Website Audits: New Compliance Frontier

By Adam R. Bialek and Juan P. Rodriguez

GC New York

August 9, 2012

Operation of a website that engages in advertising and sales carries all the rewards and pitfalls of operating a traditional business—and more. For example, advertising and sales have long required significant investment and infrastructure, while today, anyone with a computer and $10 can establish a business and advertise. In the past, advertising was reviewed and cleared before release, and businesses retained counsel to guide them in complying with the law. The ease with which business and promotion can be launched and carried out on the Internet has created a flood of new exposures.

Small businesses and individuals are not the only ones impacted. Large companies and institutions that do not follow a structured protocol regarding their website operations can be exposed to liability as well. The all-important website can, if not monitored, be a business killer.

There are two types of issues that need to be controlled to limit the exposure of a website operator: the conduct of the operator and the conduct of the visitor. Actions of either can lead to liability. Risk in the cyber environment needs to be managed continuously, and new risks appear as fast as the Internet evolves.

The Website Audit

Any standard website can have extensive pitfalls that require compliance to ensure that contract, privacy and intellectual property laws are followed. The website audit is a process that should be engaged in periodically to make sure that the procedures in place to avoid exposures are followed and to rectify any issues not picked up through reasonable vigilance. Whether performed by an in-house trained professional or a retained practitioner concentrating on intellectual property and Internet law, a thorough website audit will examine the areas discussed below.

Website Disclosures

When a person walks into a store, he or she is expected to act in an appropriate manner; a customer is not expected to speak in a rude, loud manner, blast music or eat food. "Shirts and Shoes Required" ensures proper attire is worn on the premises. Websites similarly have codes of conduct for visitors. Often called "Terms of Use," "Terms of Service" or "Legal Terms," these conditions for use of the website are defined in a contract that explains and addresses the relationship between the website operator and visitors. It is imperative that a website have appropriate terms of use and that the operator also comply with the terms.

Terms of use will address issues such as intellectual property rights, rights to material submitted to the website, disclaimers, securities or tax law notifications, rules of conduct, limitations of liability, policies for children, whom to contact if an issue arises, the location from which the website operates, choice of law and jurisdiction, and restrictions on how the website may be used. Properly displayed terms of use can be determinative of jurisdiction and venue for dispute resolution.[1] A website audit must also consider whether operators create or simply post content and whether the terms of use should have a Digital Millennium Copyright Act (DMCA) notice.[2]

Depending on the business, a notification (e.g., a required tax disclosure per Circular 230) or disclaimer may be necessary (e.g., lawyers should remind visitors that an attorney-client relationship is not created by submitting a question through the "Contact Us" feature, and explain that prior results do not guarantee future results). Certain industry designations or disclosures may be required (e.g., Attorney Advertising Notice). A website auditor checks for compliance with the specific rules pertinent to a particular profession.

A website auditor can also examine a website's privacy policy to ensure that it complies with state and federal law, and that the statements made by the website operator are accurate. Privacy policies should be clearly designated (under California's "Shine the Light" law,[3] privacy policies for websites interacting with California residents should have a separate heading) and comply with several distinct requirements, such as notice to the visitor, identification of personal information collected and contact information for visitors who want to know what personal information was collected and how it was/will be used.[4]

Consideration should be given to the types of information collected; storage and transport of such information; whether the website is static or interactive; whether users can submit sensitive information, such as names, addresses and credit card information, that may require additional technological safeguards and disclaimers within the website policies; and what else might be done with the information collected.

Failure to properly notify the public of certain disclaimers or conditions on the use of the website or the intent to use information can result in exposure of the website operator to claims of breach of contract, breach of privacy, breach of data security or even copyright infringement.

Copyrights

If it is on the Internet, it is free to use. It is on the Internet, so it is in the public domain. If there is no copyright notice, it is not copyrighted. These are common assumptions that are wrong.

The era of "right click, copy; right click, paste" has made Internet copyright infringement one of the most common violations of intellectual property rights. Websites often contain text and images created by others. With technology so advanced that even a piece of an image can be identified on a website, operators must be sure that all materials on a website are properly licensed from their respective owners. Proper vetting of all copyrighted material can help shield a website operator from potential liability. It is not sufficient to claim that an image is from royalty-free sources. The specific licenses must be reviewed.

Stock art and photo houses often limit these royalty-free images to non-commercial use or use in connection with content that the creator deems acceptable. For example, it is important to know if the context in which a photograph is used on a company's website is permitted (some stock art companies limit the license by prohibiting a use that depicts, for example, a "model in a sensitive way, i.e. mental or physical health issues, substance abuse, criminal behavior, sexual activity or preference without a disclaimer"[5]).

Websites that permit uploading of content (including images) pose specific risks to an operator, including, among other risks, copyright infringement, trademark infringement, violation of rights of publicity and promotion, trade libel, defamation and dissemination of false information. While there are federal statutes that provide some defense (e.g., the Communications Decency Act[6] and the DMCA[7]), a website audit can suggest techniques to minimize the risk of liability.

When an operator permits others to post content on a site, it is critical to enlist the protections of the DMCA, which places the burden of a take-down procedure on the website operator, but requires the aggrieved party to take action to put the operator at risk of exposure. The operator can shield itself from direct liability exposure by filing a statement with the U.S. Copyright Office identifying the operator's DMCA agent, by establishing a takedown procedure, and by paying a fee.

