Trademark Registration of Marijuana, CBD, and Hemp Products

Trademark Registration of Marijuana Products

Trademark Registration of Marijuana, Cannabidiol, and Hemp Products

A trademark is any word, slogan, logo, symbol, or design that identifies an organization’s goods or services as unique from another set of goods or services. Trademarks serve two important functions. First, they are a source identifier, allowing one company to distinguish its goods or services from its competitors’, and preventing infringers from benefiting from the public perception earned through the sweat, blood, and tears of the trademark owner. Second, they are an indicator of quality, allowing consumers to know where they bought their products.

Because branding comes into play in every industry, we are seeing interesting developments from a variety of different sectors. For example, in 2017, we saw heavy metal bands challenging long-standing rules on disparagement, and our own Detroit Red Wings look at a potential infringement case against a hate group.

One area in which we will see opportunities for growth in the coming months is in marijuana-related products due to potential changes in definitions at the federal level.

Definitions Under the Controlled Substances Act (CSA)

Although marijuana and related products are legally available to various degrees in 47 states, including Michigan, under the CSA, marijuana is still a Schedule 1 controlled substance, meaning that it has a high potential for abuse with no currently accepted medical value.

Previously, the CSA defined marijuana to include the entire Cannabis Sativa L. plant, not making any distinction between its different parts. However, on January 4, the 2018 Farm Bill was signed into law, which brings about major changes to how the federal government regulates cannabis. 

This bill has created a new, separate definition for “hemp,” defining it as any plant with a tetrahydrocannabinol (THC) level below 0.3%. Hemp produces cannabidiol (CBD) oil, which is promoted as a wellness drug that does not get users high. Instead, it may be useful for treatment of epilepsy and anxiety, as well as other medical problems.

Due to this new definition, certain strains of cannabis are now legal at the federal level – a major change to the previous drug enforcement regime.

Trademarks for Cannabis, Marijuana, and Related Products

There are a number of provisions under the current statutes and regulations that apply to the trademark registration of marijuana-related products.

First, 15 USC 1051 and 15 USC 1127 allow owners of trademarks used in lawful commerce to seek trademark protection. Again, trademarks allow companies to avoid unfair competition, so it makes sense that Congress would not allow companies conducting illegal transactions on the black market to seek legal trademark protection.

Second, if an applicant is requesting a trademark on a service or product that is regulated under another law, 37 CFR 2.69 allows the Trademark Office to determine if the applicant is complying with the applicable standard because use of a mark in commerce must be lawful.

In a 2017 Trademark Trial and Appeal Board case, the Trademark Office refused to issue trademarks that would protect branding on “dispensaries selling marijuana” and “dispensary services.” These actions are illegal under the CSA’s prohibition on manufacturing, distributing, and dispensing controlled substances, including marijuana. As a result, the Board could not register the mark due to the then-definitions in the CSA.

This decision did foresee the reclassification of certain strains of cannabis. Due to the new definition in the 2018 Farm Bill, excluding hemp and CBD from Schedule 1 drugs, we will almost certainly see new trademark applications for these products in the coming months.

Tips for Protecting Your Cannabis-Related Trademarks

Register Early

Now that hemp and cannabidiol have been removed from the list of controlled substances, if your business is part of the cannabis industry, you should consider filing for trademark protection in order to protect your brand sooner rather than later. Due to the long timeline for trademark registration, it often makes sense to begin the process early.

Canada legalized recreational marijuana in 2018, but already their Intellectual Property Office is facing a bottleneck of cannabis-related brand names. Companies who delayed attempts at registration may be looking at a wait time of over a year before their brand is protected.

A similar “green rush” to register trademarks in the US is expected, so don’t delay getting your application in to avoid potential bottlenecks.

Work With a Lawyer to Get Your Application Right the First Time

At the moment, not all cannabis is legal in the U.S. – only certain strains. This is a new development in a new industry. The attorneys at the Trademark Office may not be aware of the different definitions in what is legal under federal law and what is not. This will not result in an automatic rejection, but it could delay your application.

An experienced trademark attorney will be able to craft your application in a way that clearly demonstrates that the goods or services your company provides are legal under current federal definitions. A clear, technical explanation at the outset can go a long way to smoothing the path to approval and could save months in further office review.

It is also useful to note that the trademark office has approved more than 300 marks specifically related to marijuana that do not involve actions currently prohibited by the CSA. For example, “Professional Marijuana Grower” owns a word mark on the title of their magazine that specifically protects their printed publication. There is a lot of room for business development in the cannabis region that does not involve manufacturing or dispensing the product.

Contact Your Elected Officials

While this last step does not specifically relate to brand protection, it is a smart move for any business in this new industry. If you are involved at all in the marijuana industry, you should contact your Senators and House Representatives to urge their support of changes to the law toward full legalization.

Marijuana is a huge industry, projected to generate $75 billion in sales, if it is fully legal by 2030. This alone should make your elected officials take note of the importance of having their constituents enjoy the full benefits of the law.

This article is for informational purposes only and does not contain legal advice. If you are interested in seeking trademark protection for your marijuana-related product or have other intellectual property questions, contact our experienced IP attorneys today with the form on this page, or call us at 855-473-8474.

How to Avoid Getting Scammed With Cryptocurrencies

The rise of cryptocurrencies has been fascinating to watch, but there are a number of common scams associated with this form of digital currency.

Cryptocurrencies are incredibly exciting and it can be a roller coaster to watch your investment grow and shrink. However, unlike traditional currencies and stocks, cryptocurrency is unregulated. While there are many legitimate companies out there, there are nearly 1,000 dead cryptocurrencies whose coins have no value or were nothing more than scams or Ponzi schemes to begin with.

In Japan, for example, eight men were arrested who collected more than $68 million in cryptocurrency from around 6,000 people as part of a pyramid scheme.

If you are getting started in the world of cryptocurrency investment and trading, here are some areas where you should conduct due diligence before moving forward:

Initial Coin Offerings (ICOs)

ICOs, like IPOs, offer an opportunity to get in at the ground level. The Securities and Exchange Commission (SEC) has issued a warning against them, stating: “They also bring increased risk of fraud and manipulation because the markets for these assets are less regulated than traditional capital markets.”

In the United States, many ICOs qualify as securities, and must be registered with the SEC. This agency actively investigates companies promoting digital assets and cryptocurrency ICOs that have not registered and are not eligible for an exception. Registration ensures that securities make financial disclosures to investors. It also works to prohibit deceit, misrepresentation, and fraud in the sale and exchange of securities. Information from registered companies is publicly available online to promote truth in securities.

Other countries have taken an even harsher approach against ICOs. For example, South Korea and China have banned ICO fundraising altogether due to the risks involved. Unlike more traditional IPOs and stocks, which give investors equity in a company, ICOs give investors tokens that increase in value as more people invest in the company.

Governments are right to be worried – one study suggests that 80% of 2017 ICOs were scams, receiving $1.34 billion in funding. The good news is that, despite the large number of ICO scams out there, they received only 11% of funding given that year. This means that the majority of projects were legitimate, which is good news for the future of this industry.

