I.       INTRODUCTION

The legal landscape for companies doing business on the Internet seems to change on a weekly basis. As companies struggle to keep up with the implementation of new laws and regulations, one type of company in particular is caught in the middle of these fast-paced changes: Internet service providers (“ISPs”). This article provides a brief overview of three laws about which every ISP should be aware. These include the Communications Decency Act, the Digital Millennium Copyright Act, and the Children’s Online Privacy Protection Act. The key relevant components of each statute are discussed below. In addition, a brief discussion is set forth with respect to website user agreements, customer agreements, and acceptable use policies.

II.      THE COMMUNICATIONS DECENCY ACT

One question often asked by ISPs is whether an ISP can be held liable for the acts of third parties that occur on its networks, e.g., such as when an allegedly defamatory message is posted on a website hosted on the ISP’s servers. In general, the answer to that question is “no,” but there are some caveats.

In 1996, Congress enacted the Communications Decency Act (“CDA”). Although several provisions of the CDA have been struck down by the United States Supreme Court as unconstitutional, one key section of the CDA remains in effect that essentially immunize “interactive service providers” (including ISPs ) from liability based upon an ISP’s exercise of editorial functions. That section states that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Consequently, “no provider or user of an interactive computer service shall be held liable on account of--

    (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing or otherwise objectionable, whether or not such material is constitutionally protected; or

    (B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

Set forth below are the facts from two (of many) reported cases answering the question of whether an ISP can be held liable for the acts of third parties conducted on or through its network.

      A.    Scenario One

Two vulgar messages are posted to a bulletin board hosted by your ISP by a person claiming to be “Alexander Lunney”. Then, a threatening, profane email that appears to have been authored by “Alexander Lunney” is sent over the ISP’s network. The real Alexander Lunney is a 15 year-old high school student. The real Lunney did not write, authorize, or send the email. Rather, one of your subscribers, who cannot be identified, wrote and sent the email. Lunney sues the ISP, alleging that “he has been stigmatized by being falsely cast as the author of these messages.” Is the ISP that you own liable to Lunney? According to the New York Court of Appeals and, by implication, the U.S. Supreme Court, the answer is “no,” your company is not liable.

       B.      Scenario Two

A group of college athletes are videotaped, without their knowledge or consent, by hidden cameras in restrooms, locker rooms, and showers. The videotapes and still images are displayed and sold over Internet websites hosted by your ISP. The athletes sue your company alleging invasion of privacy, public nuisance, a third-party beneficiaries claim, and a claim for eavesdropping under the Electronic Communications Privacy Act. Sound like a good claim? Is your company liable? According to the federal district court for the Northern District of Illinois, the answer to both questions is “no.”

How can this be? Does it seem fair that young Mr. Lunney should have “no recourse,” or that the male athletes should not be compensated for the severe humiliation they undoubtedly suffered? Perhaps not. In fact, each of the plaintiffs does have recourse—just not against the ISP.

      C.    The Communications Decency Act Immunizes ISPs (To a Certain Extent)

A number of cases from federal jurisdictions, including those noted in the two scenarios presented above, have concluded that the CDA immunizes ISPs from all liability relating to the exercise (or non-exercise) of editorial functions. In the words of one court, the CDA “creates a federal immunity to any cause of action that would make service providers liable for information originating with a third-party user of the service.” Consequently, “lawsuits seeking to hold a service provider liable for its exercise of a publishers traditional editorial functions—such as deciding whether to publish, withdraw, postpone, or alter content—are barred.”

Courts that have interpreted the CDA as applied to ISPs typically focus on Congress’ intent, as demonstrated by the legislative history of the Act, in their reasoning. For example, the rationale underlying the Does 1-30 v. Franco Productions decision, the basis for “Scenario Two” above, notes that “Immunity under the CDA is not limited to service providers who contain their activity to editorial exercises or those who do not engage in web hosting, but rather ‘Congress…provid[ed] immunity even where the interactive service provider has an active, even aggressive role in making available content prepared by others.’”

Although the CDA immunize ISPs from liability for exercise of its editorial functions, an ISP should, of course, continue to use sound reasoning in its business practices. In addition, the CDA does impose certain obligations on ISPs. At the time the ISP enters into an agreement with a customer, it must notify the customer that parental control protections (such as content-filtering software) are available that can limit access to material that is “harmful to minors.” The notice must identify, or provide the customer with access to information identifying, providers of those protections.

      D.    ISPs Must Comply With Obligations Under The Communications Decency Act

While the CDA offers ISPs immunization from liability for the exercise of editorial functions, ISPs must comply with specific obligations under the CDA if they wish to take advantages of the CDA’s protections. The section of the CDA setting forth these obligations reads:

[a] provider of interactive computer service shall, at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors. Such notice shall identify, or provide the customer with access to information identifying, current providers of such protections.

