I am really pleased to participate in “The Puck Stops Here”. It is great to see the Canadian Consulate supporting the Canadian game community.
My plan is to identify/discuss some of the familiar (and not so familiar) issues facing game companies (and others) doing business in the U.S. Over the next few weeks I will touch on various topics including:
COPPA and CAN-SPAM compliance;
Using music in games;
Integrating voice communications in games and avoiding potential liability under CALEA;
Do’s (mostly don’ts) re on-line gambling;
Protecting intellectual property and reducing exposure in publishing and license agreements;
Managing user generated content;
Compliance with safe harbors for copyright infringement and defamation;
Crafting and enforcing EULAs;
Reverse engineering and anti-circumvention rules under the Copyright Act;
Compliance with laws governing contests, coupons, lotteries, and prepaid cards;
Immigration issues in cross-border transactions; and
Rules for protecting against and responding to data breaches.
With any luck, these posts will generate questions and comments which will provide additional food for thought and topics for discussion. Of course, this is too much to cover in one bite or for one person, so I hope to cover these and other issues over several posts and with the help of several of my colleagues including Benjamin Lambiotte, James Dunstan, John Crigler, and Gregg Rodgers. You can view their bios at http://www.gsblaw.com/.
First things first. Today is a holiday in the U.S.: Presidents Day. For those unfamiliar with it, until 1971 this holiday was celebrated to honor George Washington’s birthday; February 22. But, from 1971 until the mid-80’s the party for George’s birthday was moved to the 3rd Monday of February. After that, it was a short step to bundling several other observances into a single holiday: Abraham Lincoln’s birthday (February 12) and, depending on which state you happen to be in, various other presidents. Just keep that in mind the next time you read a service agreement that excludes federal holidays. Now, to business.
As a start, I want take a look at a recent development in the area of personal privacy. This is topic that gets a lot of press and generates quite a lot controversy/confusion in the U.S. The fact that information about personal behavior and preferences can now be so easily and quickly collected/disseminated and, with increasing frequency, lost, has made the topic all the more controversial. To some, the fact that privacy is such a hot button in the U.S. may come as a surprise. After all, there are likely few places on earth with more rules and regulations than the U.S. But, the fact is that unlike Canada, the U.S. does not really have a centralized/uniform privacy regime. Instead, privacy in the U.S. is generally a matter of common law and legislation on state-by-state basis. I say generally, because there are exceptions.[1] Specifically, health care information, financial and credit information, and information about children. But, rather than legislating an overall policy on privacy, the U.S. generally deals with the issue in the context of specific types of information and how that information may/may not be used.[2] The mechanism to implement these policies is typically – but not exclusively – legislation. In some cases the federal government provides voluntary guidelines which are used by government agencies and courts to measure compliance with other laws. For example, while the Federal Trade Commission certainly promulgates regulations to carry out its mandates, it also develops guidelines and principles for use in evaluating compliance with laws it is charged with enforcing, such as Section 5 of the FTC Act which applies to unfair and deceptive acts or practices.
A recent development (released last week) on the voluntary side of things (we will talk about COPPA and data breach legislation, etc., later in the week) is the FTC Staff Report entitled: “Self-Regulatory Principles for Online Behavioral Advertising” (http://www.internetnews.com/ec-news/article.php/3802806/Advocates+Blast+FTC+Guidelines+on+Web+Privacy.htm). The Report follows up on previous work and public hearings by the FTC on the subject, which began in 1995. The Report sets forth 4 principles to govern “behavioral advertising – the practice of tracking an individual’s online activities in order to deliver advertising tailored to the individual’s interests”:
Web sites should provide a clear, concise, and prominent statement about their behavioral advertising practices. These notifications are to be separate from general privacy policies and should give consumers an easy-to-use method of opting out. Companies that collect information through mobile devices should ensure they have sufficient disclosure mechanisms.
Companies are encouraged to maintain reasonable security and retention practices with respect to the data they collect.
Companies are also encouraged to inform consumers of retroactive material changes to their data collection policies.
Companies are encouraged to receive express consent from consumers before collecting "sensitive data," such as information about children, health information, and Social Security numbers.
But, don’t let the title fool you. While these principles are not mandatory, there are likely consequences for failing to comply. Indeed, as the Report notes, these principles do not displace existing laws and companies engaged in this practice “should be mindful of the federal and state laws that may apply to their operations”. On this point, the FTC took pains to point out that it has been very active in conducting investigations and bringing law enforcement actions challenging deceptive privacy claims and improper disclosure of consumer data, noting that since 2001 the FTC has brought 23 such actions.