One way to vet an ICO is to look at the supporting documents and examine the company, as you would for any IPO or similar investment. In addition to researching the company, make sure you look at its whitepaper. Ask yourself, does the whitepaper make sense, or is it full of jargon? Does it sound like it is written by someone who understands the company, or by a freelancer who recycles the same generic blockchain explanation from a dozen other papers?

Moreover, when you ask the company questions, do they provide real answers that you can understand, or is every answer a regurgitation of empty buzzwords? Play devil’s advocate and question the feasibility of the project. Transparent companies with a legitimate ICO will demonstrate their faith in their companies.

Cryptocurrency Offers

One of the defining features of a cryptocurrency is the potential for anonymity. Is anyone on the internet really who they say they are?

Most people are able to recognize scams in spam email – what are the odds that a Nigerian prince is actually reaching out to you for assistance with his financial issues? However, people sometimes lose their common sense when it comes to new technology that they may not quite understand. In London, for example, nine people invested a combined £150,000 with cold-callers purporting to sell non-existent cryptocurrency over the phone. Do not let this be you!

There is real danger in investing without knowing to whom you are giving money. Do not let the promise of instant riches sway your better judgment. As the SEC warns:

“If an investment sounds too good to be true, be cautious.”

“As with any other type of potential investment, if a promoter guarantees returns, if an opportunity sounds too good to be true, or if you are pressured to act quickly, please exercise extreme caution and be aware of the risk that your investment may be lost.”

When you go to the company’s website, does it feel like a real company website, or is the same person doing all the work? Are all the photos of the company stock photos, or is there a real office with real people, not just models? Again, use your judgment. Do not be afraid to turn down an offer if it does not feel right.

Cryptocurrency Exchanges

Finally, you should be cautious about the exchange you use to buy cryptocurrency. Even if you do all your due diligence on a cryptocurrency and feel confident in purchasing the tokens, you should turn an inquiring eye on the exchange you want to use as well.

Exchanges are where cryptocurrencies are traded. They make good money on transaction fees from these trades and are not regulated or secured.

One infamous example is Mt. Gox, one of the original bitcoin exchanges that hosted 70% of all transactions. In 2014, the exchange was hacked and 850,000 bitcoins were lost or had been stolen, valued at $473 million at the time.

Due to the potential for hacks on less-than-secure exchanges, many experts recommend storing your own cryptocurrency in your own wallet, not on the exchange. 

When choosing a cryptocurrency exchange, your due diligence should include the history of the exchange, the number of transactions that occur on the exchange, what kind of security systems are in place to prevent hacks, and how it is insured.

Final Thoughts

You may have noticed a common theme running through this post – the importance of treating cryptocurrency investments and transactions the same way you would treat any other business or financial transaction. At the end of the day, investing in cryptocurrencies can yield great rewards. However, the new technology should not make you forget the common sense you would utilize in any other situation.

This article does not provide legal advice. If you seek an Internet lawyer who understands your business and technology, contact the Internet lawyers at Revision Legal today at 855-4-REVISION.

Bitcoin 101

One of the most exciting internet trends in the past few years has been the rise and decline of bitcoin. Although the currency has been around for a decade, in December 2017 it reached its record high of nearly $20,000 per coin. While the coin’s value has dropped considerably in 2018 – it is currently less than $4,000 per coin – it is likely that we will be hearing more about the currency in 2019 and beyond.

Here is what you should know about bitcoin right now.

What is Bitcoin?

As much as bitcoin has been in the news, it can be a difficult concept to wrap your head around.

Bitcoin is a cryptocurrency, meaning that it can be used to buy products and services. Many businesses, including Revision Legal, have been accepting bitcoin payments for a number of years. Like paper currency, it has value because the people who use it believe it has value and pay money for it, or accept it in exchange for goods or services.

Bitcoin is unregulated by design; there are no government currency controls. Instead, all transactions are publicly stored in a ledger called “blockchain,” which is stored on a peer-to-peer network. All transactions are open and public, but users’ identities are anonymous.

Data miners track and encrypt bitcoin transactions, and save this data in the blockchain, in a similar manner as a family keeps track of expenses in a checkbook. The blockchain records every bitcoin transaction between any two parties in a public record, stored on every data mining system. This makes many people say that the blockchain is indisputable, and argue that bitcoin has a technologically secure system.

New bitcoins are created through data mining. In a nutshell, data miners use software that generates code and verifies bitcoin transactions in the blockchain ledger. In exchange, data miners are eligible to receive bitcoin as payment for their work.

Bitcoins are traded on public or private exchanges. In order to access your coins, you need to store unique private keys – passwords – in a wallet.

How can I Get Rich With Bitcoin?

There are two ways that people can make money off of bitcoin and other cryptocurrencies – data mining and investing in the currency.

Data miners can invest in either hardware systems or in cloud services. If you decide to invest in a hardware system, it will need to be more powerful than typical home or business systems. Basic set-ups begin at $500, but can easily cost thousands of dollars. Many miners today choose to join mining pools, which pool their computing power in order to increase their chances of earning bitcoin, and then split the profits.

While data mining was incredibly profitable years ago, it is becoming less so today due to competition. Data mining also requires a great deal of energy, which also can be a significant investment.

On the other hand, investors buy and trade bitcoin as if it is a stock rather than cash. Some may actively invest in the currency, while others may accept it in lieu of payment for services rendered. For example, in January 2018, rapper 50 Cent announced that he had accepted 700 bitcoin for a 2014 album and forgotten about it for several years. He then discovered the account, which was worth $7.8 million.

Anyone who wants to invest in bitcoin can do so. You can buy and sell bitcoin on any of dozens of exchanges. When investing in bitcoin, you should remember:

  • Not every bank allows cryptocurrency purchases, so check with yours to make sure it does before trying to make a purchase.
  • Store your pass keys in a secure wallet. This is the only way you will be able to access your investment. While many exchanges offer wallet services, some experts recommend keeping your passcodes in your personal wallet for maximum security, even going as far as to print your keys, to avoid the possibility of being hacked.

There are also several business opportunities that run parallel to bitcoin, blockchain, and cryptocurrency. For example, IBM has created its own open source blockchain technology called Hyperledger. It is designed to increase data security and streamline transactions. This technology is adaptable to a variety of industries ranging from finance to healthcare, travel, and entertainment.

App developers can create secure wallet storage solutions or a payment platform that makes it easier to use cryptocurrency to purchase goods or services. Data security experts will be needed to monitor and neutralize threats to companies partaking in cryptocurrency transactions.

As the interest in bitcoin grows, there may be more demand from people who want a piece of the action. Bitcoin ATMs and vending machines, which connect to exchanges and allow investors to purchase bitcoin with cash, are popping up around the world. They offer opportunities for developers, designers, and marketers to create, distribute, and maintain these boxes across the country and around the world.

Criticisms of Bitcoin

Although bitcoin is widely praised in the technology community and gaining support in financial districts, there are many concerns about it.

