<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Mirsky &#38; Company, PLLC &#187; Advertising</title>
	<atom:link href="http://mirskylegal.com/category/advertising/feed/" rel="self" type="application/rss+xml" />
	<link>http://mirskylegal.com</link>
	<description>Attorneys for New Media, Technology, Employment, Corporate, and Intellectual Property Law</description>
	<lastBuildDate>Tue, 01 May 2012 20:41:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Privacy: Consent to Collecting Personal Information</title>
		<link>http://mirskylegal.com/2012/04/privacy-consent-to-collecting-personal-information/</link>
		<comments>http://mirskylegal.com/2012/04/privacy-consent-to-collecting-personal-information/#comments</comments>
		<pubDate>Wed, 04 Apr 2012 20:11:44 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Apple App Store]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[consent]]></category>
		<category><![CDATA[COPPA]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[do not track]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Facebook consent decree]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[FTC Act]]></category>
		<category><![CDATA[FTC Act Section 5]]></category>
		<category><![CDATA[FTC Enforcement]]></category>
		<category><![CDATA[geo-targeting]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Groupon privacy]]></category>
		<category><![CDATA[location-based targeting]]></category>
		<category><![CDATA[mobile apps]]></category>
		<category><![CDATA[mobile developer]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[privacy consent]]></category>
		<category><![CDATA[privacy policies]]></category>
		<category><![CDATA[sensitive information]]></category>
		<category><![CDATA[sensitive personal information]]></category>
		<category><![CDATA[sensitive PII]]></category>
		<category><![CDATA[State Laws]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[unfair and deceptive trade practice]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[location-based services]]></category>
		<category><![CDATA[OBA]]></category>
		<category><![CDATA[online behavioral advertising]]></category>
		<category><![CDATA[privacy policy]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=1271</guid>
		<description><![CDATA[Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a [...]]]></description>
			<content:encoded><![CDATA[<p>Gonzalo Mon <a href="http://mashable.com/2012/03/13/mobile-privacy-legal-developers/" target="_blank">writes</a> in <em>Mashable</em> that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”</p>
<p>First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?</p>
<p><strong>1. Government Enforcement</strong>.  The Federal Trade Commission’s <a href="http://ftc.gov/opa/2011/11/privacysettlement.shtm" target="_blank">November 2011 consent decree with Facebook</a> requires express user consent to sharing of nonpublic user information that “materially exceeds” the user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.</p>
<p><strong>2. User Expectations Established by Actual Practice</strong>.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the <a href="http://blog.privacychoice.org/2012/01/23/geo-ip-location-targetingwhen-is-consent-required/" target="_blank"><em>PrivacyChoice</em> blog</a>, the CEO of <a href="www.placeiq.com" target="_blank">PlaceIQ</a> explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  <em>This creates a baseline user expectation about consent for precise location targeting</em>.”  (emphasis added)<span id="more-1271"></span></p>
<p><strong>3. User Expectations Established by Widely-Adopted Self-Regulatory Standards</strong>.  Again, this is not a government-issued mandate.  For example, the <a href="http://www.networkadvertising.org/networks/2008%20nai%20principles_final%20for%20website.pdf" target="_blank">Network Advertising Initiative (NAI) Principles</a> provide for transparency – in disclosure – of how information is collected and to be used (including, in particular, for online behavioral advertising targeting) and for opt-in consent for collection and uses of sensitive personal information (and opt-out consent for any other type of personal information).</p>
<p>A challenge here is determining what constitutes a widely-adopted standard, and what “standard” is (effectively) legal guidance.  While government may not provide guidelines or “safe harbors” for best practices, the marketplace will tend to migrate toward adoption of standards.  This is potentially perilous for businesses because in a rapidly-changing industry dealing with constantly evolving technologies, who’s to really say what practices are “best practices” or industry standard?</p>
<p>And quite quickly, industry codes can take on the clothes of actual law.  In its <a href="http://www.ftc.gov/opa/2012/03/privacyframework.shtm" target="_blank">March 26, 2012 privacy report</a>, the FTC stated that it “will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct.  <em>To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts</em>.  If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.” (emphasis added)</p>
<p>On the other hand, the technology industry is certainly familiar with “best practice” guidelines used to benchmark “commercially reasonable” practices for contract breach disputes.  Some examples are <a href="http://www.forrester.com/Best+Practices+Software+Development+Processes/fulltext/-/E-RES47913?docid=47913&amp;src=56100pdf" target="_blank">here</a>, <a href="http://www.construx.com/Page.aspx?nid=14" target="_blank">here</a> and <a href="http://codebalance.blogspot.com/2011/02/20-software-developing-best-practices.html" target="_blank">here</a>.</p>
<p>Second, even if legal requirements for obtaining consent are not uniformly applicable, it may still be a good idea to get user consent before collecting users’ personal information.  Here are six reasons why:</p>
<p><strong>1. The FTC has frequently and increasingly demonstrated its interest</strong> in pursuing privacy enforcement for activity areas well beyond egregious data security breaches.  The Commission’s enforcement cases against Facebook (see above), Twitter and Google are high-profile but hardly aberrations.</p>
<p><strong>2. State Attorneys General, acting under their states’ “baby FTC” versions of the FTC Act, have also become increasingly interested</strong> in using their enforcement arms to advance user expectation and information collection consent rights.</p>
<p><strong>3. Congress is interested</strong>, and various user disclosure and consent legislative efforts have advanced in the House and Senate, with some sort of legislative enactment all but certain following the 2012 elections.  (See for example, Justin Brookman&#8217;s analysis of the McCain-Kerry Privacy Bill <a href="https://www.cdt.org/blogs/justin-brookman/breaking-down-kerrymccain-privacy-bill" target="_blank">here</a>, and Arent Fox&#8217;s good discussion of Representative Boucher&#8217;s House bill <a href="http://www.arentfox.com/publications/index.cfm?fa=legalUpdateDisp&amp;content_id=2766" target="_blank">here</a>.)</p>
<p><strong>4. Brand reputation, or put in plainer terms.</strong> When privacy is so prominently in the news, when companies are increasingly promoting themselves as privacy-sensitive, when for-profit businesses are sprouting everywhere promoting privacy “seal” certification services, ignoring privacy concerns is becoming bad business.  Put another way, why piss people off?  Good privacy practice bespeaks good <em>business</em> practice and risk management.</p>
<p><strong>5. Class action and common law</strong>.  Forget the FTC and federal and state laws, because even without these, businesses are still exposed to all sorts of common law rights of action under tort law particularly when it comes to handling of personal information.  As John Heitman <a href="http://nextdailydeal.com/groupon-privacy-statement-revisions-reflect-rapid-changes-in-the-marketplace-and-an-evolving-legal-and-regulatory-landscape/" target="_blank">recently wrote</a>, in a fine discussion of the controversy involving Groupon’s recent aggressive changes to its privacy policy:</p>
