First, the background.  Federal and state securities laws govern the sales – including the solicitation of sales – of securities, affecting all efforts to raise capital for startups.  This includes any public efforts to raise money, and includes raising small or large amounts of money.  Generally, sales and solicitations of sales of stock require compliance with SEC and various state securities law, and more particularly the registration requirements of those laws.

The applicable federal laws are SEC regulations governing how capital can be solicited and from whom capital can be raised.

Advertising and Solicitation Rule. SEC Rule 502(c) prohibits “any form of general solicitation or general advertising” for the sale of securities, except as permitted by other rules.  These rules traditionally prohibited general fundraising through radio, television and newspaper advertisements, but for the same reasons would bar the same conduct through Twitter, Facebook and other social media.

Accredited Investor Rules. SEC Rules 504, 505 and 506 permit sales of securities to “accredited investors” without compliance with the securities registration requirements.  Accredited investors” is defined in SEC Rule 501, individuals with net worth exceeding $1 million or with annual income exceeding $200,000.

Now, the current context.  Social media is not new nor are calls to relax the capital raising rules, but noise for changes has come from increased start-up activity and, in particular, increased popularity of public fundraising sites seeking to “crowdsource” capital for ownership purposes beyond donations.  The Wall Street Journal reported in April that the SEC is considering revising its advertising and solicitation Rule, if not necessarily to permit unfettered general solicitations, then at least to allow increased recognition of some use of social media for startup companies and small businesses seeking to raise relatively small amounts of capital.  SEC chairman Mary Schapiro sent a letter in April to Darrel Issa, Chairman of the House Committee on Oversight and Government Reform, stating that the Commission was considering new Rules or relaxing existing Rules.  Schapiro noted that she had received a widely-supported petition to ease rules for crowd-funding capital raises of up to $100,000.

The Journal noted, however, that in the early 1990s the SEC relaxed registration requirements for capital raises of up to $1 million, as well as accredited investor rules for wealthy individuals.  The story also noted that those relaxed requirements had been abandoned at the end of that decade out of revived concerns about investor fraud – perhaps not coincidentally, around the same time as the dot-com crash.

Current advocates for relaxing the rules – see for example, Joe Wallin’s StartupLawBlog – suggest that the SEC’s rules “don’t make sense”, although without offering much support other than that Depression-era legislation and accompanying Rules never contemplated social media.  That narrow point in and of itself is almost certainly correct.

Presumably, though, rules designed to prevent fraud still accomplish exactly that in light of the proliferation of ways for fundraisers to reach a broader investing public.  The advocates of changing the rules seem to be principally the same people who have always loathed the SEC, namely people trying to raise money from the public.  A better argument against the SEC’s existing rules might be simply that investors do not need these protections anymore, not that the existing rules aren’t adaptable to the medium.  That may or may not be true, but that does seem to be Wallin’s real argument when he writes, “If folks are willing to acknowledge that they are willing to lose their money on a highly speculative venture, let’s let them.”

Interestingly, the National Venture Capital Association has already publicly opposed any such broad regulatory relaxation.  From the NVCA’s perspective, securities law changes that incentivize small capital raises will discourage ultimate interest in companies seeking to tap into the broader public capital markets through traditional initial public offerings (IPOs).  Since IPOs are the most common form of payday for venture capital, this of course diminishes the attractiveness of venture capital, for investors and for entrepreneurs.

Here, then, the first of several Frequently Asked Questions about privacy policies.  Or to be more precise, here now some practical answers on privacy practices:

FAQ #1: Can I simply post a privacy policy and forget about it?  Short Answer: No.  Longer Answer: No, because as between posted statements and actual compliance, actual compliance is what’s required.  In that sense, posting a privacy policy matters only in that it commits you to honoring the commitments you make in your posted policy.  Which is important and can cause grief down the road if you breach your own posted policy, often the bane of companies that post a “boilerplate” policy lifted verbatim from another website which they haven’t actually read.

But what really matters is actual compliance, meaning compliance with privacy laws.   So … how do you know what laws to worry about, and which aspects of those laws?  Is it really helpful to answer “all laws”?  Yes, in the sense that you always have to comply with “all laws”.  But not all laws apply equally in all cases, and the same is true with privacy practices.