One criticism is that bitcoin is a bubble waiting to burst. As more and more people jump on board, prices increase. However, there is concern that there is only so much growth possible. People may be making money now due to the increased interest and growth in cryptocurrencies, but at some point, further growth may be impossible.

Another concern is that there is nothing backing bitcoin. Even though the US Dollar has not been redeemable by gold or silver in decades, Federal Reserve banks hold collateral equal to the currency in circulation and the Fed stabilizes the market for dollars to avoid extreme fluctuation in value. On the other hand, bitcoin acts more like a stock than currency. It has no intrinsic value and the market can change drastically in a matter of hours.

Additionally, there are many aspects of cryptocurrencies, including the complicated technology and anonymous nature, that make it easy for scammers to take advantage of buyers – a topic we will explore in the future.

This article does not provide legal advice. If you seek an Internet lawyer who understands your business and technology, contact the Internet lawyers at Revision Legal today at 855-473-8474.

Digital Millennium Copyright Act and Internet Service Providers

The Digital Millennium Copyright Act (DMCA) was enacted in 1998 to bring the United States up to date with technology and with international intellectual property treaties.

While there are many aspects of the DMCA, one of the most important to web hosts and internet service providers (ISPs) involves the “safe harbor” provisions. Under this provision, if a content provider:

  • Does not have actual knowledge that the material was infringing another’s copyright;
  • Is not aware of facts or circumstances where infringing activity is apparent; and
  • Acts quickly to remove the content, once made aware of it,

Then the content provider will not be liable for monetary damages for copyright infringement.

If your company is a web service provider who wishes to take advantage of the “safe harbor” provisions, you will need to ensure that your organization is registered with the Copyright Office’s DMCA website. This way, you will have a designated agent on file in a public database, so that you will be able to receive notices of copyright infringement, otherwise known as “takedown notices.”

DMCA Takedown Notices

One of the most common ways we see the DMCA’s “safe harbor” provisions in use today is through takedown notices submitted to service providers. If a copyrighted work is being hosted on a website against the wishes of the copyright holder, the copyright holder can send a takedown notice to the website.

This notice should include:

  • The identity and contact information of the person who is requesting that the copyrighted material be removed
  • Information on how the individual is related to the copyrighted material. For example, does this person own the copyright, or were they assigned the right to enforce it?
  • Information about the copyrighted material being infringed, including what the copyrighted material is comprised of and a link to the page it is hosted on
  • A statement that this information is accurate, under penalty of perjury, and
  • A physical or digital signature

Once a service provider receives a takedown notice, they must investigate the claims in a timely fashion. Responses to a takedown notice may include:

  • Removal of the copyrighted material, or
  • Disabling access to the copyrighted material, such as deactivating links

If a third-party user is the subject of multiple verified takedown notices, a service provider may decide to terminate that individual’s ability to access their site.

Because copyright is automatically granted, you will be able to enforce certain rights with a DMCA takedown notice, even if your work is not registered with the US Copyright Office. This has made the DMCA a useful tool in controlling the spread of “revenge porn” – compromising selfies sent by one individual to another in confidence, which are later posted to websites and visible to anyone online.

Because the individual who took the picture is the copyright owner, that person is able to contact websites like Google or Tumblr and ask for the material to be removed under the DMCA.

Penalties for ISPs That Ignore a DMCA Takedown Notice

If you receive a DMCA takedown notice but fail to act accordingly, you may lose protection of the “safe harbor” provision and can be found liable for copyright infringement.

In 2014 and 2015, the safe harbor provision was put to the test. BMG Rights Management, LLC, filed a lawsuit against Cox Communications Inc., an internet service provider.

BMG’s enforcement arm, Rightscorp, attempts to pursue individuals who download music online without paying for it. Rightscorp will send emails requesting individuals settle these claims for $20-30 per song. However, the only way to trace these individuals is through the ISP. BMG sends copyright notices to ISPs with messages to pass along to the users. Other ISPs would simply forward these emails as instructed. However, Cox did not.

BMG then sued Cox, and won $25 million. Cox’s refusal to forward these messages – forwarding them being a reasonable step, according to the judge, to implement a policy to terminate repeat infringers – meant that it was no longer protected by the “safe harbor” provisions, and would therefore be liable for the copyright infringement of its users.

This was the first case of its kind, and it may embolden other copyright holders or enforcement agencies to be more aggressive in ensuring their messages reach their intended audience.

If you receive a DMCA notice and have questions about determining the proper course of action to ensure your organization is eligible for the DMCA’s “safe harbor” provisions, contact an experienced internet attorney today to understand your legal obligations.

Creating a DMCA Compliance Policy

You should create a DMCA compliance policy if your organization:

  • Has a website that allows third parties to post content, such as social media posts or blog comments;
  • Hosts websites; or
  • Provides internet services to users.

This policy should include:

  • Notice and takedown procedures for receiving, processing, investigating, and acting when a DMCA takedown notice is received;
  • Provisions to routinely monitor your site and automatically remove copyrighted material; and
  • A policy to terminate accounts of or access by repeat infringers.

Many companies have gone one step further, and made their DMCA reporting and compliance policies exceedingly user-friendly and easy to understand.

For example, social media sites like Facebook, Twitter, and Pinterest have streamlined their DMCA compliance policy by creating easy-to-use fillable forms for copyright holders who believe their work was uploaded without permission.

Similarly, web hosting company A2 Hosting’s DMCA policy walks its users through the elements of a proper takedown notice, listing very clearly the elements needed for an actionable request.

When you create your company policy, you should remember that many people seeking to enforce their copyrights online through the DMCA are not lawyers and may have limited understanding of how the act works. Creating a user-friendly system will make your process of sorting out the real notices significantly easier.

If you have questions regarding how to stay compliant with the DMCA, contact Revision Legal’s team of experienced copyright and internet attorneys through the form on this page, or call 855-473-8474.

FOSTA-SESTA for Internet Service Providers

The Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA) and the Stop Enabling Sex Traffickers Act of 2017 (SESTA) are two bills that were passed by the House and Senate. The combination of the bills, referred to as FOSTA-SESTA, was signed into law in April 2018. This law represents an important change to the way internet content will be policed moving forward.

Previous Requirements Under the Communications Decency Act

Before the enactment of FOSTA-SESTA, Section 230 of the Communications Decency Act (CDA) stated:

“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

In other words, websites like Craigslist or Reddit, which encourage anonymous users to engage in discussion, debate, and commerce, would not be liable for the content on these sites, even if they edited or moderated the content, so long as the meaning did not change. This law, which was described as “the law that gave us the internet,” was capable of shielding Google and Facebook from liability for defamation lawsuits, or even criminal investigations.

For a long time, this law was also used to protect Backpage.com, which a Senate Subcommittee Report discovered was involved in 73% of all child trafficking reports. The owners of the site argued that Section 230 of the CDA shielded them from liability. However, the Senate discovered that Backpage was actively facilitating child sex trafficking by editing ads so they would pass community standards and teaching its users how to post “clean” ads for illegal transactions.

