Over the past year, the NLRB’s Acting General Counsel has issued a set of three guidance documents (here, here and here) evaluating social media policies for compliance with the National Labor Relations Act. Not surprisingly, these documents take an aggressive approach to these policies.

Just for fun, here’s a little quiz on provisions in social media policies that the Acting General Counsel has opined on.  Some of these are excerpts from the actual text; in other cases, I’ve tried to figure out what the text was from the AGC’s commentary.  For each of these, do you think the AGC found the language to be lawful or unlawful?”

Employees are prohibited from posting information on any social networking sites that could be deemed material non-public information

Anybody familiar with securities laws should be aware of this particular concern — disclosure of material nonpublic information is a key element of insider trading.  So, the AGC should be fine with this, right?  Nope.  Here’s what that AGC said: ‘. . . the rule prohibiting employees from posting information regarding the Employer that could be deemed “material non-public information” . . . is unlawful.  The term . . . is so vague that employees would reasonably construe it to include subjects that involve their working conditions.‘

Result: Illegal

Respect financial disclosure laws.  It is illegal to communicate or give a “tip” on inside information to others so that they may buy or sell stocks or securities.

This doesn’t seem a whole lot different than the previous example.  Yet, the AGC ruled it legal, apparantly because it’s more limited and doesn’t use a term like “material non-public information” that an employee may not understand.

Result: Legal

Employees are prohibited from using any social media to violate, compromise, or disregard the rights and reasonable expectations as to privacy or confidentiality of any person or entity.

This should be pretty straightforward, right?  Not in this case, “absent any limitations on what was covered . . . [this rule] could reasonably be interpreted as prohibiting protected employee discussion of wages and other terms and conditions of employment.”

Ruling: Illegal

 Maintain the confidentiality of [Employer] trade secrets and private or confidential information. Trade secrets may include information regarding the development of  systems, procedures, products, know-how and technology. Do not post internal reports,  policies, procedures or other internal business-related confidential communications.

Looks a lot light the last one, right?  In this case, however, the rule “provide sufficient examples of prohibited disclosures . . . for employees to understand that it does not reach protected communications about working conditions.”  As a result, there was no problem.

Result: Legal

Respect all copyright and intellectual property laws. For [Employer's] protection as well as your own, it is critical that you show proper respect for the laws governing trademarks, including [Employer's] own copyrights, trademarks and brands.  Get permission before reusing others’ content or images.

Online infringement of intellectual property is a big problem on the Internet, and the AGC found that the first part of this rule isn’t a problem, largely because it doesn’t prohibit anything, but urges employees to respect the law.  The last, part, though, was a problem because it may impact the ability to take picture of, say, picket lines or an employee working in an unsafe condition.

Result: Partially Illegal.

No Team Member is required to participate in any social media or social networking site (unless required as part of the job), and no Team Member should ever be pressured to ‘friend,’ ‘connect,’ or otherwise communicate with another Team Member via a social media outlet.

 Employers cannot limit employees’ ability to organize or to communicate with each other about their working conditions, including via social media.  However, in this case, the restriction was only against pressuring each other to connect, and this was legal.

Result: Legal

You may not make any communication or post to a Social Media site that constitutes embarrassment, harassment or defamation of the [Employer] or of any employee, officer, board member, representative, or staff member.

Employees have a right to criticize their employer’s labor policies and treatment of employees.  In this case, the AGC held that this policy was overbroad because it did not contain any exclusion for these criticisms.

Result:Illegal

Here’s my takeaway: employers need to ensure that their social media policies cannot be construed to limit their employees protected labor activities, such as organizing themselves or complaining to the press about working conditions.  Unfortunately, this actually has to be worked into the policy itself, through examples and limitations — the AGC believes that boilerplate “savings clauses” that say something like “this policy shall not be construed to limit your rights under the National Labor Relations Act” are insufficient.

