toggle accessibility mode

Asked and Answered #5: Online Privacy and Privacy Policies

By John DiGiacomo

In this episode, we discuss online privacy, privacy policies, and we answer the question, “Where is the new Tool album?”

Music: Cullah, “Rhythm of the Funk;” Cloudkicker, “Digital Lightning.”



Eric:                 Hello and welcome to Asked and Answered, Episode 5, brought to you by Revision Legal and Intellectual Property Law and Internet Law Firm.

I’m Eric Misterovich and I’m here with my partner John DiGiacomo.

John:               Hello and happy Friday.

Today I’m excited to talk about two of my favorite things; privacy and Tool.

Eric:                 Yeah, you … I love seeing the Facebook updates of drafting to Tool in the background. Must get you pumped up to write some briefs.

John:               Yeah, there’s nothing more 90’s than being … There’s nothing more adult than drafting to Tool. [inaudible 00:01:06] privacy policy especially.

Eric:                 Oh, that’s great. Well, let’s … I agree. I think those are two good topics. The first one, the privacy policy, the issue came up because we ran across this cool tool by the University of Texas to talk about privacy policies and help consumers digest them easier.

Why don’t we talk a little bit about just privacy in general. It’s a hot topic right now. The NSA … There was just a federal ruling about NSA’s tactics being invalid and outside the scope of their authority. This issue of privacy is just everywhere in our face right now.

John:               It really is and it’s a really fundamental issue that goes back to the Bill of Rights. In the United States, we don’t have a statement about privacy that is explicit in the Bill of Rights.

We have these amendments to the U.S. Constitution that create, what are called, a conumbra of privacy rights. They typically arise out of Roe v. Wade and these other cases on contraceptives that created this little shadow of privacy rights that isn’t really that explicit.

So because there is no stated privacy amendment to the U.S. Constitution and because there isn’t really a federal statute addressing a lot of these things. We just go by common law. That is in complete contrast to the EU. EU has this data protection directive and now Canada has a similar piece of legislation that says that the EU and Canada now are opt in societies.

In order to collect personal or personally identifiable information from an EU resident, or now a Canadian resident, you have to take … You have to get explicit consent. You have to do something more than just display a privacy policy on a website. That’s way different from the U.S.

Eric:                 Yeah, that opt in/opt out choice … It may seem like a small difference but it can cause major, major changes in society. You know, everything from opting in to say like, organ donation, is an opt in thing.

I read a book about this in how much difference can happen in a society from the opt in/opt out. The way that we treat privacy … Maybe it’s going to change at some point. I think people are certainly getting tired of being spied on almost. It’s not really spying on because you’re consenting to it by using these websites or anything, but it feels wrong at some level.

John:               Yeah it really does. It’s interesting that in light of the growing public concern about both surveillance in the private sector and in the public sector, courts are starting to treat privacy a little bit differently. I think, as of yesterday, a court … I believe it was at … No, excuse me, it was a second circuit. The second circuit said that the mass surveillance of U.S. citizen’s phone records is unconstitutional.

In the past we would have said “No, it’s okay because of terrorism”. [crosstalk 00:04:23] That’s really the default position. [crosstalk 00:04:24] Now courts are saying “I don’t know about that”.

Eric:                 Yeah.

I’ll put this in the show notes if I can find it. I remember watching a video one time … It was, I think, a Swedish video. It was about privacy and privacy policies and it had people coming into a bakery. They would buy, you know, whatever … a bagel, muffin, and the cashier would say “Where do you live? What’s your address”? and start asking them all these really personal questions and the consumer was just like, “I’m not answering that”. Then they would leave and the person would just follow them out the store and following people, following them down the street because that’s what happens online.

It’s shocking when you actually see it in real life, if you want to call it that. It feels completely wrong and it’s completely normal online.

John:               It is and, unfortunately, no one has really taken on the task of getting a federal data policy law. I think that’s probably the next step and it’s probably going to take a very serious data breach, even more serious than the ones that we’re seeing now which are incredibly serious because it’s millions of people, to get there.

