The annotations of the Official Code of Georgia Annotated are not protected by copyright.

On April 27, 2020, the Supreme Court affirmed the judgment of the Court of Appeals for the 11th Circuit which had held that the annotations of the Official Code of Georgia Annotated (OCGA) are not protected by copyright.

The OCGA is the official code of the State of Georgia and includes the Georgia statutes in force and non-binding supplementary material, including annotations, such as summary of judiciary decisions or a list of relevant legal articles.

The Code Revision Commission assembles the OCGA, and is composed of the Lieutenant Governor of Georgia, four Georgia senators, four Georgia representatives, the Speaker of the House, and five members appointed by the state of Georgia.

However, it is a private organization, Matthew Bender & Co., Inc., a division of the LexisNexis Group, which prepares the annotations under a work-for-hire agreement. As such, Georgia is the copyright owner of the annotations.

While the annotated version of the Georgia Code is made available for free on the LexisNexis site, the OCGA is protected by a paywall. Public.Resource.Org (PRO) is a non-profit organization aiming to facilitate public access to government records and legal materials. It scanned a copy of the paper version of the OCGA and posted it on its freely accessible site.

The Commission sent PRO several letters asking for the copy of the OCGA to be taken down from its site. As the non-profit refused to do so, the Commission filed a copyright infringement suit.

The Northern District Court of Georgia held that the annotations were protected by copyright as they are not “enacted into law.” The US Court of Appeals for the 11th Circuit reversed, reasoning that it is not the Commission which is the author of the OCGA, but rather, the People, while judges are legislators are only “draftsman… exercising delegated authority.”

The Supreme Court affirmed, but Chief Justice Roberts, who delivered the opinion of the court, followed a different reasoning than the 11th Circuit judges.

The Court cited the government edicts doctrine, under which judges cannot be the authors of the works they produce in the course of their official duties as judges and legislators. This doctrine was developed by three 19th century cases, Wheaton v. Peters (1834), holding that a court reporter cannot have a copyright in the Court’s opinions, Banks v. Manchester (1888), holding that “the judge who, in his judicial capacity, prepares the opinion or decision, the statement of the case and the syllabus or head note”  cannot be the author of the work and thus cannot hold its copyright, and finally Callaghan v. Myers (1888), holding again that a court reporter cannot have a copyright in the Court’s opinions.

For the Court, “[i]f judges, acting as judges, cannot be “authors” because of their authority to make and interpret the law, it follows that legislators, acting as legislators, cannot be either.”

The Commission can be qualified as a legislator, as it “functions as an arm of [the Georgia Legislature] for the purpose of producing the annotation…[and] serves as an extension of the Georgia Legislature in preparing and publishing the annotations.”  The Commission creates the annotation in the discharge of its legislative duties, in its role as an adjunct to the Legislature.

Justice Ginsburg dissented, taking the view that “the annotations are not created contemporaneously with the statures to which they pertain,” that “are descriptive rather than prescriptive,” and that they are only “given of the purpose of convenient reference.” Justice Sotomayor, who joined the opinion of the Court, noted during the debates that dictum is not law either.

The State of Georgia had argued that §101 of the Copyright Act lists “annotations” as works eligible for copyright protection. This argument did not convince the Court, as §101 does not state that annotations prepared by a judge or legislators can be protected.

A amicus curia brief filed by the American Library Association argued that “[t]he LexisNexis unannotated code fails to provide meaningful citizen access to Georgia law.“ It further noted that the online code can only be accessed after agreeing to a clickwrap, which states  that  the State of Georgia “reserves the right to claim and de-fend the copyright in any copyrightable portions of the site,” but that once on the site, the user is not able to understand which part of the Code is protected by copyright or not. The brief also noted that such a scheme “undermin[es] libraries’ longstanding commitment to patron privacy.”

Georgia had argued that, if these annotations are not protectable, it would not be able to induce private organizations, such as LexisNexis, to preparer such work. Chief Justice Roberts wrote “[t]hat appeal to copyright policy, however, is addressed to the wrong forum,as it is Congress, not the courts, which must decide the best ways to pursue the objectives of the Copyright Clause of the US Constitution.

The issue of public access to law is an important issue, and it remains to be seen if this case will advance or hinder it.