FAQ #2: What laws govern privacy practices?  This is a huge topic, so where to begin?

Industry-Specific Privacy Laws. You follow laws applicable to your particular type of industry.  Examples:

• Financial Data, including the various federal laws covering privacy of financial data, such as the Gramm-Leach-Bliley Financial Modernization Act of 1999.  Gramm Leach-Bliley is one of a number of laws that apply if your business deals with loans, financial or investment advice, insurance, or any type of financial product or service.

• Medical Information, particularly privacy laws like HIPAA, which deals with handling and security of patient medical and healthcare information.  HIPAA itself is an enormous topic obviously applicable to physicians and medical practices, hospitals and insurance companies, but also to any number of service providers including software and systems providers to the healthcare and pharmaceutical industries.

• Children’s Privacy Laws. If your business has products or services targeted to an audience that will likely include children, the Children’s Online Privacy Protection Act (referred to as COPPA) kicks in.  But again, like HIPAA, COPPA applies whether or not children are your intended audience.  The reach and pervasiveness of the internet – and lack of real ability to guarantee age access restrictions – make COPPA applicable to a larger swath of online activities than you might otherwise think.

Advertising Privacy Laws. Advertising law itself is a large topic, but certain advertising laws specifically cover privacy practices.  2 in particular to note:

• Section 5 of the FTC Act.  The FTC Act is certainly not a new law, but its general provisions against fraudulent business practices also regulate fraudulent privacy practices.  The FTC Act is the general framework under which the government and consumers can seek redress for deceptive or misleading practices, commonly where a privacy policy’s disclosure is inconsistent, deceptive or misleading with respect to actual privacy practices.

• The Federal “SPY Act” (Securely Protect Yourself Against Cyber Trespass Act).  Among other privacy matters, the SPY Act governs use of “information collection programs” that collect personally identifiable information and either send the information to anyone other than the user, or use the information to display advertising.  The SPY Act requires not only disclosure of use of these types of programs, but also affirmative user consent to their use.  Where does the Spy Act really kick in?  The Act requires that disclosure – and consent – to use of the collection of personal information be “clear, conspicuous, written in plain language, and clearly distinguished from any surrounding text or information”.  What is unclear is whether affirmative consent through clickthrough acceptance of privacy terms and terms of use would satisfy the acceptance requirements, although I have yet to see a website require anything further.

State Laws

It is certainly true that state laws apply in whatever business and whatever field you operate.  This will definitely be true of the state of your business location, of course.  A great place to start is The American Institute of CPAs (AICPA), which has a fine online resource of state privacy laws.

At a minimum, the AICPA’s resource will guide you on what’s applicable in your home state and the states in which you clearly operate.

Beyond that threshold issue, privacy is an area of particular state-law sensitivity for many reasons.  Many states have privacy laws applicable to businesses operating in their jurisdictions, and some states have famously enacted aggressive privacy legislation.  Many of those same states have taken quite liberal positions on the applicability of their laws to online activities.

A more generous view is that certain states are simply leading the country in privacy activities.  Privacy practices – not just policies, but actual practices – that comply with the laws of these states will tend to be compliant with the laws of most states, making attention to them a useful exercise.  These states include California, Massachusetts, North Carolina and New York.  But they also include states like Vermont and Maine, two New England states that just recently found themselves defending state laws allowing physicians to opt out of publicly disclosing patient prescription drug information.  Indeed, Vermont’s case will be argued in the US Supreme Court this spring, illustrating the national significance of seemingly narrowly-applicable state laws.  These are important laws for business activities in these states, of course, but equally so because many other states are following their leads.  And many states – Vermont and Maine included – are aggressively policing the activities of online businesses even remotely touching upon their jurisdictions.

FAQ #3: So … What Do Businesses Actually Do?

How do you “do your best” when you’re potentially exposed to a gazillion laws and regulations, many of which seem so much like “gotcha” laws aimed simply to trip you up?  One answer is best practices.  The Better Business Bureau and TrustE are two among many reputable organizations that develop and update privacy guidelines and “model” policies.  Industry-specific groups publish best practices and guidelines for their industry members.  The Direct Marketing Association has a good example on its website, www.the-dma.org.

