Stolen and Infringing Domain Names: The Law of Cybersquatting

As most business owners know, it takes consistent effort to protect the trademark from being infringed by other individuals and businesses.  While trademark law can afford you a set of rules and a mechanism through which to enforce your rights, the impetus is always on you, as the trademark owner, to defend what is yours.  This can be especially difficult in an online word considering (1) the relative anonymity the Internet can afford, and (2) the ease with which domain names can be purchased and registered.

Cybersquatting and cyberpiracy are buzzwords that are becoming more well-known in our day to day lives as business people.  The term cybersquatting originated from the situation where a person or business who knowingly and in bad faith reserves a domain name consisting of the trademark or name of a company with the intent of selling the right to that domain name back to the legitimate owner.”  

The Anticybersquatting Consumer Protection Act, now embodied in 15 USC §1125, is a federal law that took effect in 1999.  This domain name protection law is intended to give trademark and service mark owners a new way to fight cybersquatters.

For example, Nintendo of America Inc. was awarded $560,000 and a recovered 48 Internet domain names in a domain infringement suit in October of 2000.  It was one of the first massive domain name lawsuits that resulted from the 1999 Act.  The Court awarded the company statutory damages ranging from $2,000 to $30,000 per name for 48 names—for a total award of $560,000.  

The major drawback to using the ACPA to enforce your rights, is that you must sue in federal court to do so.  Even with a successful outcome, the process to get there can cost you a lot of time and money.  Fortunately, the Internet Corporation of Assigned Names and Numbers (ICANN) has established a cheaper, faster, and more user-friendly way to enforce your rights in a domain name.  ICANN is a not for profit public benefit corporation that is responsible for administering and overseeing all Internet domain name registrars and their underlying policies.

If someone has taken a domain name similar to your domain name, trademark, or trade name, you may be able to use ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP) to request a binding Administrative Proceeding.  Such a proceeding is initiated by filing a complaint online, and following through with the administrative procedures provided by the UDRP.  If you prevail, the only remedy is transfer of the infringing domain name to you; monetary damages are not allowed under the UDRP’s Administrative Proceeding.

If you think that someone has registered a domain name that may infringe on your trademark or service mark, please contact our law offices to determine if you would be able to file an ACPA or UDRP action to acquire the domain name or avert the domain name registrant from future use of the domain name.

California Passes New Affiliate Nexus Tax

At the end of last month, Governor Jerry Brown signed a bill into law that will establish a sales tax nexus in the State of California for online retailers who use in-state affiliates to market and sell their products.  These marketers are essentially independent contractors who market for the online retail business.  The affiliate nexus tax, or as some call it, the “Amazon Tax,” after the company Amazon.com, which uses quite a number of affiliate marketers, is a way for states to collect taxes on internet transactions from online retailers operating out of state.  This tax is sweeping because it will establish sales-tax nexus in the State of California for non-California businesses based solely on in-state affiliate marketers, who are not employees for the non-California business!

By way of background, the U.S. Supreme ruled in 1992, in the case of Quill vs. North Dakota, that retailers do not have to collect sales tax unless the retailer has a physical presence in the state, known as a “nexus.”  The nexus can be established by a physical office or even a single employee in a state.  What the new tax does is to create another basis for establishing nexus.  The law states that any online merchant must charge sales taxes on any buyer’s purchases, if the purchase occurred through an online California affiliate marketer.  This law is an attempt at creating a level playing field between brick and mortar businesses in California—who must collect sales tax—and out-of-state online retailers who, until now, could sell to California residents and/or through California affiliates while still avoid paying sales tax.  Needless to say, this law has created a huge backlash by online retailers.  For instance, news story report that Amazon.com immediately severed all dealings with its affiliate marketers in California.