 

 

 

 

Facebooktwitterredditpinterestlinkedinmailby feather

New York’s SHIELD Act Updates New York Data Breach Law

New York’s SHIELD Act (“Stop Hacks and Improve Electronic Data Security” Act) is an amendment to New York’s data breach notification law. It took effect on October 23, 2019, but its data security provisions, codified in N.Y. Gen. Bus. Law § 899-bb, only took effect on March 21, 2020.

First let’s have a look at the provisions which took effect in 2019.

The Act greatly expanded the territorial scope of New York data breach law as it no longer covers only a person or company conducting business in New York state. If the breach affects a New York resident, then the law applies.

The definition of “private information” is expanded to include an account number, credit or debit card number, if they can be used to access an individual’s financial account without additional identifying information, security code, access code, or password. It also now includes a username or e-mail address combined with a password or security question and answer allowing to access an online account.

Private information” now includes biometric information, which is defined as “data generated by electronic measurements of an individual’s unique physical characteristics.”

They are:

  • a fingerprint,
  • a voice print,
  • a retina or iris image,
  • any other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity.

What is a security breach?

The definition of a security breach was expanded to include unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information retained by a company. Before the Shield Act, the law only covered unauthorized acquisition of personal data maintained by a business.

The SHIELD Act specifies that a company may consider several factors to determine whether information has been accessed or is reasonably believed to have been accessed without authorization, among them indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.

The notice of the breach

The notice cannot be provided to the affected person by email If the breached information includes an e-mail address in combination with a password or security question and answer allowing access to a online account.

In that case, a clear and conspicuous notice must be “delivered to the consumer online when the consumer is connected to the online account from an internet protocol address or from an online location which the person or business knows the consumer customarily uses to access the online account.”

The notice must now include:

  • the telephone numbers and websites of the relevant state and federal agencies providing information regarding security breach, response and identity theft prevention and protection information.

If the individual or company is required to provide notice of the breach under the Gramm-Leach-Bliley Act (GLBA) , the Health Insurance Portability and Accountability Act (HIPAA), or to the New York Department of Financial Services, an additional notice to the affected individuals is not required, but must still be provided to the New York Attorney General, the department of State, the division of State Police, as well as to the consumer reporting agencies (CRAs).

A HIPAA covered entity must report a breach to the New York Attorney General if the notification of the data breach to the Secretary of Health and Human Series is required by HIPAA, even if the breach includes breach of information which is not “private information.”

If the breach affects any New York residents, the person or business must provide a copy of the template of the notice to the state attorney general, the department of state and the division of state police, and this notice must not delay sending the notice to the affected persons.

It is not required, however, to notify an affected person of a breach if:

  • the persons authorized to access the private information inadvertently disclosed it and
    • the person or business reasonably determined that misuse of the information will not likely occur, or
    • financial harm to the affected persons will not likely occur or
    • emotional harm will not likely occur, if a username or e-mail address in combination with a password or security question and answer that would permit access to an online account was disclosed.

Such a determination must be documented in writing and maintained for at least five years. If the incident affects over 500 New York residents, the person or business must provide the written determination to the state attorney general within ten days after the determination.

In practice, this means that a written document must be created to explain why it has been decided not to notify affected individuals of a breach. This document must be written with the utmost care, and should explain the circumstances of the breach, how it was discovered, what information had been breached how the risk was assessed and why the decision not to report the breach has been taken.

The SHIELD Act does not provide a private right of action, but the remedies provided are “in addition to any other lawful remedy available.” The penalties for failure to notify increased, however, from ten to twenty dollars per instance of failed notification.

The statute of limitations is expanded from 2 to 3 years from the date the attorney general became aware of the violation or the date the notice was sent.

The Data Security Provisions of NY SHIELD ACT, which took effect on March 21, 2020

Any person or business which owns or licenses computerized data which includes private information of a New York resident must develop, implement, and maintain a data security program.

In order to be compliant with the NY Shield Act, such a person or business must put in place administrative, technical, and physical safeguards.

A  small business, which is defined as one having less than 50 employees, less than 3 million dollars in gross annual revenue in each of the last 3 fiscal years or less than 5 million dollars in year-end total assets is not exempt from this requirement. However, it is sufficient that the security program contains reasonable administrative, technical and physical safeguards which are “appropriate for [its] size and complexity.”

