DMCA – A few things to remember

In the last post, I told you how to prepare a DMCA Takedown notice, but I also mentioned a few caveats. Some of those are:

  • As I’ve said before, make sure you have all of the elements of the notice. It’s really not that hard.
  • In a similar vein, don’t lard up the notice with a ton of extraneous language. Lawyers in particular love to do this, but typically it just makes things more complicated for anyone who has to read it and slows the process. Often, the longest letters also leave out critical elements, which means they are actually less effective than a straightforward, simple notice. No one needs the back story – if the item is infringing we don’t need to know that the website belongs to your Uncle Max, who snuck the photo from your grandmother’s basement.
  • The DMCA is a pretty easy way to take down content which is copied, but that also makes it tempting to use for items which you want removed but for which you do not actually have the copyright (e.g., that unflattering photo of you which was actually taken by someone else, or that photo in your grandmother’s basement which you probably didn’t take). You can be held liable for false or inaccurate DMCA notices, so keep that in mind.
  • The DMCA is not for trademark complaints, although some service providers ask for a trademark notice which incorporates some of the elements of the DMCA. Don’t be surprised if a DMCA notice for a trademark matter doesn’t result in an immediate takedown (or any takedown at all).
  • While DMCA notices are most often sent to web hosting companies (and Google), anyone who has third-party content on their website, from comments to contributions, can and should register a DMCA agent. Before sending a cease and desist to a website, consider whether the content is actually the website owners and, if not, check to see if they have a DMCA agent
  • Unfortunately, people intent on copying online materials will often change providers as soon as the first notices are received, so before sending that angry followup to the host make sure the materials are still hosted with them

Unfortunately, as many frustrated writers and photographers have found, combating copyright infringement online resembles a game of whack-a-mole, so you may have to prioritize your copyright battles accordingly.
Next, we’ll find out what happens after your notice arrives at the web host.

DMCA – The takedown notice

DMCA removed notice

Since we’re on the topic of the DMCA, I thought I’d put together a primer on the DMCA takedown and notice procedures. As I mentioned in my last post, the takedown procedure offers a quick way for copyright holders to have their materials taken offline while reducing the risk for internet hosts and service providers – with caveats. We’ll cover the caveats later, but for now we’ll focus on the takedown notice, which notifies the host or ISP that there is infringing material on a website which they host. The takedown notice is addressed to the service provider, not the actual infringer, and will be forwarded by the service provider to its customer.

The takedown notice must include the following:

(i) A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

This is pretty easy – anything which you intend to be a signature can be your signature. A scan will do, your name typed and preceded by /s/, just your name, or, in the right circumstances, even an “X” will do. As long as it can be construed as a signature it will probably suffice.

(ii) Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.

This is the stuff you want removed, typically in the form of a URL leading directly to the infringing material. If there are too many to list, you can reduce it down to a reasonable sized list, but remember the host should be able to find those materials reasonably quickly – you can’t just point to the home page and say “it’s here” unless the entire home page is a copy of your materials. If the infringement is only a small portion of the page or site, consider providing a pdf with the infringing materials circled or highlighted.
Don’t list your own copyrighted materials here, or you risk having them removed. That’s like what my brother did a few years back when he called the city to have a car towed and inadvertently reported his own car, then in an effort to correct it he reported his car again. He then had to move his car. Don’t do it.

(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.

In most cases, this is where you’ll provide links which show your materials in their original location. Again, a host should be able to look at the pages listed under (ii) then look at the list under (iii) and, without too much effort, see what is allegedly infringing. Use a list of URLs where needed, and an attachment showing the exact location of the original photo or text can be helpful where appropriate.
If your content isn’t online, provide enough information for the host to verify in some way that the materials are yours. I’ve seen links to books on Amazon, citations for published papers, and even scans of documents attached to DMCA notices – as long as the host has something credible to rely on it should suffice, and if it doesn’t they’ll likely let you know so you can supplement the notice with additional materials.

(iv) Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.

This should be pretty self-evident, but it should really be more than just a reply-to address in an e-mailed complaint. A DMCA notice with contact information which is intended to avoid disclosing the identity of the complainant may be ignored by some service providers.

(v) A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

These two requirements seem to confuse people, but in reality it’s easy (and required). You simply have to parrot these two lines in your notice, e.g. “I have a good faith belief …” and “The information in this notification …” Whether you think it makes sense or not, these two statements are required, and leaving them out (or creatively rewriting them) can render the notice ineffective.

Some people (often attorneys) feel the need to lard up their notices with everything from copyright registration information to all sorts of creative reservations of rights or nasty threats. None of that is necessary, and much of it is superfluous. If the notice is proper, in order to benefit from the immunity provisions, an ISP has to either remove the materials or ask for clarification (if certain elements are present but the notice is not entirely in compliance with the law). If the notice is non-compliant it can, and probably will, be ignored.

