
Thursday, January 14, 2010

Court Upholds Forum Selection Clause in B2B Clickwrap

By Mehmet Munur

A District Court in Indiana recently held that NexTag’s clickwrap Terms of Service was enforceable against Appliance Zone despite arguments by Appliance Zone that no contract was formed and that if an agreement were formed it was procedurally unconscionable. Ironically, NexTag was helped by the fact that Appliance Zone was an ecommerce merchant that used a similar sign-up process and similar website terms of use in its own business.

Appliance Zone advertises and distributes appliance parts and accessories through its commercial website. NexTag operates a commercial comparison website and advertises the goods of third parties such as Appliance Zone. NexTag refers customers to the third parties’ websites, where they can purchase the goods, and charges a few dimes for every referral.

When Appliance Zone found out that NexTag used Appliance Zone’s trademark to promote the prices of goods of Appliance Zone’s competitors, Appliance Zone brought a trademark infringement suit under the Lanham Act against NexTag in Indiana. NexTag, being a Delaware corporation based out of California, argued improper venue due to the forum selection clause in its Terms of Service Agreement, which every business must agree to before listing its products on NexTag. Thus, the court had to decide whether the forum selection clause in NexTag’s Terms of Service Agreement was enforceable.

Appliance Zone raised three arguments that the forum selection clause was not applicable: 1) there was no agreement between the parties; 2) if there was an agreement, it was unconscionable; and 3) the lawsuit did not arise out of the agreement and thus it was not governed by the forum selection clause.

First, Appliance Zone argued that the employee that signed up with NexTag did not have the authority to enter into the contract. The court held that the employee had apparent authority to enter into the contract. The employee clicked the radio box next to the statement “I accept the NexTag Terms of Service,” uploaded 20,000 product descriptions and 14,000 product images onto NexTag’s website, and Appliance Zone paid for NexTag’s services. Therefore, the conduct demonstrated acceptance of a valid contract.

Second, Appliance Zone argued that the Terms of Service Agreement was unconscionable because 1) it was inconspicuous, 2) parties had unequal bargaining power, and 3) Appliance Zone did not read it. The court rejected each of these arguments. The court held that the presentation of the Terms of Service Agreement was typical for the online retail industry, that it was clearly labeled, and that it was placed in a highly visible portion of the web page. Appliance Zone also had to check a box to manifest assent to the Agreement. The court also cited Appliance Zone’s similar sign-up process and similar language in its Terms of Use against Appliance Zone to state that NexTag’s Terms of Service Agreement was not procedurally or substantively unfair. The court also stated that Appliance Zone had failed to demonstrate the disparity in the bargaining power and that Appliance Zone would be presumed to have read the terms and agreed to them when it signed them as a matter of fundamental contract principle.

Finally, the court addressed Appliance Zone’s argument that the trademark issue did not arise out of the Terms of Service Agreement. The court held that the binding precedent required that the Agreement govern the dispute between the parties—Appliance Zone had cited to persuasive 2nd Circuit Precedent.

This case highlights how electronic Business-to-Business agreements are more difficult to overturn than electronic Business-to-Consumer agreements. Plaintiff’s arguments related to not having read the agreement, uneven bargaining positions, and unconscionability are mostly arguments raised in Business-to-Consumer settings. However, such arguments are unlikely to work in cases where the party arguing against the enforceability of the contract employs a similar contract in a similar setting.

The case is Appliance Zone, LLC v. NexTag Inc., No:4-09-cv-0089-SEB-WGH (S.D. In. Dec. 22, 2009).


Tuesday, January 12, 2010

Article 29 Working Party Releases 12th Annual Report

By Mehmet Munur

The Article 29 Working Party, a group created under the EU Data Protection Directive and made up of the data protection regulators of each Member State to provide guidance on data protection and privacy issues, has released its 12th Annual Report. The Chairman, Alex Turk, states that the four main issues of the year were protection of children’s personal data, search engines and the large amounts of data they gather, international transfer of personal data with emphasis on the use of Binding Corporate Rules, and air passenger name records. Overall, enforcement by the DPAs appears to have increased compared to the previous year.