The administrative safeguards include:

  • Designating one or more employees to coordinate the security program
  • Identifying reasonably foreseeable internal and external risks
  • Assessing whether sufficient safeguards have been put in place
  • Training and managings employees in the security program practices and procedures
  • Selecting service providers which can maintain appropriate safeguards, and requiring those safeguards by contract

The technical safeguards include:

  • Assessing risks in network and software design
  • Assessing risks in information processing, transmission, and storage
  • Detecting, preventing, and responding to attacks or systems failures
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures

The physical safeguards include:

  • Assessing risks of information storage and disposal
  • Detecting, preventing, and responding to intrusions
  • Protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information
  • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic documents in such a way that the information can no longer be read or reconstructed
Facebooktwitterredditpinterestlinkedinmailby feather

Works Posted on Public Instagram Accounts Can be Used by Third Parties Without Infringing Copyright

A recent decision from the Southern District of New York (SDNY) should give pause to artists promoting their works by posting them on their public social media accounts.

Mashable had offered professional photographer Stephanie Sinclair 50 dollars for licensing rights for one of her photographs, to illustrate an article on female photojournalists featuring her and several others.

Ms. Sinclair did not accept the offer, and Mashable then embedded the photo that Plaintiff had previously published on her public Instagram account to illustrate the article. Ms. Sinclair asked Mashable to take down the picture. It refused and Ms. Sinclair then filed a copyright infringement suit.

Mashable moved to dismiss, claiming that, by posting the photograph on her public Instagram account, Plaintiff had granted Instagram the right to license the photograph, and that, it turn, Instagram had granted Mashable a valid sublicense.

United States District Judge Kimba M. Wood from the Southern District of New York (SDNY) granted the motion to dismiss, finding that Mashable had used the photograph pursuant to a valid sublicense from Instagram, which Terms of Use state that users grant Instagram “a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to the [c]ontent [posted] on or through [Instagram],” if the content is posted on a public, not a private account.

An image published on a website can be “embedded” in another page if a specific “embed” code has been added to the HTML instructions incorporating the image, which directs the browser to the third-party server to retrieve the image. The embedded image then is hyperlinked to the third-party website.

In our case, Plaintiff’s photograph appeared embedded on the Mashable website page, but was not hosted on Mashable’s website server. It was hosted on Instagram’s server, after Plaintiff had posted it on her public account.

In a similar case, Goldman v. Breitbart, the SDNY had rejected in 2018 the “server’s test“ laid out by the Ninth Circuit in Perfect 10, Inc. v. Amazon. com, Inc., which was a hyperlinking case, not an image embedded case. Under this test, images appearing on a site using frames and in-line links are not a display of the full-size images stored on and served by another website.

While noting that in-line linking works, like embedding, is based on HTML code instructions, United States District Judge Katherine B. Forrest had not applied the server test in Goldman, finding it inappropriate to the specific facts of this case and also “[not] adequately grounded in the text of the Copyright Act.” She found that using an embedded tweet reproducing a photograph protected by copyright to illustrate an article was infringing.

In Goldman, the author had not originally published the photograph on Twitter. Instead, he had uploaded it in his Snapchat Story. It became viral and was published on Twitter by a third party. Judge Wood explained in a footnote that, as Instagram had granted Mashable a valid license to display the work, the court did not need to address the issue of whether embedding an image is an infringing display of the work.

Take away: by posting a work protected by copyright on a public Instagram account an author automatically transfers rights to the social media site, including the right to sub-license a worldwide license to use it. The author not wishing to transfer these rights is only left with the option of making his or her account private.

Facebooktwitterredditpinterestlinkedinmailby feather

Tracking the COVID-19 Pandemic While Respecting EU Data Protection Laws

French representative Mounir Mahjoubi published on April 6 a note on how technology can help with containing the COVID-19 pandemic while respecting privacy laws and ethics.

IoT, Big Data analytics, AI and blockchain may all be used to monitor this major health crisis. For instance, China has been using the “Alipay Health Code”, which uses big data to automatically draw automated conclusions about whether an individual is sick or not. However, there is a fine line between tracking to surveillance. Singapore collaborated with WhatsApp to offer an update about the virus: interested parties can sign up to receive the latest information about the virus. Individuals in the US and the UK can download an app to voluntarily report how they are feeling, even if they do not have any symptoms. Users can then follow how the virus is developing.