<p style="padding-left: 30px;"><em>An online marketing business using consumers’ personal information must do so carefully in order to limit its exposure to private class action litigation, Federal Trade Commission (FTC) investigations and enforcement, state attorneys general actions, and more.  Groupon’s changes won’t satisfy everyone, but they certainly take the company in the right direction and much of what’s been done can serve as an example for others mindful of (or needing to be mindful of) their corporate privacy posture and the risks that come with it.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2012/04/privacy-consent-to-collecting-personal-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy For Businesses: Any Actual Legal Obligations?</title>
		<link>http://mirskylegal.com/2012/03/privacy-for-businesses-any-actual-legal-obligations/</link>
		<comments>http://mirskylegal.com/2012/03/privacy-for-businesses-any-actual-legal-obligations/#comments</comments>
		<pubDate>Mon, 19 Mar 2012 16:14:35 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[do not track]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[FTC Enforcement]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Google Privacy]]></category>
		<category><![CDATA[Google Terms of Service]]></category>
		<category><![CDATA[Google TOS]]></category>
		<category><![CDATA[mobile apps]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Privacy invasion]]></category>
		<category><![CDATA[privacy policies]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[State Laws]]></category>
		<category><![CDATA[Terms of Service]]></category>
		<category><![CDATA[TOS]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[consumer data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[privacy policy]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=1269</guid>
		<description><![CDATA[For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all. Put another way, is it simply a question of disclosure &#8211; so long as a business tells users what it intends to do with their [...]]]></description>
			<content:encoded><![CDATA[<p>For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all.</p>
<p>Put another way, is it simply a question of disclosure &#8211; so long as a business tells users what it intends to do with their personal information, can the business pretty much do anything it wants with personal information?  This would be the privacy law equivalent of the “as long as I signal, I am allowed to cut anyone off” theory of driving.</p>
<p>Much <a href="http://ftc.gov/opa/2011/11/privacysettlement.shtm">high-profile enforcement</a> (via the Federal Trade Commission and State Attorneys General) has definitely focused on breaches by businesses of their own privacy statements.  Plus, state laws in California and elsewhere either require that companies have privacy policies or require what types of disclosures must be in those policies, but again focus on disclosure rather than mandating specific substantive actions that businesses must or must not take when using personal information.</p>
<p>As <em>The Economist</em> <a href="http://www.economist.com/node/21548227">recently noted</a> in its Schumpeter blog, “Europeans have long relied on governments to set policies to protect their privacy on the internet.  America has taken a different tack, shunning detailed prescriptions for how companies should handle people’s data online and letting industries regulate themselves.”   This structural (or lack of structural) approach to privacy regulation in the United States can also be seen – vividly – in legal and business commentary that met Google’s recent privacy overhaul.  Despite howls of displeasure and the concerted voices of dozens of State Attorneys General, none of the complaints relied on any particular violations of law.  Rather, arguments (<a href="http://www.naag.org/assets/files/pdf/signons/20120222.Google%20Privacy%20Policy%20Final.pdf">by the AGs</a>) are made about consumer expectations in advance of consumer advocacy, as in “[C]onsumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.”</p>
<p>Again, there’s little reliance on codified law because, for better or worse, there is no relevant codified law to rely upon.  Google, Twitter and Facebook have been famously the subjects of enforcement actions by the states and the Federal Trade Commission, and accordingly Google has been careful in its privacy rollout to provide extensive advance disclosures of its intentions.</p>
<p>As <em>The Economist</em> also reported, industry trade groups have stepped in with self-regulatory “best practices” for online advertising, search and data collection, as well as “do not track” initiatives including browser tools, while the Obama Administration last month announced a privacy “bill of rights” that it hopes to move in the current or, more realistically, a future Congress.</p>
<p>This also should not ignore common law rights of privacy invasion, such as the type of criminal charges successfully brought in New Jersey against the <a href="http://www.nytimes.com/2012/03/17/nyregion/defendant-guilty-in-rutgers-case.html?pagewanted=all">Rutgers student spying on his roommate</a>.   These rights are not new and for the time being remain the main source of consumer recourse for privacy violations in the absence of meaningful contract remedies (for breaches of privacy policies) and legislative remedies targeted to online transactions.</p>
<p>More to come on this topic shortly.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2012/03/privacy-for-businesses-any-actual-legal-obligations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Startups: Capital Fundraising, Crowdsourcing and Securities Law</title>
		<link>http://mirskylegal.com/2011/06/startups-capital-fundraising-crowdsourcing-and-securities-law/</link>
		<comments>http://mirskylegal.com/2011/06/startups-capital-fundraising-crowdsourcing-and-securities-law/#comments</comments>
		<pubDate>Mon, 13 Jun 2011 15:11:24 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[accredited investor]]></category>
		<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[crowd-sourcing]]></category>
		<category><![CDATA[crowdsourcing]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[general solicitation]]></category>
		<category><![CDATA[investor capital]]></category>
		<category><![CDATA[NVCA]]></category>
		<category><![CDATA[SEC advertising rule]]></category>
		<category><![CDATA[SEC Regulation D]]></category>
		<category><![CDATA[SEC Rule 502(c)]]></category>
		<category><![CDATA[SEC Rule 504]]></category>
		<category><![CDATA[SEC Rule 505]]></category>
		<category><![CDATA[SEC Rule 506]]></category>
		<category><![CDATA[securities law]]></category>
		<category><![CDATA[securities regulation]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[start-ups]]></category>
		<category><![CDATA[startup fundraising]]></category>
		<category><![CDATA[startups]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[Venture Capital]]></category>
		<category><![CDATA[Regulation D]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=1086</guid>
		<description><![CDATA[“With regulators considering easing fund-raising rules for start-ups …” a recent Wall Street Journal story began, “social-networking sites that link entrepreneurs to large pools of donors are gearing up for a boom.” First, the background.  Federal and state securities laws govern the sales – including the solicitation of sales – of securities, affecting all efforts [...]]]></description>
			<content:encoded><![CDATA[<p>“With regulators considering easing fund-raising rules for start-ups …” <a href="http://online.wsj.com/article/SB10001424052748703806304576245360782219274.html?KEYWORDS=%22With+regulators+considering+easing+fund-raising+rules+for+start-ups%22" target="_blank">a recent <em>Wall Street Journal </em>story began</a>, “social-networking sites that link entrepreneurs to large pools of donors are gearing up for a boom.”</p>
