Make Money Online

Make Money Online with Affiliate Marketing and Affiliate Networks


The Federal Trade Commission (FTC) is regulating the use of blogs and other consumer-generated new media content in marketing. Revised advertising rules issued by the agency broadly extend the concept of endorsements and testimonials to include as sponsored advertising all sorts of loose new media relationships that are increasingly used in place of traditional radio and television advertising and paid endorsements.  These rules fundamentally change the legal and regulatory landscape for Web 2.0 marketing and should be studied carefully by bloggers, marketers and online advertising agencies, all of whom will now have to contend with new compliance obligations.

On October 5, the FTC issued its final revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, the first rewrite of the Guides since 1980.  Under the revised rules, which go into effect on December 1, companies that make payments or give free products to bloggers and other online commentators in order to generate positive buzz or favorable reviews for their products will now have to monitor closely the statements and claims made about the products and ensure that these relationships, if material, are clearly and conspicuously disclosed.  Otherwise, they will face liability for unfair or deceptive advertising practices under Section 5 of the FTC Act, even if they do not control what the bloggers say (or, indeed, whether they say anything).  The bloggers themselves will face similar liability for false or misleading statements and non-disclosure of material connections.  Marketers are also responsible for advising bloggers of their responsibilities.

While not actually binding law, the Guides serve as administrative interpretations of the law, issued to provide guidance on what the FTC considers to be deceptive behavior.  However, this does not mean compliance is optional.  Violations are punishable by civil penalties of up to $11,000 per violation. In addition to the regulation of Web 2.0 marketing which is the focus of this article, the Guides also include other significant changes, such as a new requirement that testimonials which do not describe typical consumer experiences must include clear and conspicuous disclosures of the results consumers can generally expect to achieve by using an advertised product.

By its very nature Web 2.0 marketing encompasses a variety of informal and fuzzy relationships which fall within the purview of the FTC’s new rules even though they are qualitatively different from traditional uses of endorsements in advertising.  For example, a marketer may provide unsolicited samples of its products to members of a blogger network who sign up for the network so that they can review the products on their sites.  Or a marketer may supply a product, such as a video game, to one particularly well-read blogger known as an expert or authority in his area in the hope of gaining a positive review.  Or the marketer may institute a word-of-mouth or viral marketing scheme where participants receive something of value (such as a payment or an entry in a sweepstakes) to e-mail their friends or send out tweets about the marketer’s product.  All of these relationships may now be characterized by the FTC as endorser-advertiser relationships, wherein both the “endorser” (i.e., the person generating the content about the product) and the “advertiser” (the marketer) must ensure the absence of false or misleading statements and the “clear and conspicuous” disclosure of connections that are not reasonably expected by the target audience and are likely to influence purchasers’ assessment of the credibility of the statements.

When is a Favorable Post an “Endorsement”?

The Guides define an “endorsement” as an advertising message that consumers will likely believe reflects the opinions, beliefs, findings or experience of a party other than the sponsoring advertiser, whether the endorser’s statements are the same as or different from the sponsoring advertiser’s.  Knowing the level of incentive that turns blogger commentary into a compensated “endorsement,” thereby rendering both the blogger and the advertiser potentially liable for failure to disclose material connections and for deceptive statements, is critical.  The FTC notes on page 10:

“[A] blogger could receive merchandise from a marketer with a request to review it, but with no compensation paid other than the value of the product itself. In this situation, whether or not any positive statement the blogger posts would be deemed an “endorsement” within the meaning of the Guides would depend on, among other things, the value of that product, and on whether the blogger routinely receives such requests. If that blogger frequently receives products from manufacturers because he or she is known to have wide readership within a particular demographic group that is the manufacturers’ target market, the blogger’s statements are likely to be deemed to be “endorsements,” as are postings by participants in network marketing programs. Similarly, consumers who join word of mouth marketing programs that periodically provide them products to review publicly (as opposed to simply giving feedback to the advertiser) will also likely be viewed as giving sponsored messages.”

The Guides cite as an example a consumer who purchases a new brand of dog food and reviews it favorably on her personal blog.  If she purchases the dog food with her own money or gets it for free because the store routinely tracks her purchases and generates a coupon for a free trial bag of the new dog food, there is no endorsement.  However, if the consumer gets the dog food as a result of joining a network marketing program under which she periodically receives various products about which she can write reviews if she wants to, her positive review will be considered an endorsement.  As another example, a college student who has earned a reputation as a video game expert receives (as he has in the past) a copy of a newly released video gaming system along with a request from the manufacturer to write about it on his blog.   He tests it out and gives it a favorable review.  This is also an endorsement, and the FTC comments that because the review is disseminated via a form of consumer-generated media in which his relationship to the advertiser is not inherently obvious, and given the value of the gaming system, the blogger should clearly and conspicuously disclose that he received it free of charge.  Furthermore, “[t]he manufacturer should advise him at the time it provides the gaming system that this connection should be disclosed, and it should have procedures in place to try to monitor his postings for compliance.”  (Here the blogger would also have to comply with the FTC’s rules on the use of expert statements in advertising.)

