July 2021 Update
Even when a work is comprised of unprotectable elements, copyright protection may still exist for a work based on the original selection and arrangement of unprotected elements. Skidmore v Led Zeppelin (9th Cir 2020) 952 F3d 1051, 1074; Apple Computer, Inc. v Microsoft Corp. (9th Cir 1994) 35 F3d 1435, 1446. To qualify, the work must contain numerous original selections and arrangements of unprotected elements. Skidmore, 952 F3d at 1074. The copyright protection, however, only protects the particular way the unprotected elements are selected and arranged. See §1.2.
Short phrases are not entitled to copyright protection. Corbello v Valli (9th Cir 2020) 974 F3d 965, 977 (phrase “social movement” was not subject to copyright protection); Grosso v Miramax Film Corp. (9th Cir 2004) 383 F3d 965, 967 (poker jargon not subject to copyright protection); Narell v Freeman (9th Cir 1989) 872 F2d 907, 911. In addition, names, titles, and slogans are not copyrightable subject matter. BeyondBlond Prods. v Heldman (CD Cal, Aug. 17, 2020, No. CV 20-5581 DSF (GSJx)) 2020 US Dist Lexis 150556; 37 CFR §202.1(a). But tweets could contain sufficient original expression by the author to be subject to copyright protection. Kaseberg v Conaco, LLC (SD Cal 2017) 260 F Supp 2d 1229. See §1.2.
If a work presents certain information as facts (including dialogue) and the author subsequently claims the facts or dialogue are fictionalized, courts will treat the fictionalized facts as unprotectable expression. Previously, this legal theory was called copyright estoppel, but the Ninth Circuit rebranded it as the “asserted truths doctrine.” The asserted truths doctrine will apply irrespective of whether the work is disseminated to the public. Corbello, 974 F2d at 978. See §1.2.
An interesting issue arises when a person creates an unauthorized recording of a live performance. Examples include bootleg recordings of live concerts and unauthorized recordings of live performances. Under the Copyright Act, such recordings are not entitled to copyright protection because the recordings are not fixed by or under the authority of the author (i.e., the performers). Performers of bootlegged musical performance have a cause of action against bootleggers, despite not having ownership. Kihn v Bill Graham Archives, LLC (CD Cal 2020) 445 F Supp 3d 234, 256. See §1.2.
Literary and graphic characters are subject to copyright protection when they “constitute the story being told in a work.” Daniels v Walt Disney Co. (9th Cir 2020) 958 F3d 767, 773. The Ninth Circuit described this as “a high bar, since few characters so dominate the story such that it becomes essentially a character study”; ancillary characters that are “only the chessman in the game of telling the story” are not entitled to copyright protection. 958 F3d at 773. See §1.4.
The U.S. Supreme Court has created the “government edicts doctrine,” which applies to state and local governments as well as to the federal government (see 17 USC §105). Georgia v Public.Resource.Org, Inc. (2020) ___ US ___, 140 S Ct 1498, 1506. The doctrine applies to works created by judges and legislators in the course of their judicial or legislative capacities (e.g., judicial opinions, statutes, and legislative histories). The doctrine can also apply to works created by private entities through a work made for hire agreement with the legislature and when the work serves a legislative function, such as annotations to statutes. 140 S Ct at 1508. In contrast, the government edicts doctrine does not extend to parts of a court reporter created by a private party and not subject to a work made for hire agreement, like headnotes, summaries, syllabi, and tables of contents. 140 S Ct at 1507. See §1.4D.
It is well settled that the voluntary, unauthorized downloading, copying, and uploading of copyrighted works violates the reproduction right. See Oracle Am., Inc. v Hewlett Packard Enter. Co. (9th Cir 2020) 971 F3d 1042, 1050. See §1.9.
A licensee of an exclusive copyright has standing to sue for copyright infringement if the infringement occurred during the term of the license and the infringement implicated the specific right held by the licensee. Tresona Multimedia, LLC v Burbank High Sch. Vocal Music Assoc. (9th Cir 2020) 953 F3d 638, 645. If, however, less than all co-owners of a copyright attempt to independently grant an exclusive license, the licensee does not have standing to sue. This result dovetails with the principle that the holder of a nonexclusive license does not have standing to use. 953 F3d at 646. See §1.16.
To show substantial similarity, the Ninth Circuit employs a two-part test: An objective, extrinsic test and a subjective, intrinsic test. The extrinsic test has three parts: First, the plaintiff must identify similarities between the copyrighted work and the accused work. Second, the court must determine which similarities constitute protectable material and which are unprotectable material or material the use of which has been authorized. Finally, after disregarding the unprotectable and authorized-use material, the court must determine the scope of protection for the work as a whole. Corbello v Valli (9th Cir 2020) 974 F3d 965, 974. See §1.22.