[. . . ] Since I am the lead developer, and since I have never signed anything relinquishing my ownership of the code, if I just left the company would probably fail. Since I don’t wish this upon them, I would like to find afair way to leave.What is the best approach for me to leave without harming the future potential of the company (while getting a fair share myself)?
There has been very little money spent by the other co-founders (around $2000 total), however I feel that my product (an Android application) is quite valuable, and them purchasing it makes the most sense to me.
What options are available for this purchase? What have others done in this situation, and how can I ensure my financial reimbursement while not directly harming the future potential of the company?

In another post, the same person indicated that he had not been paid anything.

So, this company’s crown jewels are in the hands of a person who’s dissatisfied with how things have been going. Even though he’s not being terribly vindictive here, this is clearly a scary situation for the company. Worse, it’s a problem they could have easily avoided by simply having him sign a simple copyright assignment before he started working.

Of course, all is not lost for the company — this individual may not own the copyright even if he never signed anything, because a “work made for hire” created by an employee is owned by the employer, not by the individual. For that purpose, we have to ask more than just “Did the company file a form W-2?”  Instead, we have to ask whether the individual was a “Servant” under agency law and, if so, whether the work was performed in the scope of his employment.  In other words, the company will have to get the lawyers involved.

In the end, a lawyer could have prepared a simple copyright assignment form for $50 – $100.  But, because the company didn’t get that done, it’s now potentially looking at legal bills in the thousands.

[Photo courtesy of miggslives on Flickr via a creative commons license.]

Before that inquiry happens, it’s well worth the effort to find and fix problems that are going to arise in that Due Diligence review anyway.  Not only will this make the process go faster, but it will mean that the investor is a lot less likely to write-off your company as a dog and move on. Besides, avoiding those problems means avoiding liability that can sink your company.

Here’s a dozen high-runner legal due diligence problems that I’ve seen in early-stage companies, in no particular order, with some take-away lessons on how to avoid them.