<p>First, the background.  Federal and state securities laws govern the sales – including the <em>solicitation</em> of sales – of securities, affecting all efforts to raise capital for startups.  This includes any public efforts to raise money, and includes raising small or large amounts of money.  Generally, sales and solicitations of sales of stock require compliance with SEC and various state securities law, and more particularly the registration requirements of those laws.<span id="more-1086"></span></p>
<p>The applicable federal laws are SEC regulations governing how capital can be solicited and from whom capital can be raised.</p>
<p><strong>Advertising and Solicitation Rule. </strong><a href="http://taft.law.uc.edu/CCL/33ActRls/rule502.html" target="_blank">SEC Rule 502(c)</a> prohibits “any form of general solicitation or general advertising” for the sale of securities, except as permitted by other rules.  These rules traditionally prohibited general fundraising through radio, television and newspaper advertisements, but for the same reasons would bar the same conduct through Twitter, Facebook and other social media.</p>
<p><strong>Accredited Investor Rules. </strong>SEC Rules <a href="http://taft.law.uc.edu/CCL/33ActRls/rule504.html" target="_blank">504</a>, <a href="http://taft.law.uc.edu/CCL/33ActRls/rule505.html" target="_blank">505</a> and <a href="http://taft.law.uc.edu/CCL/33ActRls/rule506.html" target="_blank">506</a> permit sales of securities to “accredited investors” without compliance with the securities registration requirements.  “Accredited investors” is defined in <a href="http://taft.law.uc.edu/CCL/33ActRls/rule501.html" target="_blank">SEC Rule 501</a> as individuals with net worth exceeding $1 million or with annual income exceeding $200,000.</p>
<p>Now, the current context.  Social media is not new nor are calls to relax the capital raising rules, but noise for changes has come from increased start-up activity and, in particular, increased popularity of public fundraising sites seeking to “crowdsource” capital for ownership purposes beyond donations.  <a href="http://online.wsj.com/article/SB10001424052748704843404576251160999848924.html?KEYWORDS=SEC+Boots+Up+for+Internet+Age" target="_blank">The <em>Wall Street Journal</em> reported in April</a> that the SEC is considering revising its advertising and solicitation Rule, if not necessarily to permit unfettered general solicitations, then at least to allow increased recognition of some use of social media for startup companies and small businesses seeking to raise relatively small amounts of capital.  <a href="http://www.sec.gov/news/press/schapiro-issa-letter-040611.pdf" target="_blank">SEC chairman Mary Schapiro sent a letter</a> in April to Darrell Issa, Chairman of the House Committee on Oversight and Government Reform, stating that the Commission was considering new Rules or relaxing existing Rules.  Schapiro noted that she had received a widely-supported petition to ease rules for crowd-funding capital raises of up to $100,000.</p>
<p>The <em>Journal</em> noted, however, that in the early 1990s the SEC relaxed registration requirements for capital raises of up to $1 million, as well as accredited investor rules for wealthy individuals.  The story also noted that those relaxed requirements had been abandoned at the end of that decade out of revived concerns about investor fraud – perhaps not coincidentally, around the same time as the dot-com crash.</p>
<p>Current advocates for relaxing the rules – see for example, <a href="http://www.startuplawblog.com/2011/05/10/how-congress-can-make-startup-fundraising-easier-and-better/" target="_blank">Joe Wallin’s StartupLawBlog</a> – suggest that the SEC’s rules “don’t make sense”, although without offering much support other than that Depression-era legislation and accompanying Rules never contemplated social media.  That narrow point in and of itself is almost certainly correct.</p>
<p>Presumably, though, rules designed to prevent fraud still accomplish exactly that in light of the proliferation of ways for fundraisers to reach a broader investing public.  The advocates of changing the rules seem to be principally the same people who have always loathed the SEC, namely people trying to raise money from the public.  A better argument against the SEC’s existing rules might be simply that investors do not need these protections anymore, not that the existing rules aren’t adaptable to the medium.  That may or may not be true, but that does seem to be Wallin’s real argument when he writes, “If folks are willing to acknowledge that they are willing to lose their money on a highly speculative venture, let’s let them.”</p>
<p>Interestingly, the National Venture Capital Association has already <a href="http://blogs.wsj.com/digits/2011/04/11/venture-industry-cool-to-easing-rules-on-private-company-stock/?KEYWORDS=nvca" target="_blank">publicly opposed</a> any such broad regulatory relaxation.  From the NVCA’s perspective, securities law changes that incentivize small capital raises will discourage ultimate interest in companies seeking to tap into the broader public capital markets through traditional initial public offerings (IPOs).  Since IPOs are the most common form of payday for venture capital, this of course diminishes the attractiveness of venture capital, for investors and for entrepreneurs.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2011/06/startups-capital-fundraising-crowdsourcing-and-securities-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Needs a Privacy Policy?</title>
		<link>http://mirskylegal.com/2011/03/who-needs-a-privacy-policy/</link>
		<comments>http://mirskylegal.com/2011/03/who-needs-a-privacy-policy/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 16:06:13 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA["SPY" Act]]></category>
		<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[COPPA]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[FTC Act]]></category>
		<category><![CDATA[Gramm-Leach-Bliley]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[privacy policies]]></category>
		<category><![CDATA[Social Media Policies]]></category>
		<category><![CDATA[State Laws]]></category>
		<category><![CDATA[State Privacy Laws]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=904</guid>
		<description><![CDATA[A privacy policy?  Who needs a privacy policy?  Privacy is a mess.  You’re building an online business, and you figure you have to have a privacy policy.  But why?  Is “because everyone else has one” a good enough reason?  Ever wonder what you really need to know about privacy law?  I mean … what you [...]]]></description>
			<content:encoded><![CDATA[<p>A privacy policy?  Who needs a privacy policy?  Privacy is a mess.  You’re building an online business, and you figure you have to have a privacy policy.  But why?  Is “because everyone else has one” a good enough reason?  Ever wonder what you really need to know about privacy law?  I mean … what you have to comply with as a business operating in an online environment?</p>
<p>Here, then, the first of several Frequently Asked Questions about privacy policies.  Or to be more precise, here now some practical answers on privacy <em><span style="text-decoration: underline;">practices</span></em>:</p>
<p><strong>FAQ #1</strong>: Can I simply post a privacy policy and forget about it?  <strong>Short Answer</strong>: No.  <strong>Longer Answer</strong>: No, because as between posted statements and actual compliance, actual compliance is what’s required.  <span id="more-904"></span>In that sense, posting a privacy policy matters only in that it commits you to honoring the commitments you make in your posted policy.  Which is important and can cause grief down the road if you breach your own posted policy, often the bane of companies that post a “boilerplate” policy lifted verbatim from another website which they haven’t actually read.</p>