Still, the principles may not go far enough and the FTC has come under quite a bit of criticism for opting for “self-regulation”, rather than recommending Congress enact legislation on the subject. Bottom line: this is likely not the last you will hear on the topic of behavioral advertising.
So, if you are a game company in Canada selling products to consumers in the U.S. and collecting information about their buying and surfing behaviors, should you care what the FTC has recommended? The answer is clearly, yes. After all, the U.S. is a big market (1.33 Billion in January 2009). And, activities that violate these principles may be prosecuted in the U.S., even if you are located in Canada. But, don’t despair, you are probably a lot closer to compliance than many of your U.S. counterparts, since PIPEDA reflects many of the same principles and, unlike the FTC principles is mandatory. So, if you comply with PIPEDA, it is likely you will satisfy most, if not all of the principles announced in the Report. Note however, that the FTC principles apply to more than just “personal information” as defined in PIPEDA. As a result, if you are engaged in behavioral or contextual data collection (and most game companies are) you may need to adjust your practices to extend beyond personal information, to include any information that “could be associated” with a particular consumer or device.
Couple of other interesting tidbits (unrelated) to keep in mind:
Epilepsy Warnings – Continuing an effort he first began in 2001, Assemblyman Steven Englebright (D-Setauket), has introduced A4004 in the New York Assembly. This bill would require any person who sells or rents video games to display a warning sign with respect to the relationship between playing video games and epileptic seizures and establishes penalties for a violation of such provisions.
Games and Cigarettes – Rep Joe Baca (D-CA) has introduced H.R. 231, “The Video Game Health Labeling Act of 2009”. If enacted the bill would require developers to affix a warning label on any vide game rated T (teen) or higher by the ESRB similar to that required for cigarette packaging: “WARNING: Excessive exposure to violent video games and other violent media has been linked to aggressive behavior.”
Safe Harbor – 17 USC Section 512(c) (Copyright) and 47 USC 230 (Communications Decency Act) contain safe harbors for service providers against claims of copyright infringement and defamation. Several cases addressed these provisions in 2008, with differing results. At the extreme, the 9th Circuit ruled against the 230 defense in Fair Housing Council v. Roomates.com, 2008 WL 879293 (9th Cir. April 3, 2008) in an opinion that is both difficult to follow and reconcile with the plain language of the statute. A more reasoned opinion going the other direction is Goddard v. Google 2008 WL 5245490 (N.D. Cal. Dec. 17, 2008). On the copyright side, see Io v. Veoh 5:2006cv03926 (N.D. Cal. Aug. 27, 2008). This case involved claims for copyright infringement stemming from infringing videos uploaded to Veoh’s site by users. Veoh successfully defended the claim, relying on 512(c). The reason it succeeded, was that it followed the requirements of the safe-harbor to the letter and more: it responded to compliant DMCA takedown notices promptly, it notified users of its policies against copyright infringement, it registered a Copyright Agent with the Copyright Office, it terminated users who were repeat infringers and blocked new registrations from the same email addresses, and it used hashes to stop the same infringing videos from being uploaded by other users.
Bottom line here: If you are a service provider get familiar with the safe-harbors; they are your friends.
License vs. Sale – Whether a transaction is characterized as a license or sale is a big deal under U.S. law. Consider for example, the case of Vernor v. Autodesk, 87 USPQ2d 1501 (W.D.Wash. 2008), in which the court held that the unauthorized sale of used software on an internet auction site was permissible under the first-sale doctrine. This, despite the fact that the agreement under which the software was originally transferred was expressly characterized as a license and included language reserving all rights to Autodesk. Critical to the court’s determination that the transaction at issue was a sale (and not a license) was the fact that the agreement permitted the licensee to retain possession of the software in exchange for a single up-front payment. According to the court, this turned the license into a sale with the result that Autodesk exhausted its exclusive right to re-distribution under the copyright act when it sold the software.
As you might expect, Vernor is not the last (or the first) word on this subject. Following Vernor, several courts have held to the contrary. For example, in Blizzard v. MDY, CV-06-2555 (D. Ariz. 2008), the court examined the issue in the context of Section 117 of the Copyright Act (Vernor involved Section 109), which permits the owner of a software program to make multiple copies of the program. The court, evaluating the Blizzard EULA (which contained license language not dissimilar to that in Vernor) held that the users of a program created by MDY known as WowGlider, were not owners of the WoW program, but licensees subject the limitations on use set forth in the license. As a result, neither the WowGilder users nor MDY could take advantage of the Section 117 defense and MDY and its founder were held liable for contributory and vicarious copyright infringement. The key here (ignored by the court in Vernor) was that the agreement giving the user rights in WoW (a) made clear that the rights granted were as a licensee and did not include unlimited rights to copy or distribute the game and (b) imposed “significant” restrictions on the transfer of the game by requiring the user to transfer the original media and the packaging and documentation.
