Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added) Continue reading

For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all.

Put another way, is it simply a question of disclosure – so long as a business tells users what it intends to do with their personal information, can the business pretty much do anything it wants with personal information?  This would be the privacy law equivalent of the “as long as I signal, I am allowed to cut anyone off” theory of driving.

Much high-profile enforcement (via the Federal Trade Commission and State Attorneys General) has definitely focused on breaches by businesses of their own privacy statements.  Plus, state laws in California and elsewhere either require that companies have privacy policies or require what types of disclosures must be in those policies, but again focus on disclosure rather than mandating specific substantive actions that businesses must or must not take when using personal information.

As The Economist recently noted in its Schumpeter blog, “Europeans have long relied on governments to set policies to protect their privacy on the internet.  America has taken a different tack, shunning detailed prescriptions for how companies should handle people’s data online and letting industries regulate themselves.”   This structural (or lack of structural) approach to privacy regulation in the United States can also been seen – vividly – in legal and business commentary that met Google’s recent privacy overhaul.  Despite howls of displeasure and the concerted voices of dozens of State Attorneys General, none of the complaints relied on any particular violations of law.  Rather, arguments (by the AGs) are made about consumer expectations in advance of consumer advocacy, as in “[C]onsumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.”

Again, there’s little reliance on codified law because, for better or worse, there is no relevant codified law to rely upon.  Google, Twitter and Facebook have been famously the subjects of enforcement actions by the states and the Federal Trade Commission, and accordingly Google has been careful in its privacy rollout to provide extensive advance disclosures of its intentions.

As The Economist also reported, industry trade groups have stepped in with self-regulatory “best practices” for online advertising, search and data collection, as well as “do not track” initiatives including browser tools, while the Obama Administration last month announced a privacy “bill of rights” that it hopes to move in the current or, more realistically, a future Congress.

This also should not ignore common law rights of privacy invasion, such as the type of criminal charges successfully brought in New Jersey against the Rutgers student spying on his roommate.   These rights are not new and for the time being remain the main source of consumer recourse for privacy violations in the absence of meaningful contract remedies (for breaches of privacy policies) and legislative remedies targeted to online transactions.

More to come on this topic shortly.

Much has been made lately of tension between Twitter and its outside developers.  The issues stoking the fire are less legal issues than business issues brought to front-burner by two particular factors:

(1) The maturity of Twitter as a development platform, or in the words of Ryan Sarver of Twitter, “In the early days, all the clients except Twitter.com were built out by ecosystem companies, mainly because Twitter was so focused on keeping the lights on.  But we learned that in order for us to really grow, we had to start taking over that core experience.” (quoted in the NY Times, 7/17/11).

(2) A reported Federal Trade Commission inquiry into the relationship by the , which has (in some views) caused Twitter to re-think its liberal open-door policy when it came to permitting outside development on its platform.

An excellent story and accompanying podcast on this subject appeared in the NY Times last week, written by Claire Cain Miller.

Bottom line: Twitter is seeking to control the applications that control access to Twitter, meaning desktop and mobile, and leaving the field open to enterprise applications, usability applications, analysis and similar applications.

Certainly the business reasons seem pretty clear, in that Twitter seeks to control core functionality – and the development of that core functionality – of the mother ship.  Although it is not terribly surprising that that strikes some critics as cynical, see for example here (“Twitter, just be honest: ‘The only way we can figure out how to make money is same ol’ display ads and we need to own the client for that.’”)

There are legal issues here, namely the ability of the platform to restrict access to its API.  As Claire Miller and others have noted, part of the problem for Twitter is that developer expectations may have been artificially inflated.  But there is more.  The FTC hint of antitrust scrutiny may be causing Twitter some heartburn about its historical open-ness.  Some analogy from two unrelated contexts: In trademark law, the concept “use in commerce” requires confirmation of continued public use of a registered trademark every 5 years or so.  In real property law, a property owner’s failure to restrict public access to property – and thus demonstrate its private claim – can, under some circumstances, support a court’s granting a permanent public right of way.

Quoting Rob Diana from Regular Geek, “Twitter also now owns the platform as a whole and must be as reliable as a utility company.  They must provide all of the capabilities that consumers need in the clients.” (emphasis added) A danger for a “public utility” of the information superhighway is creeping expectation of the duties and obligations of public purpose: Loss of commercial freedom, permanent regulatory scrutiny and public stakeholder claims.  It may very well be that Twitter is acting much like New York’s Rockefeller Center, which closes public access to traffic one day a year as a legal “fiction” in order to continue to assert private ownership rights.