This level of editing went beyond the safety net of Section 230, and in April 2018, the Department of Justice issued a 93-count indictment against seven people involved with Backpage.com. The FBI seized the website.

What FOSTA-SESTA Changes

Under FOSTA-SESTA, websites can be civilly liable and prosecuted in criminal court for any sex trafficking discussions that are viewable on their platform.

Specifically, someone who “owns, manages, or operates an interactive computer service (or attempts or conspires to do so) to promote or facilitate the prostitution of another person” can face up to 10 years in prison and hefty fines.

This law removes the Section 230 shields for web hosts, internet service providers (ISPs), and social media sites specifically when it comes to sex trafficking. The shields on liability will remain in place for other matters, such as defamation lawsuits.

However, FOSTA-SESTA does represent a major change to the duties and responsibilities of these platforms with regard to monitoring and enforcing their content. After the law passed, many sites took steps to remove material for which they could be found liable. Craigslist, for example, took down its entire personals section, while Reddit removed several popular subreddits.

ISP Compliance Under the New Laws

If your company provides any online services, there are a number of steps you can take to ensure you are in compliance with FOSTA-SESTA.

First, you should take a look at services your organization currently provides. If you have classified ads, dating apps or services, social media forums, or accept third-party ads on your site, you should update your terms of service to specifically reflect what you will and will not allow to be posted.

Second, you will need to double down on efforts to moderate these third-party messages. You should understand the language used in sex trafficking in order to do this properly. If you need to, hire and train additional moderators to do this job correctly. You should also update your parameters periodically in order to catch new language and phrases used in these communications.

Finally, decide what level of risk your company wants to take. While some companies may decide to challenge the law if pursued, many are taking a conservative approach. For example, Craigslist made the decision to completely remove its Personals section to avoid liability under the law. Recent news of Tumblr’s decision to remove adult content from its site has also been linked to this new legislation.

Remember, your company may or may not actually be subject to FOSTA-SESTA. For example, ProtonMail, a Switzerland-based email service, issued a statement explaining how it is not governed by US laws. Because activities such as gambling and sex work are not illegal in Switzerland, a Swiss court would be unlikely to acquiesce to a government request for data related to these activities.

Praise and Criticism for FOSTA-SESTA

FOSTA-SESTA received praise from a number of sectors. Many industry leaders who are members of the Internet Association, including Amazon, Microsoft, Uber, and Netflix, supported the new legislation, stating that it is “committed to combating sexual exploitation and sex trafficking online.” Another proponent of the new law argued that this change is needed to “deal with a 21st century problem.”

The Department of Justice (DOJ) also largely supported the change in legislation, as it gives additional tools to fight trafficking. However, the DOJ asked that language be amended to focus on trafficking, rather than consenting adults. It also raised a constitutional concern, in that FOSTA-SESTA allowed for criminal punishments on behavior that occurred before the law passed. This sort of ex post facto law is unconstitutional, and is a highly criticized element of the law.

Advocates for sex worker safety believe that this law does more harm than good. The law will prevent people from using sites like Craigslist to advertise their services, which is a safer alternative than being on the street. Instead, because of this law, women and men may need to put themselves back in dangerous situations to make their livings.

Freedom Network USA, which provides services to trafficking victims – the group the law is designed to help – also argues that this law will drive the sex trade further underground.

Removing references to sex trafficking and prostitution will not make their victims or participants disappear. Under current enforcement models, investigatory agencies are able to track victims online through IP addresses and photographs. If these sites are shut down, victims will be less likely to be identified and will face more threats of violence.

Free speech advocates, including the ACLU, also argue that FOSTA-SESTA requires online platforms to spend more energy on policing content, which can have a chilling effect on free expression online. Perhaps the most vocal opponent of the new law is the Electronic Frontier Foundation (EFF), which believes that Congress is now censoring the internet and preventing the development of new technologies.

For more information on ISP disclosures or compliance requirements with federal and state laws, contact Revision Legal’s team of experienced internet attorneys through the form on this page or call 855-473-8474.


Internet Service Provider Requirements to Report Child Pornography


Internet service providers (ISPs) occupy a unique place in modern society. They provide internet access to millions of people across the United States, which allows instantaneous communication, exchange of ideas, and, unfortunately, a new haven for criminal activity.

Because of their unique role in facilitating online communication and commerce, ISPs are subject to certain federal laws regarding child pornography and child sex trafficking.

Revision Legal’s internet and privacy attorneys have experience drafting website and software privacy policies, advising on privacy law compliance, and enforcing state law privacy torts. Our privacy law attorneys can advise you or your business on compliance with:

  • State privacy law
  • The Children’s Online Privacy Protection Act
  • California’s Shine the Light law
  • The European Union’s Data Protection Directive

Child Pornography

Under federal law, it is illegal to produce, distribute, import, receive, or possess any image of child pornography. Images do not need to depict sexual activity. Instead, a picture of a naked child can be considered child pornography if it is sexually explicit. Minors under the age of 18 cannot consent to be in these images.

While adult pornography that is not “obscene” is protected by the First Amendment free speech protections, child pornography is not protected. Individuals violating federal child pornography laws are subject to strict criminal punishments, including harsh jail sentences.

Child Sex Trafficking

Child sex trafficking is the recruitment, harboring, transportation, provision, obtaining, or advertising of a minor child for the purpose of a commercial sex transaction. Being convicted of this crime can result in serious criminal penalties. Federal laws also provide for civil asset forfeiture against property owners who ignore human smuggling on their land.

The internet is the major hub for facilitating human sex trafficking. A recent study of child sex trafficking survivors reported that 75% were advertised online. Additionally, the FBI estimates that at any given moment, 750,000 child predators are online.

ISP Requirements For Reporting Child Pornography

ISPs are required by 18 USC §2258A to issue a report to the National Center for Missing & Exploited Children (NCMEC) when they obtain knowledge of facts or circumstances involving:

  • Sexual exploitation of children;
  • Selling or buying of children;
  • Production or distribution of child pornography; and
  • Websites designed to trick minors into viewing pornography or other obscene material.

This report must contain information regarding:

  • The individual user, including his or her email address or IP address
  • The history of the transmission, including when and how it occurred
  • The geographic area of the involved individual, including the IP address, or the verified billing address

ISPs must also provide any images of apparent child pornography, as well as the complete communication regarding any images of apparent child pornography, including any digital files contained in or attached to the communication.

ISPs are not required to actively search their systems for information regarding sex trafficking or child pornography, nor are they required to monitor individuals for these types of communications.

Failure to make reports can result in fines up to $150,000 for the first offense, and up to $300,000 for subsequent offenses.

The NCMEC will forward these reports to the appropriate local, state, federal, or international law enforcement agencies and the relevant attorney general for investigation. This collaboration across domestic and international jurisdictional lines is important because a significant amount of child pornography and sex trafficking takes place across jurisdictions.

Contacting the NCMEC

The NCMEC’s website is http://www.missingkids.com/home, and its CyberTipline can be contacted at 1-800-THE-LOST (1-800-843-5678) or online at https://report.cybertip.org/.

