If enacted, the law would direct the FTC, within specified timeframes, to make rules requiring “covered entities” ‑ those that collect, use, transfer or store “covered information”  of more than 5,000 individuals over any consecutive 12-month period ‑ to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains.  Specific requirements are imposed directly on entities covered under the act.

“Covered information” that is protected under the proposed bill includes personally identifiable information (“PII”), unique identifier information and basically and any information that may be used to identify an individual.  Some provisions require different standard with regard “sensitive personally identifiable information”, which is defined as information relating to medical records or religious affiliations and PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”

A high level summary of a draft form of the bill was discussed in our recent webinar, “App-Endectomy: Removing the Mystery from the App Ecosystem.”  Here we’ll present the key highlights of the proposed bill.

Right to Security and Accountability

The bill requires the FTC to initiate a rulemaking proceeding to require covered entities to carry out security measures to protect the covered information it collects and maintains.  These security measures should be proportional to the size, type and nature of the covered information and should be consistent with recognized industry standards and the current guidance provided by the FTC in its privacy framework.  Each covered entity shall have “managerial accountability”, a process to respond to on-frivolous inquiries from individuals.  The bill requires that covered entities implement a “privacy by design” approach that builds privacy protections into their everyday business practices.

Right to Notice and Individual Participation

The bill also requires that the FTC to initiate a rulemaking proceeding to require covered entities to: (i) provide clear, concise and timely notice regarding its information practices and any material changes to such practices; (ii) offer individuals a clear and conspicuous opt-out mechanism for (a) unauthorized uses of their information or (b) use by third parties of their covered information for behavioral advertising or marketing.  The higher opt-in consent is required whenever an entity is dealing with sensitive PII, materially changes its stated practices or when the uses or transfer of information to a third party creates a risk of economic or physical harm to an individual.  Entities should also provide individuals with access to their PII and mechanisms to correct inaccurate PII.  In the event an entity enters bankruptcy or an individual terminates its relationship with an entity, the individual must also have the option to request that is covered information be rendered not personally identifiable if possible.

Rights Relating to Data Minimization, Constraints on Distribution, and Data Integrity

The bill’s requirements on data constraints and integrity are fairly standard.  Covered entities should only collect what’s needed.  They must have procedures to ensure the accuracy of the information and they should only retain the info as long as necessary to provide the service.  Whenever a covered entity transfers information a third party, the covered entity and third party must enter into a contract that says the third party won’t combine information to identify individuals without such individual’s opt-in consent.

Enforcement and Penalties

The bill grants the FTC enforcement authority over “knowing or repetitive” violations which shall be treated as unfair or deceptive acts or practices.  State attorneys general are given civil action authority to enforce the Act.  Notably, the Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. 

Monetary penalties for violating the Act are stiff – a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance.  If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater.  Liability is capped at $3 million. The act would preempt state laws, except those laws dealing with health or financial information or data breach notification.

Safe Harbor

There would be safe harbor programs which the FTC would create and supervise that would exempt participating entities from certain requirements of the Act.  However, these programs would have to have, in the FTC’s opinion, similar or more protective requirements than the Act itself.

While Senators McCain and Kerry tout the proposed legislation as a step towards greater and more consistent privacy protection, privacy advocates have argued the Commercial Privacy Bill of Rights Act of 2011 does not go far enough.  Unlike the FTC’s 2010 privacy framework which recommends a “Do Not Track” mechanism, the bipartisan bill doesn’t provide for a “universal opt-out” in which consumers can end all tracking but using a national registry.  Consumer advocates also claim that the bill would prohibit states from implementing stricter measures. 

We will continue to track the ongoing developments in privacy legislation and its potential impact on our clients.

The DMCA was initially intended as the US implementation of two treaties adopted by the World Intellectual Property Organization (WIPO) in 1996 to establish rules for two evolving forms of digital media: music and computer software and databases.  However, as the legislation was introduced in Congress, additional provisions were added in response to lobbying efforts by two distinct constituencies.  

Media companies wanted the bill to include provisions to protect their IP, which was increasingly available in digital form, from widespread infringement.  They therefore pressed for the inclusion of anti-circumvention rules that prevent anyone from bypassing any technological measures used by copyright owners to control access to their works.  And ISPs, hosting companies and interactive services sought provisions to provide a safe harbor from infringement claims based on the actions of their users.  In hindsight, these provisions, which were ultimately included in the DMCA, have each impacted the technological landscape in ways that are felt everyday

Without the anti-circumvention provisions, it is unlikely that DVD technology, which was being test marketed when the DMCA was enacted, would have been embraced by movie studios.  The adoption of DVD technology has led to the blossoming of new lines of electronics manufacturing and rental businesses that have far outpaced those which evolved when VHS was the primary medium for home viewing of movies.