The report serves as a summary of all EU DPAs’ reports on the implementation of the EU Data Protection Directive, the E-Privacy Directive, major case law, and major specific issues. The following are some of the interesting tidbits from the Annual Report.

The Austrian DPA found that a whistle-blower hotline of a US multinational required that the Austrian subsidiary be considered a data controller. The Austrian DPA held that data transfers by the employees would be imputed to the employer because the employer’s Code of Conduct required its employees to report illegal or unethical activity.

The Danish DPA highlighted the case of a nightclub that wanted to create an electronic access control system that used fingerprints, photos, and black lists of unwanted customers who would be rejected at the door. The DPA allowed the database so long as customers gave explicit consent and data was deleted after consent was withdrawn.

The French DPA, CNIL, stated that it had been in session 50 times and adopted 586 resolutions during the year, an increase of 50% compared to the previous year. CNIL also handled 4,244 complaints during the year. It conducted 218 inspections, “an increase of 33 % compared to the previous year.” The DPA imposed fines ranging from $30,000 to $100. CNIL also issued 126 warnings, an increase of 20% compared to the previous year.

The Dutch DPA greatly increased its enforcement activity compared to the previous years. It carried out 95 investigations, an increase of 50% compared to the previous year, and imposed sanctions or threatened to impose sanctions on 68 cases, compared to 39 in the previous year and 2 the year before.

The Spanish DPA, AEPD, was just as active as it was in the previous year. The DPA did not disclose how much money it collected in fines; however, it reported a sharp increase in reported offences. AEPD continued to focus on telecommunications, financial institutions, and video surveillance issues during its investigations. In fact, the financial sector and the telecommunications sector made up the top two spots for fines imposed during the year. The Spanish DPA has also been increasing its activities in the international arena. In addition, AEPD is taking a larger leadership role in the Ibero-American Network for Data Protection. During the 31st International Data and Privacy Protection Conference, AEPD made a “Joint Proposal to Draft International Standards for Protection of Privacy and Personal Data” that was unanimously adopted. AEPD is now in charge of developing international standards for the protection of privacy with regard to processing of personal information.

You may read our blog post on the previous year’s report here.


Wednesday, January 06, 2010

Article 29 Working Party Adopts Documents, Deems Israel and Andorra Adequate

The Article 29 Working Party started the new year with a volley of announcements. The Working Party document WP 165 states that Israel guarantees an adequate level of protection and WP 166 states that Andorra has adequate privacy protections. Additionally, the Working Party issued WP168 on “The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data.”

WP168 is a response to the Consultation by the European Commission asking for views on whether the EU’s current legal framework was satisfactory for the challenges posed by new technology and shifts in culture since the adoption of the EU Data Protection Directive in 1995. The Working Party, with the cooperation of the Working Party on Police and Justice, states that “the main principles of data protection are still valid despite the new technologies and globalisation.” However, the consultation also proposes that concepts of consent and transparency be clarified, additional principles such as privacy by design and accountability be adopted, bureaucratic burdens be simplified, and that fundamental rights be unified to apply to police and judicial cooperation in criminal matters. This document suggests the direction that European Data Protection is likely to take in the near future.


Monday, December 21, 2009

Florida Ethics Opinion Underscores Risks Associated with Social Media for Attorneys

by Mehmet Munur

The Florida Judicial Ethics Advisory Committee recently issued an opinion that answered the question “Whether a judge may add lawyers who may appear before the judge as ‘friends’ on a social networking site, and permit such lawyers to add the judge as their friend” in the negative. Though social media can be a valuable tool for any profession, the opinion emphasizes why attorneys should consider the risks involved in contributing to social media. While not mentioned in the opinion, attorneys should also consider other risks associated with listing specialties, receiving client testimonials, and unintentionally forming attorney-client relationships.