In one of the Guides’ most controversial examples, a skin care product manufacturer participates in a blog advertising service that matches up advertisers with reviewers.  The marketer requests that the blogger try out its new body lotion and write a review.  The blogger, totally on her own initiative and without any direction from the manufacturer, makes an unsubstantiated recommendation that the product cures eczema.  Both the manufacturer and the blogger will be liable for the unsubstantiated claim and any failure to disclose that the blogger is being paid.

The FTC has explained that the purpose of the new rules is to treat new media in the same manner as traditional journalistic and advertising outlets.  However, as a practical matter, many businesses treat these channels differently and will have to scramble to implement the necessary monitoring and enforcement mechanisms.  When a business buys a conference sponsorship, for example, in the hope of generating some positive online buzz, is anyone at the sponsor giving the conference organizer’s blog and Twitter emissions a compliance review?  Indeed, the whole point of marketing to bloggers and through social media is to support a spontaneous and unforced style of commentary that has greater authenticity for cynical, tech-savvy consumers.   Of course, in response to such comments the FTC has countered that its rules are designed precisely to protect consumers’ ability to rely on this quality of the blogosphere in making purchasing decisions.   Controlling what bloggers say is not relevant; what matters for liability purposes is whether “the advertiser initiated the process that led to [the] endorsements being made – e.g., by providing products to well-known bloggers or to endorsers enrolled in word of mouth marketing programs ….”

Playing the Compliance Game

Unfortunately, corporate legal departments will now have to extend the long arm of compliance over a whole host of Web 2.0 marketing activities that until now may have been loosely policed, if at all.   “In employing this means of marketing,” the FTC dryly observes, “the advertiser has assumed the risk that an endorser may fail to disclose a material connection or misrepresent a product, and the potential liability that accompanies that risk.”  However, it also states that in the exercise of prosecutorial discretion it will consider “the advertiser’s efforts to advise these endorsers of their responsibilities and to monitor their online behavior ….”

What this means for companies is that they will have to design a compliance and monitoring program.  What it means for online advertising agencies is that they can expect new restrictions and levels of review from clients over their Web 2.0 marketing activities and should also expect to assume a role in their clients’ compliance and monitoring programs.  Companies will want to get a handle on what their marketing departments are doing to curry favor with bloggers and create buzz through viral online marketing and will be especially anxious to herd advertising and PR agencies into the corral, since the companies are legally responsible for the actions of these third-party agents.

If compensation, free products or other valuable incentives (such as sponsorships) are being offered in the hope of stimulating positive reviews, then the company will need to institute and document a process of advising bloggers and other new media commenters about their duty to disclose material connections and the limits on the factual claims they can make about a product and its beneficial effects.   There should also be periodic monitoring of the resulting posts, with documented follow-up action if necessary, to make sure they comply with the FTC’s endorsement guidelines.

If blogger relationships are managed through an advertising or PR agency, then the agency will likely have to provide detailed information for each campaign about its contacts with bloggers and will have to share in the responsibility of conveying the advertiser’s guidelines to them and monitoring their compliance.   Companies should include a specific allocation of responsibilities with respect to these issues in written contracts with their agencies.  At the very least, a company should reserve the right to audit and pre-approve an agency’s solicitation of bloggers so that the company knows which bloggers the agency is dealing with and whether the relationships are of a type that could lead to advertiser-endorser liability and can monitor the bloggers’ posts about the company’s products.

If this compliance burden is too onerous for companies and their online advertising agencies, the alternative is to implement policies that prohibit the payment of compensation or giving away of valuable products in the hope of generating positive online buzz.   Favorable reviews are not “endorsements” within the meaning of the Guides unless they have been incentivized in some way.

Tips for Bloggers

As for bloggers and other online commenters, they should be sure to disclose any compensation or benefits they receive to comment on products and, if they do have such a connection to an advertiser, should be very careful to follow the guidelines furnished by the advertiser or its advertising agency (which the advertiser is required to provide) and not make general or sweeping factual claims about the product or any claim that can’t be easily substantiated.  If a blogger chafes at submitting to this degree of oversight and control, he always has the option of buying the product himself, for example, rather than receiving it as a freebie.  The FTC has indicated that advertisers and not bloggers will be its main enforcement target.  However, a blogger who runs a “substantial operation” that violates the rules and who receives a warning will still be at risk.  Moreover, the FTC can adopt a more aggressive enforcement stance at any time.

The FTC’s rulemaking will heavily influence the way marketers generate buzz on the Internet and warrants close scrutiny of participation in blogger and viral incentive programs by all parties involved.