Contributory infringement has a threshold requirement of direct infringement by third parties. Vicarious infringement has a threshold requirement of direct infringement by third parties. Oracle Am., Inc. v Hewlett Packard Enter. Co. (9th Cir 2020) 971 F3d 1042, 1050. See §1.25.
Bootlegging is the unauthorized fixation of a live performance. Because the copy is not made by or under the authority of the author (i.e., the performers), bootleg copies of live performances are not entitled to copyright protection. Kihn v Bill Graham Archives, LLC (CD Cal 2020) 445 F Supp 2d 234, 256. Congress has created a cause of action for music performers who are victims of bootlegging. See 17 USC §1101. Under §1101, bootlegging only applies to the unauthorized recording, public performance, or distribution of musical peformances. If the plaintiff has standing under §1101, the plaintiff has the same remedies as provided in 17 USC §§502 and 505. See §1.29A.
The 3-year statute of limitations starts running when the plaintiff has constructive knowledge of the claim, not actual knowledge. Oracle Am., Inc. v Hewlett Packard Enter. Co. (9th Cir 2020) 971 F3d 1042, 1047. Constructive knowledge is defined as enough information to warrant an investigation which, if reasonably diligent, would lead to the discovery of the claim. 971 F3d at 1047. Whether the plaintiff conducted an investigation is irrelevant. See §1.30.
In interpreting the scope of a copyright license, courts will employ state law canons of contract construction, but only to the extent those rules of interpretation do not interfere with federal copyright law or policy, chief among them the policy to protect authors’ rights. Oracle Am., 971 F3d at 1051. Interpreting a license is a question of law. Great Minds v Office Depot, Inc. (9th Cir 2019) 945 F3d 1106, 1110. See §1.31.
The Copyright Act grants courts discretion to award costs and “reasonable attorney’s fee[s]” to the prevailing party. 17 USC §505. Not all claims involving copyrights are subject to §505; rather, only claims involving the validity of a copyright and copyright infringement (including declaratory relief actions) are subject to that section. Doc’s Dream, LLC v Dolores Press, Inc. (9th Cir 2020) 959 F3d 357, 359. Claims and defenses that do not require making legal determinations under the Copyright Act, such as an accounting or failure to pay royalties under a license, are not subject to §505. 959 F3d at 361. See §1.35.
On December 27, 2020, the Copyright Alternative in Small-Claims Enforcement Act of 2020 (the CASE Act) (17 USC §§1501–1511) was enacted as part of the Consolidated Appropriations Act, 2021 (116 Pub L 260, 134 Stat 1182). The CASE Act establishes a Copyright Claims Board (CCB) in the Copyright Office to hear copyright infringement matters. The CASE Act (1) caps damages at $30,000 total (including statutory damages of $15,000 per work, and $7500 per work for which an application was not filed in accordance with 17 USC §412 timelines); (2) provides an opt-out alternative for the respondent; (3) includes streamlined procedures that limit discovery and rely mostly on written materials; (4) allows claims by both copyright owners and users for infringement and exceptions and limitations, respectively; and (5) includes additional fees for bad faith claimants and bars those who repeatedly abuse the system. See §1.35A.
Congress attempted to abrogate sovereign immunity for copyright infringement lawsuits by enacting 17 USC §511(a). However, the Supreme Court held that US Const Art I, §8, cl 8 (the Intellectual Property clause) and §5 of the Fourteenth Amendment are insufficient for Congress to abrogate sovereign immunity. Allen v Cooper (2020) ___ US ___, 140 S Ct 994. See §1.36.
Whether a specific use constitutes a “fair use” or an infringement is not subject to a bright-line analysis, and requires a case-by-case approach. Dr. Seuss Enters., L.P. v ComicMix LLC (9th Cir 2020) 983 F3d 443, 451. See §1.39.
In Google LLC v Oracle Am., Inc. (2021) 593 US ___, 141 S Ct 1183, Google had copied a limited part of the so-called declaring code portion of the Sun Java SE program—that portion of the program called an Application Programming Interface (API). The Supreme Court held, as a matter of law, that Google’s copying of part of the Sun Java API was a fair use. Google’s copying involved only those lines of code necessary to allow software developers to put their skills to work creating a brand new and transformative program (the so-called implementing code) for Google’s new Android smartphone platform. See §§1.40, 1.41, 1.49A, 1.50, 1.54, 1.55.