1. Issuing more stock than is authorized by the corporate charter. A corporation’s Articles/Certificate of Incorporation always list the number of shares of stock that the company is authorized to issue. But, companies sometimes issue more shares than are authorized. The extra shares aren’t validly issued and may lead to a legal claim from the people who they were sold to. Lesson: keep a capitalization chart, showing the number of shares authorized, subtracting out the number that have been issued, and showing what’s left.
2. Not having stock or option issuances approved by the board.  Section 55-6-21 of the North Carolina Business Corporations Act (or, in Delaware, Section 152 of the DGCL) specify that the Board of Directors authorizes the issuance of stock, and there are similar rules for stock options. The officers of many companies are sometimes loose with this formality, and issue the stock or options without the board’s approval. Lesson: Always have the board approve stock and option issuances.
3. Not requiring restricted stock recipients to file an 83(b) election.  Section 83(b) of the Internal Revenue Code allows recipients of stock that vests over time to treat the stock as if it were all acquired on the day of the original purchase, instead of the dates on which it vests. For the employee, this is important, because it means that he only pays tax on the fair market value as of the date it was originally awarded, which will often be lower than the date it vested.  For the employer, it’s important, because the employer doesn’t want to have to be in the position of determining the value of the stock every month as it vests. To gain this advantage, though, the employee has to tell the IRS within 30 days, and they often forget. Lesson: require employees to file the 83(b) election as a condition of receiving the stock.
4. Engaging officers as independent contractors. Section 3121(d) of the Internal Revenue Code (and other sections) requires officers of a corporation to be treated as employees, and not as independent contractors, except under a few very limited situations. As a result, companies can get into trouble for not withholding taxes on amounts paid to their officers. Lesson: for tax purposes, always treat a company’s officers as employees and both pay and withhold tax on them accordingly.
5. Deferred compensation issues. Early-stage companies, perpetually short on cash, often make promises about future payments to their employees and other people who provide services to them.  Depending on the promise, these arrangements can fall afoul of Section 409A of the Internal Revenue Code, which regulated deferred compensation plans. (See this post for more information.) Failure to conform to 409A can lead to significant tax problems both for the employee and the employer.  The employee has to pay taxes on the deferred money, from the time it was deferred, in addition to interest and a 20% penalty. And, the employer may be liable for not properly withholding taxes. So, these arrangements should always be run by an attorney who’s familiar with 409A.  Lesson: Pay in cash or stock or consult a corporate attorney for help on paying your people in the future.
6. Informal arrangements with employees and independent contractors.  For many start-up companies, their most valuable assets are intangible: computer code, know-how, data, etc…. So, it’s important to put formal agreements in place with people who create or come into contact with those assets, to ensure that those assets don’t go with you.  Among other things, that means that these people should (a) assign all their rights in company-related intellectual property to the company, (b) agree to protect the company’s secrets, (c) agree not to solicit company customers (or personnel) after leaving the company and (d) agree not to compete with the company. Lesson: have a standard agreement which all independent contractors and employees sign, covering at least those four things.
7. Using IP belonging to a previous employer.  Company founders sometimes do the initial development of an idea while they’re working for somebody else, and then start a new company to commercialize the idea. This approach can be risky, especially if there was an agreement with the previous employer about intellectual property, since the old employer may think it owns the start-up’s core technology. (Or, even worse, they only decide that they own it once the new company is successful.)  Lesson: (1) get previous employers to agree that they do not own the new IP, or (2) at least stay out of the previous employer’s line of work, and don’t use its computers or equipment.
8. Securities law violations. Many of us had the experience in middle school of putting together a mock company, selling “stock” to family members, running the business and paying them a dividend. Unfortunately, selling stock is actually a much more complicated process than this thanks to securities laws intended to protect investors.  As a general rule, all stock that a company sells has to be registered with the government, unless the sale is exempt from registration for some reason specified in securities law.  Unfortunately, it’s common to see companies who sold stock, completely oblivious to the securities laws.  And, that can create some serious liability for them down the road. Lesson: get the assistance of a corporate attorney who understands securities law to make sure you jump through the right hoops.
9. Serious restrictions in license terms.  If you’re building on work that somebody else has done, then you probably have some sort of a license to their work. But, those licenses may be limited in time or in the scope of what you’re allowed to do.  Worse, they may be non-exclusive and allow others to compete with you.  Any of those may limit your ability to capitalize on your work.  Lesson: When negotiating licenses for core technology, be sure to read through and completely understand the terms of the license before signing.
10. Over-reliance on employment agreements. Unless there’s some sort of other arrangement in place between an employer and an employee, the arrangement is considered to be “at will” — i.e. either party can end it, at any time, for nearly any reason (with some exceptions; can’t fire somebody because of their race, for example). But, that arrangement gets thrown out if there’s an employment agreement. In that case, the employment agreement spells out when the employee can be terminated. As a general practice, employment agreements are usually only appropriate for key people at the company. Using them with other people makes your company much less flexible.  And, remember, employment agreements are generally one-way.  It’s possible to sue the employee for damages, but there’s no way to force them to work for you — involuntary servitude died with Lincoln’s Emancipation Proclamation. Lesson: Only use employment agreements when they’re needed to retain the services of key personnel.
11. Re-using forms from previous companies or from the Internet.  It’s tempting to avoid legal fees by re-using legal forms found someplace else, without having a good understanding of how the forms work. For example, any corporate attorney who’s been around for a while has heard the story of the do-it-yourself Delaware incorporation that incurred thousands of dollars in tax liability simply because they forgot to assign a “par value” to their shares.  Internet terms of service are another place where this happens — it’s all too common for websites to simply cut-and-paste terms from a different website. The end result can be a legal nightmare.  Lesson: consult an attorney before using forms that weren’t originally intended for you; the attorney can save you a lot of trouble and heartache down the road.
12. Informality in decision making. Going back to #2, above, start-ups often do lousy jobs of ensuring that the correct people make decisions and of documenting those decisions. Some decisions must be approved by stockholders (amending the certificate of incorporation to add more shares, for example), some decisions must be approved by the board (issuing more stock, for example), and other decisions can be delegated by the board to the officers. Unfortunately, when a company skips those requirements, it may end up having taken an action that it was never authorized to take.  Lesson: document all board and shareholder actions in meeting minutes and/or written consents, and ensure that officers know what authority has been delegated to them by the board.