Credit:
FTC Regulates Blogger, Viral Marketing Relationships

For over a year controversy has swirled around the plans of the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization that sets policy for the Internet’s domain name address system, to authorize potentially hundreds of new generic top-level domains (gTLDs) starting in 2010.  At present there are only 21 gTLDs, including .com, .net, .org, .info, .biz, etc.  If ICANN continues full steam ahead, however, you could soon see domain names ending in .paris, .bank, .google or .pizza, among other things.  ICANN’s plans have created a major headache for trademark owners, who face the possibility of a huge increase in cybersquatting, typosquatting and phishing incidents.  At the same time, if the trademark issues can be navigated successfully, the new gTLDs may mean a revenue enhancement opportunity for affiliates.

Brand protection in the domain name sphere is already expensive for trademark owners.  Preemptive or “defensive” registration of domain names identical to a business’ trademarks can lead to ownership of literally hundreds or thousands of registrations if the business is, for example, Disney and has a large trademark registration portfolio spanning the globe.  But a defensive brand protection strategy actually requires more than this, since the trademark owner must also anticipate that domain name cybersquatters and typosquatters will register common misspellings and mistypes of its trademarks, as well as combinations of the trademarks with other terms (e.g., www.mickeymousecartoon.com).

When you throw all of the common existing gTLDs (.biz, .info, and national or transnational gTLDs like .eu) into the mix, there can be thousands or tens of thousands of domain names with the potential to cause brand damage or consumer confusion in the hands of a squatter if the trademark owner doesn’t secure them.  Aggregated, the registration fees alone can cost hundreds of thousands of dollars per year.  In addition, under U.S. trademark law, an owner must actively police the use of its marks or risk the loss of its trademark rights.  Active policing and brand protection do not require registration of every possible domain name and legal action against every single typosquatter, but there must be a coherent, reasonable and vigilant strategy to protect the business’ goodwill; in other words, if you don’t care enough about your trademarks to spend money on brand protection, don’t go whining to a court about infringers.

As expensive and imperfect as a defensive domain name registration strategy is, it is much cheaper than the alternative, i.e., letting cybersquatters and typosquatters gobble up large numbers of sensitive domain names and then siccing your lawyers on them.  The problem is not an absence of legal recourse – both the federal Anti-Cybersquatting Consumer Protection Act, 15 U.S.C. §1125(d) (ACPA), and ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP), a policy followed by all domain name registrars enabling a trademark owner to compel the cancellation or transfer of an infringing domain name by mandatory arbitration, provide relief against squatters who have no legitimate interest in a domain name and have registered it in bad faith.

However, in practice this system is cracking under the strain of cybersquatter and typosquatter proliferation and innovation.  While arbitration under the UDRP is generally much cheaper than litigation under the ACPA, it still costs thousands of dollars in legal and filing fees at a minimum and frequently a lot more.  Furthermore, if the culprit is using a proxy registration service or an offshore rogue domain name registrar as an accomplice, identification of the culprit and securing of the registration are much more difficult.  Finally, successful acquisition of the abusive domain name registration doesn’t cut off the expense, since it must now be added to the portfolio of existing registrations to be maintained.

If all of this makes your head spin, now imagine adding several hundred more gTLDs to which squatters can hitch a trademark or a misspelling of a trademark.  Some of these domain names a trademark owner will have to register or acquire, even under the most permissive brand protection strategy, if it cares at all about protecting its customers from phishing schemes and avoiding consumer confusion.  Regulated financial institutions, which have a compliance mandate to educate their customers about security threats as well as to protect their reputations (and the bottom line from fraud losses), will need to be particularly vigilant.  For example, letting a squatter use www.chase.bank is simply not an option.   No wonder, then, that financial services companies and associations like Bank of America Corp. and the American Bankers Association have been among the most vocal objectors to ICANN’s gTLD initiative.

ICANN Responds to Trademark Owners

Faced with such objections and requests to delay implementation of the new gTLDs until a new trademark abuse prevention strategy could be devised, ICANN convened the Implementation Recommendation Team (IRT), a group of intellectual property experts, in March 2009 to examine the problem.  On May 29, 2009 the IRT published its Final Report on Trademark Protection in new gTLDs (pdf) for public comment.  In the report the IRT recommends coupling the implementation of the new gTLDs with several significant measures to protect trademark owners, including the creation of:

  1. An IP Clearinghouse to serve as a repository of data about asserted trademark rights (both registered and unregistered trademarks) throughout the world and a validator of these rights where trademark claims impact domain name registrations, and
  2. A Globally Protected Marks List (GPML) of select trademarks which have a large number of registrations in numerous countries and, accordingly, are targeted for the highest levels of abuse.

A “reasonable fee” would be assessed for the submission of marks to the IP Clearinghouse and GPML, but at a low enough rate so that holders of large trademark portfolios would not incur substantial costs exacerbating those of defensive domain name registration as described earlier.

The report also recommends the creation of a variety of trademark rights protection mechanisms (RPMs), some applying to the period prior to launch of the new gTLDs and others applying post-launch, which would utilize information in the IP Clearinghouse and GPML to resolve disputes and, in certain limited cases, block registration of infringing domain names.  These measures would supplement, not replace, the UDRP.