Other Efforts to Stop Child Pornography and Child Sex Trafficking

Due to the widespread, international nature of child pornography and child sex trafficking, it must be tackled on a number of different fronts.

Because of the serious nature of these crimes, both the US government and private ISPs have undertaken efforts to curb the distribution and production of child pornography and end child sex trafficking.

Private Internet Provider Efforts to Block Child Pornography

In addition to the federal government’s efforts to curb these practices, private internet service providers have reformed their services to block child pornography.

In 2008, Comcast and NetZero joined Verizon and Sprint in taking steps to block child pornography. These companies block bulletin boards where images are disseminated, as well as child porn news and web sites. These efforts to remove old images from circulation will allow law enforcement to focus on more recent images of children who are more likely to still be victimized.

Search engines, such as Google and Bing, are also blocking searches for restricted material, and are working to tackle peer-to-peer sharing of these images. A study analyzing data between 2011 and 2014 showed that these efforts reduced this type of search traffic by 70%.

Senate Fact Finding Into Online Criminal Activity

Finally, the federal government has many investigative tools that can be utilized to expose criminal activity online.

The leading online marketplace for commercial sex is Backpage.com. According to a 2017 Senate Subcommittee Report, this website is involved in 73% of all child trafficking reports received by the NCMEC.

This investigation looked into whether Backpage.com was merely a conduit for criminal activity, or if the site was actually involved in promoting the criminal activity. If, as Backpage.com claimed, it was merely a conduit, it would be immune from liability under the Communications Decency Act (CDA), which provides certain levels of immunity for ISPs and websites that make content available online and have good-faith screening processes to block offensive material. However, if Backpage.com was an active participant in criminal activity, the site could have criminal and civil liability.

Over the course of a nearly two-year investigation, the Senate discovered that not only was Backpage.com editing customer ads for child trafficking or pornography in order to remove words suggesting criminal activity, but also that it was coaching customers how to post “sanitized” versions of the ads to avoid detection.

Backpage.com had previously avoided liability for criminal activity under the CDA because the extent of its involvement with the criminal activity had not been known. The Senate subcommittee’s fact finding helped expose Backpage.com’s practices, paving the way for lawsuits from victims of sexual exploitation. One such lawsuit was filed in June 2017 (1:17-cv-11069).

From the aggressive pursuit of Backpage.com by the US Senate, it is evident that the government is willing to utilize all the tools in its toolbox to seek out this sort of criminal activity online.

For more information on ISP disclosures or compliance requirements with federal and state laws, contact Revision Legal’s team of experienced internet attorneys through the form on this page or call 855-473-8474.


2018’s Biggest Data Privacy News Stories


As the year draws to a close, we wanted to take a moment to review the biggest data privacy news stories of 2018 and discuss what we can learn from them as we move into the new year.

1.   Europe’s GDPR

Probably the biggest news story is the European Union’s General Data Protection Regulation (GDPR). This regulation, which came into effect in May 2018, places significant limits on how companies must collect and store data.

In addition to outlining what companies must do when they process personal data, the GDPR has new regulations relating to how companies must handle data breaches. Businesses are now required to notify their relevant data protection authority within 72 hours of becoming aware of a breach. Depending on the type of data, the company must also notify impacted individuals, if the breach involves a high risk to their rights and freedoms.

Perhaps the most shocking aspect of the GDPR is the high fines a company faces for failure to comply with the regulation. Severe breaches can carry fines up to €20 million ($22.5 million), or 4% of a company’s annual revenue, whichever is greater. As a result, companies like Amazon.com, which took in just under US $178 billion in revenue in 2017, could be looking at multiple billions of dollars in fines for noncompliance.

If your company is subject to the GDPR, you should be looking closely at this regulation to ensure you are complying with all aspects of it. Remember: even if your company is attacked by hackers, you can still be fined.

In order to ensure you are fully compliant with the regulation, speak with an attorney who specializes in internet privacy law.

2.   Huge Data Breaches

It seems like every week, we get data privacy news stories. In July, the Identity Theft Resource Center reported that over 22 million records were exposed in the first half of the year alone.

Companies like Under Armour faced off against hackers who broke into the MyFitnessPal app, affecting over 150,000,000 users. While there were enough data protections in place to secure sensitive identifying information and credit card numbers, Under Armour’s passwords were partially protected under a weaker hashing system that was easier to compromise. The stolen passwords could then be sold or used in online scams.

Perhaps the biggest data breach story was the Cambridge Analytica / Facebook scandal. This spring, it came to light that data was harvested from 50 million users’ profile pages to analyze and influence election results, including the 2016 presidential election.

The program collected information about each individual user who completed a personality test, but also information from those users’ online friends. The usage violated Facebook policies, which allowed collection of data only to improve in-app experiences, not for advertising or other purposes. This breach led the UK to issue a £500,000 fine on Facebook (approximately US$644,000), which Facebook has recently appealed.

Facebook is taking a number of steps internally to prevent another Cambridge Analytica scandal, including reviewing apps that have access to large amounts of user data, and turning off the app’s access to someone’s data if it has not been used in the past three months. Imposing and adhering to this sort of internal policy may help limit this type of data misuse. The increased GDPR data privacy protections may also help prevent another Cambridge Analytica scandal, although Facebook previously failed to adhere to an agreement with the Federal Trade Commission (FTC) regarding its users’ data privacy.

Foreign operatives also attempted to steal intellectual property from universities. In March, the US Department of Justice filed charges against an Iranian company and nine individuals for hacking into hundreds of universities around the world, including 144 in the US. The attacks involved sending phishing emails to professors in order to gain access to university data.

These attacks began in 2013, and are estimated to have stolen 31 terabytes of academic data and intellectual property.

What can Your Company Learn From These Sensational Headlines?

In the Under Armour example, the company had many protections in place to protect users’ passwords, but its hashing protocols were flawed. Regularly reviewing and updating the security of your data encryption can help you stay one step ahead of hackers.

You should store data separately, as Under Armour did, to ensure that financial information, including credit card numbers, is kept separately from login data.

To avoid inadvertently allowing third parties to have access to your customers’ personal data, as in the Facebook case, you can follow GDPR guidance on appropriate limitations. You should also routinely audit third party use, to ensure they are adhering to your company’s privacy policies.

If you believe a third party is misusing your customers’ data, you can shut them out and ensure they dispose of the data, including backups, properly. You can also offer rewards to people who find holes in your security system.

Finally, as the Iran-University breach demonstrates, hackers do not always target automated systems. Sometimes the weakest links in data protection are humans.

You should routinely remind anyone who has access to your network – from first semester freshmen to tenured professors – to be wary of emails from unknown sources, even emails that make it through spam filtering. Your employees should exercise extreme caution before clicking on links in these emails.

3.   Data Leaks

A data leak may not seem as serious as a data breach, because it may be an inadvertent disclosure, rather than a malicious attempt at hacking into your company’s data. However, a data leak can cause as much harm as a deliberate breach.

