Congress has made it a crime to “intentionally accesses a computer without authorization or exceeds authorized access….” The statute provides some additional guidance. The term “exceeds authorized access” has its own definition: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). So it seems fairly clear that using one’s password to acquire documents one has no right to read is a violation of the statute.

But data theft is more nuanced than just this. What about downloading documents when the person downloading has authority to use the material, but then uses that material in an unauthorized manner? Put another way – if an employee is fired and then takes the files she has had at home and brings them to her next employer, it is unlikely a CFAA claim can be made. Conversely, if she returns to work the day after being fired and downloads all the company documents, she has certainly violated the CFAA since her termination ended her authorized access to the computer. But what about the situation when one downloads the documents intending trade secret theft prior to being fired or quitting the company?

In a recent opinion, WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012), the Fourth Circuit faced this situation.

The court explained the split of authority interpreting the statute:

In short, two schools of thought exist. The first, promulgated by the Seventh Circuit … holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. Thus, for example, the Seventh Circuit held [in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)] that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned that his “breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

The second, articulated by the Ninth Circuit … interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. Thus, in [United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc)] the Ninth Circuit, sitting en banc, held that the defendant’s coconspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.

The Fourth Circuit opinion attempts to make sense of the language with a simple, plain language approach. “Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized,” the court explained. “Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.”

This separates the Fourth Circuit from the Seventh Circuit and even distinguishes it somewhat from other courts. Employees who hack into their employers’ computer systems to steal data or who use the username and password of other employees to gain greater access to computer systems will remain liable under the CFAA. But those who take electronic files home to work on them at night without express permission are beyond the scope of the CFAA. Similarly, those disgruntled employees who steal electronic files while on the job may be violating their terms of employment, company policies, and state laws, but they are not violating the CFAA in the Fourth Circuit.

Since it is better that the interpretation of a statute does not turn on the language in the employee handbook, this is a better result. Companies can still protect themselves by limiting access to sensitive information. Other laws protect against theft of trade secrets, and other torts provide remedies for breach of fiduciary duties. On the other hand, the distinction between the circuits need not be as stark. An employee who erases all company data before returning equipment has likely exceeded the authority to alter the data. This result is consistent with the outcome in WEC, and a court can still reach such misconduct under the cleaner interpretation of the Fourth Circuit.

While it remains to be seen whether the Fourth Circuit opinion invites Supreme Court review, it may be sufficiently well reasoned to invite other circuits to reconsider interpretations of the statute that go beyond the language Congress enacted.

NKU Chase Law + Informatics Institute

2013 Informatics Symposium announced – focusing on informatics in labor and employment issues.

NKU Chase Law + Informatics Institute 2013 Law + Informatics Symposium on Labor and Employment Issues

The annual NKU Chase Law + Informatics Symposium will be held this academic year on February 15, 2013, focusing on issues in labor and employment related to informatics, including such topics as candidate screening practices, employee privacy, data security and appropriate policies, gamification in training, and social media use. The program will include a day-long seminar and reception. Presentations delivered at the conference will be published by the Northern Kentucky Law Review. More information is provided below in the conference call for papers. A PDF of the Call for Papers is available.

Call for Papers

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the Law + Informatics Symposium on February 15, 2013. The focus of the conference is to provide an interdisciplinary review of issues involving privacy, data aggregation, security, communications, social media management and related topics affecting the legal and business practices involving labor and employment law. The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in informatics law as it applies to working conditions and employment practices. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics such as the following:

Privacy

  • Application of the Americans with Disabilities Act
  • Federal/state employment regulations regarding privacy
  • HIPAA, FERPA, COPPA, GLBA & other sector-specific privacy issues
  • EU & global privacy laws & policies
  • Bioinformatics in the workplace
  • Data mining of employee information
  • Social media and political change

Collective Bargaining

  • Use of informatics tools for collective bargaining
  • Collective bargaining positions on internet usage, data aggregation and social media
  • Online dispute resolution
  • Ownership of databases & data
  • Contracting & enforcement of agreements over sharing of data
  • Assessment of significant commercial expansions of informatics practices affecting public expectations & norms

Social Media

  • Employee discipline for internet and social media use
  • NLRB responses to social media
  • Use of social media in employee screening
  • Implications for privacy and discrimination lawsuits

Training and Security

  • Gamification in training
  • Computer security
  • Data protection & obligations regarding data breaches
  • Data reliability, including people’s rights to review & correct collected data
  • Retraining and employee obsolescence