The Mahjoubi note cites an article published last month on the Nature website about how digital tools can help us remediate the COVID-19 outbreak. This article provides several examples, including how Johns Hopkins University’s Center for Systems Science and Engineering has developed a real-time tracking map of COVID-19 cases across the world, using data collected from the US Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), the European Center for Disease Prevention and Control, the Chinese Center for Disease Control and Prevention (China CDC) and the Chinese website DXY, which aggregates data from China’s National Health Commission and the China CDC. The map allows everyone to follow the location and number of confirmed COVID-19 cases, as well as deaths and recoveries around the world.

The note explains that mobile data tracking may be used three different ways to control the pandemic: (1) to monitor collective mobility practices containment, (2) to identify individuals who have been in contact with a person affected by the virus, and (3) to control whether an individual is indeed confined.

Technologies used for these different purposes may be the telephone, GPS and Bluetooth applications, video surveillance, banking cards…

The first use, monitoring collective mobility, can be implemented using, for example, cell phone data pooled from telephone operators. GPS data an also be used for this purpose. Data is anonymized and aggregated. As such, this use respects the GDPR as it does not apply to anonymized data. However, it should be noted that data can be de-anonymized (or re-identified).

The other two uses identify affected individuals and track whether they are indeed staying confined, and raise ethical and legal issues.

Several technologies can be used to identify an individual who has been in contact with an infected person, sometimes called “contact tracing.” It seems that both China and South Korea used such technology to track the spread of COVID-19. France is developing its Stop Covid contact tracing app. The  Pan-European Privacy Preserving Proximity Tracing initiative (PEPP-PT) is an initiative of 130 researchers and technologists from eight European countries collaborating to create a tracing solution fully compliant with the GDPR and preserving privacy.

Indeed, in the European Union, such use of data must be done in compliance with the GDPR. Marie-Laure Denis, the President of the French data protection agency, the CNIL, said in an interview to Le Monde (in French) that such monitoring must be done on a voluntary basis only, based on a free and informed consent, and that there should be no consequences for someone refusing, for example, to download an application. Ms. Denis also noted that such a scheme would have to comply with the data protection principles. Indeed, the GDPR sets out seven key principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, security and accountability. She notes that if these principles are respected, there would be no need for a legislative provision.

The GDPR provides that only data necessary for an explicit purpose should be collected. The COVID Symptom Tracker app explains, for instance, that the data can “only be used to help medical science and healthcare providers to better understand Coronavirus.”

Ms. Denis also noted that the choice of the technology used to track is important, as, for instance, an application using Bluetooth technology detecting if another phone equipped with the same application is in the immediate vicinity, provides more guarantees than an app using a precise and continuous geolocation.

On April 8, the European Union Commission recommended the development of a common EU approach for the use of mobile applications and mobile data in response to the coronavirus pandemic.

These recommendations include:

  1. strictly limiting personal data processing for the purposes of combating the pandemic and ensuring that personal data is not used for any other purposes such as law enforcement or commercial purposes;
  2. ensuring that regular reviews are being conducted of the continued need for personal data processing for the purposes of fighting COVID-19 and setting appropriate sunset clauses to ensure that such processing does not extend beyond what is strictly necessary for those purposes;
  3. taking measures to ensure that processing is terminated once it is no longer needed and that the personal data is then “irreversibly destroyed unless, on the advice of ethics boards and data  protection authorities, [its ] scientific value in serving the public interest outweighs the  impact on the rights concerned, subject to appropriate safeguards.”
Facebooktwitterredditpinterestlinkedinmailby feather

Newly Arch-Popular Zoom App in Privacy Crosshairs

The COVID-19 virus has forced employees and contractors to work from home, and educators scramble to find ways to continue to teach. Zoom, a video teleconferencing platform, has been the service of choice for many. 200 million people now use Zoom daily.

A New York Times article recently revealed that Zoom automatically sent names and email addresses of participants to a meeting to a system which matches them with their LinkedIn profiles, if the host of the meeting had signed up for the sales prospecting program LinkedIn Sales Navigator. This article came after Motherboard had revealed that the iOS version of the Zoom app was sending some analytics data to Facebook, regardless of whether Zoom users have a Facebook account or not.

These security concerns have been acknowledged in a blog post by Eric Yuan, Zoom’s CEO and the company released a new version of the app. However, a class action suit has been filed against Zoom in the Northern District of California, claiming that Zoom failed to implement adequate security protocols and failed to provide accurate disclosures to its users, and thus fell well short of Zoom’s promises as stated in its privacy policy.