While commentators, such as Professor Stephen Gillers (see NY Times Article), have argued that the judges may be oversensitive to judges “friending” attorneys on Facebook, I believe that the opinion is just the beginning in a series of opinions that are likely to highlight related issues that may come up in social media. Before joining LinkedIn, we considered the Ohio Supreme Court’s guidance on some of the issues mentioned above. First, we considered whether we could join such an organization in the first place and be listed as attorneys. Ohio Supreme Court Opinion 88-4, though superseded by the Ohio Rule of Professional Conduct 7.4, stated:

A lawyer may ethically be listed in a legal directory or law list provided the listing does not contain a false, fraudulent, misleading, or deceptive statement or claim.

This opinion probably refers to Martindale-Hubbell listings, which are dominated by attorneys. While LinkedIn is professional in nature, attorneys in no way dominate it. I remember seeing that LinkedIn included about 700,000 attorneys (apologies for the lack of citation) out of their 50 million professionals. Nevertheless, the Ohio Supreme Court opinion highlights issues involved in joining such social media outlets in the first place. Therefore, attorneys must ensure that their listings in any social media do not contain false, fraudulent, misleading, or deceptive statements.

Issues related to attorneys’ specialties may also arise on social networks. The Supreme Court of Ohio only recognizes a few areas of specialization, such as admiralty, trademark, and patent law. Therefore, avoid listing specialties unless you are actually specialized under Rule 7.4. LinkedIn includes a "specialties" field in profiles by default, which, if overlooked, may inadvertently describe an attorney as having specialized in those areas. Therefore, double-check your profile to ensure that you have accurately listed your specialization.

Another cause for concern is client testimonials. While the prohibition against client testimonials has been superseded, Model Rule 7.1 states that a “lawyer shall not make or use a false, misleading, or nonverifiable communication about the lawyer or the lawyer’s services.” Note that the Model Rule, which came into effect in 2007, “does retain the DR 2-101 prohibition on unverifiable claims.” Therefore, “[w]hatever means are used to make known a lawyer’s services, statements about them must be truthful.” The Ohio Supreme Court Opinion 2000-6 further states that:

a law firm’s public communication of client quotations describing the general nature of the legal services provided, responsiveness of the law firm, and other non-substantive aspects of the firm’s representation is improper under the professional rules of conduct. This view is based on the current rules in the Ohio Code of Professional Responsibility and is consistent with ABA Model Rule 7.1, the Comment thereto, and the advice offered by the Board in Opinion 89-24.

Therefore, it may be a good idea to ensure that client testimonials are verifiable to an objective degree or avoid client testimonials altogether.

While the Model Rules are silent on the issue of the formation of an attorney-client relationship, the Restatement Third of the Law Governing Lawyers section 14 provides that:

A relationship of client and lawyer arises when:
(1) a person manifests to a lawyer the person's intent that the lawyer provide legal services for the person; and ...
(b) the lawyer fails to manifest lack of consent to do so, and the lawyer knows or reasonably should know that the person reasonably relies on the lawyer to provide the services

Such an issue may arise while answering LinkedIn questions or a direct inquiry by another Facebook or LinkedIn member. Inadvertent formation of an attorney-client relationship brings with it all of the conflicts issues that an attorney should consider before representing a client.

Therefore, attorneys should double-check their jurisdictions’ ethics guidance to ensure that they are not running afoul of ethical rules that have been at work for some time but may arise in ways not previously imagined.

See also Legal Blog Watch regarding a related South Carolina opinion regarding law enforcement officials and judges.

You can also find a link to the ABA Model Rules here.


Tuesday, December 15, 2009

Court Rejects Plaintiff’s Argument that Overbroad Privacy Policy Led to Waiver of 1st Amendment Rights

By Mehmet Munur

A federal district court in Missouri ruled on December 9 that the broad website privacy policy of a newspaper did not lead to an anonymous commenter’s contractual waiver of his First Amendment rights. While the case does not break new ground in First Amendment jurisprudence, it emphasizes some of the shortcomings of the self-regulatory system of privacy regulation of the web in the US. Such overbroad privacy policies and underlying practices may be one reason why the FTC is shying away from the Notice-Choice paradigm.

