Setting the Ground Rules

640px Card Game 05

I’m working on a few transactions right now between companies in different countries (heck, on different continents), and there seems to be one issue none of my clients or their counterparts really want to deal with, and that’s choice of law. The problem is that choice of law is really important, and drafting a contract without knowing which law applies is kind of like playing cards but not knowing whether it’s poker or pinochle. It’s all cards in the end, but the rules matter.

The biggest differences are probably between civil law countries, like France and Germany, and common law countries, like the United States and the United Kingdom. As a rule, civil law countries are more likely to dictate the terms of a contract as a matter of law, rather than allowing the parties to work the rules out amongst themselves. This has the advantage of protecting the weaker partner, of course, but also the disadvantage of preventing two parties who both know and understand the terms of an agreement from getting the agreement they really want.

A good example is online terms and conditions, which are typically dictated by one party to the other without any meaningful opportunity to negotiate (essentially, a take-it-or-leave-it contract). In the US, those online terms are usually enforced largely as written (as long as they are properly entered into, which should be the subject of an entirely separate blog post). That means most if not all of those disclaimers, liability caps, and waiver stand a pretty good chance of being enforced. That’s not to say there’s no risk for the service provider in those situations, but ultimately most of the words in that contract stand a good chance of being enforced against the less powerful party.

Things are different in Germany, where you can pretty much toss out a significant chunk of some of those agreements, or at least contest them with a decent chance of prevailing. Your typical US online terms, with its lengthy, all-caps paragraphs, stands a pretty good chance of modification by the court if it comes to that. That’s not the only example of contract clauses which won’t survive under German law, and those issues can also come up in heavily negotiated contracts between sophisticated parties as well.

So, if you’re negotiating a contract with another party, work out the ground rules first, and decide which law and which courts will apply. Otherwise you may still be figuring out your meld while your opponent is putting down their royal flush.

Image courtesy of Benebiankie / CC BY-SA (https://creativecommons.org/licenses/by-sa/4.0)

Secret Service starts new Cyber Crime Task Force

Robert Warwick in Secret Service

Last week the United States Secret Service announced the creation of the “Cyber Fraud Task Force,” to focus on the investigation of cyber financial crimes. The new task force is the result of a merger of two prior groups focusing on cyber crime and financial crime respectively, and is an acknowledgement that many if not most financial crimes have a significant online component these days. After all, why bother crawling the streets with dirty, gun-toting conspirators when you can suck millions of dollars out of the world economy from the air-conditioned comfort of your parent’s basement?

In theory the new task force will allow the Service to utilize the expertise of both groups in a more coherent and uniform fashion. The Secret Service has long been involved in the investigation of financial crimes, and was originally part of the Treasury Department. Now part of the Department of Homeland Security, there are discussions in Washington about moving the Secret Service back to Treasury, however, as part of an increased focus on financial crimes.

Although this decision has been years in the making, the timing during the coronavirus pandemic is not necessarily a coincidence, given a significant uptick in financial crimes expected in the wake of efforts to keep the world economy afloat, including PPP and record numbers of unemployment claims.

Image courtesy of Wikimedia Commons, public domain.

Privacy Shield Struck Down

Marco Dente Venus Wounded by a Rose s Thorn 1930 581 Cleveland Museum of Art tif

Max Schrems has become quite the thorn in the side of United States business, and it’s just gotten worse.

The European Court of Justice today struck down the EU-US Privacy shield, one of the two primary methods by which European companies can transfer personal information of EU citizens to the United States. Otherwise, under Europe’s strict privacy laws, personal information cannot be transferred to the United States due to US laws requiring disclosure of data for civil litigation, law enforcement, and national security purposes. Those US laws conflict with the rights granted to EU citizens under the European General Data Protection Regulation (GDPR).

The alternative, standard or “model” contractual clauses, are both unwieldy and not terribly well suited to many kinds of data transfer. They also impose risks and obligations which are unpalatable to many US companies, particularly those involving large amounts of data. More importantly, those are also under fire, given that certain of the provisions in those contracts conflict with US law and are not enforceable as written.