To fulfill its obligations under the CDA, an ISP should take two actions. First, on the homepage of the ISP’s website it should place hyperlinks to providers of content-filtering hardware or software (such as SurfWatch or Net Nanny). Second, the ISP’s Terms of Service, or Subscriber Agreement, should contain a clause that notifies the subscriber of the availability of parental control protections, as well as identify and provide the subscriber with contact information for the providers of such protections. Although it is not clear whether both or just one of these measures would suffice, the marginal cost to do both is well worth the time and money spent.

      E.      Exceptions To Immunity Provided By The Communications Decency Act

It is important to note that the CDA has no effect on criminal laws, intellectual property law, state laws that are consistent with the CDA, the Electronic Communications Privacy Act, the Computer Fraud & Abuse Act, or similar state laws. For this reason, it is critical that ISPs (i) continue to conduct their business in a reasonable and prudent manner and (ii) avail themselves of the limited liability protections offered to “online service providers” under the Digital Millennium Copyright Act.

III.     DIGITAL MILLENNIUM COPYRIGHT ACT

The Digital Millennium Copyright Act (“DMCA”) was enacted by Congress in 1998; it is a complex statute whose length is more than 150 pages. The DMCA was enacted for six primary reasons, only one of which is discussed herein—section 512. Section 512 of the DMCA creates four new categories for limitations of liability for copyright infringement by online service providers. These include limitations of liability for (i) transitory communications, (ii) system caching, (iii) storage of information on systems or networks at the direction of users, and (iv) information location tools. Each of the four limitations results in a complete bar to monetary damages.

In order to invoke the benefits of the limitations of liability provisions must qualify as a “service provider,” as that term is defined in the DMCA. An ISP fits the definition of a “service provider” for purposes of all four limitations of liability. Further, not only must the entity qualify as a service provider in order to take advantage of the limitations, it must also (i) adopt and reasonably implement a policy of terminating in appropriate circumstances the accounts of subscribers who are repeat infringers, and (ii) accommodate and not interfere with ‘standard technical measures ’” as defined in the DMCA. For purposes of this article, a service provider shall be referred to as an ISP.

      A.    Limitation of Liability For Transitory Communications

An ISP is not liable for monetary damages or injunctive relief due to copyright infringement “by reason of the provider’s transmitting, routing, or providing connections for material through a system or network controlled or operated by or for the ISP, or because of the intermediate and transient storage of that material if

        (1)    the transmission of the material was initiated by or at the direction of a person other than the ISP;

        (2)    the transmission, routing, provision of connections, or storage is carried out through an automatic technical process without the selection of the material by the ISP;

        (3)    no copy of the material made by the ISP is maintained; and

        (4)    the material is transmitted through the system or network without modification of its content.

      B.    Limitation of Liability For System Caching

An ISP’s liability for copyright infringement is limited for system caching functions in a case in which

        (1)    the material is made available online by a person other than the ISP;

        (2)    the material is transmitted from the person described in subparagraph (1) through a system or network to a person other than the person described in subparagraph (1) at the direction of that other person; and

        (3)    the storage is carried out through an automatic technical process

The practical result of this limitation is to allow an ISP to “retain a copy of the transmitted material so that subsequent requests for the material can be fulfilled by transmitting the retained copy, rather than retrieving the material from the original source on the network. “ The ISP must, however, make sure to comply with the following conditions in order to qualify for the limitation:

          (i)    The content of the retained material must not be modified;

          (ii)    The provider must comply with the rules about “refreshing” material—replacing retained copies of material with material from the original location—when specified in accordance with a generally accepted industry standard data communication protocol;

          (iii)    The ISP must not interfere with technology that returns “hit” information to the person who posted the material, where such technology meets certain requirements;

          (iv)    The ISP must limit users’ access to the material in accordance with conditions on access (e.g., password protection) imposed by the person who posted the material; and

          (v)    Any material that was posted without the copyright owner’s authorization must be removed or blocked promptly once the ISP has been notified that it has been removed or blocked at the originating site.

      C.    Limitatio of Liability For Information Residing On Networks At The Direction of Users

Section 512(c) of the DMCA is perhaps the most critical of the limitations of liability for ISPs because it applies to materials that are hosted on an ISP’s system or network at the direction of a user. To qualify for the limitation, the ISP must meet the following conditions:

        (1)    the ISP must not have actual knowledge of infringing materials, is not aware of facts or circumstances from which infringing activity is apparent, or upon gaining such knowledge or awareness the ISP responds expeditiously to take the material down;

        (2)    does not receive a financial benefit directly attributable to the infringing activity, if the ISP has the right and ability to control the infringing activity;

        (3)    designates an agent to receive notification of claims of infringement and files the proper forms with the Register of Copyrights; and

        (4)    Upon receiving proper notice in accordance with the notice and take-down provisions, responds expeditiously to remove or disable access to the claimed infringing material.