The New York Times reported that New York’s attorney general, Letitia James, sent a letter to Zoom asking it which security measures have been put in place to prevent hacking. Senator Richard Blumenthal wrote a letter to Eric Yuan asking for information about how Zoom handles the personal data of its users and protects against security threats and abuse against its service.”

Another issue is “zoom bombing,” where uninvited tele-conferencing participants are “crashing” a conference to disrupt it using noise or unwelcome images, including pornographic images. Indeed, it has been reported that several educational Zoom meetings have been crashed by uninvited parties. On one instance, the intruder exposed himself to student, and in another case, the hacker disturbed a doctoral defense using obscene drawings and racial slurs.

Zoom-bombing is a crime, as we are reminded by Matthew Schneider, United States Attorney for Eastern Michigan, warning that anyone who hacks into a teleconference can be charged with state or federal crimes.

The FBI warned last month about this new risk and provided some security tips, such as avoiding making meetings or classrooms public, but instead organizing a private meeting, either by requiring a password to participate or using Zoom’s waiting room feature to control which guests can indeed be admitted.

The FBI also recommended not to share a link to a Zoom event on social media but instead send the link to invited parties, to set screensharing to “Host Only,” and also to make sure that people use the January 2020 updated version of the Zoom software, which disabled the ability to randomly scan for meetings to join.

Zoom announced in early April that it will enable the “waiting room” feature for all accounts, including the free accounts, and will also require additional password settings. Free K-12 education accounts will be required to use passwords and will not be able to turn off the password feature. The New York City Department of Education has however announced that it will no longer allow the use of Zoom for distance learning out of security concerns.

Facebooktwitterredditpinterestlinkedinmailby feather

Gender-Neutrality and the Law, an Update

California Bill No. 2826, introduced on February 20, 2020, by Assembly member Evan Low (D–Silicon Valley) would introduce a Part 2.57 on Gender Neutral Retail Departments in the California Civil Code.

Department stores with 500 or more employees would be required not to separate children’s clothing, toys, or childcare products on their selling floors, regardless of whether a product has been traditionally marketed for girls or boys.

Department stores failing to do so, and not correcting it within 30 days of receiving written notice of the violation from the Attorney General, would be liable for a civil penalty of $1,000.

Department stores selling children clothes would maintain “one, undivided area of its sales floor where… all clothing for children, regardless of whether a particular item has been traditionally marketed for either girl or boys, shall be displayed.” The same would go for toys.

Man Calming a Young Boy Posing before the Camera ca. 1850, Public Domain

Assembly Member Low explained in the press release that “clothing and toys sections of department stores that are separated along gender lines pigeonhole children. … [S]eparating items that are traditionally marketed for either girls or boys makes it more difficult for the consumer to compare products. It also incorrectly implies that their use by one gender is inappropriate.”

The California bill presents its purpose as being a practical one, as it is easier for consumers to shop if all children’s clothes are presented together on the sales floor, making it easier to compare products, but also to avoid stereotyping. Target removed gender-based signs in 2015 for its kids’ bedding and toy products. The retailer made that decision following a viral social media post.

Manufacturers are introducing gender-neutral lines for children. The concept is not new, as all children used to wear dresses, which was quite practical if a nappy quickly needed to be changed. As for a color to be assigned to a particular gender, boys sometimes wore pink and girls sometimes wore blue. Boys wore dresses.

Gender-neutral clothing lines for adult are also being launched. Now that women have gained the right to wear pants, gender-neutral clothes are pants or shorts, worn with shirts and ample sweaters. The ultimate gender-neutral clothing line would be men wearing skirts, as it is the norm for Highlanders. Jean-Paul Gaultier introduced the man-skirt in his Et Dieu Créa l’Homme collection, but the concept is still far from being mainstream.

No similar bill is currently discussed in New York. However, the State Assembly added last year a Section 145 to the Public Building Law requiring state agencies to ensure that all single-occupancy bathrooms under their jurisdictions are designated as gender neutral in state-owned buildings and, where practicable, in state-leased buildings. The law defines “single-occupancy bathroom” as “a bathroom intended for use by no more than one occupant at a time or for family or assisted use and which has a door for entry into and egress from the bathroom that may be locked by the occupant to ensure privacy and security.”