This is the second victory for Mr. Schrems, an Austrian privacy advocate whose first lawsuit challenging the sufficiency of the Safe Harbor arrangement between the United States and the EU, was struck down in 2015.

Venus Wounded by a Rose’s Thorn by Marco Dente, Courtesy of the Cleveland Museum of Art, Public Domain

Stopping a horse is harder than you think …

Horse Running Without Jockey

There’s been a lot of news about the attempt by Robert Trump, brother of President Donald Trump, to block the publication of niece Mary Trump’s book on the family’s internal dirty laundry. Just this evening, a judge denied Robert Trump’s request for a preliminary injunction against publication, meaning the book should start shipping tomorrow absent some last-minute intervention.

A preliminary injunction is a temporary order which attempts to preserve the status quo until a dispute can be decided on the merits. In order to obtain an injunction, not only does the plaintiff have to show that he or she will likely prevail on the merits of the case, but also that the plaintiff will suffer “irreparable harm” if the injunction is not granted. That’s where many if not most attempts to seek an injunction fail – for the most part, courts assume that most commercial disputes can be resolved by the payment of damages afterwards, and will only grant an injunction where that’s clearly not the case. This court, at least, was not persuaded otherwise.

In this instance, the issuance of a preliminary injunction was further complicated by the First Amendment. Generally speaking, the United States Constitution does not permit what is called a “prior restraint” on speech, since a government actor (the court) cannot normally take steps to prevent speech before it takes place. They can, however, make the speaker liable for any damages caused by the speech after the fact, so Mary Trump may join John Bolton in the list of Trump tattlers who face legal action long after, as two judge have now put it, “the horse is not just out of the barn, it is out of the country.”

Image: Horse Running Without Jockey by Paolo Camera (Wikimedia Commons)

Arbitration clauses under fire in Canada

Amsterdam NL Begijnhof

Oh, Canada.

Last month, the Canadian Supreme Court issued an opinion in Heller v Uber, a case brought by an Uber driver in Canada seeking classification as an employee rather than an independent contractor. There are a lot of those cases around the world and, while interesting, Uber’s somewhat controversial business model isn’t normally a relevant subject for this blog. What is interesting for the rest of us, however, is the court’s treatment of the arbitration clause, and the no-so-faint signs of life of the “unconscionability” clause in Canada.

You see, the arbitration clause for this California-based company contained a requirement that disputes with drivers be subject to arbitration in the Netherlands. Does that seem reasonable to you? No? Well, apparently the court didn’t think much of it either, so rather than exercise the deference courts often have for these types of agreements, they decided to delve a little deeper. You can read about the details here or in the court’s opinion, but the real takeaway for companies doing cross-border business with Canada is the court’s analysis of the applicability of arbitration clauses in international transactions and the doctrine of unconscionability. The court reached two important conclusions:

  • First, the court decided that it had jurisdiction to review bona fide challenges to the arbitration clause if the question was otherwise unlikely to be resolved. In reaching this decision, the court noted that upfront costs of $14,500 US and the burden of arbitrating a relatively small claim thousands of miles away meant that the plaintiff’s challenge to the arbitration clause would probably never be heard.
  • Second, the court reviewed whether the transaction was “unconscionable,” in other words, whether there was a significant difference in bargaining power and whether that difference was likely to significantly disadvantage the weaker party. Perhaps unsurprisingly, the court did in fact decide that a single Uber driver was the weaker party, and was disadvantaged in his deal with the multinational Uber Technologies Inc., given that the fees alone equalled his annual income from his contract with Uber.

We have to be careful in applying this case to normal e-commerce transactions, since it is on some level employment-related, and both courts and laws are tend to be very protective of a person’s livelihood. That being said, it’s a reminder that arbitration clauses are already viewed with some skepticism by courts and lawmakers, so it’s important to make sure the arbitration clause offers a realistic avenue to resolve disputes.