The unauthorized use of intellectual property within video games is becoming a heavily litigated issue. In Solid Oak Sketches, LLC v 2K Games, Inc. (SD NY 2020) 449 F Supp 3d 333, a tattoo artist sued the publisher of the National Basketball Association (NBA) video game series for depicting Solid Oak’s tattoo designs on certain digitized versions of NBA players in the video game. The district court held that the depiction of player tattoos in the video game was transformative because the original purpose was for the players to express themselves through body art, while the tattoos in the video game were used to help identify the players themselves and the particulars of the tattoos were not observable. 449 F Supp 3d at 347. See §1.45D.
An issue arises with e-commerce websites that allow third parties to sell products on the website, such as Amazon and eBay. Courts have found that when the website is not actively involved in the listing, bidding, sale, and delivery of the infringing content, there is no right and ability to control. See Hendrickson v eBay, Inc. (CD Cal 2001) 165 F Supp 2d 1082, 1094; Hendrickson v Amazon.com, Inc. (CD Cal 2003) 298 F Supp 2d 914, 918. However, print on demand websites that allow users to submit images to be printed on a wide variety of products do have the right and ability to control infringement. See Sid Avery & Assocs. v Pixels.com, LLC (CD Cal, Feb. 24, 2021, No. CV 18-10232-CJC (JEMx)) 2021 US Dist Lexis 35620. See §1.80.
Automated takedown notices (also known as robo-notices) are particularly problematic under the subjective good faith belief requirement, because automated processes cannot make determinations on fair use or whether the party had a license. A key takeaway is that although automated processes can identify potential infringement, it is good practice to have an individual review the use and make a fair use/license determination prior to issuing the notice. See Enttech Media Grp. LLC v Okularity, Inc. (CD Cal. Oct. 2, 2020, No. 2:20-cv-06298 RGK (Ex)) 2020 US Dist Lexis 222489. See §1.83.
There is a fine line between how comprehensive a response to an examiner’s rejection should be and how cursory a response can be to achieve allowance. If a response is comprehensive, the applicant increases the likelihood that statements made in the response can be used against the applicant during litigation. If the response is too cursory, the applicant runs the risk of forfeiting an issue on appeal. See, e.g., In re Google Tech. Holdings LLC (Fed Cir 2020) 980 F3d 858, 863 (“we decline to hear Google’s new arguments…. Google has not provided any reasonable explanation as to why it never argued to the examiner during the iterative examination process or later to the Board”). See §2.10.
The venue where a corporate defendant can be sued is becoming more limited. Under the patent venue statute, 28 USC §1400(b), a patent infringement suit can be brought against a defendant “in the judicial district where the defendant resides, or where the defendant has committed acts of infringement and has a regular and established place of business.” With respect to the residency requirement, the Supreme Court has held “a domestic corporation ‘resides’ only in its State of incorporation for purposes of the patent venue statute.” TC Heartland v Kraft Foods Group Brands (2017) ___ US ___, 137 S Ct 1514, 1517. With respect to the requirement of a regular and established place of business, the Federal Circuit has held “(1) there must be a physical place in the district; (2) it must be a regular and established place of business; and (3) it must be the place of the defendant.” In re Cray, Inc. (Fed Cir 2017) 871 F3d 1355, 1360. See §2.16A.
An inter partes review (IPR) is available for patents regardless of the effective filing date; however, for applications filed on or after March 16, 2013, an IPR cannot be filed until 9 months after the patent is granted or, if a PGR was filed, after termination of the PGR, whichever is later. Grounds for initiating an IPR are limited to anticipation and obviousness based only on patents and printed publications. 35 USC §311(b). See also Samsung Electronics America v Prisua Engineering (Fed Cir 2020) 948 F3d 1342, 1350. Note, however, that once the IPR is instituted, any substitute claim can be reviewed for compliance with other patentability requirements, such as whether the substitute claim meets the patent eligibility standard of 35 USC §101, even though patent eligibility is not a grounds to initiate the IPR. See UNILOC 2017 LLC v HULU, LLC (Fed Cir 2020) 966 F3d 1295, 1304. See §2.17.
It is important to keep in mind that the two-step patent eligibility test is applied to the claims. Therefore, when relying on a feature of the invention to demonstrate patent-eligible subject matter, that feature should be expressly recited in the claims and not left as an inference based on the written description. In Ericsson v TCL Communication Technol. Holdings (Fed Cir 2020) 955 F3d 1317, Ericsson argued that the inventive concept that transforms the claims into patent-eligible subject matter was in a particular layered software architecture, which was described in the written description. 955 F3d at 1328. The Federal Circuit rejected Ericsson’s arguments because the features relied on were not expressly claimed: “Ericsson misstates the role of the specification, which ‘cannot be used to import details from the specification if those details are not claimed.’” 955 F3d at 1328 (citation omitted). See §2.18A.