The new gTLDs and the process ICANN is developing would apply worldwide.  All registry operators for the gTLDs would be governed by the process, and they in turn would be required to bind all domain name registrars to certain commitments (like participation in the URS, if the IRT’s proposal is adopted).  ICANN has been working with the World Intellectual Property Organization (WIPO) and other international groups on this project, and the IRT is composed of IP experts from a number of different countries.

Rights Protection Mechanisms:  an Alphabet Soup

The RPM proposals are complex and contain much administrative detail, so I do not attempt to provide a full summary here.  However, a few elements of these proposals are particularly noteworthy.  Third-party applications for top-level domains that match or are confusingly similar to trademarks in the GPML (such as, hypothetically speaking, .apple) would initially be blocked, as would third-party applications for second-level domains that are identical to marks on the list (apple.computer, again hypothetically speaking).  Applicants to be gTLD registry operators would be required as part of the application to specify both pre-launch and post-launch RPMs they intend to implement.

An example of a pre-launch RPM endorsed by the IRT report is participation in a Pre-Launch IP Claims Service, whereby, if a gTLD registry does not provide some other type of pre-launch RPM, and a third party attempts to register a second-level domain that matches a trademark contained and validated in the IP Clearinghouse (and that is not a Globally Protected Mark subject to blocking), the registry would notify both the trademark owner and the registrant.  The registrant receiving the notice would not be blocked from registering the domain name, provided that it makes certain contractual representations and warranties – i.e., it has a right or legitimate interest in the domain name, will not use it in bad faith and (under penalty of cancellation of the domain name) has provided accurate contact information.  (You can see what I mean about the procedures being complex.)

The IRT proposal also recommends that all gTLD registries be required to participate in a new Uniform Rapid Suspension System (URS), sort of a cheaper, fast-track, limited-purpose version of the UDRP for super-bad cybersquatters.  Successful use of the URS would not result in cancellation or transfer of an infringing domain name registration, as with the UDRP; rather, the registration would be frozen for its natural life, and Internet users attempting to access that domain name would see a specific error webpage.

While the “substantive” standard for evaluating a URS complaint would be the same as the UDRP’s – bad-faith registration and use, with no legitimate interest in the domain name – the complainant’s “evidentiary” burden would be greater, so that it would have to establish its case by clear and convincing evidence, and the complaint would be denied if there was any “genuine contestable issue” about the infringement or the illegitimacy of the registration.  (The URS is intended to resolve only the most clear-cut cases of trademark abuse; an unsuccessful complainant would still be able to seek relief under the UDRP or ACPA.)  Complaints would be submitted to a third party selected by ICANN, which would retain a qualified legal expert to render a decision.  Fees would be assessed by the third party on a cost-recovery basis.  All in all, the process would be more streamlined and less formal than under the UDRP, and complaints could be submitted by e-mail.

Thick WHOIS Reporting

Finally, the IRT report recommends requiring all registry operators for the new gTLDs to provide WHOIS information under the “Thick WHOIS” model, as is currently done in the .biz and .info registries.   This model contemplates the provision of detailed WHOIS information by the central registries for all domain names registered within those registries, rather than reporting by domain registrars (the “thin WHOIS model”), which tends to be less complete and reliable.  Using the thick WHOIS model for the new gTLDs will make it easier and more cost-effective for trademark owners to identify and pursue squatters.

Will this Improve Inefficiencies in the Current Trademark System?

The IRT’s proposals are not going to sweep away the complications of preventing trademark abuse in the domain name sphere; the current system for preventing domain name abuse is overtaxed and inefficient, and it will remain so.  Brand protection is still going to be administratively complex and expensive, but the IRT’s proposals, if adopted, should compensate for some of the increased risk from the new gTLDs.  The GPML blocking proposal, in particular, should be helpful, although it will apply only to a relatively small handful of well-known marks registered throughout the world.

An Opportunity for Affiliates?

While these protections will undoubtedly aid trademark owners and represent a much needed supplement to the rather clunky and expensive UDRP, in light of the sheer number of domain name possibilities that the new gTLDs will open up, trademark owners can still expect to have their hands full (and wallets emptied) protecting their brands and fending off squatters.  However, this headache and expense might create opportunities for new types of arrangements between merchants and their affiliates.

For example, rather than a merchant trademark owner trying to anticipate and register all domain names under the new gTLDs that could pose a problem if acquired by an unfriendly third party, it could license its affiliates to do so; the affiliates could either keep the domain names inert or have them resolve to approved ad copy.  Affiliates could be paid a premium commission for clicks or transactions resulting from Internet traffic visiting the new domain names, to compensate the affiliate for both its initiative in opening up new real estate and the mitigation of trademark risk to the merchant from having the domain name in “friendly” hands.  The affiliate contract could even contain a buyout clause giving the trademark owner the option to purchase the domain name registration from the affiliate at a designated price (the affiliate’s out-of-pocket costs plus some kind of premium).