I can’t help but think that the nail in Uber’s coffin here was choosing the Netherlands as a place of arbitration rather than the neighboring United States, since that smacks of a decision to make the already unpalatable prospect of arbitration in a faraway place completely unrealistic. Unfortunately for the rest of us, in choosing the Netherlands, Uber might have opened the door to other challenges to cross-border arbitration clauses. Indeed, the dissenting justice makes this exact point, noting that this exception to the general rule that decisions on arbitration be left to the arbitrator will undoubtedly lead to more attempts to undermine that general rule. To the extent those challenges succeed, they will also limit the usefulness of arbitration clauses in Canada, particularly in cross-border transactions.

Hat tip to Ryan Flewelling of DS Avocats in Ottawa, Canada for pointing me in the direction of this decision. Or maybe, since it’s Canada, hat trick? Go Flyers!

Image courtesy of Dietmar Rabich, Amsterdam (NL), Begijnhof — 2015 — 7215-8, CC BY-SA 4.0 (Wikimedia Commons)

New opportunities for owners of generic domain names

Screen Shot excerpt from booking.com homepage

Much to the chagrin of companies which have built a brand based on a name plus the top level domain .com, like booking.com or cars.com, the US Patent and Trademark Office has long denied applications for trademark based on those domain names. The Supreme Court changed that last week with a ruling which states that the term Booking.com is eligible for trademark protection even though the term “booking” on its own is clearly generic.

What this means is that a host of other “generic.com” domains (like cars.com or wine.com) will become eligible for trademark protection as well. Unfortunately, what it also means is that those generic words will become more difficult to use in everyone else’s domain names, since trademark holders will try to prevent any similar use of those words (like cars or wine) in a domain name at all. The majority seems pretty unimpressed by that concern, but given that the mere threat of a trademark infringement case can be very risky for a small business it’s definitely a practical concern for them.

It remains to be seen exactly what circumstances will be seen to render a generic domain name protectable, since the Supreme Court didn’t articulate a hard-line rule. If we look at the booking.com domain name, however, the following factors certainly weighed in the company’s favor:

  • The company has consistently referred to itself as booking.com, including the domain extension, rather than booking or any other name.
  • The company’s logo also includes the .com, seemingly without exception.
  • Consumers also clearly know the company as booking.com, and do not think of that as merely a domain name to get to the company’s site.

It’s important to note that this decision doesn’t change the fact that a domain name itself is not considered “use” under trademark law, so companies who hope to trademark their .com domain name will want to make sure that use can be demonstrated separate from the purely functional use of accessing the website using a browser.

If you’re the proud owner of a generic domain, it’s time to make sure your branding reflects the entire domain name, since that could be the difference between a registrable trademark or just a domain name.

Why Section 230 really matters to business

1280px Illustration of 1904 patent for catcher protector

Protection doesn’t have to be attractive to be effective.

There’s a lot of discussion in the US political arena about Section 230 of the Communications Decency Act (CDA). Much of it is, frankly, wrong, but I’m not here today to tell you about why I think that to be the case. I do want to tell you that, if you have an online business and you accept any content whatsoever from third parties, Section 230 offers critical protection to your business and you need to consider whether you want that critical protection to disappear.

When the internet was young, there was a period where the liability of online service providers for third party content was unclear. One of those, CompuServe, decided on a completely hands-off approach, taking absolutely no steps to control what was posted by whom, in large part to avoid liability for being in any way involved. Another, Prodigy, differentiated itself by moderating content to ensure that “bad” content didn’t reach its users. Both were sued, and CompuServe’s hands-off approach was vindicated, whereas Prodigy’s approach was not. From that point on the common wisdom was that, to avoid liability, platforms should remain completely neutral and not meddle in any way with third-party content. Any moderation of third party content at all increased the risk of liability.

As you can imagine, a completely unmoderated internet rapidly began to move from interesting source of information to unmanageable dumpster fire. In an effort to reign things in, particularly with respect to pornography and defamation, Congress passed the Communications Decency Act (CDA). And now the internet is free of both …

That’s not what happened. What actually happened is the CDA was found mostly unconstitutional, but Section 230 of CDA survived. Section 230 states that “interactive computer services” would not be treated as the “publisher or speaker” of a third party’s content. In other words, the law made it safe for companies to allow customers or others to publish content on their websites or using their systems, and ensured that the company wouldn’t be held responsible for anything which was said (for the most part). That clearly benefits the YouTubes and Facebooks of the world, but it also benefits anyone who allows third party content onto a website.