<p>But what really matters is actual compliance, meaning compliance with privacy laws.   So … how do you know what laws to worry about, and which aspects of those laws?  Is it really helpful to answer “all laws”?  Yes, in the sense that you always have to comply with “all laws”.  But not all laws apply equally in all cases, and the same is true with privacy practices.</p>
<p><strong>FAQ #2</strong>: What laws govern privacy practices?  This is a huge topic, so where to begin?</p>
<p><strong><em>Industry-Specific Privacy Laws. </em></strong>You follow laws applicable to your particular type of industry.  Examples:</p>
<ul>
<li><strong><em>Financial Data</em></strong>, including the various federal laws covering privacy of financial data, such as the <a href="http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act" target="_blank">Gramm-Leach-Bliley Financial Modernization Act of 1999</a>.  Gramm-Leach-Bliley is one of a number of laws that apply if your business deals with loans, financial or investment advice, insurance, or any type of financial product or service.</li>
</ul>
<ul>
<li><strong><em>Medical Information</em></strong>, particularly privacy laws like <a href="http://www.hhs.gov/ocr/privacy/" target="_blank">HIPAA</a>, which deals with handling and security of patient medical and healthcare information.  HIPAA itself is an enormous topic obviously applicable to physicians and medical practices, hospitals and insurance companies, but also to any number of service providers including software and systems providers to the healthcare and pharmaceutical industries.</li>
</ul>
<ul>
<li><strong><em>Children’s Privacy Laws. </em></strong>If your business has products or services targeted to an audience that will likely include children, the <a href="http://www.coppa.org/coppa.htm" target="_blank">Children’s Online Privacy Protection Act</a> (referred to as COPPA) kicks in.  But again, like HIPAA, COPPA applies whether or not children are your intended audience.  The reach and pervasiveness of the internet – and lack of real ability to guarantee age access restrictions – make COPPA applicable to a larger swath of online activities than you might otherwise think.</li>
</ul>
<p><strong><em>Advertising Privacy Laws. </em></strong>Advertising law itself is a large topic, but certain advertising laws specifically cover privacy practices.  Two in particular to note:</p>
<ul>
<li><a href="http://itlaw.wikia.com/wiki/Section_5_of_the_FTC_Act" target="_blank">Section 5 of the FTC Act</a>.  The FTC Act is certainly not a new law, but its general provisions against fraudulent business practices also regulate fraudulent <em>privacy</em> practices.  The FTC Act is the general framework under which the government and consumers can seek redress for deceptive or misleading practices, commonly where a privacy policy’s disclosure is inconsistent, deceptive or misleading with respect to actual privacy practices.</li>
</ul>
<ul>
<li>The <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d108:H.R.2929:" target="_blank">Federal “SPY Act”</a> (Securely Protect Yourself Against Cyber Trespass Act).  Among other privacy matters, the SPY Act governs use of “information collection programs” that collect personally identifiable information and either send the information to anyone other than the user, or use the information to display advertising.  The SPY Act requires not only disclosure of use of these types of programs, but also affirmative user consent to their use.  Where does the SPY Act really kick in?  The Act requires that disclosure – and consent – to use of the collection of personal information be “clear, conspicuous, written in plain language, and clearly distinguished from any surrounding text or information”.  What is unclear is whether affirmative consent through clickthrough acceptance of privacy terms and terms of use would satisfy the acceptance requirements, although I have yet to see a website require anything further.</li>
</ul>
<p><strong><em>State Laws</em></strong></p>
<p>It is certainly true that state laws apply in whatever business and whatever field you operate.  This will definitely be true of the state of your business location, of course.  A great place to start is The American Institute of CPAs (AICPA), which has a <a href="http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVACY/FEDERALSTATEANDOTHERPROFESSIONALREGULATIONS/STATEPRIVACYREGULATIONS/Pages/default.aspx" target="_blank">fine online resource of state privacy laws</a>.</p>
<p>At a minimum, the AICPA’s resource will guide you on what’s applicable in your home state and the states in which you clearly operate.</p>
<p>Beyond that threshold issue, privacy is an area of particular state-law sensitivity for many reasons.  Many states have privacy laws applicable to businesses operating in their jurisdictions, and some states have famously enacted aggressive privacy legislation.  Many of those same states have taken quite liberal positions on the applicability of their laws to online activities.</p>
<p>A more generous view is that certain states are simply leading the country in privacy activities.  Privacy practices – not just policies, but actual practices – that comply with the laws of these states will tend to be compliant with the laws of most states, making attention to them a useful exercise.  These states include California, Massachusetts, North Carolina and New York.  But they also include states like Vermont and Maine, two New England states that just recently found themselves defending state laws allowing physicians to opt out of publicly disclosing patient prescription drug information.  Indeed, <a href="http://www.businessweek.com/news/2010-11-23/ims-health-wins-court-attack-on-vermont-marketing-law.html" target="_blank">Vermont’s case will be argued in the US Supreme Court</a> this spring, illustrating the national significance of seemingly narrowly-applicable state laws.  These are important laws for business activities in these states, of course, but equally so because many other states are following their leads.  And many states – Vermont and Maine included – are aggressively policing the activities of online businesses even remotely touching upon their jurisdictions.</p>
<p><strong>FAQ #3</strong>: <strong><em>So … What Do Businesses Actually Do?</em></strong></p>
<p>How do you “do your best” when you’re potentially exposed to a gazillion laws and regulations, many of which seem so much like “gotcha” laws aimed simply to trip you up?  One answer is best practices.  The <a href="http://www.bbbonline.org/privacy" target="_blank">Better Business Bureau</a> and <a href="http://www.truste.org" target="_blank">TRUSTe</a> are two among many reputable organizations that develop and update privacy guidelines and “model” policies.  Industry-specific groups publish best practices and guidelines for their industry members.  The Direct Marketing Association has a good example on its website, <a href="http://www.the-dma.org">www.the-dma.org</a>.</p>
<p>These really are great resources because they tend to be sensitive to national and leading-state trends in privacy while encouraging implementation of policies that match actual privacy practices.</p>
<p>I will separately write more about this “do your best” topic as well as major points that privacy policies – and actual privacy <em><span style="text-decoration: underline;">practices</span></em> – should reflect.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2011/03/who-needs-a-privacy-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Podcast #2: Recent Search Engine Advertising Trademark Rulings in EU and US</title>
		<link>http://mirskylegal.com/2011/01/podcast-2-recent-search-engine-advertising-trademark-rulings-in-eu-and-us/</link>
		<comments>http://mirskylegal.com/2011/01/podcast-2-recent-search-engine-advertising-trademark-rulings-in-eu-and-us/#comments</comments>