The justification for the bill was that “[g]ender identity is personal to an individual and not based on how the public views the individual’s appearance.”

 

Facebooktwitterredditpinterestlinkedinmailby feather

The Territorial Scope of the European Union Right to Be Forgotten is Limited

France’s Council of State (Conseil d’État) held on March 27, 2020, that the right to be forgotten provided by European Union laws is not universal.

At issue in this case was the territorial scope of the right to be forgotten, called by the Conseil d’État “dereferencing right” (droit au déférencement).

A dereferencing request is a request, made by a natural person, to have links to webpages removed from the results of a search on this person’s name. This “right to be forgotten” was first recognized by the European Court of Justice in its 2014 Google Spain and Google judgment and is now provided by Article 17 of Regulation 2016/676, the General Data Protection Regulation (GDPR).

Under Article 17 of the GDPR, the data subject has the right to request the controller to erase personal data without undue delay, if:

  • The personal data is no longer necessary for the purpose for which it has been collected;
  • The data subject withdraws his/her consent to have the data processed;
  • The data subject objects to the processing the personal data has been unlawfully processed;
  • The personal data must be erased to comply with a legal obligation;
  • The personal data is that of a minor.

Google removes only the links from the results of searches conducted from the domain names corresponding to its search engine in the European Union Member States. Therefore, for instance, if a search is conducted using the <google.fr> domain name, only results displayed in all the European Union domain names are removed, not results appearing in the <google.ca> domain name.

In 2016, the French Data Protection Authority, the CNIL, fined Google 100,000 Euros for refusing to apply a dereferencing request to all the domain name extensions of Google’s search engine, not only to the European Union extensions.

Google lodged a request for annulment of this decision with France’s Council of State (Conseil d’État), which decided to stay the proceeding and ask the Court of Justice of the European Union for a preliminary ruling about the interpretation of several provisions of Directive 95/46, which was at the time the European Union personal data protection law, but has since been repealed and replaced by the GDPR.

The Court of Justice of the European Union held in September 2019, that a search engine operator cannot be required to carry out a dereferencing request on all the versions of the search engine, only “on the versions of that search engine corresponding to all Member States.

The Conseil d’État thus annulled the 2016 CNIL decision.

Take away:

A “right-to-be-forgotten” request does not have to be universally granted and its geographical scope will be limited to the place of residence of the data subject. If the data subject resides in one the Member States of the European Union, the request will be granted for all the European Union versions of a particular search engine, but not those outside the E.U.

Facebooktwitterredditpinterestlinkedinmailby feather

The FTC Settles with Tea Company over Failure to Adequately Disclose Connection with Influencers

The Federal Trade Commission (FTC) announced on March 6 it has settled a lawsuit with the Florida-based company Teami LLC (Teami) over its claims that drinking its teas has positive health effects, including rapid weight loss, and over its use of influencers for marketing purposes without adequately disclosing the connection.

According to the March 5, 2020 complaint, Teami paid hundreds of influencers between June and late-October 2018 to endorse Teami products on Instagram, by a post or a video.

 

The influencers who allegedly had not made adequate disclosures were not named as defendants, but each received a warning letter from the FTC asking them to describe the actions they are or will be taking “to ensure that [their] social media posts endorsing brands and businesses with which [they] have a material connection clearly and conspicuously disclose [their] relationships.”

According to the complaint, the FTC had first contacted the defendants, Teami’s co-founders, in April 2018 to inform them that any material connections to any endorsers had to be disclosed clearly and conspicuously by using unambiguous language in a way that consumers can easily notice the disclosure without having to look for it.

Teami then implemented a social media endorsement policy, informed influencers about it, and provided guidance on how to disclose their relationship with Teami in their sponsored posts.

However, some of the video endorsements did not disclose the connection between Teami and the endorser within the video itself (see the Cardi B video here) while others did not include a disclosure in the first two or three lines of the accompanying text without having to click on “more.” Similarly, some Instagram posts only displayed the connection, when viewed in a follower’s feed, if the followers clicked on “more.”

As such, the FTC claimed that these sponsored social media posts were misrepresentations or deceptive omissions of material fact which are deceptive acts or practices prohibited by Section 5(a) of the FTC Act.