In Simio, LLC v Flexsim Software Products, Inc. (Fed Cir 2020) 983 F3d 1353, however, the Federal Circuit continued to carve out a distinction between improving a computer’s functionality (which could be patent-eligible subject matter) versus improving a user’s experience (which is considered an abstract idea) with a new program or software. The court held that a computer-based system that utilizes graphics instead of writing programming code to create object-oriented simulations was directed to an abstract idea because it did not improve computer functionality, but rather, the user experience. Similarly, in Customedia Technol., LLC v Dish Network Corp. (Fed Cir 2020) 951 F3d 1359, the Federal Circuit found a data delivery system for providing automatic delivery of multimedia data products from one or more multimedia data product providers, although possibly improving the abstract concept of targeted advertising, did not improve the actual functioning of the computer itself because the computer was merely being used as a tool in a system for advertising. 951 F3d at 1365. See §2.19.
A generic second-level domain (SLD) combined with a top-level domain suffix such as “.com” or “.biz” (TLD) can create a descriptive mark that is eligible for protection on proof that it has acquired distinctiveness or secondary meaning. See United States Patent and Trademark Office v Booking.com BV (2020) ___ US ___, 140 S Ct 2298. In Booking.com, the U.S. Supreme Court rejected the USPTO’s sweeping rule that a trademark consisting of a generic word plus “.com” is generic as a matter of law. The Court found that “[a] compound of generic elements is generic if the combination yields no additional meaning to consumers capable of distinguishing the goods or services.” 140 S Ct at 2306 (emphasis in original). Finally, the Court held that “[w]hether any given ‘generic.com’ term is generic … depends on whether consumers in fact perceive that term as the name of a class or, instead, as a term capable of distinguishing among members of the class.” 140 S Ct at 2307. See §3.45.
In Starbucks Corp. v Wolfe’s Borough Coffee, Inc. (2d Cir 2009) 588 F3d 97, 110, the Court of Appeals for the Second Circuit rejected Starbucks’ claim that Wolfe’s Borough Coffee’s use of the CHARBUCKS mark for coffee resulted in tarnishment because the Charbucks line of coffee was marketed as a product of very high quality. See §3.65.
“[A] famous mark is one that has become a ‘household name.’” Blumenthal Distrib., Inc. v Herman Miller, Inc. (9th Cir 2020) 963 F3d 859, 870 (quoting Thane Int’l, Inc. v Trek Bicycle Corp. (9th Cir 2002) 305 F3d 894, 908). Other examples of trademarks that have been found to be famous include NIKE (Nike, Inc. v Nikepal Int’l, Inc. (ED Cal Sep. 7, 2007, No. 2:05-cv-1468- GEB-JFM) 2007 US Dist Lexis 66686); STARBUCKS (Starbucks Corp. v Wolfe’s Borough Coffee, Inc. (2d Cir 2009) 588 F3d 97, 105); and the trade dress of Apple’s iPhone (Apple, Inc. v Samsung Electronics Co., Ltd. (ND Cal 2013) 920 F Supp 2d 1079, 1097). See §3.66.
In Vazquez v Jan-Pro Franchising Int’l, Inc. (2021) 10 C5th 944, the California Supreme Court held that Dynamex Operations W., Inc. v Superior Court (2018) 4 C5th 903 applies retroactively to all nonfinal cases that predate the effective date of the Dynamex decision. See §4.13.
The ABC test in the Dynamex decision was first codified by the California state legislature in 2019 with the enactment of AB 5 (Stats 2019, ch 296). Assembly Bill 5 specifically codified the presumption of employee status in Dynamex but added a number of exceptions. The legislature amended the provisions of AB 5 in 2020, by enacting AB 2257 (Stats 2020, ch 38) and AB 323 (Stats 2020, ch 31). The California statutes now applicable to independent contractor classification are Lab C §§2775–2787 and the statutes enacted by Proposition 22 (Bus & P C §§7448–7467 and Rev & T C §17037). See §4.13.
Labor Code §§2775–2787 apply generally for purposes of the Labor Code and the Unemployment Insurance Code, and for purposes of wage orders issued by the Industrial Welfare Commission. See Lab C §2775(b)(1). They do not distinguish between exempt and nonexempt employees, except those listed in Lab C §§2776–2784, subject to specified conditions. See §4.14.
The ABC test in the Dynamex decision was first codified by the California state legislature in 2019 with the enactment of AB 5 (Stats 2019, ch 296). The legislature amended the provisions of AB 5 in 2020 by enacting AB 2257 (Stats 2020, ch 38) and AB 323 (Stats 2020, ch 31). The statutes enacted by the legislature that are now applicable to independent contractor classification are Lab C §§2775–2787. The ABC test for employee status in Dynamex is specifically codified in Lab C §2775(b)(1). See §4.14A.