		<pubDate>Wed, 12 Jan 2011 20:31:43 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[Fair Use]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[Rosetta Stone]]></category>
		<category><![CDATA[Search Engines]]></category>
		<category><![CDATA[Trademarks]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=760</guid>
		<description><![CDATA[Podcast #2: January 6, 2011 In today’s podcast, we cover trademark cases from both U.S. and European Union courts involving major search engines such as Google and Yahoo.  In particular, we look at whether and how search engines can be held responsible for trademark infringement when advertisers buy search result advertisements using the trademarked names [...]]]></description>
			<content:encoded><![CDATA[<p><strong><strong>Podcast #2: January 6, 2011</strong></strong></p>
<p>In today’s podcast, we cover trademark cases from both U.S. and European Union courts involving major search engines such as Google and Yahoo.  In particular, we look at whether and how search engines can be held responsible for trademark infringement when advertisers buy search result advertisements using the trademarked names of their competitors.</p>
<p>My guest is <a href="http://www.gibsondunn.com/Lawyers/hhogan" target="_blank">Howard Hogan</a>, a partner in <a href="http://www.gibsondunn.com/Offices/WashingtonDC" target="_blank">Gibson, Dunn, &amp; Crutcher’s Washington, DC office</a>.  Howard’s practice focuses on intellectual property litigation and counseling, including trademark, copyright, patent, false advertising, licensing, media and entertainment, and trade secret matters.</p>
<p>The trademark issue arises because in many countries, including the US, the search engines allow companies to advertise next to search results using their competitors’ trademarks.  We have seen a major shift in the last year.  Before 2010, it was clear that at least in France and Germany, it was not appropriate for search engines to sell marks, and Google’s policy reflected that.  In the US, there was a divide between the district courts of the Second Circuit and the rest of the country as to whether buying and selling trademarks for search engine advertising constituted a “use in commerce,” but there was very little law on whether that use was likely to cause confusion.</p>
<p>Now, in Europe, the law seems to have shifted against holding search engines liable, but leaving open the potential for trademark holders to go after the advertisers.  In the U.S. the “use in commerce” question has been resolved decisively against the search engines, and the debate has shifted to the “likelihood of confusion” question.  On one hand, we are starting to see more decisions finding that their sale of the marks is not confusing (<em><a href="http://www.scribd.com/doc/35324447/Rosetta-Stone-v-Google-Summary-Judgment" target="_blank">Rosetta Stone</a></em>, <em><a href="http://www.internetlibrary.com/pdf/Boston-Duck-Tours-Super-Duck-Tours-D-Mass.pdf" target="_blank">Boston Duck Tours</a></em>, <em><a href="http://www.ca5.uscourts.gov/opinions/unpub/09/09-50596.0.wpd.pdf" target="_blank">College Network</a></em>) at the same time as other courts are finding that the use of marks by an advertiser is likely to cause confusion (<em><a href="http://pub.bna.com/eclr/06cv2454_021508.pdf" target="_blank">Storus</a></em>, <em><a href="Skydive Arizona" target="_blank">Skydive Arizona</a></em>).</p>
<p>Please press play on the audio player to hear the podcast.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2011/01/podcast-2-recent-search-engine-advertising-trademark-rulings-in-eu-and-us/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://mirskylegal.com/wp-content/uploads/2011/01/Trademarks-and-Search-Engines.mp3" length="4506352" type="audio/mpeg" />
		</item>
		<item>
		<title>Trademarks: Why Necessary to Police Infringement of Your Marks</title>
		<link>http://mirskylegal.com/2010/11/trademarks-why-necessary-to-police-infringement-of-your-marks/</link>
		<comments>http://mirskylegal.com/2010/11/trademarks-why-necessary-to-police-infringement-of-your-marks/#comments</comments>
		<pubDate>Sun, 07 Nov 2010 14:52:02 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[publishing]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Trademarks]]></category>
		<category><![CDATA[Trademarks - Descriptive]]></category>
		<category><![CDATA[Trademarks - Duty to Monitor]]></category>
		<category><![CDATA[Trademarks - descriptive]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=649</guid>
		<description><![CDATA[A little-appreciated requirement for trademark owners is a duty to monitor and police their trademarks.  This duty applies to owners of unregistered trademarks as much as federal registered marks, since registration is not necessary to claim many trademark rights. What types of activities must be monitored and policed?  Infringement and dilution.  Or in other words, [...]]]></description>
			<content:encoded><![CDATA[<p>A little-appreciated requirement for trademark owners is a duty to monitor and police their trademarks.  This duty applies to owners of unregistered trademarks as much as federal registered marks, since registration is not necessary to claim many trademark rights.</p>
<p>What types of activities must be monitored and policed?  Infringement and dilution.  Or in other words, any third party uses of the same trademark or confusingly similar versions that might cause confusion in the marketplace about the source of the goods or services represented by the trademark.</p>
<p><strong>Trademark Duty to Monitor and Police</strong></p>
<p>2 basic reasons to monitor and police: First, the government won’t do it for you.  The Trademark Office is actually quite explicit about stating this, see <a href="http://www.uspto.gov/web/trademarks/notices/warning_to_uspto_customers.htm" target="_blank">here</a>.  Second and more to the point, unchallenged third party uses of a trademark could legally – and actually – weaken the strength of the trademark as an identifier of the owner’s goods or services, which in turn weakens the owner’s ability to later enforce the trademark and devalues the worth of the mark.<span id="more-649"></span></p>
<p>I <a href="http://mirskylegal.com/2010/10/actual-halloween-story-trademark-“field-of-screams”/#more-620" target="_blank">previously discussed</a> the problems raised by generic or descriptive trademarks, types of marks that cannot even be registered under trademark in the first place, or at best only under the trademark office’s Supplemental Register (rather than the Principal Register), with its very limited protection.</p>
<p>Sustained multiple common uses of a trademark risk the mark being deemed – or actually becoming – non-distinctive or descriptive of a class of goods or services, rather than being principally identified with the owner of the trademark.  (I <a href="http://mirskylegal.com/2010/10/actual-halloween-story-trademark-“field-of-screams”/#more-620" target="_blank">previously suggested</a> the example of “KLEENEX”.)</p>
<p>And that neatly sums up the real reason why monitoring and policing is so important: Not only can common usage of your name or brand prevent you from obtaining trademark registration in the first place, but registration can also be lost or (more practically) made worthless by a prospective inability to enforce.</p>
<p>The duty to monitor and police is not a statutory requirement under the federal Lanham Act or any similar state law.  Nonetheless, good trademark practice and intellectual property asset management demand attention to it.  In rejecting or sustaining trademark owners’ claims of infringement, published caselaw involving some prominent trademarks has relied on evidence of a trademark owner’s failure to perform the duty (<a href="http://www.internetlibrary.com/pdf/Hard-Rock-Cafe-Peter-Morton.pdf" target="_blank">Hard Rock Café Int&#8217;l (USA) Inc. v. Morton</a>, 1999 U.S. Dist. LEXIS 13760, No. 97 Civ. 9483, 1999 WL 717995 (S.D.N.Y. Sept. 9, 1999)) or a trademark owner’s successfully performing that duty (<a href="http://www.ca8.uscourts.gov/opndir/04/09/022894P.pdf?"><span style="text-decoration: underline;">Coca-Cola Co. v. Purdy</span></a>, 382 F.3d 774 (8th Cir. 2004)).</p>