What are the consequences of the affiliate nexus tax for your business?  If you are or could be considered an affiliate for a larger website, your contact with California might present negative tax consequences for the business you serve.  As we saw with Amazon, you might be dropped as an affiliate marketer.  Until there are national laws on the books allowing or disallowing an affiliate nexus tax, online businesses will simply forum shop to find affiliates in states that will not tax them.  Please contact our law offices at 530-345-2212 to learn more about this law, how it affects your business, and what you can do to remedy the situation.

U.S. Privacy Laws—Cloud Computing, Transparency, and the European Union—Are We Behind the Times?

At a roundtable discussion yesterday, June 21, 2010, an attorney and representative for the U.S. Federal Trade Commission descried the current patchwork of U.S. privacy laws.  Unlike our neighbors across the pond in the European Union, the U.S. approach to privacy protection is arguably lacking in terms of uniformity and effectiveness.

As I described in a previous blog, the U.S. Congress has yet to adopt a federal statutory scheme that would hopefully provide uniformity.  The FTC representative echoed the often-heard concern in privacy law circles that the U.S. law needs to adapt to new methods of business data transfer and record retention—in particular, cloud computing.  A popular buzzword at present, cloud computing promises to streamline a business’s data processing, record retention, and provide lightning-quick methods of collaboration in a business climate that is seeing a rapid increase in “telecommuting.”  At the same time, cloud computing also threatens to expose the personal information of a business’s consumers, customers, and/or website users.  Although security measures are available to help make cloud computing secure against intrusions into or inadvertent disclosures of personal information, the retention and transfer of such sensitive information in an online environment certainly raises the specter of increased risk to privacy breaches.

One of the major concerns of the FTC is to require notice and disclosure of privacy breaches.  The FTC and most consumers understand that data breaches are inevitable, whether data is stored in a brick-and-mortar building or in on the cloud.  The FTC wants to ensure, however, that whenever such a breach occurs, the consumer will be notified of the breach.  California already requires businesses to notify California residents of such breaches, but many other states do not.  The House of Representatives approved a bill to require such notification for all U.S. consumers, see http://bit.ly/dnmBUr, but it has yet to be approved by the Senate.

In contrast to the U.S., the European Union nearly 15 years ago promulgated a Data Protection Directive; see http://bit.ly/9e4eDt, which provides considerably more protection to its residents.  Although many consider this directive to be too onerous on businesses, it does address the notice or “transparency” issue as described above.  Beyond just reporting breaches into a consumer’s personal data, the Directive requires notice, and sometimes consent, every time “personal data” is “processed”—which means just about anything you can do with data: transfer, store, etc.  Furthermore, such data can be processed only if it meets certain criteria regarding business necessity.

As a U.S. business owner, the important thing to be aware of is that you will become subject to the data privacy laws of whatever jurisdiction in which your customers, clients, or website users reside.  For example, if you have customers who reside in Nevada or Massachusetts, and your business is based in California, you will have to comply with stricter privacy laws than you normally would in your home state.

More surprisingly, if you have operations in any country in the European Union or have personal data from an individual who resides in the European Union, the EU Directive could potentially apply to your business operations.  Most often, problems occur when such data is transferred “offshore” from the EU country into the U.S., because the EU does not consider U.S. law to be sufficiently protective of its residents.  That being said, the EU has certain, limited “safe harbor” exceptions so that U.S. businesses do not have to comply with all of the onerous provisions in the Directive.  See http://www.export.gov/safeharbor.

For more information on how what laws apply to your business and how to comply with them, you can contact our law firm at info@ajstewartlaw.com.