Labor Code §§2776–2784 contain an extensive list of occupations and relationships that are excepted from the ABC test, subject to certain conditions specified in the statutes. The exceptions include, without limitation, professional service providers including graphic designers, fine artists, photographers, photojournalists, freelance writers, editors, and content contributors; recording artists, songwriters, and musicians; construction industry contractors and subcontractors; certain licensed professionals including insurance brokers, real estate brokers, physicians, dentists, other health care professionals, lawyers, architects, engineers, accountants, private investigators, securities brokers, and investment advisers; direct sales salespersons; and commercial fishermen. The conditions specified for each exception are detailed and must be reviewed carefully. Workers who do not satisfy the conditions of the ABC test and are not expressly excepted in the statutes are evaluated in accordance with the California Supreme Court’s prior decision in Borello. See Lab C §§2775(b)(3), 2785(d). See §4.14A.
In November 2020, California voters approved Proposition 22 (Bus & P C §§7448–7467 and Rev & T C §17037), a measure sponsored by Uber, Lyft, and DoorDash, which allows app-based ride-hailing and delivery companies (called “network companies” under the measure, see Bus & P C §7463) to continue treating their workers as independent contractors provided that the companies offer certain benefits to those workers. In effect, Proposition 22 creates an additional exception to Lab C §2775(b)(1). See §4.14A.
In 2020, the State Bar’s Standing Committee on Professional Responsibility and Conduct issued California State Bar Formal Opinion No. 2020–203, available at https://www.calbar.ca.gov/Portals/0/documents/ethics/Opinions/Formal-Opinion-No-2020-203-Data-Breaches.pdf, to address lawyers’ obligations in the face of data breaches, i.e., situations where unauthorized third parties have obtained access to electronically stored confidential client information in a lawyer’s possession. The opinion provides that lawyers who use electronic devices containing confidential client information must assess the risks of keeping such data on electronic devices and computers, and take reasonable steps to secure their electronic systems to minimize risk of unauthorized access. In event of a breach, lawyers have an obligation to conduct a reasonable inquiry to determine the extent and consequences of the breach and to notify any client whose interests have a reasonable possibility of being negatively impacted by the breach. See §6.57.
Companies that use facial recognition technologies or that process biometric information likely need to obtain affirmative express consent from consumers prior to data collection or processing, but should always process data consistent with their privacy policies and other affirmative consumer-facing representations. See In re Everalbum, Inc. (January 11, 2021) FTC File No. 1923172 (see https://www.ftc.gov/enforcement/cases-proceedings/1923172/everalbum-inc-matter). In its administrative complaint, the FTC alleged that a California company, Everalbum, Inc., misrepresented the manner in which it applied facial recognition technology to photos and videos that consumers uploaded through the “Ever” mobile application, browser application, and social media accounts for storage on Everalbum’s cloud-based storage service. See §9.9.
In IMDb.com, Inc. v Becerra (9th Cir 2020) 962 F3d 1111, the court ruled that CC §1798.83.5 was unconstitutional for violating a website’s First Amendment speech rights. Civil Code §1798.83.5 was passed with the intention of prohibiting commercial online entertainment employment service providers from publishing or sharing a subscriber’s date of birth or age information in online profiles; however, it was subsequently found to restrict noncommercial speech in violation of the First Amendment and invalidated. See §9.18.
In November 2020, California voters approved Proposition 24, called the California Privacy Rights Act of 2020 (CPRA). See https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf. As described in §9.18B, when it becomes effective, the CPRA will make significant changes to the California Consumer Privacy Act of 2018 (CCPA) (CC §§1798.100–1798.199.100). The CPRA amends the original CCPA in several significant ways, including the establishment of a new law enforcement agency, a new definition of “sensitive data” with further limits on use and sharing, and expanded liability for data breaches. The CPRA grants consumers the right to opt out of a business’s sharing of personal information and requires that business implement certain methods to allow consumers to exercise that right. A business engaged in sharing must provide a link on the homepage of the business’s website titled “Do Not Sell or Share My Personal Information.” CC §1798.135(a). The CPRA broadens the scope of the original CCPA’s small business exemption by raising the threshold for applicability to businesses that process for commercial purposes personal information of from 50,000 to 100,000 consumers or households. See CC §1798.140(d)(1)(A). In general, the CPRA takes effect on January 1, 2023. Many of the obligations found in the original CCPA remain in effect in the CPRA, but the CPRA includes additional obligations. Businesses should start preparing now for the CPRA because it has a “look back” provision to January 1, 2022. See §§9.18A–9.18B.