<p><strong>How to Monitor and Police</strong></p>
<p>A good primer on this subject, including various avenues of monitoring and policing, can be found <a href="http://www.unc.edu/courses/2007spring/law/357c/001/policing/importance_policing.html" target="_blank">here</a> from a cyberlaw class at the University of North Carolina Law School.</p>
<p>Many companies offer trademark monitoring services, including large data firms like <a href="http://compumark.thomson.com/do/thomson_compumark/products/IP_products/trademark_products/web_monitoring" target="_blank">Thomson Compumark</a> and <a href="http://www.tmexpress.com/services3.php" target="_blank">Trademark Express</a>.  Intellectual property law firms also provide this service to clients, including <a href="http://mirskylegal.com" target="_blank">my firm</a> and many others.  Organizations with large intellectual property portfolios often dedicate in-house legal or paralegal staff to the process.</p>
<p>As many commentators note, monitoring for and early detection of infringing uses can be cost-effective in nipping problems in the bud, simply by facilitating contact with potential infringers early in the life of their infringing use, and thus presumably at a lesser level of investment and other commitment to their continued infringing use.</p>
<p>Since there is no statutory requirement to monitor and police, the required scope of the monitoring is nowhere mandated.  Nonetheless, certain procedures are commonplace.  These include:</p>
<p>1. Monitoring of the US Patent and Trademark Office’s trademark database, <a href="http://tess2.uspto.gov/bin/gate.exe?f=tess&amp;state=4009:70caer.1.1" target="_blank">Trademark Electronic Search System</a> (TESS), on a regular, scheduled basis.</p>
<p>2. Prominent use of the “®” symbol for registered trademarks, and “TM” or “SM” symbols for unregistered (or pending registered) trademarks, on all public uses of your goods or services, to formally establish your own public claims on your marks.</p>
<p>3. Establishing and implementing a company-wide trademark usage policy.  This is typically made part of a company’s Personnel Policy or Employee Manual, though sometimes separate.  The trademark policy alerts all company management, staff, vendors, business partners, contractors and subcontractors, agents, and others on both the rights established by the company’s marks and proper usage of the marks.</p>
<p>4. Conducting a thorough search of your trademarks in the top internet search engines (Google, YouTube, Yahoo!, Bing and AOL), on a regular, scheduled basis.</p>
<p>5. Setting up <a href="http://www.google.com/alerts" target="_blank">Google Alerts</a> to automatically monitor trademarks.</p>
<p>6. Contacting potentially infringing third parties to alert them of your trademark rights, and requesting compliance with changing or stopping usage.</p>
<p>7. Sending “cease and desist” letters.</p>
<p>8. As necessary and appropriate, and commensurate with cost and situational expectations, commencing legal action.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2010/11/trademarks-why-necessary-to-police-infringement-of-your-marks/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>FTC Blogger Rules: Why Not Disclose Advertising?</title>
		<link>http://mirskylegal.com/2010/10/ftc-blogger-rules-why-not-disclose-advertising/</link>
		<comments>http://mirskylegal.com/2010/10/ftc-blogger-rules-why-not-disclose-advertising/#comments</comments>
		<pubDate>Mon, 18 Oct 2010 20:18:06 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[FTC Blogger Rules]]></category>
		<category><![CDATA[publishing]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=609</guid>
		<description><![CDATA[FTC enforcement of its new blogger guidelines has involved typically high-profile actions against Ann Taylor LOFT (FTC ultimately taking no action) and Reverb Communications (for allegedly deceptive postings of positive reviews on iTunes for games produced by Reverb clients). While premature to draw any broad conclusions on the enforcement environment for the new rules, a philosophical [...]]]></description>
			<content:encoded><![CDATA[<p>FTC enforcement of its <a href="http://ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf" target="_blank">new blogger guidelines</a> has involved typically high-profile actions against <a href="http://www.scribd.com/full/30705068?access_key=key-9ix2y6k3stz0htvcx95" target="_blank">Ann Taylor LOFT</a> (FTC ultimately taking no action) and <a href="http://www.ftc.gov/os/caselist/0923199/100826reverbcmpt.pdf" target="_blank">Reverb Communications</a> (for allegedly deceptive postings of positive reviews on iTunes for games produced by Reverb clients).</p>
<p>While premature to draw any broad conclusions on the enforcement environment for the new rules, a philosophical problem with the FTC’s new blogger framework is its willful ignorance of the advertising underpinnings of traditional media.</p>
<p>So, for example, while established newspapers like the <a href="http://www.nytimes.com/" target="_blank">New York Times</a> and <a href="http://www.washingtonpost.com/" target="_blank">Washington Post</a> depend for their credibility on perceived soundness of the journalistic “church-state” divide, readers are almost never proactively alerted to major advertising support from common story subjects in business and politics.  Disclosure more typically comes from investment or ownership relationships, in the form of “full disclosure” statements like <a href="http://voices.washingtonpost.com/ezra-klein/2010/10/column_where_to_find_the_next.html">that from Ezra Klein</a> when reporting about Facebook (&#8220;Disclosure: Washington Post Co. Chairman Donald E. Graham is on Facebook&#8217;s board, and The Post markets itself on Facebook.&#8221;).  Not, though, from advertising relationships, even major advertisers.</p>
<p>At least not with newspapers.  PBS’ Newshour, NPR and other public news broadcasts commonly disclose underwriting relationships involving story subjects.  However, the same cannot be said of commercial television news broadcasts unless they involve investment or ownership relationships.</p>
<p>Since the underwriting structure of public broadcasting is substantively no different than the advertising relationships of newspapers, commercial television and most media websites, editorial disclosure of the financial support – of any kind – of such media outlets seems equally appropriate.</p>
<p><a href="http://www.citmedialaw.org/" target="_blank">Citizen Media Law Project</a>, in <a href="http://www.citmedialaw.org/blog/2010/ftc-flexes-blogger-rules-again" target="_blank">its coverage of the Ann Taylor action</a>, notes that the FTC guidelines limit disclosure to cases where the sponsorship relationship is <span style="text-decoration: underline;">not</span> “reasonably expected by the audience”.</p>
<p>Put in the context of audience reasonable expectation, this seems rather generously written for the benefit of old-line media, which has relied for generations on the presumption of credibility by its readership much more so than disclosure.</p>
<p>Why, then, shouldn’t bloggers be afforded the same benefit of the doubt that newspaper publishers have been given for generations?  Yes, there will always be egregious cases of paid-for “earned media” such as the Reverb case with iTunes.  But it used to be that time and dedicated readership were the ultimate arbiters of media influence.</p>
<p>This all begs the question of why the expectation of the relationship – rather than actual influence – is the measuring stick.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2010/10/ftc-blogger-rules-why-not-disclose-advertising/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trademarks in Ads: Google’s AdWords [Does] [Does Not] Infringe?</title>