In 2018, an employee discovered that Panera Bread’s website included plain text personal data from users who ordered food online. It is estimated that millions of customers’ names, addresses, credit card numbers, and birth dates were vulnerable to automated tools searching for this type of data.

Making matters worse, the leak went on at least eight months after Panera’s head of information security was made aware of the problem.

To avoid putting your company in this situation, you should continue to conduct internal audits of your company’s website and security system. You should take reports of data leaks seriously and investigate them in a timely fashion when they are brought to your attention. Most importantly, you should not let the leak continue, especially if there is a quick fix to stop it.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws, and manage data breaches when they occur. To discuss your data privacy needs, contact Revision Legal’s internet attorneys with the contact form on this page, or call us at 855-473-8474.


How to Manage Data Breaches Under GDPR


In recent weeks, we have posted about the requirements of personal data protection under Europe’s General Data Protection Regulation (GDPR) that companies must now follow. Today we will look into what a company must do in the event of a data breach under this regulation.

Over the past few years, we have seen some truly impressive data leaks around the world.

Between May and July 2017, Equifax was hacked, which compromised data for 143 million people, including names, social security numbers, birthdates, and home addresses. In 2018, a number of online retailers, such as Macy’s and Adidas, suffered from data breaches. Even Facebook faced a major data breach that affected as many as 50 million people. Because data breaches are, unfortunately, a fact of life, businesses and consumers must be prepared for them.

If your internet business is subject to the GDPR, here is what you should know:

What is a Data Breach?

Article 4 of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Under the GDPR, you are required to “implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards in the processing.” (Article 25)

These requirements include having appropriate levels of security, limiting access to personal data so it can only be accessed on an as-needed basis, and conducting tests on a regular basis to ensure that you catch security breaches before they occur. You must also have an appropriate backup system in the event that the data is lost.

You may also be required to have a qualified data protection officer, who will be in charge of overseeing data security. This position is especially important if you are processing a significant amount of sensitive data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or information related to genetic or biometric data.

Government data protection authorities are available for consultation, especially when there is a high risk in processing, or there are no measures in place to mitigate potential risks.

How Your Company Should Manage Data Breaches

You are not required to disclose every data breach. However, you must make an assessment as to whether or not the breach is likely to cause a significant detrimental effect to individuals.

If the breach is likely to be significantly detrimental, you must notify your country’s data protection authority within 72 hours of becoming aware of the breach. This notification must include:

  • The nature of the breach, including what type of data was taken and how many people’s information was compromised;
  • The likely consequences of the data breach;
  • What measures you have taken, or propose to take, in order to address the breach; and
  • What measures, if any, can mitigate adverse effects of the breach.

Additionally, if the data breach is likely to involve a high risk to the rights and freedoms of individuals, you must disclose the breach to the individuals at risk without undue delay. The GDPR allows you to make this communication by issuing an effective public communication, if contacting individuals would require disproportionate effort. Companies that have implemented measures, such as encryption, that would render the data unintelligible are allowed to forgo public notification.

Manage Data Breaches: Fines for Non-Compliance

If your company fails to comply with the GDPR’s data breach rules, specifically the requirement to notify your customers within 72 hours of the breach, you can also be fined a significant amount of money.

Less severe breaches carry fines up to €10 million ($11.2 million) or 2% of a company’s annual revenue, whichever is greater. More severe breaches can carry fines up to €20 million ($22.5 million), or 4% of a company’s annual revenue, whichever is greater.

In 2016, the year before Equifax had its major data breach, it reported $3.1 billion in revenue, meaning that it could have been liable for a fine up to $124 million due to its failure to report the breach within 72 hours.

Fines are discretionary, rather than mandatory, meaning that each country’s enforcement agency will assess the situation before imposing fines.

Factors that will be considered include:

  • The nature of the infringement;
  • The number of people affected by it;
  • Whether the breach was intentional or merely negligent;
  • What steps were taken to protect the data; and
  • History of noncompliance, if any.

Additionally, you may be required to compensate individuals for any damages they suffer as a result of the breach.

If You are a Consumer Whose Data has Been Breached

As a consumer, if your data was breached, there are a number of steps you should take.

If the data breach was for non-financial data, like an email or social media account, you should change your passwords. You should also monitor for suspicious activity, such as strange messages being sent or strange posts to your feed.

If the data breach was for a financial account, such as a credit or debit card or bank account, you have a couple more steps to take after changing passwords. Depending on the severity of the breach, you should place a credit freeze or a fraud alert on your accounts at Equifax, Experian, and TransUnion. You can also check your credit report for free at annualcreditreport.com. You should also monitor your financial accounts to look for unauthorized transactions.

Finally, if the GDPR applies to your situation, you can file a lawsuit against the company that violated your data protection rights, and make a claim with your national data protection authority.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s attorneys with the contact form on this page, or call us at 855-473-8474.

 


When is it “Necessary” to Process Personal Data Under GDPR?

Last week I wrote about the EU’s new General Data Protection Regulation (GDPR) consumer-friendly approach to personal data collection and storage.

This regulation, which went into effect earlier this year, requires that companies only collect, store, or process personal data when there is consent or when it is necessary. Companies are often surprised at the broad definition of “necessary” under the regulation. Often, they do not need an individual’s consent to collect, store or process their personal data.

The GDPR provides five lawful bases outlining when it is “necessary” to process someone’s data. If your use falls into one of these five categories, then you do not have to worry about obtaining, or losing, consent.

Article 6(1)(b): Contracts

If the processing is “necessary for the performance of a contract” to which the individual is a party, or if the individual requested the company to do something prior to entering into a contract, the processing is necessary and therefore lawful under GDPR.

Here are some transactions that would fall under this category:

  • Paul purchases a t-shirt from an online store, which creates a contract between Paul and the store. The store needs to collect data from Paul, including his shipping address and payment information, in order to complete the contract and hold up its end of the deal.
  • Karen is having brochures printed for her office, and contacts a printing company for a quote. The printing company needs to collect Karen’s email address to send her the official quote. If Karen decides to work with the printing company, the company will need additional information in order to complete the transaction.

Contractual obligation will cover many transactions. However, an important part of the GDPR is that the data is collected for a specific and limited purpose, and that collection is limited to what is necessary for the original purpose. If you want to continue to use the customer’s information for marketing purposes after the transaction has completed, you may need to find a different lawful basis.

Article 6(1)(c): Legal Obligation

If a legal obligation requires you to process an individual’s information, you must do so.

Examples of legal obligation include:

  • A court order requiring a business to turn over information on an individual;
  • A financial institution that notices suspicious account activity that could be money laundering reporting this activity under relevant criminal statutes; and
  • Businesses collecting and reporting required information about their employees to relevant government agencies.

As these examples demonstrate, a company’s legal obligations to collect, distribute, or otherwise process personal data are typically spelled out in statutes, regulations, or court orders.

Article 6(1)(d): Vital Interests

The GDPR requires disclosure of personal data in situations when it is necessary to save someone’s life. This typically refers to sharing medical records between doctors, hospitals, and emergency rooms. Sharing information about the patient is permitted, but it is also permitted to share information about parents in order to save a child’s life.