In 2020, mobile app developer Hyperbeard settled FTC charges that it violated the Children’s Online Privacy Protection Act of 1998 (COPPA) (15 USC §§6501–6506) by allowing third-party ad networks to collect personal information from children playing the company’s child-directed games, without notifying parents or obtaining verifiable parental consent as required by COPPA. The settlement highlights an operator’s strict liability under COPPA for data collected by third parties through its service. Here, Hyperbeard had not notified the third-party ad networks embedded within its apps that the apps were directed to children. In the settlement, Hyperbeard agreed to pay a $4 million civil penalty, suspended on payment of $150,000. See https://www.ftc.gov/news-events/press-releases/2020/06/developer-apps-popular-children-agrees-settle-ftc-allegations-it. See §9.33.
From 2016 to 2020, many U.S. data importers relied on the Privacy Shield Framework agreed to by the EU Commission and the U.S. for data transfers and enforced by the U.S. Department of Commerce and the FTC through cooperation with EU data protection authorities. However, in July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield as a transfer mechanism in the Schrems II case. See Data Protection Commissioner v Facebook Ireland Ltd & Maximillian Schrems, Case C-311/18 (July 16, 2020). Data transfers reliant on Privacy Shield are no longer lawful, and U.S. data importers that relied on Privacy Shield must update their policies and practices, as well as turn to an alternative transfer mechanism. See §9.38.
Most U.S. data importers rely on Standard Contractual Clauses (SCCs), which are agreements executed by data exporters and data importers to ensure appropriate safeguards for the transfer of personal data. SCCs are not without risk, however, because the CJEU indicated in its July 2020 ruling that data transfers to the U.S. may be inherently problematic due to government surveillance issues and may require supplemental measures by data exporters and data importers to protect personal data. In addition, in November 2020, the EU Commission published revised draft SCCs that, if approved, would replace the current SCCs. Businesses that export or receive personal data from the EU should pay close attention to developments around the SCCs. See §9.38.
Advertising on the Internet
An attorney is not responsible for the content of an attorney’s profile on a professional online directory and rating website created and maintained by a third party. However, if the attorney chooses to exercise control over the profile’s content by “adopting” the profile on the directory itself or otherwise using the profile to market the attorney’s practice, the attorney becomes responsible for its content. State Bar Formal Opinion No. 2019–199. See §17.10D.
As part of the Notification and Federal Employee Anti-discrimination and Retaliation Act of 2002 (No FEAR Act) (Pub L 107–174, 116 Stat 566), the federal government creates and disseminates resources for individuals to protect themselves and recover from cyberattacks. These resources are available at this website, which is continually updated: https://www.ready.gov/cybersecurity. See §18.3.
The State Bar of California’s Standing Committee on Professional Responsibility and Conduct (COPRAC) Formal Opinion No. 2020–203 provides that attorneys who use electronic devices that contain confidential client information must assess the risks of keeping such data on electronic devices and computers, and take reasonable steps to secure their electronic systems to minimize the risk of unauthorized access. In the event of a breach, lawyers have an obligation to conduct a reasonable inquiry to determine the extent and consequences of the breach and to notify any client whose interests have a reasonable possibility of being negatively impacted by the breach. See §18.6A.
In United States v Peterson (9th Cir 2019) 776 Fed Appx 533, 534 n.3, the court identified “refrigerators with Internet connectivity, Fitbit™ watches, etc.” as likely falling within the definition of “computer” in the Computer Fraud and Abuse Act (CFAA) (18 USC §1030). See §18.17.
On November 30, 2020, the Supreme Court heard oral argument in Van Buren v United States (11th Cir 2019) 940 F3d 1192, cert. granted (2020) ___ US ___, 140 S Ct 2667. The certified question presented was whether a person who is authorized to access information on a computer for certain purposes violates 47 USC §1030(a)(2) if that person accesses the same information for an unauthorized purpose. In other words, can a defendant be criminally liable for exceeding authorized access? The case should resolve a Circuit split between the First, Fifth, Seventh, and Eleventh Circuits (which have answered “yes”) and the Second, Fourth, Sixth, and Ninth Circuits (which have answered “no”). See §18.19.
The Ninth Circuit, in In re Facebook Inc. Internet Tracking Litig. (9th Cir 2020) 956 F3d 589, addressed whether Facebook’s placement of a persistent cookie on a Facebook user’s computer, and the transmission of URL and other information by that cookie, violated the prohibition in the Electronic Communications Privacy Act of 1986 (ECPA) (Pub L 99–508, 100 Stat 1848) on the interception of electronic communications. Based on the technical nature of the transmission of information to Facebook, the court concluded that Facebook was not a party to the intercepted communication. As a result, the party exception to the ECPA and Facebook could, in theory, be subject to liability under the ECPA. The Ninth Circuit reversed the dismissal of that claim, and remanded to the district court. See §18.28.