		<link>http://mirskylegal.com/2010/08/trademarks-in-ads-google%e2%80%99s-adwords-does-does-not-infringe/</link>
		<comments>http://mirskylegal.com/2010/08/trademarks-in-ads-google%e2%80%99s-adwords-does-does-not-infringe/#comments</comments>
		<pubDate>Mon, 16 Aug 2010 15:39:17 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[Fair Use]]></category>
		<category><![CDATA[publishing]]></category>
		<category><![CDATA[Trademarks]]></category>
		<category><![CDATA[ads on google]]></category>
		<category><![CDATA[advertising with google]]></category>
		<category><![CDATA[adwords]]></category>
		<category><![CDATA[adwords by google]]></category>
		<category><![CDATA[adwords google]]></category>
		<category><![CDATA[adwords trademark infringement]]></category>
		<category><![CDATA[google ad words]]></category>
		<category><![CDATA[google trademark infringement]]></category>
		<category><![CDATA[internet advertising]]></category>
		<category><![CDATA[keyword trademark infringement]]></category>
		<category><![CDATA[pay per click]]></category>
		<category><![CDATA[trademark issue]]></category>
		<category><![CDATA[vutton]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=570</guid>
		<description><![CDATA[[Thomas Yarnell contributed to research and drafting on this post.] Google’s popular and dominant advertising service, AdWords, allows companies to place auction-style bids on search keywords.  If a company bids the highest amount on a keyword, that company’s ad comes up first when someone searches the keyword.  The company then pays Google on a pay-per-click [...]]]></description>
			<content:encoded><![CDATA[<p>[Thomas Yarnell contributed to research and drafting on this post.]</p>
<p>Google’s popular and dominant advertising service, AdWords, allows companies to place auction-style bids on search keywords.  If a company bids the highest amount on a keyword, that company’s ad comes up first when someone searches the keyword.  The company then pays Google on a pay-per-click basis.  In many countries, including the United States, Google lets companies advertise next to search results from use of their competitors’ trademarks.</p>
<p>Let’s say you want to buy a Louis Vuitton bag.  You know it’s expensive, so you might not want to buy it directly from the company’s website.  Instead, you might search “Louis Vuitton bags” on Google and assess other options.  As you can see in a search of &#8220;Louis Vuitton bags&#8221;, you may find some “Sponsored links” to the right of your search.  Sponsored links such as the “Louis V. Bags Handbags” come from the AdWords service.<span id="more-570"></span>  A search for &#8220;louis vutton handbags&#8221; turns up a sponsored link from something like Handbags.Smarter.com that says they have great deals on the product you&#8217;re searching for.  For your purpose of buying an LV bag on the cheap, it sounds promising.  But what if the site sells counterfeit Louis Vuitton bags?</p>
<p>Earlier this year, Louis Vuitton’s parent company, LVMH Moet Hennessy Louis Vuitton, raised this concern in the French courts, and France’s highest court referred the matter for guidance to the EU’s European Court of Justice (ECJ). The French luxury goods company claimed that by allowing other companies to advertise next to searches on its trademark, Google was enabling trademark infringement.  LVMH argued that only it or those acting with its permission should be permitted to buy ads for searches on trademarked names.</p>
<p>Google argued that allowing third parties to bid on ads benefits consumers, as it can give them useful resources for making decisions on a purchase.  Plus, Google added, trademark owners can still submit a complaint if they think consumers might confuse a third-party ad as having their brand name or stamp of approval.</p>
<p><a href="http://www.ft.com/cms/s/2/f8bf6d48-365c-11df-8151-00144feabdc0.html">The ECJ ruled for Google</a>, and beginning in September its AdWords policy in Europe will be similar to those in the United States and the United Kingdom.  Advertisers in Europe will be able to bid on ads next to searches for their competitors’ trademarks.</p>
<p>Google’s victory in the ECJ has caveats and important exceptions.  For example, consistent with a trademark owner’s infringement claims of likelihood of confusion or dilution, the European court warned against instances where advertisers create an impression that they are &#8220;economically linked&#8221; with the trademark owner.  More problematic for Google, though, is the ruling’s confusing ambiguity and its inconsistency with a subsequent ruling in the same matter by France’s highest court last month.  As <a href="http://latimesblogs.latimes.com/technology/2010/03/google-advertising-keyword.html" target="_blank">the Los Angeles Times commented</a> at the time of the ECJ ruling,</p>
<p style="padding-left: 30px;"><em>The [ECJ] said that Google is merely a provider of advertisements, not a company infringing trademark rights.  The court ruled that only advertisers are liable for infringing a trademark, and not the company providing a place for ads.</em></p>
<p><em><span style="font-style: normal;">The distinction is significant because of its narrowing effect: While AdWords in itself might not infringe trademark, that’s only because (and limited to) the passive facilitator role Google’s service plays in the process.  In the United States, Google has successfully argued in other contexts for its immunity from copyright infringement under the Digital Millennium Copyright Act (most obviously in its litigation with Viacom over YouTube).  The DMCA does not apply to trademark infringement, but the philosophy of Google’s argument is consistent: We are simply a vehicle for advertisements and content.</span></em></p>
<p>The limitation in the trademark context on Google’s claimed immunity as purely a platform was underscored by the ECJ.  While not directly liable for infringing, Google must be responsive to valid claims of infringement by trademark owners.</p>
<p>In July, <a href="http://online.wsj.com/article/NA_WSJ_PUB:BT-CO-20100713-710883.html" target="_blank">the French Supreme Court revoked</a> a 2006 ruling of the French Court of Appeals against Google for trademark infringement in the same case, in light of the ECJ ruling.  The French court ordered the case back to the Court of Appeals for review and assessment of damages (if any) against Google.  Nonetheless, the court was somewhat less qualified than the ECJ in rejecting Louis Vuitton’s claims against Google for trademark infringement, leaving little wiggle room for possible arguments against Google based on vicarious, contributory or secondary liability.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2010/08/trademarks-in-ads-google%e2%80%99s-adwords-does-does-not-infringe/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Andy Speaking at Politics Online 2010!</title>
		<link>http://mirskylegal.com/2010/04/andy-speaking-at-politics-online-2010/</link>
		<comments>http://mirskylegal.com/2010/04/andy-speaking-at-politics-online-2010/#comments</comments>
		<pubDate>Sun, 18 Apr 2010 03:08:20 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[Copyright]]></category>
		<category><![CDATA[Fair Use]]></category>
		<category><![CDATA[publishing]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Baker Hostetler]]></category>
		<category><![CDATA[Caplin & Drysdale]]></category>
		<category><![CDATA[Crowell & Moring]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Holtzman-Vogel]]></category>
		<category><![CDATA[Intellectual Property]]></category>
		<category><![CDATA[Jason Torchinsky]]></category>
		<category><![CDATA[Matt Sanderson]]></category>
		<category><![CDATA[Neal Seth]]></category>
		<category><![CDATA[online presence]]></category>
		<category><![CDATA[Politics Online Conference 2010]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=474</guid>