Rule 46 of the GDPR also considers “protecting an interest which is essential” to the life of individuals to fall under this category, such as if processing data is necessary for emergencies, like fighting disease outbreaks, recovering from natural or man-made disasters, or other humanitarian emergencies.

However, it is also clear from the rules that if another lawful basis is available, someone controlling personal data should operate under that basis. Operating under a vital interest basis should be used only as a last resort.

Article 6(1)(e): Public Task

You are allowed to process data if doing so is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority.”

If you work for a government agency, it is often necessary to process personal data. For example, immigration officials working at airports must process data of people at border crossings. This differs from the “legal obligation” basis, in that the data processing activity does not need to be specifically listed in a statute or regulation. However, there must be a clear source of law you can point to when processing data under the public task basis.

Additionally, organizations that are not specifically government agencies but serve a public function may also operate under the public task legal basis. If a private company is charged with parking meter enforcement by a city, then that company may collect data on illegally parked vehicles. If a private company has been hired by a city to test water after a potential contamination, they are permitted to act under the public task legal basis.

Article 6(1)(f): Legitimate Interests

The GDPR also allows a company to process personal data when it is in a company’s legitimate interests to do so, as long as the interest is not outweighed by the interests or fundamental rights in an individual’s data.

This is the broadest of the categories with the most room for interpretation. Although this basis may seem flexible, it is not meant to be a free-for-all. As a company, you should ask:

  • Are you pursuing a legitimate interest?
  • Is the data processing necessary for this purpose?
  • Do the individual’s interests override the legitimate interest?

Legitimate interests include using employee and client data for marketing, IT security, or fraud prevention. For example, a credit card company might monitor its customers’ data to prevent identity theft. An email server may analyze incoming mail to weed out spam or potential viruses. Companies can also use information within the realm of “legitimate interests,” meaning that sending mail or emails out to former and current customers can be lawful.

Even though it might be easy to say that every data processing activity falls under the “legitimate interest” lawful basis, your company should not rely on this category as a catch-all. Instead, carefully review your data processing activities to ensure you are operating under the necessary basis that best matches your intentions.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s attorneys with the contact form on this page, or call us at 855-473-8474.

 

 


Personal Data Processing Under the GDPR

In May 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. The GDPR standardized personal data protection requirements across the 28 EU countries. Although the regulation is broad, advocates for GDPR applaud its consumer-friendly approach to personal data collection and storage.

What are the Governing Principles of GDPR?

GDPR provides a number of general principles relating to processing personal data, namely that it should be:

  • Collected and processed lawfully, fairly, and in a transparent manner;
  • Collected for a specific and legitimate purpose, as well as limited to what is necessary for the collection purpose;
  • Kept only as long as necessary for the initial purpose; and
  • Processed securely and protected against unlawful processing.

What are Personal Data and Personal Data Processing?

Article 4 of GDPR defines personal data as any information relating to an identified or identifiable natural person, who can be identified by reference to identifiers such as a name, ID number, location data, an online ID, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Examples of personal data include:

  • Real names and online usernames;
  • Mailing, work, email, and IP addresses;
  • Photographs; and
  • Genetic and biometric data, including DNA

Article 9 prohibits the processing of data regarding racial or ethnic origin, political opinions, religious beliefs, or trade union membership except in certain specific situations and provides further limitations related to the use of genetic, biometric, and general health data.

Personal data processing refers to personal data that is collected, recorded, organized, structured, stored, adapted or altered, retrieved, consulted, used, disclosed by transmission, disseminated or otherwise made available, aligned or combined, restricted, or erased or destroyed. GDPR applies to processing of personal data through automated, partially automated, as well as non-automated means if it is part of a structured filing system.

Examples of personal data processing include:

  • Staff management and payroll administration;
  • Sending promotional emails to an email listserv;
  • Shredding documents containing medical records or bank records; and
  • Posting a picture of someone online.

The business or person who determines the means and purposes of personal data processing is known as the controller of the data. The controller is responsible for adhering to the GDPR and can be penalized for failing to meet the regulation’s requirements.

What are GDPR’s Requirements for Personal Data Processing?

The GDPR permits processing personal data when a user consents to the processing, or when it is necessary to process data.

Consent to Process Personal Data

In order for an individual to consent to a controller processing personal data, the controller must fully inform them about what they are consenting to. Best practices to obtain consent include making the request prominent and separate from terms and conditions of a site.

Consent must also be positively given – users must have an opportunity to affirmatively agree that the controller may process their data. Users must be able to revoke consent in the future, and consent should not be a precondition of the controller providing a service to the user.

People who are 16 years old or older are capable of consenting on their own. Children under 16 must have a parent or guardian consent on their behalf.

Necessary Personal Data Processing

The GDPR also lists five situations in which it is necessary for controllers to process data without explicit consent:

  • Contracts: If a controller has a contractual obligation to the data subject, and data processing is necessary to complete contractual obligations, the controller may process the data. Additionally, the controller may process data if doing so is a necessary prerequisite for entering into a contract.
  • Controller’s legal obligation: If the controller has an obligation to report data to a regulatory body, or is under a court order to provide information, they are under a legal obligation to provide it, regardless of consent.
  • Vital interests: If personal data disclosure is required to save someone’s life, the controller is obligated to do so. This situation will almost always involve health data.
  • Public task: This category of necessary processing relates to tasks carried out by an official government agency, on behalf of an official agency, or a task that is carried out in the public interest. This will often relate to government agencies, but government contractors or private water companies may also operate under this umbrella.
  • Legitimate interests pursued by the controller: This category is very broad. It requires the controller to pursue a legitimate interest, that the processing be necessary for the purpose, and that the controller’s legitimate interest does not outweigh the individual’s fundamental rights or freedoms.

Praise and Criticism for GDPR’s Data Processing Requirements

GDPR has drawn praise from tech leaders, including Apple CEO Tim Cook, who recently expressed support for a similar regulation in the US. Cook listed four areas of the GDPR he believed should be legislated in America:

  • The right to have personal data collection be minimized (Article 5(1)(c));
  • The right for users to know what data is collected on them (Article 15);
  • The right to access that data (Article 13); and
  • The right for data to be kept securely (Article 5(1)(f)).

Critics of the regulation believe that it can be too burdensome for businesses to comply with or that limitations will stymie growth of artificial intelligence systems, which rely on individuals’ personal data to grow. Others argue that large companies like Facebook and Google who currently offer free services in exchange for the ability to collect and utilize user data may limit free options due to new limitations on data processing.

What are the Penalties for Failure to Comply With GDPR?

Failure to comply with GDPR’s data processing requirements can lead to a number of different penalties, including warnings, bans on data processing, audits, orders to restrict or delete data, and monetary fines up to €20 million or 4% of a company’s worldwide net sales. You should take compliance with GDPR very seriously.

Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s internet lawyers with the contact form on this page, or call us at 855-473-8474.

 


Find Out How to Protect Your Intellectual Property from Your Chinese Manufacturer

Any business with one eye fixed on the future knows that they can’t afford to stay out of China, one of the four largest emerging markets in the world.