For example, I’m responsible for anything I write on this blog, for better or worse. This blog allows comments, however, which means that third parties can effectively post their content to my website. Under Section 230, if my son decides to comment on my blog to say something nasty about the famous soccer player Cristiano Ronaldo, Mr. Ronaldo can sue my son for defamation but he can’t sue me (at least not successfully). Equally important, when I make the decision to delete my son’s comment I can do so without losing the liability protection Section 230 provides. In a pre (or post) Section 230 world, that’s not necessarily going to be the case, and I’d have to seriously consider turning off the ability to comment. The same applies to almost any website with interactive features, from comments to customer ratings, discussion boards to help boards, and pretty much any other online content which is sourced from more than one person.

There are limits on the liability protect Section 230 offers, especially with respect to intellectual property, but it’s really the law which has allowed the internet of today, with all of its warts, to come into being. Without Section 230, much of that would become fraught with risk. That risk would force many providers to shut down those interactive features altogether, and companies would lose a very critical source of information and communication about their customers and products. Realistically, it would also increase the near-monopoly power of those large service providers who can afford to wrestle with the liability issues which would arise, like Facebook and Google.

Section 230 isn’t perfect, no law ever is, but unless you want to lose the ability to interact with your customers online it’s extremely important.

EFF has a brief article on CDA Section 230 which explains in some more detail the protections offered by Section 230. Verge has provided a summnary of the history of Section 230 and the potential harms of some of the proposed changes. As always, for details on Section 230 and an excellent treatment of some of the specific issues outlined above see Professor Eric Goldman’s Technology and Marketing Law Blog

Think you can’t be sued in the US?

Older seated man with younger standing man

“I’m telling you Dad, you shouldn’t use AWS for your new website.”
It should come as no surprise that the internet has thrown old rules of jurisdiction (a fancy word for where a lawsuit can successfully be brought) into question. Courts are – somewhat understandably – hard put to determine when businesses from far-flung countries should be hauled into court in the US, particularly given the complexity of the technology and the huge numbers involved when dealing with successful websites.
Professor Eric Goldman reported recently on a case which could mark a watershed change in US court’s jurisdiction over foreign defendants if it were to become the norm. The case involves copyright infringement, the source of many not-great legal rulings, and appears to stand for the proposition that targeting advertising to the US plus the use of US service providers may be sufficient to confer jurisdiction in the US. Given the premier position of many US service providers in the internet infrastructure, that’s a big deal.

In short, the court held that the owner of two websites based in Russia may be subject to jurisdiction in Virginia because the defendants: (1) targeted a significant amount of marketing to Virginia (which is relative, since it was only about 0.2% of the defendant’s worldwide audience), (2) used a US-based registrar and cloud services provider, and (3) registered a DMCA agent with the US Copyright Office. While the defendant in this case may not be an overly sympathetic character, that logic could be used to subject almost any ad-driven multinational website to jurisdiction in the United States, particularly given that the volume of business in Virginia, while significant, was a very small fraction of US traffic (to say nothing of total traffic). It’s definitely a red flag for companies providing services from outside of the US who aren’t intentionally targeting US consumers.
For international companies looking to stay out of the reach of US courts, there are definitely a few lessons to be learned here:

  1. Know where your ads are displayed. Many companies outsource a lot of their social media targeting, understandably, but if you want to avoid US jurisdiction you need to keep an eye on where your ads are being shown and, how they are being customized for a particular market. Courts are clearly considering these issues so it’s important you aren’t wasting advertising spend on markets you may not want to be in, for legal reasons or otherwise. You may decide to take the risk of selling in the US, but it should be a knowing decision rather than something which simply happens.
  2. Use non-US service providers. Although US providers like Amazon and Google may be ubiquitous, they may not always be the best choice. If you want to reduce your contacts to the US this is probably the easiest place to start, since there are domain name registrars and cloud service providers all over the world. They may not be as well known, but unless you absolutely must use a US provider it’s worth taking a look. As a bonus, you might also increase your compliance with GDPR and other international laws which US providers aren’t terribly keen on following. Your non-US customers might actually appreciate it.
  3. Reconsider the DMCA. This is a more difficult decision to make. Whatever its faults, the DMCA actually protects online companies from liability for content uploaded by customers, so it’s generally better to have a registered agent and follow the DMCA notice and counter notice regime where possible. That analysis might change, however, if the cost of that protection is general jurisdiction in the US for unrelated lawsuits.