In the meantime, we have to make sure that we take care of our users by making them aware of what their rights are when they interact with our websites. That’s what we do as attorneys. We draft these website agreements, Terms of Use agreements and a privacy policy to ensure that the user understands what the relationship is between the parties.

Eric:                 Right. Those are complex agreements that can be long, they can be confusing. We certainly try to make them as easy and adjustable as possible but that’s not always the case. That’s why I thought this idea from the University of Texas was really interesting.

They have a Chrome extension called “Privacy Check”. It’s available now. You can download it and what it does is … You go to a website, you find their privacy policy, you hit the privacy check extension and it immediately reviews the privacy policy. It has these 8 icons, 8 or 10 icons that pop up and tell you “What is this website currently doing”? It’s certainly a fast, quick and easy way of digesting a privacy policy which is a good start.

I’ve played around with it a little bit and it seems to work. I haven’t really checked it for accuracy. I think these privacy policies can be pretty complex sometimes. I think it’s a really good start, I’m almost surprised this is one of the first times I’ve heard of something like this.

John:               Yeah, it almost seems like you would have some kind of independent agency that helped consumers understand what information is being collected and that agency would then standardize that information across websites.

That would be kind of a cool tool. This seems more of a syntax based tool, so the accuracy is probably not going to be the greatest but it’s a really good start. Kudos to Texas for taking this on.

Eric:                 Yeah and your idea of standardizing it kind of reminds me of, I think, the recent changes and what happens with credit card bills. I think they made those … I think there was legislation passed that attempted to standardize those and make those more easily digestible. It seems like maybe that’s the kind of model to help websites explain how they are collecting or what they’re collecting and what they do with the information that they collect from you.

John:               Yeah and I think that some states have tried to do that. California is the most notable example and we’ll talk about that later.

If it’s not at a federal level, all of a sudden, it becomes very burdensome to comply with. It really does have to be at the federal level so everybody is on the same page, every consumer knows exactly what they’re getting. Like I said, this is a great start.

Eric:                 Yeah, it’s cool. I’d check it out, it’s called “Privacy Check” on Google Chrome extension. It’s an interesting little tool.

Why don’t we talk about this world of website agreements that we’re often tasked with drafting? We know that these are important and we spend a considerable amount of time getting these right for our clients but I’m not sure the rest of the world understands why these things are important.

John:               No, I don’t think they do and I think a lot of times they skimp on them or they decide to copy and paste them from somebody else’s site and that’s really not a great idea.

A Terms of Use agreement; let’s start there. Terms of Use agreement is the primary contract between the website and the end user or, in some cases, depending on the business model, it will be a contract between the website and its advertisers or any other third party.

So the Terms of Use or Terms of Service agreement covers the … It discloses the purpose of the the website, it’s licences, the use of that website to the end user for specifically enumerated purposes and nothing more than those purposes. It also takes a license from the end user for certain purposes.

So, for example, if it’s a social media website, it will take a non exclusive license so that the website operator has accurate rights to display the content that the user is submitting to the website.

Eric:                 Right, yeah, user generated content. [crosstalk 00:10:13] You know, who, under traditional copyright law … I’m the author of this comment or this idea or this image or anything that you’re posting to a website, that website operator needs to have the permission to display that. That’s all done in the Terms of Use agreement.

You know, this is one time where it’s really the website operator’s chance to set the rules. This is your website, this is your business. It’s time for you to set your rules of how people are going to use this website. People should take advantage of that and set rules that they want and that protect their interests.It’s one of the few times you really get to layout … This is the rules of the business. You don’t really get that option too many times in life and I think people should take care of that and take advantage of it.

John:               They definitely should and one thing the consumer should know is that these things are enforceable. It’s not like the old days when they weren’t enforceable. They are enforceable under two theories; one is the Browser App theory, which is that once you browse the website and interact with it, you ascend to the terms. The other is the standard “I Agree” click grab theory, which is that once you click an “I Agree” button to accept those terms, you ascend to them.