Unfortunately, businesses also know that they can’t afford to stay in China either, as China accounts for at least half of all intellectual property theft from United States companies.

How do you beat the catch-22?

By learning how to play smarter than China.

That’s why we’re explaining everything you need to know about protecting your intellectual property in China, from the problems you’ll face to steps you can take.

What is Intellectual Property?

But first, we should address the basic question at the heart of this: what is intellectual property?

After all, if you’re not clear on what intellectual property actually is, you won’t have a clue about how to keep it safe.

In the simplest terms, intellectual property is any product of the human intellect that is legally protected from unauthorized use. It generally falls into four categories:

  1. Copyright
  2. Patent
  3. Trademark
  4. Trade secrets

The basic goal is to protect your property and business from infringement, particularly from the unauthorized use and misuse of your creation.

The most basic example of intellectual property theft? An employee walking out the front door with your designs to work for another company, which will market your trademarked product, design, or production process as their own.

Why You Need to Protect Your Intellectual Property

With that in mind, let’s talk about why you need to protect your intellectual property.

Intellectual property isn’t a physical asset–it’s an idea. That means that unlike a painting or a car or some other concrete object, you can’t lock it in a vault.

Yet safeguarding it is crucial.

One of the biggest reasons for this is maintaining a competitive advantage. Let’s say your company created a new drug, the only drug of its kind to do what it does or successfully treat a particular illness. That drug would make you pioneers in the field, and since you’re the only one who knows how to make it, you have a monopoly on the market.

Now let’s say someone else starts making that same drug and selling it. Suddenly, it doesn’t matter that you got there first–what matters is whether consumers happen to see your brand or your competitor’s brand first.

Another important element is brand recognition. When your company creates goodwill with customers, they’ll learn to identify your brand with that goodwill and use the brand as a shorthand identifier for quality.

And when you’ve worked so hard to create that positive association, you don’t want another company to profit on your work.

Problems with Intellectual Property in China

Since your intellectual property is so important to your business, you’d obviously want to protect it.

Here’s the problem: intellectual property protections are largely reliant on the laws of the place in question. Unfortunately for you, intellectual property laws in the United States are wildly different from intellectual property laws in China.

Worse, Chinese companies are encouraged under official Chinese government policy to poach intellectual property from American companies–often with the active participation of Chinese government personnel.

Your best option? Don’t wait for someone to infringe on your trademark. Instead, prevent the problem from happening.

Protecting Your Intellectual Property in China

So, with all of that in mind, how do you go about protecting your intellectual property on the Chinese market?

Nothing can replace an experienced intellectual property attorney, who can help you take a look at the rules, regulations, and common practices in the areas you want to do business and help you come up with a comprehensive plan to keep your property secure.

There are, however, a few things you can do to make your life (and your attorney’s life) a little simpler.

Know the Law

It starts with knowing the law.

And yes, we did just tell you that the government frequently encourages intellectual property pillaging. However, if you want a legal basis to address the issue (and protect your property from the rest of the world, as well) you’ll have to know your way around some of the most commonly used manufacturing agreements and IP registrations in China.

Again, your lawyer can help you explore your options in greater detail, but we’ve provided a few starting points here.

Manufacturing Agreements and IP Registrations

The first thing you should know about is NNN agreements, which are basic agreements protecting the confidentiality of your products while preventing your Chinese manufacturer from competing with you or circumventing you by going directly to your clients.

Many Western businesses make the mistake of believing their nondisclosure agreements are sufficient protection in China (for the record: no, they’re not). Nondisclosure agreements work in countries like the US or Canada where judges have ample power to issue and enforce injunctions. That’s not the case in China.

You’ll also need a mold/tooling protection agreement, which makes it clear to all involved parties that the molds and tools you are having manufactured belong to you and cannot be used to manufacture products for anyone else. It seems basic, but it’s how you prevent your manufacturer from using your tools to compete with you.

In addition, you should get product ownership and product development agreements.

A product ownership agreement makes it clear that the product you co-develop with your Chinese manufacturer is solely your property.

A product development agreement is a little more complicated, but it’s designed to iron out the exact details of your product development relationship. Good agreements will make it clear who owns what components of the finished product and the precise milestones the manufacturer must meet along the way in order to receive payment.

Register Intellectual Property in China

The next thing you can do to help protect your intellectual property is to register your intellectual property in China if you have any intention of using it there.

Yes, even if you’ve already patented it elsewhere.

If you’ve been paying attention, you’ve probably noticed a trend by now: protection to the level of redundancy is a good thing where China intersects with your property. You want any dealings with your manufacturer to be ironclad and airtight.

Remember, patents are national rights. If your product is already legally protected in the local environment, it’s one less loophole a competitor (or your manufacturer) can exploit to edge you out of your own market.

Use Established IP Protection Practices

In the process of patenting your product in China and ironing out details with your Chinese manufacturer, you should make sure you do one thing consistently throughout: abide by well-established local practices of IP protection.

Specifically, you should comb through Chinese laws on IP protection and make sure you’re abiding by them to the letter.

For example, this could include standard practices on how to handle inflow and outflow of sensitive material, restricted rights access to internal databases, and other practices.

Think of it this way – you don’t want to set up an invisible wall between Chinese coworkers and the rest of the company. That said, it’s much more socially acceptable to monitor workers in China than the West, and that’s something you should take advantage of.

If anything, most Chinese companies go well beyond what most Western companies would consider acceptable. Mobile phones, for example, might not be allowed in company buildings at all, in or out, and USB ports are blocked.

Whatever you may feel about surveillance, the fact remains that in China, it’s a competitive advantage. If you’re not using it, your Chinese competitor certainly is.

Establish Chinese R&D

Some companies have tried taking it a step further, to ensure that their Chinese manufacturer is just as invested in their success as the rest of the company.

One way that companies have done this is to establish Chinese-based research and development centers, particularly focused in areas where the company does not currently hold a large body of intellectual property.

The idea is that, through close collaboration, both sides have just as much to lose if something is leaked to a competitor, which will disincentivize your manufacturer from selling you out.

Plus, if the field is new for the company, you won’t need to transfer much (if any) core intellectual property technologies over to China. This means that you’re actively encouraging your Chinese manufacturer and Chinese staff to innovate on your behalf without having to worry about compromising your core technology.

There are downsides, of course, especially if you want to foster collaboration (which you should). Inevitably, there will have to be some sharing of core technology, or there’s no longer any incentive to stay loyal to you.

When all else fails, think of it this way: decide what you do not want to be shared with your Chinese colleagues. Anything not on that list can be shared freely.

The Attorney You Need to Protect Your Ideas

Regardless of the specific methods you use to protect your intellectual property in China, one of the best tools you can have in your arsenal is a talented intellectual property lawyer.

That’s where we come in.

We litigate to help you understand the complexities of intellectual property, business, and technology, and we believe in giving our clients plain language and respect.

If you need an intellectual property lawyer, don’t hesitate. Get in touch today to see what our firm can do to help your business thrive.