The plaintiff brought a motion to compel in order to reveal the identity of an anonymous commenter, who was not a party to the litigation, for comments posted on a News-Leader article. First, the plaintiff argued that the anonymous commenter’s speech was not given absolute protection. While the court agreed, it stated that political speech was given a high level of protection, especially in circumstances where the commenter was not a party to the litigation, and dismissed the argument.

Second, the plaintiff argued that the anonymous commenter agreed to the News-Leader’s Privacy Policy during the sign-up process and, therefore, waived his First Amendment rights to anonymous speech. The Privacy Policy stated:


We also reserve the right to use, and to disclose to third parties, all of the information collected from and about you while you are using the Site in any way and for any purpose, such as to enable us or a third party to provide you with information about products and services that may be of interest to you. In some cases we will use and/or share only non-personally identifiable information, but in other cases we may use and share personally identifiable information.

The District Court rejected this argument as well because “a contractual waiver of constitutional rights ‘must, at the very least, be clear.’” Therefore, the District Court declined to reveal the identity of the anonymous poster.

Leaving aside the free speech issues, the case also highlights some of the issues with the current state of privacy regulation on the web in the US. First, the FTC’s aspirational Fair Information Practice Principles seek to stop such overreaching privacy policies. The Notice principle, which is “the most fundamental” of the principles, states that the entity collecting the data should “properly inform” consumers “of the uses to which the data will be put” and the “identification any potential recipients of the data.” Therefore, stating that the data may be transferred to any third party for any purpose does not properly inform a consumer. Nevertheless, this inconsistency does not create any liability because the FIPPs are only guidelines and they are not enforceable. The FTC expects the industry participants to regulate themselves and only appears to bring enforcement actions against the most egregious of violators.

In contrast, websites in jurisdictions with omnibus data protection laws, such as the EU, would be hard pressed to implement such privacy policies. The EU Data Protection Directive states in Article 6 that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Since the purposes in the privacy policy are neither specified nor explicit, any further use by the collecting entity or a third party would violate the Directive and its national counterparts.

However, this difference in approaches to privacy regulation may be changing. Commentators and regulators in the EU and the US recognize the shortcomings of the Notice-Choice paradigm and are moving away from it. Recently, the Madrid International Conference of Data Protection and Privacy Commissioners highlighted some of the issues with Notice-Choice and the need to move towards an Accountability standard. In fact, the regulators signed a document to that effect during the conference. Two weeks later, the Department of Commerce Conference on Cross Border Data Flows, Data Protection and Privacy reiterated the same message, primarily because the attendees were the same people. Finally, just last Monday, several attendees to the FTC Privacy Roundtable highlighted the issues with self-regulation in the US and the need to move to an Accountability standard. In fact, the FTC hinted at the need to refine the current Notice-Choice paradigm with the Sears enforcement action. Given the regulatory momentum, we will likely see the FTC providing more guidance for websites on privacy issues soon after the Privacy Roundtables, at the very least in the behavioral advertising realm.

The case is Sedersten v. Taylor, No. 09-3031-CV-S-GAF, 2009 U.S. Dist LEXIS 114525 (W.D. Mo. Dec. 9, 2009).

See also Venkat Balasubramani’s comments via Eric Goldman’s Blog.


Monday, December 14, 2009

Supreme Court to Review Electronic Communications Case

by Mehmet Munur

The Supreme Court will review a 9th Circuit Court case finding that the unauthorized search of employee text messages on an employer-provided text messaging pager may have violated the employee’s privacy rights despite a written policy stating that the employees should have no expectation of privacy.

Once again, the Supreme Court’s review of the case highlights the complexity of employee electronic communications in the workplace. With the extensive use of blogging and social media in the workplace, it is becoming more and more important to put in place explicit electronic communication policies and to implement those policies uniformly. You can find our previous blog post on the 9th Circuit Opinion here.