Understanding those terms is very important. For the website owner, it’s especially important because if you don’t have a custom drafted Terms of Use agreement for your specific purposes, you can run into a bunch of problems.

Personally, in our practice, I’ve seen a website owner of an eCommerce store not adopt a Terms of Use agreement that was tailored towards his business model and he was sued in California for copyright infringement even though he has no relationship to California. Lo and behold, the basis for jurisdiction was that he had forgotten to change the choice of law clause that said that jurisdiction was proper in California. So, he had represented in his Terms of Use agreement that this was a proper place for him to be hauled into court and he had never even been to the state.

It’s important to understand what, as a business owner and as a consumer, what you’re getting into when you’re interacting with one of these websites.

Eric:                 Yeah, yeah, they’re important, they’re enforceable, they’re the chance to protect your business and, like you said, they are not something that should be copied and pasted. It’s, you know … There’s no doubt that you can look at other sites and understand what they did, get an idea but you want to craft these to how you operate. You don’t want to have provisions in there that don’t apply to you. You want to have these provisions tailored to what you do and how you respond to it. Not just shove this off, copy and paste and get on with your life.

You’re really missing out and really opening yourself up to, like you said, that example. A real pain in the ass if you don’t take care of these.

John:               Yeah, huge pain in the ass. One of the biggest pains in the asses that I’ve ever seen was that a large, large company that we represent has a tool on its website that provides some specific data. So, lo and behold, it finds that its competitor is taking …Excuse me, has written a script to scrape the data associated with that tool and replicate that tool on its own website.

Well, our client, you know … Because it didn’t listen to our advice, didn’t adopt a Terms of Use agreement. Had it adopted one, we could have sued for breach of contract because the Terms of Use agreement would’ve said “Look, you cannot come to this website and scrape data. By agreeing to use this website, you agreed to these terms, etc … Therefore that would be a breach of contract”, and they didn’t do it. So they were left without a proper cause of action. There are some real serious consequences to not doing this correctly.

Eric:                 Yep, yeah, and one area that often comes up in the online space is the issue of copyright infringement. You know, this doesn’t apply to every website and that’s the point here is if you are a social media site, you’re going to have specific concerns. If you’re an eCommerce store you’re going to have specific concerns. If you’re basically just an informational website about your business and there’s not a lot of interaction, you’re probably going to have less concerns. If you’re a crowd funding portal, you’re gonna have even more concerns. Anytime there are users interacting with your site and posting content, there becomes an issue with copyright and copyright infringement.

There’s a federal law, called the Digital Millennium Copyright Act, that applies in these settings. It’s a very useful tool for copyright owners. It provides a notice and take down procedure by which copyright owners can have infringing images, songs, movies, words, websites removed quickly. Because the internet is what it is and it’s so easy to copy and reproduce content, this has been a very valuable tool for copyright owners.

For website owners, there’s different levels of concern, different actions they should take to take advantage of what the DMCA offers. That’s typically by registering or designating an agent, right?

John:               Right. A lot of people think “Well, I’ll just respond to DMCA notices and it’s cool, nothing is going to happen as long as I content down”. Well, that’s not actually the case. If you, for example, are a service provider and you receive a DMCA notice and you do not have a registered agent with the U.S. copyright office, you don’t qualify for the safe harbor. You can be sued directly for direct liability or secondary liability for the republication of that copyrighted content.

There’s a lot of little pitfalls within this process of adopting a Terms of Use agreement. Ensuring that you comply with the copyright regulations, et cetera, that really need to be navigated successfully in order for you to protect yourself and to protect your business.

Eric:                 Yeah and we’re talking about designating a copyright agent … It’s a one page form, its a relatively small fee and what do you get for that? You get immunity from copyright infringement lawsuit. It’s a huge, huge benefit and it’s something that if you’re copying and pasting, you’re not going to understand the importance of this. If you’re not dealing with an attorney who understands what they are doing, you’re going to be left out of this protection.

John:               Yeah and it’s really not smart to be left out of the protection.

