E-Commerce Law Week, Issue 360

Be Careful What You Wish For . . .  Congress Proposes Data Security Bills
With state legislatures falling all over each other in the rush to enact data security legislation, it’s easy to forget that Capitol Hill also is a hotbed of data security legislative proposals.  The newest proposal on the Senate side comes from Sens. Arlen Specter (R-PA) and Patrick Leahy (D-VT).  S. 1332, the “Personal Data Privacy and Security Act of 2005,” is 91-page bill that would, among other things, require almost every entity that collects, accesses, transmits, stores, or disposes of personally identifiable information in digital or electronic form to provide notifications of a security breach that affected more than 10,000 individuals nationwide or affected a network or database associated with more than 1,000,000 individuals nationwide.  And on the House side, a somewhat narrower (and as-yet unnamed) data security bill has been proposed that would require the Federal Trade Commission (FTC) to issue rules requiring entities to establish reasonable security measures and to provide notice for security breaches.  This proposal takes a far less comprehensive approach to data security than the Specter-Leahy bill, but in doing so it delegates a great deal of regulatory authority and oversight to the FTC. 

While federal legislation with a preemption clause could provide welcome relief from a patchwork of state state security obligations, the ambitious scope of some of the federal proposals suggest that business could get more than it bargained for, absent some determined advocacy on the Hill.

Second Circuit Pop-up Ad Decision -- Websites as Storefronts?
Is an Internet website more like a storefront -- facing competition from other stores in the neighborhood -- or an exclusive economic zone over which the website owner has full control?  In the latest act of a continuing Internet-based advertising courtroom drama, the US Court of Appeals for the Second Circuit has provided a partial answer to that question in reversing a district court ruling against adware company WhenU.com.  The Second Circuit found that WhenU does not “use” the trademarks of contact lens company 1-800 Contacts within the meaning of the federal Lanham Act, and reversed a preliminary injunction that prevented WhenU from displaying advertisements to users accessing 1-800 Contacts’  website .  But because the Second Circuit's June 27 decision in 1-800 Contacts, Inc. v. WhenU.com, Inc. focuses on WhenU’s particular practices -- and even contrasts them to those of “other internet advertising companies … that ‘sell’ keyword trademarks to its customers” (e.g., Google, Yahoo! and others) -- the ultimate impact of the decision on the developing law regarding the legality of keyword-based advertising is unclear. 

Perhaps the most important aspect of the decision is its conclusion that displaying an advertisement that is triggered by a visit to a particular website does not necessarily infringe trademark rights of the site owner.  Of course, in the real world, buying billboard space next to your competitor's store is also not a trademark infringement.  But website owners have asserted broader rights in cyberspace, and the Second Circuit's decision limiting those rights is significant.

A New Norme for French Data Protection Law
The French data protection authority (the Commission Nationale de L’Informatique et des Libertes (“CNIL”)) has given us a lot to talk about lately.  While some of the CNIL's actions have reflected its traditionally strict approach to data protection law (e.g., the rejection of whistleblower programs on which we reported earlier this month), the CNIL has shown a marked increase in flexibility in its attitude toward data protection in the commercial content.  In March, we reported that the CNIL adopted an "opt-out" rule for unsolicited commercial emails sent to businesses.  More recently, the Norme Simplifiée No. 48-05 (“Norme”), adopted by the CNIL on June 7 and released on June 22 with an explanatory statement, instituted relaxations of data protection procedures for customer information.  This approach to data protection may reflect a growing realization in France that greater commerciality in public policy is needed to reinvigorate the persistent weakness of the French economy (which played a major role in the recent French "No" vote on the proposed EU Constitution).

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.