Monday, November 23, 2009

Regulators Issue Final Model Privacy Notice

By Mehmet Munur

On November 17, eight federal regulators issued final rules and model privacy notice forms as required under the Gramm-Leach-Bliley Act. While the use of the notice forms is not required, the two-page forms create a safe harbor for disclosures required under the GLBA.

The notice forms replace the Sample Clauses previously issued by the regulators. The regulators stated that their studies “confirm[ed] that a notice composed solely of the Sample Clauses promotes ease of scanning to perform simple tasks – because the notice is short and not because it is understandable – but the Sample Clauses do not do well on comprehension measures. Moreover, the testing showed that current notices – in which the Sample Clauses are typically embedded – do poorly on all measures.” Therefore, the regulators appear to want to increase the use of the model clauses as much as possible.

The FTC has been pushing for alternate means of providing notice to individuals for some time. The FTC noted in its February 2009 Behavioral Advertising Staff Report that “privacy policies have become long and difficult to understand, and may not be an effective way to communicate information to consumers. Staff therefore encourages companies to design innovative ways – outside of the privacy policy – to provide behavioral advertising disclosures and choice options to consumers.” Then, in its recent Sears Enforcement, the FTC stated that Sears failed to “disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers.” Sears had mentioned the broad nature of data collection only in the 75th line of a legal agreement. Then, in August, the FTC once again mentioned the Sears enforcement and the need to provide better notice in the Health Breach Notification Rule, stating “[b]uried disclosures in lengthy privacy policies do not satisfy the standard of ‘meaningful choice.’” The FTC will be conducting Privacy Roundtables in the near future. We expect the highlights notices, model privacy notices, and Carnegie Mellon’s Nutrition Label Approach to privacy statements to take center stage in these roundtables.


Friday, October 30, 2009

FTC Delays Enforcement of Red Flags Rule, Court Holds Red Flags Do Not Apply to Lawyers

by Mehmet Munur

The FTC news release notes that the Federal Trade Commission delayed the enforcement of the Red Flags rules until June 1, 2010. The FTC news release also notes the decision by the U.S. District Court for the District of Columbia that the FTC Red Flags Rules did not apply to attorneys. The Federal Trade Commission v. American Bar Association order states that the memorandum will be published in the next thirty days.


The FTC promulgated the Red Flags Rules under the authority given to it by the Fair and Accurate Credit Transactions Act. FTC had previously suspended the enforcement of the rules until November 1, 2009. Congress is currently considering a bill that would limit the scope of the Red Flags Rules.


Monday, October 19, 2009

FTC Modifies ChoicePoint Consent Order and Imposes Stricter Compliance

By Mehmet Munur

The Federal Trade Commission announced today that it had entered into a modified consent agreement with ChoicePoint due to ChoicePoint’s inability to live up to the original consent agreement entered into in 2006.

The FTC’s original consent agreement with ChoicePoint was due to the compromise of 163,000 financial records and at least 800 cases of identity theft. The breach was possibly a watershed moment in data breaches and brought attention to data aggregators. ChoicePoint paid $10 million in civil fines, $5 million in consumer redress, and countless millions of dollars in forgone business opportunities, attorneys’ fees, and settlement fees for lawsuits. ChoicePoint also agreed to “establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers” which would be subject to an audit every two years.

The FTC press release for the most recent consent order notes that ChoicePoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off.” As a result, ChoicePoint, since acquired by Reed Elsevier, compromised the personal information of approximately 13,750 individuals. ChoicePoint must now pay a fine of $275,000 and report to the FTC every two months for two years. The FTC also extended by two years, to 2028, the final date through which ChoicePoint would be subject to biennial audits. The new consent order may be found here.

The FTC enforcement reiterates FTC's attitudes about privacy promises. Such scrutiny by the FTC will certainly be burdensome for ChoicePoint and require it to step up its information security operation or face even more fines and enforcement from the FTC.