Bottom line here: Pay close attention to the terms of your EULA. One other note, the Blizzard case is also significant because a recent ruling in the case addressed the anti-circumvention provisions of Section 1201 of the DMCA. That will be the subject of a later post.
[1] Indeed, Justice Brandeis found the “freedom to be let alone” to be one of the most basic freedoms protected by the U.S. Constitution. So, it is not as though privacy is a foreign concept on the federal scene. It is just that, in the U.S., it is handled very differently.
[2] This all seems quite odd to folks who have been following the privacy debate for any length of time. Many of the basic principles incorporated into the EU Privacy Directive and PIPEDA were actually developed by the U.S. Dept. of Health Education and Welfare in 1971 as part of the “Code of Fair Information Practices”, which included five clauses: openness, disclosure, secondary use, correction, and security. Although these principles were adopted later by the OECD and others, they were only adopted in the U.S. on a limited basis.
My plan is to identify/discuss some of the familiar (and not so familiar) issues facing game companies (and others) doing business in the U.S. Over the next few weeks I will touch on various topics including:
COPPA and CAN-SPAM compliance;
Using music in games;
Integrating voice communications in games and avoiding potential liability under CALEA;
Do’s (mostly don’ts) re on-line gambling;
Protecting intellectual property and reducing exposure in publishing and license agreements;
Managing user generated content;
Compliance with safe harbors for copyright infringement and defamation;
Crafting and enforcing EULAs;
Reverse engineering and anti-circumvention rules under the Copyright Act;
Compliance with laws governing contests, coupons, lotteries, and prepaid cards;
Immigration issues in cross-border transactions; and
Rules for protecting against and responding to data breaches.
With any luck, these posts will generate questions and comments which will provide additional food for thought and topics for discussion. Of course, this is too much to cover in one bite or for one person, so I hope to cover these and other issues over several posts and with the help of several of my colleagues including Benjamin Lambiotte, James Dunstan, John Crigler, and Gregg Rodgers. You can view their bios at http://www.gsblaw.com/.
First things first. Today is a holiday in the U.S.: Presidents Day. For those unfamiliar with it, until 1971 this holiday was celebrated to honor George Washington’s birthday; February 22. But, from 1971 until the mid-80’s the party for George’s birthday was moved to the 3rd Monday of February. After that, it was a short step to bundling several other observances into a single holiday: Abraham Lincoln’s birthday (February 12) and, depending on which state you happen to be in, various other presidents. Just keep that in mind the next time you read a service agreement that excludes federal holidays. Now, to business.
As a start, I want take a look at a recent development in the area of personal privacy. This is topic that gets a lot of press and generates quite a lot controversy/confusion in the U.S. The fact that information about personal behavior and preferences can now be so easily and quickly collected/disseminated and, with increasing frequency, lost, has made the topic all the more controversial. To some, the fact that privacy is such a hot button in the U.S. may come as a surprise. After all, there are likely few places on earth with more rules and regulations than the U.S. But, the fact is that unlike Canada, the U.S. does not really have a centralized/uniform privacy regime. Instead, privacy in the U.S. is generally a matter of common law and legislation on state-by-state basis. I say generally, because there are exceptions.[1] Specifically, health care information, financial and credit information, and information about children. But, rather than legislating an overall policy on privacy, the U.S. generally deals with the issue in the context of specific types of information and how that information may/may not be used.[2] The mechanism to implement these policies is typically – but not exclusively – legislation. In some cases the federal government provides voluntary guidelines which are used by government agencies and courts to measure compliance with other laws. For example, while the Federal Trade Commission certainly promulgates regulations to carry out its mandates, it also develops guidelines and principles for use in evaluating compliance with laws it is charged with enforcing, such as Section 5 of the FTC Act which applies to unfair and deceptive acts or practices.