The Federal Bureau of Investigation (FBI) provides a mechanism for filing complaints regarding ransomware attacks: https://www.ic3.gov/Home/Ransomware and has issued a Public Service Announcement, available at https://www.ic3.gov/Media/Y2019/PSA191002, warning that ransomware attacks are becoming more targeted, sophisticated, and costly. Ransomware attacks constituted 81 percent of financial-based cyberattacks in 2020. https://atlasvpn.com/blog/ransomware-accounts-for-81-of-all-financially-motivated-cyberattacks-in-2020. See §18.38.
In In re Facebook, Inc. Internet Tracking Litig. (9th Cir 2020) 956 F3d 589, the district court had dismissed a trespass to chattels claim based on its conclusion that the plaintiffs had failed to demonstrate that an actual injury occurred through the transmission of plaintiffs’ browsing history to Facebook. See generally Intel Corp. v Hamidi (2003) 30 C4th 1342, 1351. The Ninth Circuit reversed, finding that plaintiffs’ allegation that Facebook was unjustly enriched was sufficient to confer standing in federal court. 956 F3d at 599. See §18.41.
The defendant in WhatsApp Inc. v NSO Grp. Techs. Ltd. (ND Cal. 2020) 472 F Supp 3d 649, was alleged to be an agent of the Israeli government that manufactured, distributed, and operated surveillance technology designed to intercept and extract information and communications from mobile phones, in particular through the WhatsApp app. Among other claims, WhatsApp Inc. asserted trespass to chattels. The plaintiff did not assert that the actions of the defendant, sending “approximately 1,400 messages out of the 1.5 billion people in 180 countries who use the WhatsApp service … impaired the physical functioning of WhatsApp’s servers.” 472 F Supp 3d at 684. Instead, WhatsApp asserted it had suffered “consequential economic damages, such as the expenditure of resources responding to the breach, and the loss of goodwill in WhatsApp’s business due to a perceived weakness in WhatsApp’s encryption or its services.” 472 F Supp 3d at 685. The court found that WhatsApp had not sufficiently alleged any actual harm arising from the defendant’s actions, and dismissed the complaint with leave to amend. See §18.41A.
In AMA Multimedia, LLC v Wanat (9th Cir 2020) 970 F3d 1201, the court held that the defendant was not subject to personal jurisdiction because he did not purposefully direct his activities at the United States, the U.S. was not the focal point of the website or the harm suffered by the plaintiff; the website lacked a forum-specific focus and the volume of U.S.-generated content did not show that the site was expressly aimed at the U.S. market. See §19.8.
Making a substantial number of sales of goods or services to California residents via one’s own website is sufficient to establish personal jurisdiction. However, sales must be substantial, not random, isolated, or fortuitous. Thurston v Fairfield Collectibles of Georgia, LLC (2020) 53 CA5th 1231, 1240 (company made 8 to 10 percent of its sales to California residents, totaling $320,000 to $375,000 a year; court found that this was “the equivalent of having a brick-and-mortar store in California—a ‘virtual store’”). See §19.9.
First Amendment and Other Speech-Related Liability
The First and Fourteenth Amendments prohibit content-based restrictions on speech. Reed v Town of Gilbert (2015) 576 US 155, 135 S Ct 2218. A content-based restriction is one that “by its very terms, singles out particular content for differential treatment.” IMDb.com Inc. v Becerra (9th Cir 2020) 962 F3d 1111, 1120. Content-based restrictions are “presumptively invalid.” 962 F3d at 1120, quoting R.A.V. v City of St. Paul (1992) 505 US 377, 382, 112 S Ct 2538, 2542. Content-based restrictions are subject to strict scrutiny (i.e., the government must show a compelling state interest for the action and that it was narrowly tailored to achieve that interest). Reed, 576 US at 164, 135 S Ct at 2227. See §20.19B.
If an anti-SLAPP motion is granted, the plaintiff cannot seek leave to amend the dismissed causes of action, even when those actions are based on completely different conduct. See Medical Marijuana, Inc. v ProjectCBD.com (2020) 46 CA5th 869, 900; Simmons v Allstate Ins. Co. (2001) 92 CA4th 1068, 1073. The policy consideration is that allowing leave to amend would effectively circumvent the purpose of the anti-SLAPP statute by allowing protracted and costly litigation. See §20.77.