Importantly, the ISP must make sure to (1) place an appropriate notice on the website notifying the public of the statutorily-required information for contacting the ISP to give notice of the claim of infringement, and (2) file the proper Interim Designation of Agent to Receive Notification form with the Register of Copyrights. Failure to do so may result in the ISP loses its protection under the DMCA.

The ISP owner should also note that a copyright owner may request the clerk of any United States District Court to issue a subpoena that requires the ISP to identify the alleged infringer. Upon receipt of such a subpoena, the ISP must disclose to the copyright owner the information required by the subpoena, notwithstanding any other provision of law.

      D.    Limitation of Liability For Information Location Tools

The fourth limitation relates to hyperlinks, online directories, search engines, and other similar features and services. The conditions with which the ISP must comply with are essentially the same as those set forth in the immediately preceding section addressing § 512(c).

IV.     CHILDREN’S ONLINE PRIVACY PROTECTION ACT & PRIVACY POLICIES IN GENERAL

Commercial website owners often wonder whether they need to post a privacy policy on their websites. While there is not yet a generally-applicable federal law requiring website owners to develop and post privacy policies on the Internet, there are several situations in which website owners are required to post a privacy policy.

      A.    Websites Subject to the Children's Online Privacy Protection Act

Rightfully concerned about the safety and welfare of children surfing the Internet, Congress enacted the Children’s Online Privacy Protection Act of 1998 (“COPPA”), a federal statute designed to protect the privacy of children under the age 13. COPPA went into effect on April 21, 2000. COPPA, and its implementing rule , is intended to regulate the information collection and disclosure practices of two categories of websites: (i) those that are “directed to children,” and (ii) general audience sites that have “actual knowledge” that the information being requested is being provided by the child. Websites that fall in these two categories must post a statutorily-mandated notice of the website’s information collection and disclosure practices with respect to a child’s “personal information.” Failure to do so could result in potentially severe penalties from the Federal Trade Commission (“FTC”), the agency charged with enforcing COPPA.

Depending on several factors, an ISP may need to post a privacy policy that complies with COPPA. (It is, of course, better to be safe than sorry—all ISPs should post something on their website that addresses the concerns of COPPA). If an ISP’s website is subject to the requirements of COPPA, the ISP must post a “clear and prominent” link to the privacy policy. For operators of general audience websites that are subject to COPPA, a link to the COPPA privacy policy must be placed on the home page of the children’s section of the website. To satisfy the “clear and prominent” requirement, the FTC suggests that the link be in a larger or different-colored font on a contrasting background. Contrary to common practice, however, a link at the bottom of a web page, where most legal information is usually found, will not satisfy the “clear and prominent” requirement. The COPPA notice must contain the following information:

• The name and contact information of all operators collecting or maintaining children’s personal information through the website or online service;

• The kinds of personal information collected from children and how the information is collected—directly from the child or passively, e.g., through the use of cookies;

• How the operator uses the personal information. For example, is it used for marketing back to the child? Notifying contest winners?;

• Whether the operator discloses information collected from children to third parties. If so, the operator must disclose the kinds of businesses in which the third parties are engaged; the general purses for which the information is used; and whether the third parties have agreed to maintain the confidentiality and security of the information;

• That the parent has the option to agree to the collection and use of the child’s information without consenting to the disclosure of the information to third parties;

• That the operator may not require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation; and

• That the parent can review the child’s personal information, ask to have it deleted, and refuse to allow any further collection or use of the child’s information. The notice must also state the procedures for the parent to follow.

In addition, an operator must obtain “verifiable parental consent” from the child’s parents prior to collecting, using, or disclosing information from or about the child. The FTC considers violations of COPPA and its regulations to be unfair or deceptive trade practices under the FTC Act, and violators can face hefty fines.

      B.    FTC Enforcement of COPPA & Privacy Policies

To underscore the importance of complying with COPPA, it has been said that the FTC maintains a COPPA enforcement division that is dedicated to searching the Internet and locating operators who fail to comply with COPPA’s requirements. The penalties for failing to comply with COPPA can range as high as $11,000.00 per violation.

Most importantly, if a website owner develops and posts a privacy policy on its website, either pursuant to COPPA, another law, or simply by choice, it is critical that the website owner adhere to the privacy policy: in 1998 the FTC stated that a website owner’s use or dissemination of personal information in a manner that is inconsistent with a posted privacy policy constitutes a deceptive practice under the FTC Act. Based on that statement by the FTC, a court might reasonably conclude that such conduct is also a violation of the Texas Deceptive Trade Practices Act, a statute which provides some consumers with a remedy for treble damages.