These really are great resources because they tend to be sensitive to national and leading-state trends in privacy while encouraging implementation of policies that match actual privacy practices.

I will separately write more about this “do your best” topic as well as major points that privacy policies – and actual privacy practices – should reflect.

In today’s podcast, we cover trademark cases from both U.S. and European Union courts involving major search engines such as Google and Yahoo.  In particular, we look at whether and how search engines can be held responsible for trademark infringement when advertisers buy search result advertisements using the trademarked names of their competitors.

My guest is Howard Hogan, a partner in Gibson, Dunn, & Crutcher’s Washington, DC office.  Howard’s practice focuses on intellectual property litigation and counseling, including trademark, copyright, patent, false advertising, licensing, media and entertainment, and trade secret matters.

The trademark issue arises because in many countries, including the US, the search engines allow companies to advertise next to search results using their competitors’ trademarks.  We have seen a major shift in the last year.  Before 2010, it was clear that at least in France and Germany, it was not appropriate for search engines to sell marks, and Google’s policy reflected that.  In the US, there was a divide between the district courts of the Second Circuit and the rest of the country as to whether buying and selling trademarks for search engine advertising constituted a “use in commerce,” but there was very little law on whether that use was likely to cause confusion.

Now, in Europe, the law seems to have shifted against holding search engines liable, but leaving open the potential for trademark holders to go after the advertisers.  In the U.S. the “use in commerce” question has been resolved decisively against the search engines, and the debate has shifted to the “likelihood of confusion” question.  On one hand, we are starting to see more decisions finding that their sale of the marks are not confusing (Rosetta Stone, Boston Duck Tours, College Network) at the same time as other courts are finding that the use of marks by an advertiser are likely to cause confusion (Storus, Skydive Arizona).

Please press play on the audio player to hear the podcast.

What types of activities must be monitored and policed?  Infringement and dilution.  Or in other words, any third party uses of the same trademark or confusingly similar versions that might cause confusion in the marketplace about the source of the goods or services represented by the trademark.

Trademark Duty to Monitor and Police

2 basic reasons to monitor and police: First, the government won’t do it for you.  The Trademark Office is actually quite explicit about stating this, see here.  Second and more to the point, unchallenged third party uses of a trademark could legally – and actually – weaken the strength of the trademark as an identifier of the owner’s goods or services, which in turn weakens the owner’s ability to later enforce the trademark and devalues the worth of the mark.

I previously discussed the problems raised by generic or descriptive trademarks, types of marks that cannot even be registered under trademark in the first place, or at best only under the trademark office’s Supplemental Register (rather than the Principal Register), with its very limited protection.

Sustained multiple common uses of a trademark risks the mark being deemed – or actually becoming – in-distinctive or descriptive of a class of goods or services, rather than being principally identified with the owner of the trademark.  (I previously suggested the example of “KLEENEX”.)

And that neatly sums up the real reason why monitoring and policing is so important: Not only can common usage of your name or brand prevent you from obtaining trademark registration in the first place.  Indeed, registration can be lost or (more practically) made worthless by a prospective inability to enforce.

The duty to monitor and police is not a statutory requirement under the federal Lanham Act or any similar state law.  Nonetheless, good trademark practice and intellectual property asset management demands attention to it.  In rejecting or sustaining trademark owners’ claims of infringement, published caselaw involving some prominent trademarks has relied on evidence of a trademark owner’s failure to perform the duty (Hard Rock Café Int’l (USA) Inc. v. Morton, 1999 U.S. Dist. LEXIS 13760, No. 97 Civ. 9483, 1999 WL 717995 (S.D.N.Y. Sept. 9, 1999)) or a trademark owner’s successfully performing that duty (Coca-Cola Co. v. Purdy, 382 F.3d 774 (8th Cir. 2004)).

How to Monitor and Police

A good primer on this subject, including various avenues of monitoring and policing, can be found here from a cyberlaw class at the University of North Carolina Law School.

Many companies offer trademark monitoring services, including large data firms like Thomson Compumark and Trademark Express.  Intellectual property law firms also provide this service to clients, including my firm and many others.  Organizations with large intellectual property portfolios often dedicate in-house legal or paralegal staff to the process.