You’ve probably noticed that a lot of those suggestion involve “see an attorney” in some form.  Yes, that can sometimes get expensive, but there are ways to keep the cost down, some of which I’ll describe in a later post.

At issue is a pre-Internet law, Section 7 of the National Labor Relations Act:

Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection . . .

In the non-internet world, this allows employees to get together to discuss their working conditions without having to worry about being fired.  But, what happens when those get-togethers are on Facebook or an employee’s blog?

Last month, the Acting General Counsel of the National Labor Relations Board released a new memo describing fourteen cases that help to answer that question.  In a nutshell, the answer is that the rules don’t change simply because communications and get-togethers are occurring on the internet.  In particular, the decisions focus on whether employees would “reasonably interpret” a social media policy to prohibit activity that is protected under Section 7.

Unfortunately, the Board’s definition of “reasonably interpret” doesn’t really jibe with the “reasonable person” standard that governs how we normally expect people to behave.  Instead, the NLRB’s “reasonable person” seems to be easily confused and distracted.  As a result, social media policies have to be written with an eye toward readability and clarity for easily-confused laypeople.  Here are some examples from the memo of what this means:

• While it’s a good idea to list specifically allowed activities, it’s not enough to just add a savings clause that says something like “this policy will not be interpreted or applied so as to interfere with employee rights to self-organize, form, join or assist labor organizations, to bargain collectively through representatives of their choosing or to engage in other concerted activities.”
• Examples of permitted and not permitted conduct can help explain the policy
• Poorly-defined words like “inappropriate” or “unprofessional” should be avoided, unless they can be made clear through use of examples.
• Context is key — employees are less likely to be confused by limited policies intended to protect against securities law violations or breaching trade secrets, for example, than they are by broad general policies.

I recommend the memo to anybody planning to implement a social media policy, so you can see just how the NLRB thinks about social media. Fair warning, though: some of these cases just don’t jibe with each other — in one case, a policy that prohibited “defamatory” statements might lead employees to believe the policy covered protected activity, while another policy that prohibited “statements which are slanderous” was fine.   (For those not familiar, slander is just oral defamation. Social media posts, by nature, are nearly always written and so cannot be slanderous.)   It’s a bizarre world.

I’m referring to Section 409A of the tax code, which governs how “deferred compensation” is taxed when it isn’t part of a qualified pension, profit-sharing or other sort of plan.  In tax lingo, “deferred compensation” just means compensation that may be paid out in a later tax year than the tax year you had a legal right to it. Applying this definition, a payment that’s delayed from January to December would not be “deferred compensation,” but a payment that’s delayed from December to January would be. (All assuming that the company’s tax year is the same as the calendar year.)  Our situation above qualifies —  nobody disputes that the officer has earned the money and since it may be paid out in the next tax year, it’s deferred compensation.

Here’s the problem: if the deferred compensation arrangement doesn’t meet 409A’s requirements, then the IRS treats the compensation as if it was actually paid when the officer first had the legal right to the money, and taxes it accordingly.  On top of that, there’s interest AND a 20% penalty, in addition to whatever penalties the states impose (I’ve heard, but haven’t verified, that California imposes its own 20% penalty).  All of those taxes, interest and penalties are paid by the employee. The employer, meanwhile, has its own problems — penalties for incorrect withholding, penalties for incorrect reporting, penalties for underpaying Social Security/Medicare, penalties for failing to make required deposits, and so on.  What a mess.

What’s the easiest way out of this? That’s easy: don’t do that. Instead, see your attorney about how to structure the deferred compensation so it isn’t affected by Section 409A. One easy way is usually to make the payment subject to a “substantial risk of forfeiture,” which would mean that the IRS won’t consider it to be awarded until that risk goes away. But, in typical IRS fashion, they’ve defined “substantial risk of forfeiture” in its own byzantine way:

Compensation is subject to a substantial risk of forfeiture if entitlement to the amount is conditioned on the performance of substantial future services by any person or the occurrence of a condition related to a purpose of the compensation, and the possibility of forfeiture is substantial. . . . 