For affiliates, such an arrangement would mean new sources of revenue.  For the merchant, in addition to increased Internet traffic, the arrangement would mean lowering its trademark abuse and brand protection costs – fewer domain name registrations to acquire and maintain, fewer disputes to pursue under either the URS or UDRP.  The “good guys” (affiliates) would effectively be deputized to compete with the “bad guys” in the new gTLD gold rush.  However, affiliates sensing an opportunity should get on the same page with their merchants and enter into an appropriate contract before snapping up domain names; otherwise, they risk being lumped together with the squatters.

As the 2010 launch date approaches, hold on tight – it’s going to be a bumpy ride for sure.


Here is the original:
Trademark Issues in ICANN Domain Name Initiative Create Perils, Opportunities

This is the second installment of Andrew M. Baer’s coverage of a new, more assertive type of data security regulation that has huge implications for businesses operating online. Call it Data Security Regulation 2.0.

Massachusetts Has Written Your Information Security Program

Unlike the Nevada law (see Part 1), which is relatively brief and narrowly focused on the encryption of electronically transmitted data, Massachusetts’ new data security regulation, 201 CMR §17.00(pdf), is extremely sweeping and eliminates much private discretion in the realm of information security by imposing comprehensive, detailed operational requirements for business activities that touch personal information. Having had the privilege (or misfortune, depending on your view of current events) of serving as bank counsel for many years, I have grown accustomed to requirements like these being enforced by federal and state regulators. (Indeed, I once had a wonderful bonding moment with FDIC examiners as I was describing my client’s highly conscientious program for monitoring its vendors’ safeguards around customer information.) However, many companies are in unregulated industries, and for smaller businesses this type of government intrusion may come as a nasty shock. Simply put, from the standpoint of the Commonwealth of Massachusetts, we are all banks now.

Issued by the Office of Consumer Affairs and Business Regulation under authority granted by the state’s identity theft law, the regulation was initially set to go into effect on January 1, 2009. However, complaints from business groups and the deflating economy convinced the Commonwealth to postpone implementation and scale back some of the more onerous requirements. The amended regulation was finalized on February 12, 2009 and now mandates compliance by January 1, 2010. Despite some smoothing at the edges, it is still a remarkably activist bit of policymaking. All philosophical and ideological objections aside, 201 CMR §17.00 should be studied closely by CIOs and corporate counsel, not only to stay on the Commonwealth’s good side, but also because the regulation is basically a primer for writing an information security program and may well provide a model for future federal data security legislation.

Under the law “[e]very person that owns, licenses, stores or maintains personal information” about a Massachusetts resident must “develop, implement, maintain and monitor” a comprehensive written information security program, which must be “reasonably consistent with industry standards” and also must incorporate a sizeable laundry list of specific security measures. The definition of “personal information” is more expansive than in the Nevada statute, covering the same categories of information (name and Social Security or driver’s license number, etc.), but also a name combined with a credit or debit card or other financial account number with or without any required code or password that would permit access to the account.

Information security programs will be assessed for compliance based on a sliding scale, taking into account the size, scope and type of the business, the available resources, and the amount and sensitivity of stored customer and employee data. However, at a bare minimum, each program must include such measures as designation of an employee to maintain it, security failure detection systems, employee training, employee security policies, disciplinary action for violators, immediate termination of departing employees’ access to personal information (including immediate deactivation of passwords and user names), limitation of access to personal information to those who have a need to know, limitation of information collection and retention by legitimate business need, initial and ongoing due diligence review of third-party vendors with access to personal information to verify their compliance with 201 CMR §17.00, physical access controls (including locking of facilities), regular monitoring and upgrading of safeguards, review of security measures at least annually (sooner if there is a material change in business practices), and review and documentation of security incidents and any responsive or remedial action taken.

These program requirements apply to personal information whether it exists in electronic or paper form. However, businesses which electronically store or transmit personal information must incorporate additional computer and wireless system requirements in their information security programs. These include secure user authentication protocols and access control measures, such as unique user IDs and passwords and safe methods of assigning and controlling the same, system monitoring, “reasonably up-to-date” anti-virus, malware and firewall protection together with ongoing application of security patches for these and the operating system, and employee computer security training. For a regulated financial institution or a publicly traded company subject to the Sarbanes-Oxley rules, the security measures mentioned so far are already standard business practice; smaller or more entrepreneurial companies, however, may have difficulty with the regulation’s insistence on formal written procedures and documentation.

What is unusual about the Massachusetts regulation is its explicit emphasis on encryption, which sets it apart from the federal banking regulations. To the extent technically feasible, a business must encrypt all records and files containing personal information transmitted over public networks or wirelessly. Additionally, all personal information stored on laptops or other portable devices must be encrypted. Encryption is defined much more rigorously than in the Nevada statute, as “the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.” An earlier version of the regulation required 128-bit or equivalent encryption. Although this was dropped, businesses are advised to steer clear of weak forms of encryption, since any use of security measures that are clearly insufficient in light of known risks or are disfavored in the industry will run afoul of the regulation’s other requirements.