It’s almost impossible for online marketers to avoid all contact with US providers, but it’s important to understand some of the risks which may accompany those providers and eliminate those risks where possible.

If you want more detail on this case, check out Professor Goldman’s post. As an aside, if you are active in internet marketing and the law, you really need to be reading that blog on a regular basis anyway (although keep checking back here as well!).

Image from Wikimedia.

Is your website ready for prime time?

Medieval monk sitting at a writing desk

Time to get to work!
Since we’re all at home trying to figure out how to make money while away from the office or, even worse, bricks-and-mortar store, this is a good time to think about updating your website. Many businesses with an online component are holding on pretty well under the circumstances, and some are even thriving, possibly at your expense. Here are a few ideas to get you started!

  1. Update your information. Ok, this one is pretty obvious, but it’s important that people know how to get in touch with you, whether you’re open or not, and how they can still buy your services. If they weren’t able to buy your products online, that probably needs to change. Strictly speaking, that’s not a legal issue, but it’s probably the most important issue you have to deal with if you’re going to keep your business afloat!
  2. Update your Terms and Conditions (or Terms of Use). No matter what you call them, your terms of service lay down the ground rules for your online presence, so it’s critical that they are binding on your customers and that they accurately spell out what you are and are not responsible for. If you don’t have one, you need one, especially if customers can order products or services via your website. This is important, so there will be more detail in a later post, but for now just make sure you have one!
  3. Update your Privacy Policy. There was a time when privacy policies, like terms and conditions, were optional, but now it’s pretty much a must-have. Like terms of use, there are many different privacy policies to be found online, it should accurately state your real policies and processes, so yes, you’ll have to read and revise it accordingly. Unfortunately, privacy policies, even more than terms of use, need to be customized for your audience under state, federal and international law, so if you are selling financial services, or targeting children, or Europeans, or selling the data of California residents you’ll need to customize your privacy policy accordingly. We’ll deal with the alphabet soup that is privacy policies (or “statements”) under the GDPR, CCPA, and other laws later, but for now you still need one.
  4. Register a DMCA Designated Agent. There’s a lot wrong with copyright law these days but, for website owners, the Digital Millennium Copyright Act (DMCA) isn’t one of those. Basically, if you follow a few simple rules and procedures you can be sure that you won’t be held liable for copyright infringement by a contributor to your website. That’s any contributor, from the one-time guest post to a regular contributor or even customers who upload photos and other content to your website. I’ll outline those DMCA rules separately, but to start with you need to register a DMCA agent with the United States Copyright Office. It’s very easy, very cheap, and could save you a ton of money if it’s ever needed. A DMCA notification and takedown policy on your website is a good idea, but not strictly necessary. You can even put it in your terms of use if you’d like. As for those rules, I’ve covered those in a separate article, but you really won’t need them unless and until you receive your first notice, so for now just get yourself registered.
  5. Improve compliance with the Americans with Disabilities Act (ADA). To generalize wildly, the ADA mandates that all “places of public accommodation” be made accessible for the disabled. Unfortunately, it’s very unclear how that applies to websites, but given the number of lawsuits filed under the ADA in recent years you pretty much have to assume it does. While there’s no black-letter law on what constitutes compliance with the ADA, the general consensus is that website owners need to comply with a standard called WCAG 2.0 AA. While that standard is way too complex to outline here, and there’s no single tool to make you website compliant, you can start with a few simple tasks like making sure there’s alternative text for all images, adding text for any videos or audio presentations, adding text for form labels so it’s easy to tell what goes in each field, and making sure all pages and links have headings or descriptors which accurately describe the content. Focus on the real meat of your website, since it’s more critical that the disabled be able to access your services than it is for them to know that you also like to hike the Andes when you’re not at work.
  6. Cookie Policy. You may or may not need a cookie policy. They are particularly necessary when selling to Europeans, in which case you probably need an opt-in mechanism as well (like those annoying banners which pop up all over the place when you are browsing certain websites). The CCPA is a little less antagonistic towards cookies, but even under CCPA a disclosure at the point of collection, ideally with an opt-out mechanism, is the minimum for legal compliance. At the very least, make sure your privacy policy outlines where and how cookies are used, especially if you are using Google Analytics or third party ads, since that’s relatively easy. Adding banners and opt-ins may require the assistance of your web developer.

