Articles Posted in Internet Law

Published on:

Mentioned in passing, in our first December blog post is another potential pitfall for operators of Internet-based services such as websites or applications. This one pitfall in particular comes out of the State of California. However, given the role of the internet as a wide-spread source of information, this is a lesson for any individual pitching to minors online. This law is Business & Professions Code 22580-22582 (“BPC 22580-22582”) otherwise known as “Privacy Rights for California Minors in the Digital World.” What does this law pertain to in general? What kind of entities need to be concerned about California Minors? What are the privacy rights these minors are allowed to enjoy?

What is BPC 22580-22582?

BPC 22580-22582 is a sub-part of the California Business and Professions Code.  It applies to operators of Internet websites and services, including, but not limited to, applications that are directed towards children and those same entities where the entities know the websites or services are used or visited by children. Here, “directed to” means it was created mainly for children, and is not intended for a general audience, including, but not limited to, adults. The law states, for children with registered accounts, entities must:

Published on:

Last week we discussed smart toys, and we mentioned “COPPA” in that article.  As such, some of you may be asking what is COPPA?” In short, COPPA is a federal law specifically tailored towards children, and stands for “Children’s Online Privacy Protection Act.” This law is meant to protect children from over exposure and prohibit businesses from gathering invasive amounts of analytics on children using their products or services. This remains a legitimate concern, attempting to curtail some of the worst aspects of online life.  What exactly does COPPA prohibit? Is there any limitation? Does it provide guidelines for a business to follow and ensure compliance?

COPPA Prohibitions

The spirit of COPPA can be summarized as follows: It is unlawful for an operator or a website or online service directed to children or with knowledge that it is collecting or maintaining a child’s information, to violate this federal statute by failing to give notice on the website of what information it collects, how it’s used, and how it’s disclosed, failing to obtain parental consent, providing reasonable means for parents to review or cancel the use of the service or website, to not condition participation in a game, offering of a prize or other activity by disclosing more personal information than is necessary, and failing to establish and maintain procedures to protect the confidentiality, security and integrity of the children’s information.

Published on:

We have finally reached December, and with it, comes the time for shopping. Of course, some people will focus on the youngest members of their families – i.e., children.  However, it needs to be emphasized that even with children, there are special concerns. The law considers juveniles and their decision-making capabilities, and in the age of the “smart toy,” this could have far ranging impacts on businesses and the emerging market. What is a smart toy? How might it differ from an average toy? What would a business need to be aware of?  What about a parent?

Smart Toys

Smart toys, alternatively known as “connected” toys, are those devices that can be used for play, but also connect to the internet or cloud.  This concept may sound like the internet of things–and these smart toys are just another part. A good example of this may be something like the “Hello Barbie” dolls from 2015. These dolls were akin to a smart chat program, or a more personable Siri/Cortana/Alexa. While Barbie’s operating system would not allow her to break significantly off a script, she would remember and adapt to a child’s thoughts, concerns, or desires.

Published on:

This is a current update on the principle of net neutrality that is worthy of a discussion. So, how or why is an update necessary?  The answer is that net neutrality rules may be changing soon, and various organizations are currently lobbying for their positions.  Why does net neutrality matter to businesses or consumers?  Is there a way or reason for removing net neutrality? What may you need to consider as a business or consumer after the demise of net neutrality?

Historical Background

For those that have not been following the idea of net neutrality, the idea is simple. No one packet of data can be favored or disfavored by a company that provides internet access. Previous rules would forbid this, and allow entities to sue if there was an intentional slowdown of their service. Indeed, this has allegedly occurred in the past as described in a lawsuit between Time Warner Cable (now Spectrum) and the State of New York.  Essentially, Spectrum was intentionally slowing down service, and only improving the service after payment was received by it.  Under the Open Internet Rules, this process was prohibited.

Published on:

In a current dispute between Google and a Canadian company over de-indexing a competitor, Google is doing everything in its power to avoid the court order. Not necessarily because it believes in the innocence of Datalink, but because to de-index would be removing an important immunity under current U.S. laws. One may be wondering, what was the immunity that prompted Google’s move? Why could it just pick up and go somewhere else? Should other businesses be concerned for this possible loss of immunity, and why might a business support Google here?

Case History

Equustek Solutions, Inc., a Canadian company, engaged in litigation with Datalink due to illicit activities on Datalink’s part (e.g., misappropriation of trade secrets) and using those trade secrets to confuse consumers in the market. Due to the similarities resulting from the alleged misappropriation, Datalink led consumers to believe that they were purchasing Equustek’s products. Equustek then sued in Canadian courts, resulting in various court orders against Datalink. However, Datalink managed to evade enforcement by fleeing the country and setting up shop somewhere else.