So let’s talk a little bit about privacy policies now. Privacy policies … Well, you tell me, what do you think privacy policies are for?

Eric:                 Well, they are intended, in my opinion, they’re a chance for the business and the website to explain to the user what information is being collected about them and what you are doing with that information. I think some … Again, this is a spot where I think website owners, operators, this is the last thing they’re really concerned about but it is important to get this stuff right and it is important because the data you are collecting can be valuable. What you do with that data is going to be governed by this privacy policy. If you don’t get it right and if you don’t do it correctly, if you don’t leave yourself wiggle room to do what you want to do with that data, you’re hindering yourself.

I know an example of this came up, I think recently in the Radio Shack bankers …

John:               Yeah, I was just going to say that, absolutely.

Eric:                 Yeah, they have all of this customer data but then you go back and look at their privacy policy and they said they’ll never sell it. Well, it’s an asset and now they’re in bankruptcy and it’s being sold. I think they were … I don’t know exactly how that worked out. I think they were able to somehow get around that.

John:               Yeah, I can’t really remember either but let’s assume that they didn’t. Let’s assume that the privacy policy, as it was enacted then, said that they couldn’t sell that information. Well, now you’re left without one of the most valuable assets that you have and had you just had some proper drafting at the outset, you would’ve been able to sell that asset.

Eric:                 Yeah, it’s really shocking that they did not … I mean, it’s a pretty standard provision to include in a privacy policy that, you know, you’re not going to sell it but if the entire business is sold, then that’s part of the business and that will be sold.

John:               Yes, it’s really sticky too because even if you … Let’s say had a merger or an acquisition. If that provision is not in the privacy policy, the successor company cannot acquire that information.

Eric:                 Right.

John:               Effectively, you can’t do anything. You’re just stuck there without violating that privacy policy and potentially subjecting yourself to a class action lawsuit.

Eric:                 Yeah and I think companies, because of the role that privacy is playing in everyone’s lives right now and because everyone is really concerned with it or aware of the NSA or aware of what’s happening, I think a lot of these companies look at these privacy policies and they go “I don’t want take their data” or “I don’t want to sell it, I’m not going to share it. I don’t want to do any of this” and they think it will scare consumers off to even talk about it.

I think that is probably a mistake because you can draft a privacy policy to reserve the ability to sell it if there is this kind of merger acquisition bankruptcy sale of the business. You want to preserve the ability to do that. It doesn’t necessarily mean you’re mining data and selling it to third parties. So when people … You got to weigh that balance of informing the consumer and protecting yourself about what you can do with the data that you get from your consumers.

John:               Absolutely. Like everything in life, while most things in life, the answer is somewhere in the middle. It’s not this “Well, we’re not going to collect any information” and it’s not “Well, we’re going to collect all information, we’re going to sell it to whoever wants it”. It’s more about transparency. If the company is transparent with it’s customers and it specifically identifies, in a transparent way, the information that it’s collecting and using, then customers are going to feel okay in interacting with that company. That’s all there is to it.

Consumers aren’t as stupid as we think they are.

Eric:                 Yeah and I think we know that our data is being collected. Everyone knows that now. Exactly what everyone is doing with that, we don’t always know and that’s where it gets a little hairy but I think if you’re in the business and you’re drafting this or you’re wondering what should be in your privacy policy, you got to think a long way down the road. You’re not just thinking about scaring off customers now. This is about your business, this is a part of your asset and this interaction means you should be transparent and trust the consumer and they’ll make the decision to trust you if you’re honest with them.

John:               Absolutely. I just got a notification in my email from my thermostat that sent me my April home report telling me my energy usage.

Eric:                 Mm-hmm (affirmative).

John:               Why do I need them to collect this information? As I privacy lawyer I should probably be opting out of this one.

Eric:                 Yeah.

John:               I just thought that was timely and relevant.