Too much information … information … information

German letterhead schematic

One of the questions I’m asked all of the time is one which no one on this side of the Atlantic Ocean would ever expect, and that is, what are the legal requirements for business letterhead in the US? The answer is, there are none, usually accompanied by a vaguely perplexed look. That’s not entirely true, as I’ll discuss below, but it’s pretty darn close. But first, why the question in the first place?

Perhaps unsurprisingly, Germany does regulate the content of letterhead, as do most European countries to one extent or another. Although the requirements differ for different types of corporations, German letterhead (Briefbogen) typically includes the company name and address, the court at which the company is registered, the company’s number in the corporate registry (Handelsregisternummer), and the managing directors or officers of the corporation. Germans also typically include their complete banking information, including the IBAN or similar bank number and account.

In the US, in contrast, letterhead is typically limited to the company name, address, phone numbers, and website address. personalized letterhead may also include an e-mail address or other contact information, and occasionally letterhead will include a slogan or information about the company’s productions. That’s typically it – no additional information is required or expected. In fact, you can leave most of that information off if you really want, although it may not make as professional an impression.

While not a requirement under the law, it is advisable for companies to include their full legal names somewhere on the letterhead, including “Inc.” or “LLC” or whatever, to clearly indicate to the recipient of any correspondence that they are dealing with a limited liability business entity. Certain industries include additional information by custom (e.g., law firms include the names of partners in the partnership), but that’s not a legal requirement.

It’s also important that the letterhead not be deceptive – while you don’t have to include any particular information on your letterhead, the information you choose to include should be accurate and clear.

So, to be clear, you do not need your EIN (tax number), directors, officers, or bank information on your US letterhead. In fact we recommend against it, because that’s just information that scammers can use to try and social engineer their way into your company bank account.

For more information about German letterhead requirements, see this summary from the Hamburg Chamber of Commerce (in German) or shoot us an e-mail.

Hey, I’ve lost my company’s domain name!

The registration system for domain names isn’t really set up for corporate ownership, since the “owner” of a domain name is typically the person who is listed as registrant rather than the corporation. The down side of this system is something we see all the time, particularly with small companies – a domain name is registered by a well-meaning, tech-savvy employee (all too often in his or her personal account) and, when that employee moves on, the company is stuck without control over critical domain names and related accounts. If the employee is fired, it’s even worse, since the now-disgruntled employee may well have control over the company’s entire online presence for an indeterminate period of time.

While there’s no silver bullet here, there are a few best practices which make it easier to regain control over a domain under the control of a wayward (or simply unreachable) ex-employee. Those are:

  • Make sure the company name and address is listed as the Registrant, along with the name of an officer who is most likely to remain with the company. The tech savvy employee can be listed as administrator, to facilitate management of the domain without jeopardizing ownership.
  • Corporate web assets should be held in an account which is in the company’s name and paid for with a company credit card, and should be kept separate from other business or personal websites and domains.
  • Have an agreement in place making it clear that, upon termination of employment for any reason the domain name registrant and admin are to be changed to an officer of the company’s choosing. Ideally, this should be in a standalone agreement so you can provide it to the registrar without divulging hiring or salary information.
  • Make sure renewal notices and the like go to a generic e-mail address, ideally one which is monitored by more than one person, so that termination or resignation of an employee doesn’t result in a lapsed registration (although there are downsides to this as well).
  • Make sure someone other than the admin knows the password to the account (but be judicious, you also don’t want the password becoming generally known). For particularly active accounts, you may want to request a regular update confirming the password and listing all domain names along with expirations dates for the corporate account.
  • Make sure all domains are registrar locked against transfer and deletion

The above isn’t foolproof, since a knowledgeable or well-placed employee can manage to retain control no matter what the circumstances, and given that registrars differ in how they handle requests relating to domain name ownership. Also, be aware that some of the above suggestions may have downsides as well, so consider what’s best for your organization when determine who has access to accounts and how.

Disability-related lawsuits find new targets

Since at became law in 1990, there’s little doubt that the Americans with Disabilities Act (ADA) has helped make public buildings and businesses more accessible to the disabled. At the same time, however, brick-and-mortar businesses have long complained about the cost of ADA compliance, and claim that many ADA-related lawsuits are more about making money for lawyers than about actually increasing accessibility. Now that most shopping has moved online, lawsuits have begun to extend the ADA to websites and other online services, concepts which really didn’t exist at the time the law was passed.

