Archive for Social Media

Privacy Claims Based on LinkedIn’s Security Promises Survive Motion to Dismiss

[Post by Venkat Balasubramani]

This is a lawsuit filed in the wake of a widely reported data breach at LinkedIn. Plaintiffs alleged benefit-of-the-bargain type claims against LinkedIn, saying LinkedIn failed to live up to its security practices. The first time around, the court rejected these claims and granted LinkedIn’s motion to dismiss. (“Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation.”) This time around, the named plaintiff slightly adjusts her pleadings, and part of her claim survives.

Standing: She alleges that she was a premium subscriber from March through August 2010 and that:

“prior to her purchase of the premium subscription, she read LinkedIn’s User Agreement and Privacy Policy and that, had LinkedIn disclosed its lax security practices, she would have viewed the premium subscription as less valuable and would have attempted to purchase a premium subscription at a lower price or not at all.”

The court says that the cases construing California’s unfair competition statute hold that a consumer’s reliance on a product label is sufficient to confer standing under both the UCL and Article III. LinkedIn, on the other hand, argued that this precedent only applies to cases where the misrepresentation is contained in a “label or an advertisement.” While LinkedIn cited to cases saying that plaintiff has to allege more than “mere overpayment,” LinkedIn also disputed the notion that the statements in LinkedIn’s privacy policy were the type of advertising that could support a claim under the UCL statute at all. Among other things, the purported promise is a stray sentence that applies to premium and non-premium members alike. The court rejects LinkedIn’s argument, taking a broader view of the Unfair Competition Law cases. The court says that cases aren’t strictly limited to misrepresentations in labels or advertisements; and even to the extent they are, the term “advertisement” is broadly construed. The court hints at some skepticism as to who would actually read the policy, but says that this is not the situation where a prospective customer was physically precluded from reading the policy.

Plaintiff states a claim: LinkedIn raised a variety of arguments on the merits, including that the representation in question was not material, that the precise method of data encryption was disclosed, and that this isn’t something that would register with an average consumer. None of these is sufficient at the motion to dismiss stage. Plaintiff alleged “plausible” explanations and arguments for why the statement was false and would be likely to mislead customers, and that’s the extent of the court’s inquiry. As to her explanation of falsity, the court cites to the fact that (1) LinkedIn’s encryption practices were not in line with prevailing industry recommendations (by the National Institute of Standards and Technology), and (2) a few days after the data breach, LinkedIn publicly stated that it would revise its encryption practices to bring them in line with prevailing industry standards.

The court dismissed the breach of contract and UCL claim based on the unfairness prong previously, and dismisses those claims with prejudice. The UCL claim based on the fraud prong survives.

__

The idea that flowery language in a privacy policy would come back to haunt a company is not entirely shocking. Nevertheless, that privacy policy language could potentially support a claim under the UCL statute will probably raise a few eyebrows. As is frequently said, there is no greater lie on the Internet than “I read and agreed to the terms and conditions”! Interestingly, LinkedIn did not cite to or try to marshal any disclaimers or other protective provisions in its terms of service to neutralize or otherwise undermine plaintiff’s claims.

Privacy plaintiffs who happen to be paying customers are continuously fine-tuning their claims, and it was inevitable that they would find some sort of hook, at least to survive a motion to dismiss. To their benefit, the theory advanced doesn’t require a showing of harm flowing from the breach – i.e., they need not show that their information was ultimately misused. But they would have to prove up their allegations that they read and relied on the policies in question, and that’s where they will face some serious challenges. The case may also not lend itself to class resolution, and this may derail the case as a class action as well. (See the Gmail privacy litigation ruling.)

Case Citation: In re LinkedIn User Privacy Litigation, 12-CV-03088-EJD (N.D. Cal. Mar. 28, 2014)

Court Rules That Kids Can Be Bound By Facebook’s Member Agreement

[Post by Venkat Balasubramani]

The status of kids’ ability to form contracts via online terms of service was somewhat uncertain over the last several years, with a few Facebook-related rulings raising questions. A group of minor plaintiffs who opted out of the Fraley v. Facebook Sponsored Stories settlement brought suit for violation of their publicity rights under an Illinois statute.