A recent development (released last week) on the voluntary side of things (we will talk about COPPA and data breach legislation, etc., later in the week) is the FTC Staff Report entitled: “Self-Regulatory Principles for Online Behavioral Advertising” (http://www.internetnews.com/ec-news/article.php/3802806/Advocates+Blast+FTC+Guidelines+on+Web+Privacy.htm). The Report follows up on previous work and public hearings by the FTC on the subject, which began in 1995. The Report sets forth 4 principles to govern “behavioral advertising – the practice of tracking an individual’s online activities in order to deliver advertising tailored to the individual’s interests”:
Web sites should provide a clear, concise, and prominent statement about their behavioral advertising practices. These notifications are to be separate from general privacy policies and should give consumers an easy-to-use method of opting out. Companies that collect information through mobile devices should ensure they have sufficient disclosure mechanisms.
Companies are encouraged to maintain reasonable security and retention practices with respect to the data they collect.
Companies are also encouraged to inform consumers of retroactive material changes to their data collection policies.
Companies are encouraged to receive express consent from consumers before collecting "sensitive data," such as information about children, health information, and Social Security numbers.
But, don’t let the title fool you. While these principles are not mandatory, there are likely consequences for failing to comply. Indeed, as the Report notes, these principles do not displace existing laws and companies engaged in this practice “should be mindful of the federal and state laws that may apply to their operations”. On this point, the FTC took pains to point out that it has been very active in conducting investigations and bringing law enforcement actions challenging deceptive privacy claims and improper disclosure of consumer data, noting that since 2001 the FTC has brought 23 such actions.
Still, the principles may not go far enough and the FTC has come under quite a bit of criticism for opting for “self-regulation”, rather than recommending Congress enact legislation on the subject. Bottom line: this is likely not the last you will hear on the topic of behavioral advertising.
So, if you are a game company in Canada selling products to consumers in the U.S. and collecting information about their buying and surfing behaviors, should you care what the FTC has recommended? The answer is clearly, yes. After all, the U.S. is a big market (1.33 Billion in January 2009). And, activities that violate these principles may be prosecuted in the U.S., even if you are located in Canada. But, don’t despair, you are probably a lot closer to compliance than many of your U.S. counterparts, since PIPEDA reflects many of the same principles and, unlike the FTC principles is mandatory. So, if you comply with PIPEDA, it is likely you will satisfy most, if not all of the principles announced in the Report. Note however, that the FTC principles apply to more than just “personal information” as defined in PIPEDA. As a result, if you are engaged in behavioral or contextual data collection (and most game companies are) you may need to adjust your practices to extend beyond personal information, to include any information that “could be associated” with a particular consumer or device.
Couple of other interesting tidbits (unrelated) to keep in mind:
Epilepsy Warnings – Continuing an effort he first began in 2001, Assemblyman Steven Englebright (D-Setauket), has introduced A4004 in the New York Assembly. This bill would require any person who sells or rents video games to display a warning sign with respect to the relationship between playing video games and epileptic seizures and establishes penalties for a violation of such provisions.
Games and Cigarettes – Rep Joe Baca (D-CA) has introduced H.R. 231, “The Video Game Health Labeling Act of 2009”. If enacted the bill would require developers to affix a warning label on any vide game rated T (teen) or higher by the ESRB similar to that required for cigarette packaging: “WARNING: Excessive exposure to violent video games and other violent media has been linked to aggressive behavior.”
Safe Harbor – 17 USC Section 512(c) (Copyright) and 47 USC 230 (Communications Decency Act) contain safe harbors for service providers against claims of copyright infringement and defamation. Several cases addressed these provisions in 2008, with differing results. At the extreme, the 9th Circuit ruled against the 230 defense in Fair Housing Council v. Roomates.com, 2008 WL 879293 (9th Cir. April 3, 2008) in an opinion that is both difficult to follow and reconcile with the plain language of the statute. A more reasoned opinion going the other direction is Goddard v. Google 2008 WL 5245490 (N.D. Cal. Dec. 17, 2008). On the copyright side, see Io v. Veoh 5:2006cv03926 (N.D. Cal. Aug. 27, 2008). This case involved claims for copyright infringement stemming from infringing videos uploaded to Veoh’s site by users. Veoh successfully defended the claim, relying on 512(c). The reason it succeeded, was that it followed the requirements of the safe-harbor to the letter and more: it responded to compliant DMCA takedown notices promptly, it notified users of its policies against copyright infringement, it registered a Copyright Agent with the Copyright Office, it terminated users who were repeat infringers and blocked new registrations from the same email addresses, and it used hashes to stop the same infringing videos from being uploaded by other users.
Bottom line here: If you are a service provider get familiar with the safe-harbors; they are your friends.