Trademarks

Trademark law is intended to protect consumers from imposters using the marks of another to sell their own products or services. The law protects the mark's capacity to serve as a source identifier in order to secure the integrity of the marketplace. It is therefore critical that any use of another's trademark be considered a "trademark fair use." A website audit can give guidance on this issue.

Public-facing content, however, is not the only source of potential liability. Courts have found that even the use of a competitor's marks within a website's meta tags (special HTML tags used to store information about a Web page that is not displayed in a Web browser) can be sufficient grounds for an injunction based on trademark infringement and likelihood of confusion.[8] The use of keyword advertising can also pose issues for a website operator. While this area of the law is still developing, proper precautions can decrease risk, and a website auditor's review of internal policies and structures can assist in this regard.

Patents

Following a court ruling in 1998 that a method of doing business could be patentable subject matter, whether or not it required the aid of a computer, provided it produced a "useful, concrete and tangible result," numerous patents were granted for business methods related to the Internet, including new online ordering processes or unique Internet advertising schemes.[9] Several lawsuits have been filed concerning the use of patented methods on websites.[10]

While these suits may be defensible, the legal costs associated with the defense can be staggering. It may not be easy to determine whether a website is infringing a patent, but most companies are not in the business of developing their own websites. When a web developer is engaged to build a site, it is imperative that the web development agreement have requisite indemnity provisions and the developer be insured against claims for infringement. A website audit can highlight deficiencies and suggest ways to help minimize the exposure.

Privacy and Right of Publicity

Smartphone devices with still and video cameras can easily upload files to the Internet, causing the population of websites displaying images of people to blossom. Reusing client-created comments and content for marketing purposes can be an effective way to develop goodwill for a website. However, the expansion of such uses creates the potential for websites to use the images of individuals without their permission. Using images and information that may identify someone without permission can lead to a possible suit and should be reviewed prior to publishing.[11] All content should be vetted to ensure that even accidentally captured information is identified and cleared for use, especially when minors are involved. A website audit can identify problematic uses and establish proper procedures to avoid such exposure.

Other areas that can be audited include whether an e-commerce site has proper terms of sale and a proper return policy, whether the payment process is "PCI-compliant" and whether a website that collects "personally identifiable information" has the appropriate levels of security to thwart a cyber attack.

Operator's IP

A complete website audit will not only identify those areas that pose a risk to the operator but also help the operator secure its rights and protect its intellectual property. A website audit can ensure that the operator has proper trademark and copyright protection, that the website is registered periodically with the U.S. Copyright Office and that the ownership of the website domain is properly titled.

While the web development agreement is reviewed for indemnity obligations, it should also be reviewed to determine who retains the rights to the website. Often, web developers will build in maintenance and support obligations and fail to give over rights to the web design. Thus, if the operator decides to terminate the relationship, he or she may be unable to make changes to the website or transfer the design to a new support organization. A website audit can determine the rights of the operator and suggest renegotiation before a problem arises.

Insurance

A website audit can also determine whether insurance should be purchased for the online activities of the operator, or whether an existing insurance portfolio of the operator provides sufficient coverage. Insurers are evaluating these Internet exposures, and many have taken steps to eliminate the basic claims from coverage, prompting the emergence of new Internet-specific policies. A website audit can determine whether such coverage is warranted.

Conclusion

The operation of a website brings many potential areas of exposure if the risks are not properly evaluated and addressed. While the risks are fairly easy to manage and remediate once they are identified, a company may wish to engage a professional to perform a website audit at regular intervals to ensure all proper notices and disclaimers are in place, the operator's intellectual property rights are protected and potential liability is avoided. We note, however, that these recommendations are not all-inclusive and they change quickly with the continued evolution of the web.

Addressing the issues discussed here will help ensure that a website meets all necessary compliance requirements on a federal, state and local level, and that the operator's intellectual property is protected.


Adam R. Bialek is a partner at Wilson Elser and chair of the firm's Intellectual Property practice. Juan P. Rodriguez, an associate at the firm when the article was written, is admitted to practice before the U.S. Patent and Trademark Office.

Endnotes:

1. Parts Geek, LLC v. US Auto Parts Network, 2010 U.S. Dist. LEXIS 32385 (D.N.J. April 1, 2010).

2. 17 U.S.C. §512.

3. Cal. Civ. Code §1798.83.

4. Cal. Civ. Code §1798.83(b)(1)(B). Cal. Civ. Code §1798.83(b)(1)(C).

5. See istockphoto.com/help/licenses (last visited June 18, 2012).

6. 47 U.S.C. §230.

7. 17 U.S.C. §512.

8. Deltek v. Iuvo Sys., 2009 U.S. Dist. LEXIS 33555 (E.D. Va. April 20, 2009).

9. See State Street Bank & Trust Co. v. Signal Financial Group, 149 F.3d 1368 (Fed. Cir. 1998), cert. denied 119 S. Ct. 851 (1999).

10. See, e.g., CEATS v. Continental Airlines, et al., No. 6:10-CV-120 (E.D. Tex.); Orion IP v. Hyundai Motor America, No. 6:05-CV-00322-LED (E.D. Tex.).

11. Boring v. Google, No. 09-2350, 2010 U.S. App. LEXIS 1891 (3d Cir., Jan. 25, 2010). The Borings sued Google for invasion of privacy and trespass after Google's Street View® car drove down their private road and captured the Borings' house and pool on its camera, which was then displayed in Google's Street View feature.