The encryption requirement is far-reaching, as it covers not only the transmission of personal information (as the Nevada law does) but also its storage on laptops, smart phones, flash or USB drives, and other media. Frequently an employee will transfer information from an office terminal to one of these devices in order to work from home or in a mobile setting. If the device is subsequently lost or improperly accessed, the employer will be liable if there is no encryption. Therefore, businesses with customers or employees in Massachusetts must specifically address the storage of information on portable devices in their information security programs and employee training. My advice here is either to prohibit such activities (since employees with a legitimate need can easily be provided with secure remote access to data stored on work systems, access that should not include the ability to download the data) or to allow transfer of personal information only to devices specially provided by the employer that contain suitable access controls as well as industry-standard encryption.

Violations of 201 CMR §17.00 carry stiff penalties. The Massachusetts attorney-general is empowered to bring enforcement actions to recover up to $5000 per violation, attorneys’ fees and restitution for losses suffered by consumers, as well as obtain injunctive relief. In addition, as mentioned previously, any failure to comply with the requirements will be gleefully used by a plaintiff’s attorney to build a negligence case based on breach of a statutory standard of care.

Desperately Seeking Preemption?

The new laws in Nevada and Massachusetts are surely the harbinger of things to come. More and more states are considering assertive, top-down regulation of information security practices, and the profusion of different standards in various states will make it difficult and costly to comply with them all. The different encryption requirements in Massachusetts and Nevada illustrate this problem. Businesses would benefit from the enactment of a single, federal data security law that would preempt state laws covering the same subject matter. Until this happens, all businesses receiving personal information from a nationwide market should develop and implement, if they are not already required to do so by federal regulations, a written information security program that includes encryption and complies with the strictest state regulatory regime (as of this moment, Massachusetts).

Data Security Regulation 2.0 is not limited to banks and large corporations, but encompasses millions of businesses that collect customer information online. These businesses will have to get a lot more sophisticated very quickly. The perplexed are strongly urged to consult counsel and information security professionals to decrypt the new regulatory landscape.
——————
Andrew Baer is the founder of Baer Business Law, LLC, a Philadelphia firm focusing on e-commerce, business and technology law.


Read the original:
Data Security Regulation 2.0, Part 2: Massachusetts Has Written Your Information Security Program

Nevada and Massachusetts are pushing forward with a new, more assertive type of data security regulation that has huge implications for businesses operating online.  Call it Data Security Regulation 2.0.

In this first of two installments we will review past regulation and cover the changes Nevada is implementing with regard to data security.

Data Security Regulation 1.0:  First Breach, Then Notice

By now most of us are familiar with what I call Data Security Regulation 1.0 – the complex of data breach notice statutes passed in the last five or six years by (as of the end of 2008) 44 states and the District of Columbia following California’s lead.  These statutes require notification of individuals potentially affected by the unauthorized access of their covered personal information which may result in foreseeable identity theft or other harm. The definition of covered personal information and the triggering event for notice differ from state to state, and some laws exempt encrypted data from the notice requirement.  This first wave of regulation was, in essence, operations and technology neutral, setting specific requirements for responding to incidents but not for preventive measures.

The impetus for Data Security Regulation 1.0 was the flood of widely publicized data breach incidents at retailers, data mining companies and government agencies, including TJX, ChoicePoint, CardSystems, DSW, and BJ’s Wholesale Club, resulting in the compromise of tens of millions of records containing credit card account information, Social Security numbers, and other sensitive personal information.  This proliferation of data breach notice statutes, in turn, led cautious businesses to issue a torrent of disclosures, whose portentous tone, coupled with a lack of specificity about what information was improperly accessed, often baffled their recipients.

Data Security Regulation 1.5:  Be Reasonable

Two or three years ago federal and state policymakers started moving away from an incident-based model of regulation, instead requiring the proactive implementation of measures to ensure a minimum acceptable level of data security.  Regulated financial institutions subject to the Gramm-Leach-Bliley Act and Fair Credit Reporting Act, among other things, have had to operate in these waters for a decade or more, but the aggressive regulatory approach to data security known in the banking world has been increasingly extended to all types of businesses whose possession of personal information exposes them to the risk of hacking, internal sabotage or accident and thus potentially imperils the public.

The Federal Trade Commission (FTC) took the lead by bringing enforcement actions against companies, most notably TJX, whose failure to implement reasonable data security measures (e.g., not upgrading controls for wireless access to its networks, not requiring network administrators to use strong passwords, and not adequately investigating reported security incidents) created culpability for the massive and repeated breaches that ensued.  The states then stepped in, a dozen or so enacting laws requiring minimum levels of security for covered businesses and agencies.

I call this second wave of governmental activity Data Security Regulation 1.5.  It imposed a higher standard on businesses than the purely reactive data breach notice laws and penalized them for specific practices that resulted in harm to the public, but did not prescriptively legislate the use of certain technologies or the actual content of companies’ information security programs.