		<description><![CDATA[I will be moderating 2 separate panels on Monday and Tuesday at the 2010 Politics Online conference spectacular here in Washington. The first will be Monday April 19th at 2pm, and called “Is this Barack Obama’s Real Facebook Page? Domains, Twitter Handles, Online Presence – real or fake? Intellectual Property, Cyber Identity, and More!”.  I will be joined [...]]]></description>
			<content:encoded><![CDATA[<p>I will be moderating 2 separate panels on Monday and Tuesday at the 2010 Politics Online conference spectacular here in Washington.</p>
<p>The first will be Monday April 19th at 2pm, and called “Is this Barack Obama’s Real Facebook Page? Domains, Twitter Handles, Online Presence – real or fake? Intellectual Property, Cyber Identity, and More!”.  I will be joined on the panel by Jason Torchinsky of Holtzman-Vogel, Matt Sanderson of Caplin &amp; Drysdale and Neal Seth of Baker Hostetler.</p>
<p>The second will be Tuesday April 20th at 10:30am, and called “Laws Affecting Digital Communications – Copyright, Privacy, Elections/FEC, Advertising, Libel, Contract Law, etc.  Rules, Regs, Fines and Community “Standards” Applicable to Communicating in Digital Media.”  On this panel, I will be joined by Jason Torchinsky of Holtzman-Vogel and John Stewart of Crowell &amp; Moring.</p>
<p>Details at polc2010.com/.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2010/04/andy-speaking-at-politics-online-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cookies, Congress and Privacy: What’s the Problem?</title>
		<link>http://mirskylegal.com/2009/12/cookies-congress-and-privacy-what%e2%80%99s-the-problem/</link>
		<comments>http://mirskylegal.com/2009/12/cookies-congress-and-privacy-what%e2%80%99s-the-problem/#comments</comments>
		<pubDate>Sun, 06 Dec 2009 22:28:09 +0000</pubDate>
		<dc:creator>Andrew Mirsky</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[consumer data]]></category>
		<category><![CDATA[cookies]]></category>
		<category><![CDATA[Doubleclick]]></category>
		<category><![CDATA[Doubleclick DART]]></category>
		<category><![CDATA[Facebook v. Power.com]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[internet privacy]]></category>
		<category><![CDATA[Maureen Dowd]]></category>
		<category><![CDATA[privacy on the internet]]></category>
		<category><![CDATA[privacy policies]]></category>
		<category><![CDATA[privacy settings]]></category>
		<category><![CDATA[publishers]]></category>

		<guid isPermaLink="false">http://mirskylegal.com/?p=312</guid>
		<description><![CDATA[Publishers are worried about cookies, specifically talk of regulatory action on the privacy front.  What’s the story here? A Privacy Policy might typically say something like this: “A ‘cookie’ is a small text file on your computer’s hard drive that our Web site uses to collect information about how you use our site.  The cookie [...]]]></description>
			<content:encoded><![CDATA[<p>Publishers are worried about cookies, specifically talk of regulatory action on the privacy front.  What’s the story here?</p>
<p>A Privacy Policy might typically say something like this:</p>
<p><em>“A ‘cookie’ is a small text file on your computer’s hard drive that our Web site uses to collect information about how you use our site.  The cookie transmits this information back to our Web site each time you visit a page on our site, thus allowing us to identify our most popular pages, features and data.”</em></p>
<p>To someone reading these terms who doesn’t work for an ad agency, a publisher or, say, Google, what comes across could be summarized like this: “Software … embedded in my computer … I have no choice … it stays there forever and ever … it will watch my every move and report back to its masters and possibly the government … my wife might find out.”</p>
<p><span id="more-312"></span></p>
<p>Kind of makes one think of that great <em>Far Side </em>cartoon called “What the Dog Hears” (or something like that), with the first panel showing the human saying to her dog Wendell, “That’s a good boy, Wendell, you are such a smart dog, Wendell, why don’t you show everybody how you roll over, Wendell,” while the second panel shows what Wendell actually hears: “Blah blah blah, Wendell, blah blah blah, Wendell, blah blah blah blah blah, Wendell.”</p>
<p>Could be described as a bit of a marketing problem for an industry famous for … marketing.  Ironic, isn’t it?  <a href="http://mirskylegal.com/2009/09/privacy-secrecy-%E2%80%9Clocational-privacy%E2%80%9D-and-brandeis%E2%80%99-%E2%80%9Cright-to-be-let-alone%E2%80%9D/" target="_blank">I wrote previously</a> about the uniquely private culture of privacy in America, in this century (at least) drawing from the fount of Louis Brandeis’ wish for a simple right “to be let alone”.  On the face of it, therefore, what could possibly be more instinctively offensive to that sense of privacy than a pitchman’s calming missive of “don’t worry about this little thing we’re putting into your home”?</p>
<p>So, agencies and advertisers squabble over who gets to keep that very valuable consumer data derived from online advertising campaigns and consumer activities.  Meanwhile, <a href="http://mediaflect.blogspot.com/2009/06/privacy-bill-in-works-to-require-opt-in.html" target="_blank">Congress threatens to lay its blunt and heavy hand</a> on the ability of publishers, agencies and ad networks to use cookies, beacons, profiling and other increasingly improving ad serving technologies to better match advertisements with readers.</p>
<p>Publishers will argue – perhaps justifiably – that cookies are essential to ad serving.  (Which technically is not correct, since there are customizable techniques used across the industry with varying degrees of success.)  But as one prominent Washington publisher told me, the standard for serving is <a href="http://www.doubleclick.com/privacy/dart_adserving.aspx" target="_blank">Google-Doubleclick’s DART service</a> – which requires use of cookies.  And since the industry tends to rely heavily – and comfortably – on the reporting consistency of DART, use of cookies remains essential.</p>
<p>Put another way, DART is the standard for ad buyers, cookies are required by DART, and therefore cookies are essential.  Not to mention the more structural problem with removing or restricting targeting from an advertising-dependent publishing medium, which would directly impact CPMs and the basic ability to publish.</p>
<p><a href="http://bits.blogs.nytimes.com/2009/07/10/powercom-fights-back-against-facebook/" target="_blank">Facebook was recently sued by Power.com</a> over issues that could be distilled to who owns user personal information and usage data.  This is a complicated dispute involving conflicting motivations of Facebook (depending on the legal question involved) to claim or disclaim ownership of user data.  Facebook might plausibly argue that a certain amount of data ownership is necessary for Facebook to provide its service in the first place.  They’d have a point to the extent content and ads are targeted to users, which of course they are all the time in a network that “suggests” and “recommends” and “connects”.  Of course, <a href="http://www.facebook.com/terms.php?ref=pf " target="_blank">Facebook’s user agreement</a> (like, say, YouTube’s) doesn’t actually claim any right to a user’s data, instead essentially taking a license to the data for purposes of performing necessary site functions.</p>
<p>The data fights tend to pit advertisers, agencies, ad networks and publishers in a grudge match which ignores the very source of the data itself, people using the internet.  Exhibit A is Power.com versus Facebook, and privacy advocates easily recognize that neither adversary has users’ interests at heart.  Privacy might be passé, as <a href="http://www.nytimes.com/2009/12/06/opinion/06dowd.html" target="_blank">Maureen Dowd writes in today’s New York Times</a>, but that would argue that no one owns data, and no one can control it.</p>
]]></content:encoded>
			<wfw:commentRss>http://mirskylegal.com/2009/12/cookies-congress-and-privacy-what%e2%80%99s-the-problem/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