A recent ruling shuts out their claims, and gives some clarity to the online contracting landscape for minors.

The key question in front of Judge Seeborg was whether the contract at issue between minors and Facebook — essentially granting a publicity rights release –- was one of the narrow types of contracts with minors that were void, or if the contract was merely voidable under California Family Code 6701, et seq. Section 6701 sets forth certain exceptions to the general rule of contract voidability for minors—i.e., a minor cannot:

(a) give a delegation of power
(b) make a contract relating to real property …
(c)  make a contract relating to personal property not in the immediate possession or control of the minor

Plaintiffs tried to rely on subsections (a) and, as a fallback subsection (c), but the court quickly rejects these as inapplicable. As to whether entry into a TOS is a delegation of power, the court says it is no more so than any ordinary contractual arrangement. Sure, Facebook has the right to do certain things with the minor’s image and likeness, but this isn’t the type of delegation the statute is intended to cover. Subsection (c)’s reference to property that is not in the immediate possession of the minor means that it doesn’t apply to licenses.

Given that the contracts don’t fit into any of these (narrowly construed) categories that would render the contract void, Facebook’s contract with the minors is voidable, meaning that it’s valid until the minors decide to void it. Plaintiffs made no allegations that they had tried to void it. In fact, the minors in this case:

[did not] dispute that they continued to use their Facebook accounts long after this action was filed.

D’oh!
__

With the caveat that this is just a district court ruling, and plaintiffs will continue to attack these terms in far-flung jurisdictions, this is a very helpful ruling for Facebook in that it removes some uncertainty as to a big category of potentially lucrative users: users who are old enough to not pose COPPA problems but who haven’t yet reached the age of majority. Networks for the most part took a don’t-ask/don’t-tell type of approach with this group, but were hesitant to enter into deeper economic and legally uncertain relationships. (The litigation over in-app purchases serves to illustrate why these relationships can be challenging for networks. See In re Apple In-App Purchase Litigation. Facebook is also involved in a similar dispute, which is pending.)

One possible downside for networks and silver lining for minors: the right of dis-affirmance–that the plaintiffs failed to exercise here–could translate into a takedown right of sorts. It probably cannot be an effective tool to take down older content (see California’s minor “eraser law” for something that could come into play here), but it could certainly turn into a hassle for networks when it comes to continued ability to exploit content from a minor’s account. From a logistical standpoint, perhaps networks will simply decide that it’s easier to remove all content from a disaffirming minor’s account?

Case citation: C.M.D. v. Facebook, 2014 WL 1266291 (N.D. Cal. Mar. 26, 2014)

Social Media and the Law

[Post by Jacki Beem]

As the social media environment continues to grow and become a highly interactive and more frequently used way for people and companies to communicate, new legal issues or scenarios consistently arise. People are using social media forums to network, message others, do damage control, find jobs, recruit others, do market research, and promote goods and services. As our time spent on social media sites increases, so do issues of content control, ownership, privacy, copyrights, brand protection, defamation, workplace problems, and advertising issues.

At Focal PLLC, many clients approach us with cutting edge internet, media, and technology issues, often involving social media in some way. Although many issues have not yet reached a courtroom, there has been a healthy amount of litigation within the bounds of social media. A great legal resource is the Practising Law Institute’s treatise on “Social Media and the Law.” This resource offers a detailed look at the applicable law in certain situations, describes cases that have interpreted these new laws, and provides excellent practice materials (such as sample cease-and-desist letters) for attorneys and business owners.

This treatise covers all of the state, federal, and foreign privacy issues surrounding social media (including user information, personal data, protecting user privacy, privacy policies, privacy torts, compliance with privacy laws, and tracking). In addition, it covers the various privacy acts, and many of the rules and cases that have interpreted them in social media settings.

The section on Employment and Workplace issues was also very interesting. In addition to the issues arising from an employer’s use of social media sites, the treatise offers a detailed look at the various legal issues that arise when an employee uses social media in a way that causes their employer to take adverse action. What business owners and large companies may find useful is the guidance provided for adopting an effective and comprehensive Social Media Policy.