Data Security Regulation 2.0:  Looking Under the Hood

That is beginning to change with the advent of Data Security Regulation 2.0 in Nevada and Massachusetts.  New laws in those states have government looking under the hood by setting specific standards, including the use of encryption, for businesses which collect, store and transmit the personal information of their customers.

Nevada: Transmission Requires Encryption (Sort of)

The Nevada law, NRS §590.970, became effective on October 1, 2008 and provides that “a business in this State” may not electronically transmit “any personal information of a customer” (other than by fax) “outside of the secure system of the business” unless encryption is used to ensure the security of the electronic transmission.  “Personal information” means unencrypted information consisting of an individual’s last name and first name (or first initial) combined with his or her Social Security number, driver’s license or identification card number, or financial account number plus password or access code.

Careful parsing of the statutory language is necessary to grasp its broad coverage.  For one thing, “a business in this State” is almost certainly not limited to Nevada chartered companies.  Rather, any business with operations or customers in Nevada is likely to be covered, which, of course, includes websites with Nevada customers and account holders.  Furthermore, there is no indication that a “customer” must be a Nevada resident.  Thus there are many different scenarios in which the law could be invoked.  For example, if an account representative at a business with Nevada customers e-mails a file of customer names and credit card account information, which could belong to out-of-state residents, to a vendor or her personal e-mail account without encrypting the data, the company arguably has violated the statute.  Similarly, if a company outsources certain operations to a vendor and transfers customer information to the vendor for storage or processing by posting it to a secure file server, the data must be encrypted.

Admittedly, the encryption standard required by the statute is rather loose.  Apart from requiring some form of encryption, the statute is technology-neutral.  (Not so with the new Massachusetts data security regulation, as we shall see shortly.)  For purposes of the Nevada statute, encryption is defined as:

“the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:  1. [p]revent, impede, delay or disrupt access to any data, information, image, program, signal or sound; 2. [c]ause or make any data, information, image, program, signal or sound unintelligible or unusable; or 3. [p]revent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

One could even argue that simply requiring a user to input a password to open a file would be sufficient to comply with the statute, since this would be a “protective measure” used to “prevent” or “impede” access to covered data.  Of course, this approach would at best comply with the letter and not the spirit of the statute, and would probably not insulate a company from liability under other laws if the FTC or a plaintiff’s attorney showed that, given the sensitivity of the data, industry best practices dictated more robust security measures.

The Nevada statute does not prescribe any specific penalties or remedies for its violation.  However, it establishes what is known as a statutory standard of care, meaning that failure to comply may render a company liable in a negligence suit brought by identity theft victims or perhaps by banks which have incurred fraud losses as well as the substantial out-of-pocket cost of closing and reissuing compromised credit and debit cards.  In such litigation, compensatory and even punitive damages are possible.  The state can also be expected to bring its own enforcement proceedings against violators.

Tomorrow’s second segment will cover Massachusetts’ more comprehensive and sweeping data security regulation.

——————
Andrew Baer is the founder of Baer Business Law, LLC, a Philadelphia firm focusing on e-commerce, business and technology law.


Credit:
Data Security Regulation 2.0, Part 1: In Nevada Transmission Requires Encryption

The Federal Trade Commission (FTC) has upped the ante in the effort to regulate consumer privacy in the online behavioral advertising space.

Not that you would guess it from the title of the FTC’s latest guidelines, which are billed as industry “self-regulatory principles for online behavioral advertising.”  However, at the very end of the FTC’s 49-page staff report is an ominous portent:  in the next year the agency will investigate industry practices and may bring enforcement actions against businesses for unfair or deceptive acts or practices and violations of other laws.  Over the past decade the FTC has brought numerous legal and administrative actions in the name of online privacy, resulting in costly cease and desist orders, fines and injunctions against online businesses for failing to disclose their privacy practices clearly, deviating from their posted privacy practices, or lacking reasonable consumer data protection measures.  Therefore, it would be a mistake to view the new online behavioral advertising principles as voluntary.

Online behavioral advertising is the practice of targeting ads to individual consumers based on data collected about their web activity, such as searches conducted, web pages visited and content viewed.  The FTC has been interested in this area for years because of the presumed invisibility of the data collection to consumers.  Also, with the increasing amount and richness of data collected by numerous sites and service providers for online advertising purposes, the potential for fraud or other harm to consumers if information falls into the wrong hands, or is merged to produce or elicit more sensitive data, grows exponentially.

In November 2007, the FTC held a two-day Town Hall meeting to discuss online behavioral advertising in a public forum.  Following that event, the FTC released for public comment draft self-regulatory principles to address privacy concerns.  Over the next few months, the FTC received over 60 comments from the online advertising industry, academics and privacy advocates, among others.  On February 12, 2009, the FTC issued revised principles which it intends to serve as the framework for industry self-regulation going forward.  The principles are summarized below, along with some practical compliance tips.  The FTC staff report can be read in its entirety here (pdf).