V.     WEBSITE CUSTOMER & USER AGREEMENTS (TERMS OF SERVICE)

Every commercial website should contain a link to the company’s “terms of service” or “user agreement” or “customer agreement.” This document is designed to set forth the terms of the agreement entered into between the website owner and each website visitor or company customer. A common question is whether such agreements are enforceable in a court of law. The short answer is “sometimes,” depending on the factual circumstances of the particular case and the jurisdiction within which the case is brought, among other factors.

From a practical standpoint, an ISP that allows customers to sign up for service online should have two separate agreements posted on its site: a user agreement and a customer agreement. A user agreement typically includes such items as a limitation of liability clause, disclaimers of warranties, copyright infringement notification policies, etc. The user agreement sets forth the terms of the agreement between the website owner and every website visitor, regardless of whether the visitor (i.e., someone simply browsing the website) is also a customer who purchases specific services. The customer agreement, on the other hand, sets forth the terms of the relationship between the website owner and the customers that purchase its services, such as Internet access service.

If the ISP does provide a means by which a visitor can sign up for services online (and, hence, become a customer), it is especially important for the ISP to make the customer agreement a “clickwrap” agreement, e.g. by forcing the customer to place a check mark in a field denoting that the customer has read and agreed with the terms of the customer agreement before completing the registration process. In general, clickwrap agreements are most likely to be enforced by the courts. It is important to note, however, that clickwrap agreements and posted user agreements are new and developing areas of the law that are not yet well-settled.

Two (of many) key provisions that should be present in every user agreement and customer agreement are a forum selection clause and a venue selection clause. In essence, forum and venue selection clauses specifies where a lawsuit shall be filed in the event a dispute arising under or related to the agreement comes to fruition. Although it is not guaranteed that a given forum or venue selection clause contained in a user agreement or customer agreement will be enforceable, many courts have held in the context of online agreement that, in general, such clauses are enforceable.

An example should help in understanding the importance of adopting and posting properly drafted user agreements and customer agreements: given that any website is accessible in each of the U.S. states, can a California court assert jurisdiction over your Texas ISP such that it can force you to appear and defend a lawsuit in California? If there exists no forum selection clause in the ISP’s user agreement or customer agreement, at a minimum the Texas ISP would at least have to appear in California court, possibly conduct factual discovery, and, in sum, wage an expensive battle to determine whether the California court could assert jurisdiction. In such a case, the parties would be forced to conduct discovery and present evidence to the California court on the issue of whether the it could assert jurisdiction. After receiving the evidence, the California court would then examine the level of interactivity on the website and the commercial nature of the exchange of information that occurs on the website in order to make its determination.

In general, courts place websites into three categories: passive, interactive, and “the middle of the spectrum.” The key for any court is to determine whether the company owning or operating the website has “purposefully availed” itself of a particular state’s laws.

      A.    Passive Websites

A company whose website merely advertises its products or services will typically not be considered to have “purposefully availed” itself of a state’s laws. Thus, owners of a passive website would in most cases, not be subject to the jurisdiction of courts in other states.

      B.    Interactive Websites

An “interactive” site is one that actively promotes a two-way online relationship between the site operator and the site visitors. An example of an interactive site is one that allows the formation of contracts online, e.g., purchasing of CDs. Courts generally do not hesitate to find jurisdiction is proper when the site is clearly an “interactive” site. Clearly, an ISP that allows people to subscribe to their service online would qualify as an interactive site.

      C.    Middle of the Spectrum

Many websites are neither wholly passive nor obviously interactive. Some, for example, post contact information or allow visitors to register with the site by providing their email address. Courts have split on whether the these types of sites constitute “purposeful availment” such that a court in a foreign state could properly assert jurisdiction over the site operator.

      D.    Forum & Venue Selection Clases

The use of forum and venue selection clauses (especially if contained in a clickwrap agreement), while not a guarantee, would give the ISP good ammunition and the basis for a strong argument that jurisdiction is proper only in the city and state identified in the forum selection clause. If successful, the ISP would potentially have saved thousands of dollars simply by being able to defend (or prosecute) the lawsuit on its “home turf” without having to deal with the expense of travel and other factors.

VI.      ACCEPTABLE USE POLICIES

Each ISP should develop and post an acceptable use policy (“AUP”), a document that sets forth the types of customer behavior and uses that are acceptable on the ISPs network. Each ISP will have different particular considerations. In general, however, every ISP’s AUP should address the ISP’s policy with respect to the following:

• unsolicited commercial email (“UCE” or “Spam”);

• the customers’ use of and conduct on Internet Relay Chat (“IRC”) servers;

• the customers’ use of and conduct and online game servers;

• the customers’ use of and conduct on newsgroups;

• describing the customers’ responsibility for password protection and use of the customers’ accounts;

• its expectations of its customers’ conduct online, i.e., Internet etiquette and abuse;

• actions that are prohibited by the ISP, such as the forging of email headers; and

• the customers’ access to and use of the ISP’s email system.