Under the proposed court order settling the FTC’s complaint Defendants and their agents are permanently restrained and enjoined “from making, or assisting others in making, any misrepresentation, expressly or by implication, about the status of any endorser or person providing a review of the product, including a misrepresentation that the endorser or reviewer is an independent or ordinary user of a product.”

Takeaway: Disclosures about the material connection must be clear and conspicuous

As explained in the FTC Guides Concerning the Use to Endorsements and Testimonials in Advertising, a “material connection” between the endorser and the marketer of a product must be clearly and conspicuously disclosed, unless the connection is already clear from the context of the communication containing the endorsement.

A material connection may be a business, family, or personal relationship. The proposed court order defines a clear and conspicuous disclosure as one “difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers.

If the communication is solely aural (say, a podcast) or solely visual (such as an Instagram post), then “the disclosure must be made through the same means through which the communication is presented.”

If the communication is both aural and visual, such as a video, then “the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure is made in only one means.”

This means that if the influencer endorses product X only by wearing or showing it in his video, the disclosure must also be spoken, and if the influencer only endorses product or service Y in her video, without showing it, the endorsement must also be written.

A visual disclosure “must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.”

An audible disclosure “must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.

Any disclosure “must be unavoidable.” It “must use diction and syntax understandable to ordinary consumers and must appear in each language in which the representation that requires the disclosure appears.” So if the influencer makes her endorsement in several languages, the disclosure must be in all of these languages.

Takeaway: Have a social media endorsement policy AND enforce it

The FTC complaint alleged that several social media posts sponsored by Teami did not follow Teami’s social media policy.

This shows that having a social media endorsement policy, but not enforcing it, is like having no policy at all. Marketers should train their employees and direct several employees to monitor social media postings to ensure that they are compliant.

Facebooktwitterredditpinterestlinkedinmailby feather

Copyright Infringement Suit Against Supermodel Gigi Hadid Dismisssed

Judge Pamela K. Chen from the Eastern District Court of New York dismissed on July 18 a copyright infringement suit filed by XClusive-Lee, Inc. against supermodel Gigi Hadid, claiming that a picture she posted on her Instagram account was infringing.

Hadid’s Instagram account currently has almost 49 million followers, interested in viewing family pictures, fashion magazines cover featuring Hadid, fashion shoots and fashion photographs. Hadid posted in October 2018 a cropped version of a photograph of her taken the day before by a paparazzi outside Vogue’s Force of Fashion conference, where Hadid was part of a panel.

The original version of the photograph showed Defendant wearing a denim jacket and shorts, a small handbag, high heels, jewelry and make up, smiling at the camera in an outdoor urban setting, probably outside the New York City studio where the conference took place.

The photo posted by Hadid on social media was cropped mid-thigh. She added as comment:”all smiles post #ForceOfFashionpanel @voguemagazine.wearing #messikabygigihadid mini-cuffs and mono earing”, referring to a line of jewelry bearing her name which is sold by a French jeweler.  The “mono earrings”referred to in the post retail at $5,710.

Xclusive-Lee, Inc., the company which owns the copyright to this photograph, filed a copyright infringement suit against Hadid in January 2019, claiming Hadid “copied and posted Copyrighted Photograph to Hadid’s Instagram account without license or permission from Xclusive-Lee.” It claimed that it was entitled to statutory damages, including any profits realized by Hadid attributable to the infringement, pursuant to 17 U.S.C. § 504.

As a reminder, a work is protected by copyright, if it is fixed in a tangible medium and if it is original enough, even if it is not registered. However, a registration is required if filing a copyright infringement suit, and the Supreme Court recently held in Fourth Estate Public Benefit Corp. v. Wall-Street. Com LLC  that § 411(a) of the Copyright Act requires that copyright registration occurs “only when the Copyright Office grants registration” (at 888).

At the time of filing the suit, Plaintiff had applied for a copyright in the photograph, but had not been granted registration. Plaintiff argued that it had filed the copyright infringement suit before the Fourth Estate decision, but the EDNY rejected the argument as the Court cannot decline applying a Supreme Court decision “merely because the Supreme Court decision was issued after the filing of the compliant at issue in this case.”

The case was dismissed because the photograph was not registered with the Copyright Office.

That said, posting a photograph protected by copyright on Instragram without permission is copyright infringement. The Complaint noted that Hadid’s Instagram account featured several examples of “uncredited photographs of Hadid in public, at press events, or on the runway” and that “[m]ost if not all of these photographs were posted by Hadid without license or permission from the copyright holder.”