What Is Not Covered?

The FTC’s new online behavioral advertising principles do NOT apply to first party advertising, where the site displaying the targeted ad is the same one that collected the data and where no data is shared with third parties.  A service provider performing internal functions for the site would not count as a third party, but if the site participates in an advertising network which collects data at the site for behavioral advertising, this is considered third-party sharing.  The principles also do NOT apply to contextual advertising, where an ad is immediately displayed based on a single visit to a web page or a single search query, rather than the tracking of a consumer’s online activities over time.  (With that said, first party and contextual advertising are still governed by the FTC’s general requirements concerning privacy and data security as mentioned above.)

Not Just PII

The principles apply not only to personally identifiable information (PII), such as name, e-mail address and Social Security number, but also to data that could reasonably be associated with a particular consumer or computer or other device.  Such data includes clickstream data that could be combined with a consumer’s website registration information; individual pieces of anonymous data combined into a detailed profile that is identifiable with a particular person; and behavioral profiles that are not associated with a particular consumer, but are stored and used to deliver personalized advertising and content to a particular device.

Principle #1:  Transparency and Consumer Control

Every site where data is collected for behavioral advertising should provide a “clear, concise, consumer-friendly and prominent” notice that (1) data is being collected at the site for use in providing advertising tailored to consumers’ individual interests, and (2) consumers can choose whether or not to allow this.  The site must also provide a “clear, easy-to-use, and accessible method” for exercising this option (i.e., an opt-out).  Ironically, the FTC believes that the information and features described above should NOT appear, or appear solely, in the site’s privacy policy, since these policies may not be an effective way to communicate with consumers.  Although not required, the FTC speaks approvingly of adding a pop-up box (“why did I get this ad?”) or similar disclosure in close proximity to the ad, with a link to the section of the site’s privacy policy discussing targeted advertising.

Finally, where data collection for online behavioral advertising occurs outside of the standard website context, such as through ISPs, Web 2.0 or mobile devices, the same principles of disclosure and consumer choice will apply, so alternative methods must be developed to satisfy these principles.

Principle #2:  Reasonable Security, and Limited Data Retention, for Consumer Data

Companies collecting or storing data for online behavioral advertising must provide reasonable security.  Reasonableness is determined in light of the sensitivity of the data, the nature of business operations, the types of risk a company faces, and the protections available to it.  Companies should also retain data only as long as necessary to fulfill a legitimate business or law enforcement need.  Limited retention is key, since the FTC is eager to bring enforcement actions against companies which experience data breaches and are found to be storing consumer information for years after their relationship with the affected consumers has ended.  The FTC has also sanctioned companies which carelessly disposed of sensitive personal information, such as by tossing it into a dumpster.  If you follow negligent practices like these, you will not be able to get off the hook by playing the victim.

Principle #3:  Affirmative Express Consent for Material Changes to Existing Privacy Promises

This requirement is extremely significant because it covers not only disclosures about online behavioral advertising, but any privacy policy or notice.  If a company materially changes its privacy practices, it must obtain “affirmative express consent” (i.e., opt-in) from consumers before it may use previously collected information under the new practices.  “Material” changes are those that are likely to affect a consumer’s conduct or decisions with respect to a product or service.  Among other things, the FTC considers different uses for data collected or different types of sharing with third parties to be material changes.

As for what constitutes “affirmative express consent,” the standard privacy policy language providing that any use of the site after a modified policy is posted constitutes acceptance of the new policy clearly no longer works for previously collected data.  Instead, users must be required to take some affirmative action to consent.  According to the FTC, a pre-checked box indicating consent to the privacy changes is not valid consent, nor is a choice mechanism “buried deep” in a lengthy privacy policy or uniform licensing agreement.  (So, yes, an extra click really is required.)

Prospective changes to a privacy policy (applying to information collected after the new policy is posted) are not covered by the affirmative express consent requirement, although the FTC mentions a need to alert repeat site visitors to the changes, such as by a prominent notice on a landing page.

Principle #4:  Affirmative Express Consent to Using Sensitive Data for Behavioral Advertising

Companies should collect “sensitive data” for behavioral advertising only after consumers opt in to receive such advertising.  Although the FTC has not provided a comprehensive definition of sensitive data, it includes financial data, data about children, health information, precise geographic location information, and Social Security numbers.  The FTC has also raised for further consideration whether certain categories of data exist that are so sensitive they should never be used for behavioral advertising.

Regulate Thyself or Else

The main take-away here is not to be fooled by the ingratiating “self-regulatory” moniker that appears dozens of times throughout the FTC staff report.  The principles discussed above are, or will soon be, industry best practices.  Outliers should be wary.  Companies collecting data for online behavioral advertising are strongly encouraged to consult their e-commerce counsel to determine whether the FTC’s principles apply to them and, if so, how to comply without jeopardizing a valuable channel for content and revenue.


FTC Sounds Off on Online Behavioral Advertising Privacy Issues