Wednesday, October 07, 2009

FTC Settles with Six Companies with Lapsed Safe Harbor Certifications

By Mehmet Munur

On October 6, 2009, the Federal Trade Commission filed six complaints against companies falsely claiming that they were self-certified to the Department of Commerce EU Safe Harbor when their certification had lapsed. This FTC action should serve as a reminder to Safe Harborites either to keep up their annual recertification or to avoid misrepresenting that they are self-certified to the Safe Harbor.

The EU Safe Harbor is one of the methods allowing US corporations to export data from the EU while complying with Article 25 of the EU Data Protection Directive, which requires that data only be transferred to countries with adequate data protections, with exceptions. The Department of Commerce, European Commission, and the Article 29 Working Party negotiated the Safe Harbor. US companies self-certify for the Safe Harbor and the DoC maintains a list of these companies on its export.gov website. However, the Federal Trade Commission and the Department of Transportation have the authority to enforce the Safe Harbor. While the Safe Harbor plays a crucial role for multinational corporations in transferring personal data from the EU without violating the EU Data Protection Directive’s adequacy requirements, now more than ever, failure to abide by the Safe Harbor requirements can result in enforcement actions by the FTC.

Six companies, World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive GaitWays LLC, each represented that they were self-certified to the Safe Harbor when in fact their certification had not been renewed for several years. At least three of the companies had failed to either recertify or remove their representations related to their certification from their websites for two to three years. For example, ExpatEdge had certified for the Safe Harbor in 2002 but had failed to recertify since 2006. Onyx Graphics had certified in 2006 but failed to recertify since 2007. Progressive GaitWays had certified in 2004 but failed to recertify since 2006. Since the FTC enforcement, the remaining three companies have recertified for the Safe Harbor.

The six companies each entered into consent agreements with the FTC related to their infringing activities. The consent agreements are similar to the previous FTC settlement on the Safe Harbor. The consent agreements prohibit any of the companies from “misrepresent[ing] in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.” Furthermore, the companies must make all documents related to compliance with the consent agreement available for inspection for the next 5 years.

In our previous blog post, we had stated that the FTC’s enforcement was tacked onto other issues related to shipment of goods. This time the FTC has squarely addressed Safe Harbor violations using its deceptive trade practices powers. According to the FTC policy statement on deception, a material representation, omission, or practice that is likely to mislead the consumer is needed for any enforcement activity. Any “act or practice is likely to affect the consumer's conduct or decision with regard to a product or service” is considered material. Additionally, any express claims are presumed material. Furthermore, the Safe Harbor Principles and FAQ 11 of the Safe Harbor clearly state the FTC’s jurisdiction to bring actions against Safe Harborites for deceptive trade practices. Therefore, the companies’ express claims that they were self-certified with the Safe Harbor when their certifications had expired are clearly material misrepresentations that would mislead a reasonable consumer under the circumstances.

The recent enforcement actions in this area are certainly signs of the FTC’s willingness to bring enforcement actions in this area in the future. The recent changes to the list showing organizations certified to the Safe Harbor are possibly another indication of things to come. The International Trade Administration website used to host the Safe Harbor list. Recently, it has moved to the Department of Commerce’s export.gov/safeharbor/ website, which is where all other Safe Harbor related documents used to reside. The list now more readily identifies non-compliant companies.

The FTC is likely to bring more enforcement actions against companies in the Safe Harbor list that represent that they are certified but have not in fact kept up their certifications with the Department of Commerce. The FTC is also likely to expand its enforcement activities into more substantive issues related to the privacy practices of Safe Harborites in the near future. Therefore, Safe Harborites intending to leave the Safe Harbor should either promptly renew their certifications or remove any public representation that they are certified with the Safe Harbor. This should help alleviate any FTC deceptive trade practices claims. However, note that obligations undertaken by a Safe Harborite do not disappear with the organization leaving the Safe Harbor. Therefore, removing such representations only resolves part of the issues involved in joining then leaving the Safe Harbor.