Published on:

The European Commission released its first annual review of the current EU-US Privacy Shield in order to determine what may or may not need changes as a matter of policy. As it currently stands, the Privacy Shield creates enforceable protections for European Union residents regarding the use of their personal data. The US-based entities that wish to participate will have to conform to greater transparency standards in how the data is used, as well as submitting to strong oversight to ensure adherence, and increased cooperation with Data Protection Authorities (“DPAs”). So, what changes are suggested in this new report? How might this affect businesses in the United States? What consequences, if any, may be added to the new changes?

What is the review?

It was conducted by the Commission to the European Parliament, which in essence reviewed the function of the Privacy Shield and gathered input from publicly-available sources. These sources combined press releases as well as legal cases that were available to the Commission; although, neither source was cited specifically within the seven-page report. The Commission is composed of both European and American representatives, such as the European Data Protection Supervisor and Federal Trade Commission.

Published on:

In general, internet commerce transpires on the national and international levels. Naturally, data protection is an important concern for private and public agencies.  The European Union’s remaining members are currently in the process of another process to protect data with the “General Data Protection Regulation” (GDPR) set to take effect next year. This differs from the previous Privacy Shield in some respects, as it is broader, and expands beyond the European Union and deals with any individual that may have a shred of a connection to the European Union. So, what is GDPR? What does it require? Also, what are the consequences for non-compliance?

What is the GDPR?

The GDPR grants the following as rights to a data subject (i.e., a user): breach notification; right to access a copy of personal data free of charge in electronic format; right to be forgotten; data portability, allowing transmission to another provider; privacy by design for systems; and data protection officers in cases where constant monitoring of data subjects on a large scale may occur, or for special categories of data regarding criminal convictions.

Published on:

As the Equifax breach continues to become a complicated issue, certain lessons can be learned for other businesses handling personal information. Namely, what not to do in their business operations?  In the wake of the cybersecurity breach, it had been reported that Equifax was aware of the security gaps, and did nothing to remedy them. So, where exactly did Equifax go wrong in its data security plans? How was it informed about the open holes in its security infrastructure?  What can a business owner do to avoid becoming an encore of Equifax’s folly? Is there any way to determine gaps in security policies and procedures?

Where did Equifax go wrong?

Effectively, Equifax appears to have failed at multiple levels, resulting in this breach. This is best summarized into one large mistake. There were no updates implemented to the computer systems Equifax used on its networks.  This was due to a delayed response to a known vulnerability in the Apache Struts web application. This framework is well known, it is used in the business community, and is an open-source framework for developing Java applications. In short, the delay was exasperated by the company’s failure to detect the vulnerability during a security scan.

Published on:

As the Equifax breach has developed recently, another issue has come up, namely the arbitration provision within its website, which has caused consumer outrage and confusion. So, why does this provision matter? If consumers want to get their credit frozen, or check to see if they were affected, surely Equifax wouldn’t add insult to injury to the consumers who are suffering from its mistakes. Certainly, it would appear to be bad business to do so, or at least, unwanted attention. However, Equifax cannot be said to avoid adding insult to injury. Instead, Equifax has implemented that arbitration provision, and later removed it. So again, why would Equifax implement this provision? What impact might it have on the consumer? Why might this be important for businesses everywhere to observe?

What is the arbitration provision?

The arbitration provision that had insulted many consumers was attached to Equifax’s offer of free credit monitoring. In exchange for the service being performed (after the security breach) Equifax demanded that consumers settle any dispute with them through arbitration. In general, arbitration is a private and less costly way to settle disputes outside of the courtroom. While the results of the arbitration may be binding, it gives broader latitude to discovery, time, and may be faster and less formal than a formal trial.  While Equifax later clarified this provision would not apply to the current breach, however, nevertheless consumers were upset at the revelation.

Published on:

Let us move on to the ways to protect ourselves in the future by using a credit freeze or fraud alert.  These options can protect your personal, private, and confidential information after a security breach and effectively add extra protection against identity theft. We have discussed them briefly in the past, although now, it seems appropriate to dive into further analysis. What are credit freezes and fraud alerts? How do they add more protection against identity thieves? What other actions might someone take to create additional safeguards?

Credit Freeze

The first and most basic way to prevent harm from identity theft is through a credit freeze, also known as a security freeze. A credit freeze is more or less what it sounds like–i.e., it “freezes” your credit where no lender can get access to your credit unless the consumer decides to lift it. Even then, the freeze cannot be undone without a pin number issued at the time of the freeze.