Could it be fair use? Hadid may have used this photograph in order to contribute to the promotion of her jewelry line. Therefore, the character of the use, one of the four fair use factors, may have been for commercial gain, not for the sake of commenting or news reporting for the Vogue conference.

The second factor, the nature of the work, would probably be in Hadid’s favor, as it is not very creative. Hadid did not use all of the work, but cropped it, but she nevertheless substantially used the work, and so the third factor could have been in Plaintiff’s favor as well. The fourth factor, the economic effect on the value of the work, measures the effect of the use on the market. The picture could be licensed to be used on her Instagram account in order to promote a commercial line, and so it is possible that the fourth factor would have been in Plaintiff’s favor.

However, it could it be argued that this particular photograph was not protected by copyright, as a work must be original enough to be protected. The photo was taken in the streets of New York, and must have been taken quickly, thus leaving little time for the photographer to make choices. Hadid deftly takes the pose, and it can be argued that it is her professional experience which contributed to the picture being original, unless the pose was directed by the photographer.

If a copyright registration had been granted before filing the case, the suit would likely not have been dismissed, as fair use is fact-based and thus is unlikely to be decided when granting a motion to dismiss.

However, if a copyright registration is mandatory for filing a copyright infringement suit, the Copyright Office may start to examine more closely whether a particular work is indeed original enough to be protected by copyright…

Take-away: Plaintiff must have a valid copyright registration before filing a copyright infringement suit.

Facebooktwitterredditpinterestlinkedinmailby feather

Commissioner of Fearless Girl Suing Author, Claiming Breach of Trademark & Copyright Agreements

International Women’s Day is ahead, and a replica of the New York Fearless Girl statue was installed this week in Melbourne. It was unveiled by the artist who created the original statue, Kristen Visbal.

The investment management company which commissioned Visbal to create the original statue, State Street Global Advisors Trust Company (SSGA), is now suing her in the Supreme Court of the State of New York for breach of their copyright and trademark license agreements, which are confidential. SSGA claims that Visbal breached the agreement by selling unauthorized replicas of the statue in Australia and in Oslo, and also by bringing a replica to the 2019 Women’s March in Los Angeles.

Fearless Girl

Fearless Girl in Wall Street

SSGA commissioned the creation and installation of the Fearless Girl Statue on the International Woman’s Day in 2017 to celebrate the first anniversary of its gender diversity index designed to measure how gender diverse are large U.S. companies. The statue originally faced the Bull statue in the downtown Manhattan. It is now placed in front of the New York Stock Exchange.

SSGA alleges that Visbal’s contractual obligations under the agreements required her to seek SSGA’s authorization before selling the statue or using it for promotional events.

SSGA claims that Visbal has breached her covenant of good faith and fair dealing implied in every contract under New York law.

It further claims that Visbal breached the terms of the confidential trademark license agreement by “failing to maintain the well-regarded reputation and integrity of Fearless Girl” and thus weakening the goodwill created by the Fearless Girl brand and campaign.

SSGA also claims that Visbal breached the terms of the confidential copyright license agreement by selling the replicas without SSGA’s authorization.

SSGA is asking the court to award damages, including exemplary damages, to the company.

As the terms of the agreements are not known to us, we do not even know which party is the owner of the copyright. Indeed, the copyright owner of a work made for hire is the employer or other person for whom the work was prepared unless the parties have expressly agreed otherwise in a written instrument signed by them.

The copyright of a joint work, a work created by two or more authors, with the intent that their contributions be merged into inseparable or interdependent parts of the work, is owned by all the authors. It is not necessary that the contributions of each author are equal, but each of the contributions must be independently copyrightable.

We know, however, that SSGA is the owner of the Fearless Girl trademark.

A few words on copyright licensing

  • You can only license what you own.
  • If you are a joint owner of a copyright, you can grant a non-exclusive license without the consent of the other owner, unless all the joint owners agree differently in writing.
  • Remember that your copyright may be licensed to become someone else’s trademark. In that case, using it without permission of the licensee may be both copyright and trademark infringement.

 

Picture is courtesy of Flickr user Billie Grace Ward under a CC BY 2.0 license.

Facebooktwitterredditpinterestlinkedinmailby feather