For example, Home Depot was sued in 2015 by a blind Pennsylvania man alleging that the Home Depot website relied too heavily on images without the alternative text and descriptive links required to allow access by the sight-impaired. The same plaintiff had filed at least 68 similar lawsuits targeting online retailers. Companies from Target to eBay have been sued for ADA issues, and many companies have paid out millions to the government or class action plaintiffs, in addition to the cost of becoming compliant after the fact. Now, plaintiffs’ lawyers have begun targeting platform providers, in what may well result in a new wave of ADA litigation against the internet’s infrastructure providers.

While it’s increasingly clear that internet accessibility is required under the ADA, it’s less clear what constitutes an accessible website. Here are some of the steps you can take to make your website more accessible and less likely to result in a lawsuit or legal liability:

  • Perform a website audit, to determined what aspects of your website might not meet reasonable accessibility standards.
  • Update your website to comply with the Web Consortium’s Web Content Accessibility Guidelines 2.0 (WCAG), currently the closest thing there is to an accessibility standard under the ADA.
  • Make sure your development and design policies include guidelines for continuing WCAG compliance, since it’s all too easy to lose sight of accessibility in the stress of a new site or product rollout.
  • Train customer support and technical personnel to understand and facilitate use of your website by disabled customers, and to be sensitive to the needs and complaints of disabled users.

Although the Department of Justice is expected to issue guidelines some time in 2018, it’s probably not a good idea to wait. In addition to good risk management, it may well be good business, to keep both your disabled and able-bodied customers happy.

Do I really have to worry about the new European privacy rules?

Is it finally time to pay attention to European efforts to regulate privacy? At least according to pwc, the answer is yes.

Let’s face it – many Europeans regarded the former “Safe Harbor” as a loophole big enough to drive a truck through, and many US companies quietly agreed by effectively ignoring it. The GDPR is an attempt to address that more effectively, at least with respect to American companies with assets in Europe, particularly behemoths like Google and Facebook. As of May 25, 2018 most processing of European personal data will have to comply with the GDPR (General Data Protection Regulation), including processing by US-based companies. There are a few reasons for US companies to be more concerned about the GDPR than previous efforts to regulate privacy:

  • The GDPR has the effect of law, without the need for individual (and often inconsistent) country legislation.
  • All businesses which “target” EU nationals are subject to the regulation, no matter where they are based.
  • The fines have been increased significantly and can be tied to worldwide revenue, to ensure that they are meaningful for even the largest of companies.

Of course, it’s easy for EU officials to threaten Google, which has at least four data centers located in the EU, each presumably worth many millions of dollars. It’s a little harder for them to penalize US companies which don’t have assets on the ground in the EU, particularly given that US courts are likely to be skeptical of attempts to enforce the regulation against companies with no offices in Europe. So, how do you know if you should be worried about the GDPR? If you answer yes to any of the following you need to start getting your privacy house in order:

  • Do you have assets in Europe? As already noted, you should be GDPR compliant unless you’re willing to kiss those assets goodbye without compensation.
  • Do you have personnel in Europe? Even with limited assets on the ground, you need to consider the risk to your employees, and the subsequent risk to your company if they are penalized and decided to sue.
  • Is the European market is important to you, or is it expected to be important to you in the future? Obviously, an adverse judgement in the EU could result in loss of any European-based revenue, to say nothing of the loss of customers due to bad publicity.

Notwithstanding the hype, companies with no footprint in Europe and minimal aspirations of success in the European market probably have little to fear from the GDPR. That being said, given increasing concern over privacy on this side of the ocean, even those companies may want to consider implementing some of the GDPR requirements, to minimize any penalties and to make compliance easier if and when it becomes necessary. Besides, better privacy practices may well make business sense for a lot of US companies.

You’re running out of time!

Painting of boy holding a turkey

Quick, I have dinner, you handle the rest!
When I say you’re running out of time, you may think I’m referring to time needed to buy presents, drawing the absolutely incorrect conclusion that I have not yet purchased a suitable present for my wife. I have. It’s just that she changed the ground rules on me and … oh, never mind, that’s not what I meant anyway.
What I meant is that you’re running out of time to register your DMCA Designated Agent under the new system we reported on earlier this year. Like it or not, agents designated under the old system are no longer valid starting January 1, 2018, so if you are in any way hosting third-party content you’ll want to register a new agent under the new system.

It’s not terribly difficult, so cruise on over to the US Copyright office’s website and register. You’ll need the following information for both the designated agent and the owner or operator of the website (which may or may not be the same):

  • Name
  • Address
  • Phone number
  • E-mail address

Oh, and you’ll need a credit card. You can’t use mine, I have a little more shopping to do.

German court decides Parents can’t access deceased child’s Facebook account

Facebook

A German appeals court has decided that the Facebook account belonging to a deceased minor cannot be accessed by the deceased minor’s parents, according to German business website Handelsblatt. A couple in Berlin sued for access to the Facebook records of their daughter after she was killed by a subway train in Berlin, hoping to find clues as to the events leading up to her death. They were particularly interested in the chat records, which they thought might provide clues as to whether the daughter’s death might have been a suicide.