As many commentators note, monitoring for and early detection of infringing uses can be cost-effective in nipping problems in the bud, simply by facilitating contact with potential infringers early in the life of their infringing use, and thus presumably at a lesser level of investment and other commitment to their continued infringing use.

Since there is no statutory requirement to monitor and police, the required scope of the monitoring is nowhere mandated.  Nonetheless, certain procedures are commonplace.  These include:

1. Regular monitoring of the US Patent and Trademark Office’s trademark database, Trademark Electronic Search System (TESS), on a regular, scheduled basis.

2. Prominent use of the “®” symbol for registered trademarks, and “TM” or “SM” symbols for unregistered (or pending registered) trademarks, on all public uses of your goods or services, to formally establish your own public claims on your marks.

3. Establishing and implementing a company-wide trademark usage policy.  This is typically made part of a company’s Personnel Policy or Employee Manual, though sometimes separate.  The trademark policy alerts all company management, staff, vendors, business partners, contractors and subcontractors, agents, and others on both the rights established by the company’s marks and proper usage of the marks.

4. Conducting a thorough search of your trademarks in the top internet search engines (Google, YouTube, Yahoo!, Bing and AOL), on a regular, scheduled basis.

5. Setting up Google Alerts to automatically monitor trademarks.

6. Contacting potentially infringing third parties to alert them of your trademark rights, and requesting compliance with changing or stopping usage.

7. Sending “cease and desist” letters.

8. As necessary and appropriate, and commensurate with cost and situational expectations, commencing legal action.

While premature to draw any broad conclusions on the enforcement environment for the new rules, a philosophical problem with the FTC’s new blogger framework is its willful ignorance of the advertising underpinnings of traditional media.

So, for example, while established newspapers like the New York Times and Washington Post depend for their credibility on perceived soundness of the journalistic “church-state” divide, readers are almost never proactively alerted to major advertising support from common story subjects in business and politics.  Disclosure more typically comes from investment or ownership relationships, in the form of “full disclosure” statements like that from Ezra Klein when reporting about Facebook (“Disclosure: Washington Post Co. Chairman Donald E. Graham is on Facebook’s board, and The Post markets itself on Facebook.”).  Not, though, from advertising relationships, even major advertisers.

At least not with newspapers.  PBS’ Newshour, NPR and other public news broadcasts commonly disclose underwriting relationships involving story subjects.  However, the same cannot be said of commercial television news broadcasts unless they involve investment or ownership relationships.

Since the underwriting structure of public broadcasting is substantively no different than the advertising relationships of newspapers, commercial television and most media websites, editorial disclosure of the financial support – of any kind – of such media outlets seems equally appropriate.

Citizen Media Law Project, in its coverage of Anne Taylor action, notes that the FTC guidelines limit disclosure to cases where the sponsorship relationship is not “reasonably expected by the audience”.

Put in the context of audience reasonable expectation, this seems rather generously written for the benefit of old-line media, which has relied for generations on the presumption of credibility by its readership much more so than disclosure.

Why then, shouldn’t bloggers be afforded the same benefit of the doubt that newspaper publishers have been given for generations?  Yes, there will always be egregious cases of paid-for “earned media” such as the Reverb case with iTunes.  But it used to be that time and dedicated readership was the ultimate arbiter of media influence.

This all begs the question of why the expectation of the relationship – rather than actual influence – is the measuring stick.

Google’s popular and dominant advertising service, AdWords, allows companies to place auction-style bids on search keywords.  If a company bids the highest amount on a keyword, that company’s ad comes up first when someone searches the keyword.  The company then pays Google on a pay-per-click basis.  In many countries, including the United States, Google lets companies advertise next to search results from use of their competitors’ trademarks.

Let’s say you want to buy a Louis Vuitton bag.  You know it’s expensive, so you might not want to buy it directly from the company’s website.  Instead, you might search “Louis Vuitton bags” on Google and assess other options.  As you can see in a search of “Louis Vuitton bags”, you may find some “Sponsored links” to the right of your search.  Sponsored links such as the “Louis V. Bags Handbags” come from the AdWords service.A search for “louis vutton handbags” turns up a sponsored link from something like Handbags.Smarter.com that says they have great deals on the product you’re searching.  For your purpose of buying an LV bag on the cheap, it sounds promising.  But what if the site sells counterfeit Louis Vuitton bags?