If federal claims are brought in state court, they may be subject of an anti-SLAPP statute. Patel v Chavez (2020) 48 CA5th 484, 487; Vergos v McNeal (2007) 146 CA4th 1387, 1402. The anti-SLAPP statute will apply to federal claims in state court unless (1) the federal statute provides otherwise, or (2) the anti-SLAPP statute affects plaintiffs’ substantive federal rights and is, therefore, preempted. To date, the federal claims brought in state court that have involved the anti-SLAPP statute have been civil rights claims under 42 USC §1983. Those cases have uniformly held that the anti-SLAPP statute applies to those claims. See Patel, 48 CA5th at 488; Vergos, 146 CA4th at 1392 n4; Bradbury v Supreme Ct. (1996) 49 CA4th 1108, 1118. However, if a federal claim is brought in federal court, the claim is not subject to an anti-SLAPP motion. See §20.77.
In Balla v Hall (2021) 59 CA5th 652, the court of appeal held that anti-SLAPP motions do not have to be denied entirely if the claims are actionable in part because an anti-SLAPP motion can reach separate claims within a single pleaded cause of action. See §20.78.
Reviews posted to an Internet website are protected activity under CCP §425.16(e)(3). Abir Cohen Treyzon Salo, LLP v Lahiji (2019) 40 CA5th 882, 887 (negative Yelp! review for law firm); Wilbanks v Wolk (2004) 121 CA4th 883, 895 (negative review posted on defendant’s own website). The website constitutes a public forum and the consumer protection information is a matter of public interest. Chaker v Mateo (2012) 209 CA4th 1138, 1144. See §20.88.
Speech that might ordinarily be lawful under ordinary circumstances can constitute a breach of contract if a confidentiality agreement is in place. In Monster Energy Co. v Schechter (2019) 7 C5th 781, the California Supreme Court held that, when a settlement agreement contains terms binding the attorney and the attorney signs, the attorney is bound to the agreement, even when the signature block states “approved as to form and content.” 7 C5th at 791. When the agreement does not contain provisions demonstrating the attorney is to be bound, an attorney’s signature under a signature block with the phrase “approved as to form and content” merely signifies that counsel has read the document, the document embodies the parties’ agreement, and counsel sees no issue with the client signing the document. 7 C5th at 792. See §20.93A.
In Murphy v Twitter, Inc. (2021) 60 CA5th 12, 25, the court held that Twitter exercised traditional publisher functions in removing a user’s tweets and suspending his account, thus the lawsuit was barred by 47 USC §230. See §20.125.
In Bolger v Amazon.com, LLC (2020) 53 CA5th 431, 465, the court held that 47 USC §230 did not apply because the plaintiff’s products liability claim was based on the role of Amazon.com in the chain of production and distribution of a defective product, not the contents of the product listing. See §20.126.
On January 21, 2019, the French Data Protection Authority (CNIL) imposed a financial penalty of €50 million against Google, LLC under the GDPR, for lack of transparency, inadequate information, and lack of valid consent to process data for targeted advertising purposes. Google appealed, and on June 19, 2020, the French Administrative Supreme Court (Conseil d’Etat) dismissed Google LLC’s appeal and upheld the fines. This decision represents a landmark in GDPR enforcement, levying the highest fine issued to date under the GDPR in the European Union. See https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc. See §21.11A.
On July 16, 2020, the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II) (Case C-311/18) invalidated the EU-U.S. Privacy Shield as an adequate safeguard when transferring personal data from the EU to the United States. This decision was made primarily due to potential unrestricted U.S. government access. The court stated: “Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons,” For a summary of the ruling, see: https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf. See §21.11C.
The Schrems II case did uphold the use of EU Commission standard contractual clauses (SCCs) for data transfers outside the EU. Note that additional supplementary contractual provisions may be required to be imposed by the data controller to ensure compliance beyond the SCCs depending on the circumstances, in accordance with the European Data Protection Board’s guidance. See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en. Therefore, all data transfers from the EU to other countries now must be assessed on a case-by-case basis to determine whether additional clauses, in addition to those afforded under the SCCs are required. See §21.11C.
Before the Schrems II decision, organizations had been able to self-certify with the International Trade Administration (ITA), which was administering the so-called EU-U.S. Privacy Shield Framework within the U.S. Department of Commerce, through this link: https://www.privacyshield.gov/Program-Overview. As a result of Schrems II (and a parallel decision of a Swiss commission), the ITA’s website now states that the Privacy Shield Framework is no longer a valid mechanism to comply with EU or Swiss data protection requirements when transferring personal data from the European Union or Switzerland to the United States. However, the ITA also states that participants are not relieved of their obligations under the EU-U.S. Privacy Shield Framework, and that the U.S. Department of Commerce will continue to administer the EU-U.S. Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Framework and maintaining the Privacy Shield list. See §20.12.