So, basically, there’s only a risk of forfeiture if (i) it depends on somebody (either you or somebody else) providing substantial services in the future, or (ii) if it depends on a condition related to why you’re getting the compensation.  With that understanding, the “you’ll earn $8,000 per month, but we’ll pay you later” can be fixed by changing how and why it’s awarded: “If you are successful in obtaining external financing in excess of $200,000, we will pay you $8,000 for each month between now and the date the financing comes in.” Now, there’s a “substantial risk of forfeiture,” and the 409A problem, along with all those taxes, penalties and interest, goes away.

Two important caveats: 409A also requires the plan to be in writing, and has some specific requirements for what has to be in it, and when the plan has to be written.  But, that’s easy to deal with. And, see an attorney who knows about this stuff. 409A is just too complicated to be adequately addressed in a blog post.

[Graphic courtesy of DonkeyHotey on Flickr.]

Recall that many corporations incorporate in Delaware partially because of the Delaware Court of Chancery, which handles matters related to its corporate law. The Court’s judges (called “Chancellors” in Delaware) are well known for their expertise in corporate law.  Further, because the Court of Chancery is considered to be a “court of equity,” juries are rarely involved — the Court’s decisions are made by its Chancellors. And, unlike in many other states, the Delaware General Assembly considers its courts to be assets and funds them better than many other states. The end result is that Delaware provides a fast and fair forum to resolve disputes.

That’s all fine and good, but how do you know that your dispute will end up in the Court of Chancery? After all, most states (including North Carolina) take the view that their courts should be open to hearing about disputes between corporations and their shareholders, even if the corporation is organized in a different state. Sure those courts should still use Delaware’s corporate law to decide the case, but non-Delaware courts are not as expert as the Court of Chancery, they’re probably not as well funded and they probably use juries. As a result, plaintiff’s attorneys will try to maximize settlement values by suing anywhere but Delaware, frustrating one of the reasons that companies incorporate in Delaware to begin with.

Now, getting into Delaware is pretty easy if there’s a contract involved since many contracts between corporations and shareholders require disputes arising from the contract to be resolved there. But, what about disputes that don’t arise from contracts, like suits against directors for a claimed breach of fiduciary duty or derivative suits?

Recently, corporations have been solving this problem by putting similar language in their bylaws or certificates of incorporation — at last count, 195 corporations have done this.   Netsuite, Inc. has a very typical clause:

Unless the Corporation consents in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware shall be the sole and exclusive forum for (i) any derivative action or proceeding brought on behalf of the Corporation, (ii) any action asserting a claim of breach of fiduciary duty owed by any director, officer or other employee of the Corporation to the Corporation or to the Corporation’s stockholders, (iii) any action asserting a claim arising pursuant to any provision of the DGCL [the Delaware General Corporation Law], (iv) or any action asserting a claim governed by the internal affairs doctrine. Any person or entity purchasing or otherwise acquiring any interest in shares of capital stock of the Corporation shall be deemed to have notice of and consented to the provisions of this Article VI, Section 8.

Of course, this type of provision may not always be a good idea — litigating in Delaware can be expensive and inconvenient when all the evidence is in a different state. So, the cost/benefit analysis doesn’t always favor this sort of provision. That makes this a good thing to talk with your lawyer about.

One caveat: in early 2011, a Federal Court in California refused to uphold this sort of provision when Oracle’s board of directors had injected it into the company’s bylaws without a stockholder vote. (Interestingly, nearly a third of the companies with these provisions are based in California.) Further, there are a bunch of class-action suits pending in Delaware seeking to void these bylaw provisions when the company’s board placed them in the bylaws without a stockholder vote. So, right now, the best practice appears to be to place the restriction directly in a corporate charter, with stockholder approval.