Earlier this year, Louis Vuitton’s parent company, LVMH Moet Hennesy Louis Vuitton, raised this concern in the French courts, and France’s highest court referred the matter for guidance to EU’s European Court of Justice (ECJ). The French luxury goods company claimed that by allowing other companies to advertise next to searches on its trademark, Google was enabling trademark infringement.  LVMH argued that only it or those acting with its permission should be permitted to buy ads for searches on trademarked names.

Google argued that allowing third parties to bid on ads benefits consumers, as it can give them useful resources for making decisions on a purchase.  Plus, Google added, trademark owners can still submit a complaint if they think consumers might confuse a third-party ad as having their brand name or stamp of approval.

The ECJ ruled for Google, and beginning in September its AdWords policy in Europe will be similar to those in the United States and the United Kingdom.  Advertisers in Europe will be able to bid on ads next to searches for their competitors’ trademarks.

Google’s victory in the ECJ has caveats and important exceptions.  For example, consistent with a trademark owner’s infringement claims of likelihood of confusion or dilution, the European court warned against instances where advertisers create an impression that they are “economically linked” with the trademark owner.  More problematic for Google, though, is the ruling’s confusing ambiguity and its inconsistency with a subsequent ruling in the same matter by France’s highest court last month.  As the Los Angeles Times commented at the time of the ECJ ruling,

The [ECJ] said that Google is merely a provider of advertisements, not a company infringing trademark rights.  The court ruled that only advertisers are liable for infringing a trademark, and not the company providing a place for ads.

The distinction is significant because of its narrowing effect: While AdWords in itself might not infringe trademark, that’s only because (and limited to) the passive facilitator role Google’s service plays in the process.  In the United States, Google has successfully argued in other contexts of its immunity from copyright infringement under the Digital Millennial Copyright Act (most obviously in its litigation with Viacom over YouTube).  The DMCA does not apply to trademark infringement, but the philosophy of Google’s argument is consistent: We are simply a vehicle for advertisements and content.

The limitation in the trademark context on Google’s claimed immunity as purely a platform was underscored by the ECJ.  While not directly liable for infringing, Google must be responsive to valid claims of infringement by trademark owners.

In July, the French Supreme Court revoked a 2006 ruling of the French Court of Appeals against Google for trademark infringement in the same case, in light of the ECJ ruling.  The French court ordered the case back to the Court of Appeals for review and assessment of damages (if any) against Google.  Nonetheless, the court was somewhat less qualified than the ECJ in rejecting Louis Vuitton’s claims against Google for trademark infringement, leaving little wiggle room for possible arguments against Google based on vicarious, contributory or secondary liability.

The first will be Monday April 19th at 2pm, and called “Is this Barack Obama’s Real Facebook Page? Domains, Twitter Handles, Online Presence – real or fake? Intellectual Property, Cyber Identity, and More!”.  I will be joined on the panel by Jason Torchinsky of Holtzman-Vogel, Matt Sanderson of Caplin & Drysdale and Neal Seth of Baker Hostetler.

The second will be Tuesday April 20th at 10:30am, and called “Laws Affecting Digital Communications – Copyright, Privacy, Elections/FEC, Advertising, Libel, Contract Law, etc.  Rules, Regs, Fines and Community “Standards” Applicable to Communicating in Digital Media.”  On this panel, I will be joined by Jason Torchinsky of Holtzman-Vogel and John Stewart of Crowell & Moring.

Details at polc2010.com/.

A Privacy Policy might typically say something like this:

“A ‘cookie’ is a small text file on your computer’s hard drive that our Web site uses to collect information about how you use our site.  The cookie transmits this information back to our Web site each time you visit a page on our site, thus allowing us to identify our most popular pages, features and data.”

To someone not working for an ad agency or at a publisher or for, say, Google, reading these terms, what they might read could be summarized like this: “Software … embedded in my computer … I have no choice … it stays there forever and ever … it will watch my every move and report back to its masters and possibly the government … my wife might find out.”

Kind of makes one think of that great Far Side cartoon called “What the Dog Hears” (or something like that), with the first panel showing the human saying to her dog Wendell, “That’s a good boy, Wendell, you are such a smart dog, Wendell, why don’t you show everybody how you roll over, Wendell”.  While the second panel shows what Wendell actually hears: “Blah blah blah, Wendell, blah blah blah, Wendell, blah blah blah blah blah, Wendell.”