The lower court decided for the parents, determining that the Facebook account was part of the deceased minor’s estate. In deciding to appeal, Facebook, the subject of much criticism in Germany for its handling of data privacy, found itself in the unusual position of defending those same rights. The appellate court decided against the parents, and refused access. It appears likely that the parents will appeal the decision.

In the United States, Facebook generally does not allow parents access to a child’s account, deceased or not. Facebook does allow parents to request that the account be terminated, rather than leaving it online in “memorialized” mode, and in rare instances Facebook will honor requests for account data by parents or other authorized individuals.

At the rate we’re going, we’ll soon be traveling with books and cassettes

Image of music cassettes

Let’s not go here again
As I watched the luggage carousel spin slowly around I was pretty well aware what I would see there – nothing, or at least nothing which belonged to me. We had barely made our connection in Frankfurt, after circling for hours, and the only thing which made it through to Philadelphia was a cat. I don’t even like cats.

No problem, right? We could just run out and buy luggage on the airline’s dime.

Or not. Airline liability for lost or damaged baggage on international flight is regulated by a treaty called the Warsaw Convention, which limits airline liability for checked baggage significantly. According to Delta’s website, that’s $9.07 per pound up to a maximum of $640. Normally the answer is simple – if it’s valuable, don’t check it. The proposed ban on laptops and tablets for flights to the US from Europe, however, adds a new wrinkle to that otherwise simple advice, since most business travelers don’t really have an alternative to traveling with a laptop. Most road warriors won’t be terribly happy about seven to nine hours of lost work time, to say nothing of that low-res airline entertainment. They’ll be even less happy if they can’t retrieve the laptop at the end of that long flight.

The bigger issue, of course, is security. A lost laptop means lost data, and lost data can result in all sorts of headaches depending on what’s actually on the laptop. While encryption can limit the damage, that still won’t compensate for the loss of productivity for business travelers who depend on their laptops for their daily work.

While business travel won’t stop, the laptop ban combined with other issues which make international travel more onerous may well hit the bottom line of airlines with international routes. It will also increase the interest in everything from insurance for lost luggage to rentals of laptops and similar equipment overseas (which brings with it additional security concerns). Some frequent travelers may even consider storing electronics at offices or apartments overseas, to ensure that they are able to get back to work quickly upon arrival.

In the grand scheme, however, Skype begins to look pretty attractive when the alternative is eight hours of airline entertainment or watching TV on a cell phone followed by a full cavity search on arrival.

Of course, you could always fly via Canada.

State of Incorporation

Europeans often think that they are catching up to the US, at least in terms of harmonized and consistent laws, but in many instances our system is actually more federalized than that of Europe. Whereas you can now form a European corporation, US corporations are formed under the laws of a particular state, rather than under the federal (United States) law. Typically, that means you’ll have to decide between the state in which you’ll actually be headquartered or operating (assuming you know which state that is) and one of the states which has advantageous tax or corporate laws for corporate formation.

Traditionally, Delaware has been the first choice of most corporations because of its favorable tax and corporation laws, but other states such as Nevada, Alaska, and Wyoming have also been trying to get into the lucrative business of corporate services in recent years. If you’ll be operating completely within the border of a single state, you might as well incorporate in that state, but most German businesses are seeking to sell throughout the United States so a Delaware (or other law-tax state) corporation will be more advantageous. There is no equivalent to the European Corporation (SE) in the United States, so every US company will have to choose a state of incorporation.

Even more confusing, if you will be operating in a state outside of your state of incorporation you will have to file for authorization to do business in that state (or those states) as a foreign corporation. That’s right, a Delaware corporation doing business in California or even neighboring Pennsylvania is considered “foreign” for the purposes of state law, just as a German corporation would be, and may have to register as a foreign corporation. Although state laws regarding filing for authorization differ, it’s a safe bet to say that if you’ll have employees or physical assets based in a particular state you’ll be required to register in that state.

So, for example, if you form a corporation under the laws of Delaware, but will have your offices in New Jersey, you’ll form the corporation in Delaware and then file for authorization to do business in New Jersey. If you also have branch offices in California and North Carolina, you’ll need to file for authorization in those states as well. Filing for authorization in a particular state triggers other obligations as well, including the obligation to file an annual tax return and, usually, to file papers with the state relating to labor, taxes, and other fees. For any state in which you do not have a physical presence you’ll also need to pay a registered agent to accept mail and service of legal process on your behalf, which usually costs no more than $200 per year.

This is the first in an occasional series of posts on starting your business in the US.