The Practising Law Institute is offering a 20% discount on the “Social Media and the Law” treatise to readers of this blog. If you are an attorney or business owner looking to navigate the legal issues surrounding social media, you can pick up your discounted treatise here.

 

[NOTE: PLI sent us a review copy for free. The link above is not an affiliate link—i.e., we do not receive any commissions or a percentage based on purchases.]

AFP & Getty’s Republication of Twitter/Twitpic-Sourced Photos Turns Out to Be Costly – AFP v. Morel

[Post by Venkat Balasubramani]

This is a long-running copyright infringement case that we’ve covered repeatedly. (My most recent post with a pre-trial recap: AFP v. Morel – Lawsuit Over Haiti Photos Taken From Twitter/Twitpic Goes to Trial.) AFP and (through AFP) Getty thought they had a license to republish Daniel Morel’s photographs of the Haiti earthquake that Morel had posted to Twitpic, and they in turn licensed the photographs downstream. Unfortunately, they did not have any permission at all, as the person who purportedly granted them permission (Lisandro Suero) turned out to have copied Morel’s photos and posted them to his account without permission. In response to Morel’s infringement arguments, AFP and Getty asserted, among other arguments, one that they could exploit the photos because the Twitter and Twitpic terms of service contained a broad license grant in their favor. Somewhat predictably, this argument did not fare well.

Prior to the trial, the court found defendants liable for infringement, putting them on the hook for something. The big question at trial is if AFP and Getty acted in good faith or willfully infringed. Going into trial, the evidence didn’t look particularly good for defendants. Editorial Photographers UK & Ireland had great day-by-day coverage of the trial. It’s well worth reading the whole thing, but a few snippets caught my eye:

Questioned on why he had ignored AFP’s guidelines on the use of material found on social networks, Amalvy [an AFP executive] said he was focused on the scale of the Haitian catastrophe. Pressed on his claims that he had only ever seen Morel’s stolen images at Suero’s TwitPic account, but had seen none of Suero’s linked tweets, Amalvy pled unfamiliarity with the technology.

….

Had it occurred to the editor of 20 years experience that the quality and nature of the Morel images might indicate they were by a professional photographer? Apparently not. Were the images withdrawn from sale when it was quickly learned that they were stolen? No: AFP simply changed the credit from Suero [the person they thought owned the photo] to Morel. Did AFP contact their clients to warn them they were publishing stolen images with a false byline? Of course not, they were too busy. When AFP tried to contact Morel to make a deal did they mention that they’d already published his work under a false byline? Take a wild guess.

Getty & AFP had a variety of excuses for what went wrong and why they did not immediately cease distribution of the images, but none of them seemed to sway the jury. Getty also pointed the finger at AFP and tried to position itself as a platform used by AFP. (One vaguely appealable issue may be the availability of DMCA safe harbor protection to Getty, but the costs and further wrangling can’t possibly be worth it.)

Ultimately, the jury did not think that Getty and AFP were good actors. They awarded the maximum statutory damage awards for infringement ($150,000 x 8 images, for a total of $1,200,000) and for DMCA violations ($25,000 x 16 violations–8 for removal or alteration of copyright management information and 8 for dissemination of false copyright management information–for a total of $400,000). The total comes in at $1,600,000. [Note: media reports have varied slightly on the actual amount of the award, but based on the infringements at issue and amounts available, these look like the right figures. The verdict form was unavailable at the time of publication of this post, but we’ll post the verdict form when we get a copy of it.]

Getty’s and AFP’s decision to not settle with Morel is inexplicable. AFP is reported to have urged the jury to award the minimum amount for infringement, which is $275,000. This means that going in to the trial, they knew they had to pay at least this much. The delta between this and Morel’s maximum possible recovery could not have possibly been enough to thwart a settlement. Morel’s possible recovery was a known number–i.e., the parties all knew that a possible statutory damage award would exceed actual damages. Getty and AFP probably spent high six figures on their own fees at trial alone. Why not just put this entire amount toward settlement? It’s possible that when you added Morel’s request for his own attorneys’ fees to the mix this made settlement untenable. But this again comes back to AFP’s and Getty’s own intransigence. They should have settled this one a long time ago. The idea that jurors would be at all sympathetic to larger media entities who admittedly misappropriated a photographer’s photos, refused to immediately correct the error, then took a hard line when he complained about it, is fanciful. Interestingly, one component of Getty’s defense was along the lines of the following:

“The mistake was having photos on the website in the first place and that is copyright infringement.” [Getty’s lawyer] urged the jury that Getty is comprised of “well-intentioned people acting in good faith to right a wrong.”