Could be described as a bit of a marketing problem for an industry famous for … marketing.  Ironic isn’t it?  I wrote previously about the uniquely private culture of privacy in America, in this century (at least) drawing from the fount of Louis Brandeis’ wish for a simple right “to be let alone”.  On the face of it, therefore, what could possibly be more instinctively offensive to that sense of privacy than a pitchman’s calming missive of “don’t worry about this little thing we’re putting into your home”?

So, agencies and advertisers squabble over who gets to keep that very valuable consumer data derived from online advertising campaigns and consumer activities.  Meanwhile, Congress threatens to lay its blunt and heavy hand on the ability of publishers, agencies and ad networks to use cookies, beacons, profiling and other increasingly improving ad serving technologies to better match advertisements with readers.

Publishers will argue – perhaps justifiably – that cookies are essential to ad serving.  (Which technically is not correct, since there are customizable techniques used across the industry with varying degrees of success.)  But as one prominent Washington publisher told me, the standard for serving is Google-Doubleclick’s DART service – which requires use of cookies.  And since the industry tends to rely heavily – and comfortably – on the reporting consistency of DART, use of cookies remains essential.

Put another way, DART is the standard for ad buyers, cookies are required by DART, and therefore cookies are essential.  Not to mention the more structural problem with removing or restricting targeting from an advertising-dependent publishing medium, which would directly impact CPMs and the basic ability to publish.

Facebook was recently sued by Power.com over issues that could be distilled to who owns user personal information and usage data.  This is a complicated dispute involving conflicting motivations of Facebook (depending on the legal question involved) to claim or disclaim ownership of user data.  Facebook might plausibly argue that a certain amount of data ownership is necessary for Facebook to provide its service in the first place.  They’d have a point to the extent content and ads are targeted to users, which of course they are all the time in a network that “suggests” and “recommends” and “connects”.  Of course, Facebook’s user agreement (like, say, YouTube’s) doesn’t actually claim any right to a user’s data, instead essentially taking a license to the data for purposes of performing necessary site functions.

The data fights tend to pit advertisers, agencies, ad networks and publishers in a grudge match which ignores the very source of the data itself, people using the internet.  Exhibit A is Power.com versus Facebook, and privacy advocates easily recognize that neither adversary has users’ interests at heart.  Privacy might be passé, as Maureen Dowd writes in today’s New York Times, but that would argue that noone owns data, and noone can control it.

In other words, expectations were governed by historical industry practice.  Copyright and contract law didn’t play much a part.

But what about campaign performance?  What about reports and research and metrics and all the “data” compiled by the agency to make its case?  Forrester and Gartner Group and Corporate Executive Board and their ilk have been selling research reports for years on these sorts of things, but agencies typically didn’t bother with industry best practices-type studies or reports.  Work was done for clients, and work product was owned by the clients (or again, was assumed to be).

Fast forward many years beyond the traditional Madison Avenue construct to the age of advertising networks.  Now, as Advertising Age described [requires registration] earlier this year , “on each ad deal, there is push-pull among publisher, agency/advertiser and, in some cases, an ad network.  And until recently, ad networks helped themselves to data because no one bothered to stop them.”  And noone cared enough anyway.

The two developments that have changed things entirely are the explosion of data available, and the maturing of the internet.  They’re intertwined developments, of course.  Now, the advertiser or agency or network manages a campaign for a client or (more likely) numerous clients.  The fight today will not be about who owns the ad copy or the brilliant webisode.  The smart client will want to know – and be able to control – what works and why it works.  But so will the agency and so will the network.

And as James Othmer described in the Washington Post recently, “Ads in the [1960s] “Mad Men” day were about the art of persuasion.  Advertising today is about the art of engagement.”  Othmer neatly illustrates this point with its own compelling data: “[T]he average American living in a city 30 years ago saw up to 2,000 ad messages a day.  Today, estimates range from 5,000 to 20,000 ad impressions a day.”  Data has driven impression explosion and the demand for market engagement and hypertargeting has driven a demand for data.