Eric:                 Yeah. It is. I … So, I cook a lot at home and half the time I’m cooking from a recipe and or something and I do it on my phone while I’m trying to cook and watch a baby and all this stuff and it’s a real pain because every time I go there, they ask me if they can track my location. I always wonder, “What the hell does food network need to know”? You can’t have my information of where I am. Just give me the recipe.

It is, you know … To give the consumers the ability to opt out like that is important but how a company manages all of these interesting questions of interacting with consumers and setting themselves up to be best protected. It’s a really interesting issue and one that you need to talk to an attorney that is experienced in this area.

John:               Yeah and it’s really interesting now because we live in this federalist system. There is no federal law on point but yet there’s a bunch of state laws that need to be navigated. The most interesting of all of them right now is California.

California is just a ridiculously large state. It is the home of Silicon Valley. They have adopted this California, what’s called “Shine the Light” law, that is an online privacy protection act that covers the collection and disclosure of the collection of personal and personally identifiable information.

Eric:                 Yeah, California. It’s always California. They usually are on the cutting edge of these kinds of laws and yeah, they have these California privacy rights and California Online Privacy Protection Act and these are specific state law rules about privacy policies.

The privacy rights provision allows consumers to reach out to a website and have the summary of the information collected and dispersed by a website given to them. They can do that once a year. This is a provision that we include in our privacy policies and it takes people by surprise usually when they read those and they say “What is this? Why am I subject to this”? Most time people aren’t going to use it, but it is the law in California and it is … You should comply with it.

It’s usually not too difficult to comply with and a lot of companies won’t even be triggered by it depending on what you are doing with the data but it is the law in California. I think it’s useful … I’m not … I need to see some stats on who actually evokes this.

John:               Yeah, that would be really interesting to know. I suspect that it is very few people.

Eric:                 Yeah. Yeah, but California also lays out … You know how we were talking about this standardized form of privacy policies and how that would help consumers. California has attempted to do that to some extent with their California Online Privacy Protection Act, which requires certain things that the privacy policy needs to disclose, including, you know, the categories of information collected, how does someone opt in or opt out?, the effective date, these “do not track” signals and how those are handled.

It’s certainly a good start, I guess, to provide some form of guidelines to drafting these. The real issue is if anyone reads a privacy policy, it’s going to take it 25 minutes to figure out this information. It’s just not easily digestible.

John:               Yeah, absolutely.

A lot of our clients come to us and say “Look, I want a privacy policy that’s easy to read”.

Eric:                 Yeah.

John:               You and I both love to write, that’s what we do for a living so it’s always fun to be able to try to write something that is coherent and yet, at the same time, legally effective and a good attorney should be able to do that.

Eric:                 Yeah definitely and that’s just the difference of interests at hand. From the consumer standpoint you want to say “Let’s make these things easier to digest”. From the owner standpoint you’re saying, “Let’s protect me”. At the same time, I think most, like you said, a lot of people say “Let’s talk like human beings as much as possible in this privacy policy” and that is refreshing and it is nice to do that.

John:               I like to talk like robot, so I don’t know what you’re talking about.

Well, let’s answer today’s … Usually during this time, we answer a question from a user and today we’re going to pretend Maynard James Keenan from Tool has sent us a question, so let’s discuss the new Tool album which is … It’s been 8 years since the last Tool album which was called “Ten Thousand Days”. I’m a huge Tool fan. I have probably seen them live about 8 or 9 times and, in fact, last year, Maynard James Keenan walked through the alley behind my office and I was the only one in town who recognized who he was and I got a really creepy picture of him from my window. Which, subsequently, I posted on Facebook and Twitter, so go out and check that out.

Eric:                 That’s hilarious.

John:               So Tool has not had an album in 8 years and why have they not had an album? It’s because they’ve been involved in this copyright infringement related lawsuit.

Eric:                 Yeah, it was … John, you’re more familiar with this, but I know it was about some artwork, right? Is that how it started?

John:               Yeah. So, in 2007, Adam Jones, who is this guitarist for Tool, incredibly talented guy, but also an artist and typically does the art for their music videos and a lot of their album cover art, had hired a friend to do some work, creative work, for the album.At this time in 2007, this friend said “Hey, you didn’t pay me for this. I own copyright rights to this content and therefore I’m going to sue you”.