What You Need to Know Now About Privacy Laws for Your Online Business

What You Need to Know Now About Privacy Laws for Your Online Business
Beginning March 1 of this year, there will be a new paradigm shift in data security requirements for many online businesses.  This is because the Massachusetts legislature has enacted the strictest, and most far-reaching data security regulations for any person or business that owns or licenses “personal information” of a Massachusetts resident.  Even California business owners should pay close attention to the data security laws of other states, because as your business grows and it begins to operate on a nation-wide or even world-wide level, the laws of far-away jurisdictions can apply to your operations.
Your online business must comply with both federal privacy laws and the privacy laws of any given state if you have come to possess, own, or license the “personal information” of any resident of that state.  Complying with federal law is comparatively simple in that the law is uniform across the nation.  The general rule of thumb for complying with federal privacy law is that you better uphold those promises and obligations in your online Privacy Policy.  See 15 USC § 45a.
Complying with state law, by contrast, can be mind-numbingly confusing because your nation-wide online business must comply with 50 separate statutory schemes.  The easiest solution for many businesses is to identify the state with the strictest privacy laws, and make sure to abide by those laws.  Beginning March 1, 2010, that state will be Massachusetts when 201 CMR 17.00[hyperlink
Is there a way to make “201 CMR 17.00” a hyperlink? And the same for the other hyperlinks below, for California, notice, and Nevada, respectively
: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf] goes into effect.
Many states, including California [hyperlink: http://www.docstoc.com/docs/24306397/California-Business-and-Professions-Code-Sections-22575-22579], require that you post a privacy policy and comply with it, and that your business discloses [hyperlink: http://codes.lp.findlaw.com/cacode/CIV/5/d3/4/1.81/s1798.82] a breach in security if that occurs.  Nevada [hyperlink: http://www.leg.state.nv.us/NRs/NRS-597.html] takes a slightly stricter approach insofar as your business must have certain encryption procedures for the transmission of personal information of Nevada residents.  See NRS 597.970.  Massachusetts has far surpassed Nevada insofar as your business must comply with detailed and comprehensive data security requirements including, but not limited to, 1) comprehensive data security systems with encryption and restricted access, 2) comprehensive monitoring and maintenance protocols of these systems; and 3) comprehensive employment policies and procedures relating to data security.
The Law Offices of Aaron J. Stewart can help your online business develop and implement a privacy policy that protects you and your customers, and complies with all applicable laws and regulations!  Please contact our firm for more information.

Beginning March 1 of 2010, there will be a new paradigm shift in data security requirements for many online businesses.  This is because the Massachusetts legislature has enacted the strictest, and most far-reaching data security regulations for any person or business that owns or licenses “personal information” of a Massachusetts resident.  Even California business owners should pay close attention to the data security laws of other states, because as your business grows and it begins to operate on a nation-wide or even world-wide level, the laws of far-away jurisdictions can apply to your operations.

Your online business must comply with both federal privacy laws and the privacy laws of any given state if you have come to possess, own, or license the “personal information” of any resident of that state.  Complying with federal law is comparatively simple in that the law is uniform across the nation.  The general rule of thumb for complying with federal privacy law is that you better uphold those promises and obligations in your online Privacy Policy.  See 15 USC § 45a.

Complying with state law, by contrast, can be mind-numbingly confusing because your nation-wide online business must comply with 50 separate statutory schemes.  The easiest solution for many businesses is to identify the state with the strictest privacy laws, and make sure to abide by those laws.  Beginning March 1, 2010, that state will be Massachusetts when 201 CMR 17.00 goes into effect.

Many states, including California, require that you post a privacy policy and comply with it, and that your business discloses a breach in security if that occurs.  Nevada takes a slightly stricter approach insofar as your business must have certain encryption procedures for the transmission of personal information of Nevada residents.  See NRS 597.970.  Massachusetts has far surpassed Nevada insofar as your business must comply with detailed and comprehensive data security requirements including, but not limited to, 1) comprehensive data security systems with encryption and restricted access, 2) comprehensive monitoring and maintenance protocols of these systems; and 3) comprehensive employment policies and procedures relating to data security.

The Law Offices of Aaron J. Stewart can help your online business develop and implement a privacy policy that protects you and your customers, and complies with all applicable laws and regulations!  Please contact us for more information at info@ajstewartlaw.com for more information.