Twitter rolled out its new API TOS (“Developer Rules of the Road”) in March of this year.  Rob Diana noted at that time that the announcement may have been – or perhaps should have been – anticlimactic, in that “A basic Twitter client is a terrible idea in today’s ecosystem.”  Wrote Diana:

Unless there is major functionality outside of the existing solutions, a new client is a losing idea. There is a high barrier to entry when we already have third-party clients like Tweetdeck, Seesmic, HootSuite and PeopleBrowser. This does not include some of the other applications that focus on team or brand management. So, by saying not to develop a new client, Twitter has saved us and investors a lot of time and money.

“With regulators considering easing fund-raising rules for start-ups …” a recent Wall Street Journal story began, “social-networking sites that link entrepreneurs to large pools of donors are gearing up for a boom.”

First, the background.  Federal and state securities laws govern the sales – including the solicitation of sales – of securities, affecting all efforts to raise capital for startups.  This includes any public efforts to raise money, and includes raising small or large amounts of money.  Generally, sales and solicitations of sales of stock require compliance with SEC and various state securities law, and more particularly the registration requirements of those laws. Continue reading

Our Twitter chat last week with technology and entertainment lawyer Joy Butler highlighted legal issues with app development, including contract issues between app developers and clients, on one end, and intellectual property (IP) and API issues between the app and the intended development platform, on the other end.

Privacy issues become pressing later when the app goes public for end users, although the biggest privacy problems tend to arise when app publishers get tripped up by commitments made in their own end user license agreements (EULAs) or privacy policies, more so than from any violations of privacy laws.  More on privacy and the app/API problems in a separate blog post.

Immediate issues are copyright and trademark, both governed by federal laws, but also governed by API terms of use and similar application development agreements with hosting platforms.  Apple’s software developer kits (SDK) for the iPad and iPhone encompass similar purposes as part of broader packages of developer protocols for use of those APIs.

Continue reading

The following is our first twitter chat on trending legal issues. This one focused on legal issues involved with app development and APIs and featured thoughts from attorneys Andrew Mirsky and Joy Butler (@joybutler). Be sure to stay tuned to the @MirskyLegal twitter account for more information on the next #lawchat and please tweet in using the provided unique hashtag!
Continue reading

Please join me (@mirskylegal) and fellow DC media law attorney Joy Butler (@joybutler) for a Twitter chat (hashtag: #lawchat1) discussing App Development/API legal issues, Tues 4/5, 1215pm, live @ PJ Clarke’s, 1600 K Street, NW, WDC (downstairs Sidecar restaurant).  Limit 8 seats in person, please RSVP to andy@mirskylegal.com. Join us in person, or join the discussion via twitter hashtag #lawchat1.

Possible topics:

• Compliance with third party requirements (Facebook, Twitter, Google) for use of APIs
• Permissible access to and use of customer data
• Use of open source code for development of software
• Development contract issues, including:

• • copyright ownership (“work for hire” or partial license? To what extent can developer use functionality/code on work for subsequent clients?)
  • warranties, reps, indemnification
  • importance of defining scope of work (work often done in phases)
  • developer’s duty to fix bugs and provide maintenance after delivery
  • international law/enforcement issues if developer and client are not both US based

Trademark registration generally trumps an unregistered (i.e. common law) use of the same trademark, so says @cyclaw in speaking about trademark registration in Canada.

I had tweeted this #trademark question:

What happens if you apply for – and get – US federal trademark registration, but later find that someone else has been using the same trademark since before you filed?  Or for that matter, does it even matter whether you discovered this other use prior to your filing for registration.

Thank you to @cyclaw for that quick reply.  In the US, though, the answer is slightly different: it matters only whether you can demonstrate your use prior to the date of first use by the other party.  So while US federal registration generally trumps common law use, first-in-time unregistered users do retain certain – albeit limited – rights which survive and trump another party’s later registration. Continue reading

I’ve set a monthly goal for November of taking tangible steps to make my company a “Socialprise” law firm.  What does that mean?

Let me take inspiration from Dell Computers: “This is not about campaigns or initiatives,” said Richard Binhammer, senior manager, outreach communications and executive initiatives, social media and community, Dell. “It’s about adopting social media as a way to do better business.”  Binhammer was quoted this week in Geoff Livingston’s blog spotlighting Dell’s social media efforts.

Livingston lauds Dell’s early efforts (in the bygone days of 2006 and 2007) as an early and enthusiastic adopter of social media as a customer service tool.   Continue reading