License vs. Sale – Whether a transaction is characterized as a license or sale is a big deal under U.S. law. Consider for example, the case of Vernor v. Autodesk, 87 USPQ2d 1501 (W.D.Wash. 2008), in which the court held that the unauthorized sale of used software on an internet auction site was permissible under the first-sale doctrine. This, despite the fact that the agreement under which the software was originally transferred was expressly characterized as a license and included language reserving all rights to Autodesk. Critical to the court’s determination that the transaction at issue was a sale (and not a license) was the fact that the agreement permitted the licensee to retain possession of the software in exchange for a single up-front payment. According to the court, this turned the license into a sale with the result that Autodesk exhausted its exclusive right to re-distribution under the copyright act when it sold the software.
As you might expect, Vernor is not the last (or the first) word on this subject. Following Vernor, several courts have held to the contrary. For example, in Blizzard v. MDY, CV-06-2555 (D. Ariz. 2008), the court examined the issue in the context of Section 117 of the Copyright Act (Vernor involved Section 109), which permits the owner of a software program to make multiple copies of the program. The court, evaluating the Blizzard EULA (which contained license language not dissimilar to that in Vernor) held that the users of a program created by MDY known as WowGlider, were not owners of the WoW program, but licensees subject the limitations on use set forth in the license. As a result, neither the WowGilder users nor MDY could take advantage of the Section 117 defense and MDY and its founder were held liable for contributory and vicarious copyright infringement. The key here (ignored by the court in Vernor) was that the agreement giving the user rights in WoW (a) made clear that the rights granted were as a licensee and did not include unlimited rights to copy or distribute the game and (b) imposed “significant” restrictions on the transfer of the game by requiring the user to transfer the original media and the packaging and documentation.
Bottom line here: Pay close attention to the terms of your EULA. One other note, the Blizzard case is also significant because a recent ruling in the case addressed the anti-circumvention provisions of Section 1201 of the DMCA. That will be the subject of a later post.
[1] Indeed, Justice Brandeis found the “freedom to be let alone” to be one of the most basic freedoms protected by the U.S. Constitution. So, it is not as though privacy is a foreign concept on the federal scene. It is just that, in the U.S., it is handled very differently.
[2] This all seems quite odd to folks who have been following the privacy debate for any length of time. Many of the basic principles incorporated into the EU Privacy Directive and PIPEDA were actually developed by the U.S. Dept. of Health Education and Welfare in 1971 as part of the “Code of Fair Information Practices”, which included five clauses: openness, disclosure, secondary use, correction, and security. Although these principles were adopted later by the OECD and others, they were only adopted in the U.S. on a limited basis.
Posts
1 comment:
More thoughts from Scott...
Two items in the FTC Report require a little further discussion.
First, the Report establishes the principle that any "material" change in privacy policies requires affirmative consent. Hmmm, sounds like a basic principle of contract law? Well, the FTC thinks so:
"It is fundamental FTC law and policy that companies must deliver in promises they make to consumers about how their information is collected, used and shared. An important corollary is that a company cannot use data in a manner that is materially different from promises the company made when it collected the data without first obtaining the consumer's consent. Otherwise, the promise has no meaning."
Accordingly, the principles require notice and consent for a "material" change, if is to be applied retroactively. That is, if a web site collects information for one purpose it cannot use the information it collected for a materially different purpose, without obtaining actual consent. Notably, the principles do not require the same level of notice and consent for prospective changes. But, while the principles may not directly require assent to a change of terms, case law may. For example, See Douglas v Talk America, No. 06-75424 (9th Cir. July 18, 2007), in which the 9th Circuit rejected an attempt by Talk America to enforce revised contract terms using the standard "if you use the service after we post the new terms you are bound" approach. The point being: if you want to change the terms of the contract, you better make darn sure that your customers know about the change and consent.
Second, the focus of the new principles is on "second party", not "first party or "intra-site" behavioral advertising. According to the FTC, "first-party behavioral advertising practices are more likely to be consistent with consumer expectations, and less likely to lead to consumer harm, than practices involving the sharing of data with third parties or across multiple websites." As a result, the principles apply only to the later – which would include sharing data between and among members of an ad network and may include data sharing for such purposes between affiliated companies. As above, this is not the end of the story. As the Report notes, companies "engaged in first party practices may still be required to provide reasonable security for the consumer data it collects and maintains. Additionally, depending upon the specific circumstances, a company may be precluded from using previously collected data in a way that conflicts with the privacy promises in effect at the time the company collected the data." In other words, regardless of your status as a first or second party, changing the rules after the data is collected will require compliance with the principles.
Post a Comment