Data includes traditional online metrics like numbers of impressions, numbers of clicks, purchase response, where domains are coming from, who they are.  But now it’s much more than this, too, and much more specific.  From the New York Times:

“When someone visits a site like Expedia or Autobytel.com, that site captures valuable information: Someone is a first-class traveler, for instance, or shopping for a hybrid car. Those sites have deals with data companies, like BlueKai and eXelate, to place a … cookie … on that visitor’s hard drive, indicating those preferences. An advertiser like Varick [Media Management, an advertising agency] bids on those cookies, instructing an exchange that it will pay a certain amount for an ad when a certain cookie is for sale.  Other companies, like Media6Degrees and 33Across, analyze the world of social media, using cookies and interaction data to find “lookalike” groups among friends on Facebook, Flickr or other social sites. Their theory is that friends share values and are likely to respond to similar marketing messages.  Finally, companies can add cookies for anyone who visits pages on their sites – if someone gets to the checkout page, then abandons his shopping cart, the company will probably pay lots of money to advertise to him again.”

Advertising agencies have been building up their own “data practices” to compete with the ad networks and with each other, and to take advantage of the reams of data collected through use of cookies and other ad serving technology enabled by the internet.   Again, from the NY Times’ profile of ad agency Varick Media Management, creating value where there may have been none perceived before:

“Varick and its handful of competitors cement their strategies around a system called exchanges, a mechanism that helps online publishers like NBC.com or Yahoo.com sell ad space.  While publishers have some ad space no company would bid on in advance – few advertisers would book a random Yahoo mail page, for instance – publishers still want to show an ad when someone loads that page.  So the publishers let an ad exchange like Right Media, from Yahoo, or DoubleClick Advertising Exchange, from Google, sell that space instantly, through an electronic auction, and get a cut of sales.  Such random, seemingly unwanted space could be virtually worthless.  But because ad agencies can now use multiple sources to gather very specific demographic data about visitors, such space gains value and can be brokered on an exchange.”

In other words, while it actually may be no easier than ever to “know what works” in advertising, there is now data available to at least try to justify an answer.  And in many cases, particularly with take-action campaigns, the data theoretically cuts out much of the guess-work.  (Privacy policies will still fret about limits on personally identifiable information (PII), but regulations on PII can potentially become toothless as simple extrapolation can use non-PII to the same end.)

Why would advertisers be willing to give up the data?  Two immediate reasons come to mind.  First, they may have no interest in it.  Advertisers are in the business of developing products and services, not specifically in the business of advertising or data collecting.  The second reason may be related to the first, in that they may have no idea that this data exists or (more realistically) any real ability to do anything with it if they got it.  They don’t have “data practices” or Wall Street quant analysts on staff to crunch numbers and micro-manage online campaigns.  That’s presumably what Google or Varick does for you, and you’re happy to let them do it.  Besides, how many small businesses are presented with inch-thick briefing reports by consultants only to shrug, “I just want you to sell my product.”  Anyway, who wants to deal with trafficking?

Why would publishers give up the data?  Take the question of ad inventory optimization.  You would think this proprietary, but it’s not exactly clear to whom.  It’s not an issue of confidentiality, but the publishers do want to be able to learn something from their experiences.  Performance data derived from the experience of optimizing inventory would (perhaps) be quite valuable as an end-product in itself.  How to serve ads to best match with context?  How to serve ads to best maximize click-throughs and impressions?  To best satisfy advertiser desires for demographics?  With action performance metrics like point-of-purchase campaigns or other “take action” campaigns?

Since the relationships of ad buyers are with the network and not with the publishers, the publishers don’t own these relationships nor all associated contact information, campaign information, and (perhaps) ad spend dollars.  Publishers may only get aggregate performance reports, rather than identity of specific advertisers, ad spend or specific campaign information.  Besides, in a down economy, many publishers are pleased with the additional traffic and accompanying revenue.  And like the advertisers, publishers may simply lack the resources to best traffic their pages and, especially, monetize their excess inventory.

Is this an arcane – and largely academic – legal issue, or a debate with serious business import?