If that sounds familiar, it is because that’s a typical argument raised by targets of Getty’s own copyright enforcement campaign. Getty is not very sympathetic to this argument when they are on the receiving end of it, and it’s no big surprise given the circumstances in this case that the jury did not buy it either.

This is probably not the last of this case. Getty, AFP, and the various other media entities and their insurance companies have some wrangling between them to see who ultimately foots the bill. It’s possible Getty and AFP could appeal, but I can’t imagine they would want to sink additional resources into this dispute.

Some possible takeaways from this:

  • be careful if you source material from social media (avoid any direct commercial use of this material)
  • don’t try to rely on some broad license contained in a platform’s terms of service
  • don’t be a heavy handed big media entity, and if you do, know in advance that the “we made a mistake in good faith” argument is unlikely to resonate
  • photos are different, as Eric notes below (posting a meme to reddit is one thing, but licensing a photo for money is another)

None of these are particularly shocking or surprising.

Police Officer’s Facebook Ranting Isn’t Protected by the First Amendment – Gresham v. Atlanta

Gresham v. City of Atlanta, 2013 U.S. App. LEXIS 20961 (11th Cir. Oct. 17, 2013).

[Post by Venkat Balasubramani]

Gresham was a law enforcement officer. She complained on Facebook about the alleged unethical interference by a department investigator in an arrest Gresham had made. Gresham’s Facebook page was set to “private,” but as everyone reading this blog has learned repeatedly, her friends could view her posts and “could potentially distribute the comment more broadly.”

The department had a policy that required any criticism of a fellow officer to be “directed only through official department channels.” Due to Gresham’s violation of this rule, the Office of Professional Standards opened an investigation on Gresham. While the investigation was pending, she was deemed not eligible for a promotion that came up. Gresham sued, claiming that the investigation and her promotion ineligibility were retaliation for her exercise of First Amendment rights.

The trial court granted summary judgment against Gresham, and the Eleventh Circuit affirms in a per curiam opinion. The court says that as a public employee, in order to bring a First Amendment retaliation claim, she must satisfy the Pickering test and show that the speech involved a matter of public concern and also that the speaker’s interest outweighed the government’s interest in efficient public service.

Plaintiff raised the lackluster argument on appeal that defendants did not have any evidence in support of their position. The court says that even assuming the speech in question was on a matter of public concern, the department’s interest in efficiency outweighs her interest in speech:

Common experience teaches that public accusations of unethical conduct against fellow officers would have a natural tendency to endanger the esprit de corps and good working relationship amongst the officers.

Plaintiff also argued that she took to Facebook because her efforts to use departmental channels were unsuccessful. The court says the timing of her Facebook rant (seven days after interference in the investigation) indicates that this is unlikely.

Finally, the court says in passing that plaintiff’s speech was not directed at anyone who could remedy the problem she was complaining about. Rather than bringing the problem to the attention of someone who could fix it, she was just “venting her frustration with her superiors.”

__

Ranting about your workplace on Facebook is never a good idea. That said, you wonder how she would have fared if she was a private employee. Given the NLRB interpretations that have tried to limit employers’ rights to discipline employees for speaking out on social media, she may have been able to argue that she was bringing up an issue regarding working conditions. This case may illustrate the counterintuitive current state of affairs regarding employee speech in which private sector employees have greater speech rights than public sector employees.

A final note is that a person’s possible social media audience has legal effect in often interesting ways. Here, for example, the court noted that Gresham’s audience did not consist of her supervisors and this undermined her argument that she was truly seeking to solve a workplace problem. On the other hand, the court also did not give credit to the fact that her settings were set to private. She probably could not have gotten any traction with the argument that the police department should not have seen her post in the first place. It seems that in the context of a legal dispute, your privacy settings can hurt you, but they rarely help you.