Other Issues

  • Discrimination and access to public and semi-public information
  • Employee ownership of intellectual property and data information
  • Post-termination obligations of employers and employees
  • Employee contracting and end user license agreements
  • Global issues for similarly situated employees in multiple jurisdictions

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: October 1, 2012
  • Submission Deadline for Articles: February 1, 2013
  • Symposium Date: February 15, 2013

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish submissions in the 2013 Spring Symposium issue.  Articles, as well as case studies and abstracts of research in progress, will be considered for the symposium program for presentation purposes.  Only complete articles, however, will be published in the law review.  Abstracts for these papers will be due no later than the October 1, 2012 deadline and will be accepted on a rolling basis until that time.

Presentations (without publication) based on Abstracts:  The Northern Kentucky Law Review will review and select presentations for the symposium.  If you are interested in presenting without submitting a publishable article, an abstract of the presentation must be submitted by the October 1, 2012 deadline and will be accepted on a rolling basis until that time.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law. Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon Garon, Symposium Faculty Sponsor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, Director of Centers and Institutes Administration: JaegerL1@nku.edu or 859.572.7853
  • Brad Andress, Symposium Editor: andressb1@nku.edu or 812.343.6822

Patent Rules Being Revealed

The USPTO announced that on Tuesday, August 14, 2012, it will publish in the Federal Register final rules implementing a number of key provisions of the America Invents Act (AIA). These include

  • the inventor’s oath/declaration,
  • supplemental examination,
  • post-grant review,
  • inter partes review, and
  • covered business method review provisions.

The final rules will be available for public inspection in the Federal Register Reading Room on Monday, August 13, 2012 and available online. The inventor’s oath/declaration, supplemental examination, post-grant review, inter partes review, and covered business method review provisions become effective on September 16, 2012.

In addition, final rules relating to section 6, regarding the new post-grant review proceedings affecting both ex parte and inter partes review, are now available here.

The USPTO authors an implementation blog which provides a great amount of information. Janet Gongola, Patent Reform Coordinator, authors the blog and most of the notices regarding the new rules.

Earlier, on July 31, 2012, the USPTO published final rules in the Federal Register implementing the statute of limitations provision for Office disciplinary actions. These final rules as seen in the Federal Register are available here: OED Statute of Limitations Final Rules.

As these regulations are published, the details of the impact of AIA begin to take shape.

Full Disclosure Agreements Coming to California

In Forest Park Pictures v. Universal Television Network, Inc., 683 F.3d 424 (2d Cir. 2012) (Walker, J.), the Second Circuit vacated a decision pre-empting an implied-in-fact contract claim against Universal Television regarding the development of the USA Network television show “Royal Pains.” The case arose because in 2005, Hayden Christensen along with his brother Tove and their company Forest Park Pictures developed an extensive treatment and character bible for a show they called “Housecall” about a concierge doctor working in the rich Malibu suburb. After an unsuccessful pitch of the show to USA Network, the project was dropped. But later, Royal Pains aired as a conceptually similar series about a concierge doctor working in the Hamptons. (Clearly, the move from West Coast to East Coast obviated any substantial similarity.)

The district court reviewed only the copyright action and found that no copyrightable material was copied and dismissed on summary judgment. The Second Circuit reversed, holding that the implied-in-fact contract was not pre-empted by copyright law and that under California law, there remains an implied duty to pay.

California has long recognized that an implied-in-fact contract may be created where the plaintiff submits an idea (the offer) that the defendant subsequently uses (the acceptance) without compensating the plaintiff (the breach). … Forest Park alleges that it agreed with USA Network to be paid the industry standard for its idea, which is enough under California law to survive a motion to dismiss. At trial, Forest Park will have to prove that such an industry standard price exists and that both parties implicitly agreed to it.

The Second Circuit has added pricing to the establishment of an understanding, but given union minimum pay scales for at least some components in the sale of a show, the existence of some common practice may be possible.

The effect will likely be greater clarity regarding invitations for pitch meetings. Any studio hosting a meeting would be well served to use a disclaimer stating that while the company will respect the copyright ownership of any material submitted, it does not pay for ideas and does not pay for development services unless those services are specified in a written and fully executed agreement.

Fortunately for plaintiffs, old-Hollywood loves the myth of the deal on the napkin and the handshake agreement. So long as executives continue to work (as well as live) in a fantasy world, there will be room for claims of implied-in-fact contract breaches.