Well, Tool, like a lot of other businesses, had a general commercial liability policy and once it got sued, its insurance carrier, Clarendon Insurance Company, paid about $450,000 to settle the case. Well, once the case was settled, Clarendon turned around and sued Tool for a breach of contract. The reason they did that was because they claimed that Tool was liable to indemnify the insurance company for the amount paid to settle the case because the exclusions that were contained within the intellectual property … Excuse me, not the intellectual property but a commercial general liability policy, excluded this type of claim. The payment for this type of claim, so, basically, Tool was on the hook.

Eric:                 Yeah and this comes down to … It seems like there was an easy fix in this situation if there was some planning done ahead of time.

John:               Yeah, I mean, this is a huge deal. This is what we always tell clients and that’s why I said the question should’ve come from Maynard James Keenan. The question is, “What do I do when I work with a contractor”? What’s the answer to that question?

Eric:                 Have a work-for-hire provision in the contract.

John:               Yeah, it’s so basic and clients never really understand this. You have to have work made for hire contract in the agreement with your contractor or if you didn’t have one at the outset, you need to have an assignment after the fact because a work made for hire provision is not enough if the work was created previously or, excuse me, prior to the execution of the contract.

Eric:                 Yep and just as background, this is a function of copyright law. When the author creates a work that is fixed in a tangible medium, they are the owner of that copyright right.

A common example of this is wedding photographers. You hire this photographer, they charge you triple the normal cost because it’s a wedding and they take all these pictures and then they edit them all, they make them available in an online gallery that’s marked with a watermark. If you want any of these pictures, you got to buy them from the photographer. Why do I have to do that? I already paid you an enormous amount of money to come take the photos. Well, it’s because they are the owner of the photo. You are not, unless you had a work-for-hire agreement between you and the photographer. That way, all of the copyright rights would vest in you as the owner instead of the photographer.

It’s an enormously important provision that, I would say, wildly overlooked by most people.

John:               Yeah and I would agree. I think there’s one other aspect of this case that’s really instructive. That is that you need to read your insurance policy. If you are an online business and you’ve just adopted a general commercial liability policy, you probably should find out what is and is not included in that policy. Typically those policies will cover what is called “Advertising injury”, which is an injury related to defamation or a claim for the right of publicity, invasion of the right of publicity, but it doesn’t usually cover intellectual property infringement. Intellectual property infringement policies are very expensive but, in a lot of cases, they’re really important. So you should work with both your insurance agent and your attorney to kind of understand “How can I best ensure the risk that is associated with my business”?

It sounds like Clarendon didn’t have a very well drafted contract here.

Eric:                 Yeah, certainly. To be in 7, 8 years litigation … Yeah, someone failed at their job here because there’s no way that should be that difficult of an issue.

John:               Yeah, so, thankfully … Well, at least from my perspective, thankfully, in January of this year, Tool prevailed at trial which means there’s a new Tool album coming and for you that clicked on this because we’re talking about Tool; I’m sorry I don’t have any information. Wish I did.

Eric:                 So you don’t know when it’s coming out?

John:               No, I have no clue. In fact, when I … I’ve actually met Maynard James Keenan and when I did, I went out of my way not to ask him that question because I read up before interacting with him that he might slap the shit out of me.

Eric:                 Yeah, I’m sure he’s tired of answering that question.

John:               So, that’s all we’ve got this week. You have anything else?

Eric:                 No, I think that was a great show. I think, you know, privacy policies and terms of use agreements … Not usually the most exciting thing in the world but they are really important and I think people … I hope people learn why they’re important today.

John:               Yeah, I hope so too and again, this isn’t legal advice. You should always contact an attorney about this stuff and thanks for listening.

Eric:                 Yeah, go check us out on Facebook and Twitter. Drop us a line if you have any questions that you’d like us to discuss and we will see you next week.

Put Revision Legal on your side