However, these same provisions have also led to disputes and litigation that, to some, run counter to their original intent.  For example, while developing and improving methods to ensure the security of the internet and computers connected to it would seem to be an unassailable goal, the anti-circumvention provisions have created a Catch-22 for security experts and researchers.  In order to improve copy-protection systems and computer security programs, these experts and researchers need to determine what flaws exist in any currently deployed security system.  Thus, the very act of testing those systems is a violation of the anti-circumvention provisions of the DMCA.  For a more detailed, albeit one-sided, view of this debate, here is the Electronic Frontier Foundation’s report, entitled “Unintended Consequences: Ten Years under the DMCA.”

The safe harbor provisions have enabled the explosive growth of the web, particularly as an interactive medium.  In effect, website operators from MySpace to WordPress were able to provide forums for users without a constant fear of being sued based on the acts of their users.

In order to maintain “safe harbor” protection, the “provider of online services” must meet certain conditions.  It cannot have knowledge of an infringement nor derive any direct financial benefit from the infringing activity where it has the right and ability to control it.  A provider must also expeditiously remove material if a copyright holder sends a take-down notice, without the need to evaluate the notice to determine if it is accurate or whether the user who uploaded the content has any rights to it.   From a simple perspective, this seems to make sense:  a provider should not be put in a position of having to adjudicate disputes over content.  As a pure intermediary, its obligations should be as simple as possible (If receive take-down notice è then take down content).  The principals are the ones with the vested interest in the content and should be the only ones debating the merits of who has the right to make content available.

However, some content owners believe that too much emphasis is being placed on the take-down “remedy” enabling it to serve as a blanket of immunity for all infringement claims.  What if an online provider’s sole business model is to provide users with a readily available means to post content online?  And what if the site becomes wildly popular, with the potential to earn substantial amounts of money selling ads to companies seeking that vast user base and audience? And what if it is clear that users are posting content they don’t own?  Doesn’t the online provider lose its safe harbor protection because it has knowledge of the infringement?  Or is deriving financial benefit from the infringement? 

These are the basic facts underlying Viacom’s lawsuit against Google.  The case is headed for trial next spring.  The outcome will undoubtedly have major repercussions throughout the digital media world.

The intermediary function of online providers has also recently come under assault in a somewhat surprising context, the presidential campaign.  John McCain’s campaign had posted various videos on YouTube that included snippets from broadcast news footage.  In response to take-down notices from the news outlets, YouTube pulled the videos.

The McCain campaign then sent a letter to YouTube claiming its use of the footage was privileged under the fair use doctrine.  While recognizing that a fair use analysis could not be undertaken in response to every take-down notice, the McCain campaign proposed that such an analysis be done, at the very least, when the content at issue was posted by a political campaign.

In response, YouTube, politely, told the McCain campaign “thanks but no thanks.”  In a possible overstatement, the letter said that “[l]awyers and judges constantly disagree about what does and does not constitute fair use.  No number of lawyers could possibly determine with a reasonable level of certainty whether all videos for which we receive disputed takedown notices qualify as fair use.”  While acknowledging that some parties abuse the take-down notification process, YouTube essentially passed the burden of policing those abuses to the users who upload the content who, according to YouTube, “operat[e] from a position of strength, with knowledge of exactly where the content in [their] videos came from.”

Ironically, McCain voted for the DMCA.  But YouTube’s response appears to be more in line with both the express language and intent of the safe harbor and take-down notice provisions of the act.

The question of whether a fair use analysis needs to be employed in connection with issuing a take-down notice is currently the subject of litigation involving not an online provider but content owners.  Universal Music and Universal Publishing Group had issued a take-down notice to YouTube over a 29-second video posted by Stephanie Lenz of her toddler dancing to Prince’s “Let’s Go Crazy.”  YouTube took down the video.  Lenz then sued the Universal entities claiming that they made a misrepresentation in sending the take-down notice to YouTube knowing that Lenz’ use of “Let’s Go Crazy” was not infringing.  In essence, Lenz was arguing that a copyright owner must make a fair use analysis prior to sending a take-down notice to an online provider.

The Universal entities moved to dismiss the complaint.  At issue is language in the DMCA that, when sending a take-down notice, the complaining party must state its good faith belief that the use at issue is “not authorized by the copyright owner.”  Universal argues that fair use is merely an “excused” infringement and therefore a fair use evaluation is not relevant to determine whether the use is “not authorized” for DMCA purposes.  As Universal also pointed out, the DMCA take-down provisions do not even mention fair use, much less place a burden on the party issuing the notice to consider it.

The district court denied the motion, stating that the issue of whether fair use qualifies as “authorized by law” in connection with a take-down notice under the DMCA was a question of first impression. 

Obviously, this is a case that will be closely watched.  However, a final ruling in Lenz’ favor will have considerable consequences, effectively shifting the fair use burden from the user uploading the content (as YouTube noted in its letter to the McCain campaign) to the party issuing the take-down notice, in most cases copyright right owner. 

And so, we usher in the next decade of the DMCA.  And while it is difficult to predict what the next ten years will bring, it is probably safe to say that, regardless of the disputes that will inevitably arise, the digital marketplace will continue to rapidly evolve, with the DMCA serving as the basic framework and foundation for protecting digital rights and the focal point for disputes yet to come.