A doctor’s office analogy may be apt (discussed in Davis Wright Tremaine’s Privacy and Security Law Blog): The doctor’s office owns the physical paper chart or the electronic database with a patient’s health information.  The data itself belongs to the patient.  But how do you practically distinguish between the chart and the data?  HIPAA and other privacy laws restrict the doctor’s ability to use the patient’s data, and “ownership” is more or less allocated by implication to the patient.

But those are privacy laws, not copyright, and few would argue that the doctor lacks rights to make use of the chart (albeit a restricted use).  In any event, the analogy breaks down at this point because at least here you have an interested party (the patient, i.e. the end user) who obviously has a direct personal stake in the debate and is sensitive to the issues involved.

Advertising Age has called the fight over user data and media consumption “tectonic”, but what exactly is the legal fight about other than establishing market clout?  Contract rights can give a WPP clear title to certain data, but a contract does not necessarily waive a party’s rights in data that that party inherently owns.  For example, while WPP’s contract states that “[a]ll data generated or collected by [Publisher] in performing under this Agreement shall be deemed ‘Confidential Information’ of Agency/Advertiser”, is that a valid release of a publisher’s interest in site registration data for users?  Or for that matter, is that particular subset of data even covered?  Another subset: much of the same types of user data that a publisher might be able to glean irregardless of the presence of the ad?

Applications of cookies and beacons and other tags to serving of digital ads do not necessarily clearly distinguish among data derived from the ad and data derived from server software or a publisher’s content management system.

Problem number two is that, just because a database compiles data, that doesn’t automatically make that data “owned” by the database.  Publicly available data that is “there for the taking” is not presumptively subject to a land-grab.  For contract rights to be enforceable, all interested parties must consent, and all interested parties must be freely able to do so.  Who is to say (and noone yet has said) that consumers are freely able to give up their rights to their own behavioral data?  And in any event, no site visitor is ever party to advertiser contracts.

The online advertising industry seems to be in a stand-still awaiting the IAB/4A’s weigh-in on the subject, still expected later this year.  In the meantime, behemoths like WPP are dealing with the issue through cramdown contract terms, and you might expect the industry to follow WPP’s lead for the time being.

Like all advertising, web advertising has always been somewhat more art than science (yet), for better or worse, with accompanying difficulties in translating eyeballs into advertising revenue metrics.  Comes now the collapse of the web advertising market.  What then becomes of the willingness to go along with liberal content “scraping”, excerpting and other copying under “fair use” arguments?

Brian Stelter probed this very question in the NY Times recently.  Stelter interviews, among others, Henry Blodget of Alley Insider and Arianna Huffington of The Huffington Post, whose publications are among the most aggressive and overt in the practice of integrating others’ content into their writings.  Ms. Huffington states, honestly, that “we excerpt to add value”, which is probably a fair statement, except that Stelter also notes that these sites “highlight [] what they deem to be the most meaningful parts of newspaper articles and TV segments.”

That is troubling from a fair use perspective, removing any serious reason for a reader to follow the link – even where prominently attributed – to the original source.

Further trouble with a fair use argument comes from the evaporation of any serious financial benefit from any increased traffic that does happen to make its way over.

Stelter goes on to discuss the renewed interest recently in paid-subscription models, alluding to (although not specifically discussing) the micro-payment debate among publishers, particularly newspaper strategists.

The whole issue seems the logical next step (a middle-stage consequence) of the enormous success of news aggregator sites like Huffington Post, Google News and others dependent on a vital supply of fresh – and freely available – original content sources.  When does the argument go from an examination of “fair use” to one of how does this business model continue to sustain itself?

To quote the now somewhat-questionable wisdom of (in-bankruptcy) Tribune Company owner Sam Zell, “If all the newspapers in America did not allow Google to steal their content for nothing, what would Google do?  We have a situation today where effectively the content is being paid for by the newspapers and stolen by Google, etcetera.  That can last for a short time, but it can’t last forever.  I think Google and the boys understand that.  We’re going to see new deals and new formulas in the media space that reflect the reality of cost benefit.”

Zell’s comments were dismissed as the know-nothing crankings of a real-estate tycoon dabbling in a foreign sandbox, but he was clearly on to something.  He may not have anticipated the utter collapse – or the timing of the collapse – of the web advertising market, but he was familiar enough with the axiom that economic turndowns reveal the flaws that auditors miss.

[Originally published in Media Future Now on March 16, 2009]