That should be enough to keep you busy for a while!

In all seriousness, though, just pick one or two of the above items and get started – many of those items are pretty straightforward unless your site is very complicated, and some (like registering a DMCA agent or taking some steps to make your website more ADA compliant) could save you tens or even hundreds of thousands of dollars in legal fees and damages in the future.

Drafting a Temporary Work From Home Policy

There are many differences between the working-from-home which is required during a health emergency and normal telecommuting. For most companies which are not virtual, the telecommuting policy is intended for folks who want (or at least expect) to work at home and who are presumably properly equipped to do so. Those policies are also underpinned by the notion that the telecommuter has an appropriate space to work in and can come to work if he or she wants to. Employees who don’t normally telecommute aren’t used to working at home, and may have a difficult time drawing the line between work and home life. They also aren’t necessarily thinking about the difference between their normal home activities and work. Finally, if you are making exceptions to your normal business rules and processes just to keep things up and running, your employees need to understand that those are exceptions rather than the rule.
With that in mind, you need to communicate your expectations for employees who are working for home clearly, using a temporary or emergency teleworking policy. Below are some of the most important considerations for such a policy.

  • Wages and Hours. First, and perhaps most important, you need to set expectations with respect to hours worked. As noted above, some employees will work too little, but others may work too much, leading to unexpected overtime costs and possible ill will. Some employees will be expected to be at their desks during normal working hours but for many, with kids at home and other distractions, will require more flexibility than that. If your business needs permit, try to offer that flexibility, while reminding employees of any limitations. One compromise which can work well is the concept of “core time,” in which you provide a set of hours where everyone is expected to be available, but allow the employee to flex the remaining hours of the day accordingly. So, for example, you might ask all employees to be available and working every day from 10:00 am to 2:00 or 3:00 pm, but allow them to flex their time outside of that range so they can help with homework, cook, or whatever.
  • Confidentiality. You’ll want to remind employees that company information should be kept confidential, and that documents and other confidential materials should be properly stored away from prying eyes at home. Most kids aren’t espionage agents for a foreign power, but kids can and will read stuff which is lying around, and if it’s interesting in any way they may well talk about it with friends.
  • Expectation of Privacy. This probably deserves its own post, but this is probably a good time to remind employees that their use of company resources may be monitored, even if the laptop is on the dining room table at home. That’s particularly critical for employees who are using their own equipment, since they may not be thinking of “privacy” the same way they would at work.
  • Cybersecurity. On a related note, employees using their own equipment should be reminded to use good security practices, including the use of encryption and virus protection as well as the use of any company-supplied network access or other tools. This is also a good place to remind employees about the proper use of any software you’ve allowed on a temporary basis, such as remote file storage or messaging or video apps. If you’ve set up company accounts with cloud providers for things like Dropbox or Google, remind employees that they are required to use the company-supplied accounts rather than their own accounts, and that all substantive discussion of work topics should be done using tools which ensure that they are preserved going forward.
  • Office Supplies. The policy should also advise employees as to how they are to obtain or replenish any office supplies which are needed. Should they order directly and request reimbursement or use a company account? Will the company handle orders and deliver to the employees house? It’s better to address these issues before the $200 expense report for office supplies is on your desk for payment.
  • Disclaimer of Liability. Finally, you’ll want to disclaim liability for anything which happens at the home outside of work hours. After all, worker’s compensation disputes get tricky when the workplace is the home, especially on a provisional basis, so it’s important to draw boundaries between the company’s responsibilities and the employee’s.

Finally, you should remind employees that all other conditions of work still apply. After all, work from home is still work, whether any of us like it or not.