SOPA is intended to fight piracy of both copyrighted works (like music and movies) and physical goods (like face Gucci purses) by going after the websites and other internet services that make these goods available. That makes a lot of sense if the people who are running those websites are held responsible. Unfortunately, SOPA is an enormous overreach that tramples all over the rights of overseas internet services.

Here’s the problem: these bills require advertising networks and payment processors (e.g. credit-card companies or paypal) to cut off access to websites when they receive a complaint that the website infringes either a copyright or trademark. There’s no court-order required: if they get a complaint, they have to cut off the website. Further, if the advertising network or payment processor doesn’t, then the person giving the notice can hale them into court to demand an explanation of why they didn’t!

Now, yes, the site has a chance to contest the order once they find out about it — if they do, then they have to both identify themselves to the person (or company) who issues the complaint and agree to be sued in the United States! But, even if they do, there’s no requirement that the advertiser or payment processor reinstate service. In fact, it’s likely that the site would continue to be cut-off until a judge says they’re legit.

The big problem is that the companies who would be most likely to issue these complaints — the content industry — has a horrible track record. The Digital Millennium Copyright Act has a vaguely similar notice-and-takedown procedure, and the content industry is famous for issuing completely bogus complaints. Consider, for example, the bogus takedown of a video that supported filesharing or Warner Brothers’ admission that it issued takedown requests on material it didn’t own.  SOPA would allow the content industry to similarly impede the speech of foreign websites, without any judicial oversight. (Even worse, think about the havoc one rogue guy issuing bogus complaints could cause.)

The EFF has more in their article What’s Wrong With SOPA. Well worth the read.

Take a deep breath — chances are that you don’t owe anywhere close to that much. There are two ways to compute franchise taxes, and Delaware has simply calculated the taxes for what is often the more expensive method, known as the “Authorized Shares Method.” In this method, if you have 5,000 or fewer authorized shares, the franchise tax is $75; if it’s between 5,000 and 10,000, it’s $150; and it goes up by another $75 for every 10,000 shares thereafter.  Note that these are authorized shares, not issued shares. So, a company with, say, a million shares would owe $7,575 under this method.

Luckily, the other “Assumed Par Value” method typically leads to much smaller taxes. In this method, take your gross assets (from your federal tax return) and divide them by the number of issued shares to get your “Assumed Par Value.”  Then, look in your certificate of incorporation for the “par value” of each of your authorized shares (It’s typically very close to $0 — I typically use $0.0001 ) and add them up, BUT if the par value for any share is less than the Assumed Par Value you just calculated, then use the Assumed Par Value.  Divide by $1,000,000, round up, and then multiply by $350.  That’s your new franchise tax. As you can see, the minimum value this way is $350.

Now, it’s possible to really minimize your franchise taxes by only authorizing 5,000 shares and using the Authorized Shares method — that reduces it from $350 down to $75. But, 5,000 shares isn’t much, especially if you want to grant stock options or seek investors. At that point, the money you spend increasing the number of shares probably eclipses the $275 you save in franchise taxes.

Fair warning here: one mistake that I’ve seen lay people make, especially when they try to save money by using forms they found on the internet or using one of those “we’re not attorneys, we just help you fill out and file your forms” services, is to create their shares with no par value. That’s completely legal under Delaware law, but without par values, the assumed par value method isn’t available.  And that can turn a $350 tax bill into a $7,575 bill.

[Graphic courtesy of DonkeyHotey on Flickr.]

However, that precision comes at a cost: most people find that very precise legal-speak very hard to read. So, those terms won’t help if you actually want to communicate your expectations to your users. And, if they understand your expectations, maybe they won’t want to bring that claim to begin with.  So, instead of thinking about terms as a legal fortress around a service, it might be a good idea to think of them as a trade-off between protecting your legal needs and effectively communicating with your users.

Of course, that doesn’t mean that terms of service should be sloppy or not well-thought through.  It’s still possible to write well, and precisely, in everyday language (or, at least, in language that’s close to everyday language). And an occasional legal term won’t necessarily destroy the readability of the terms.

I’ve attached a sample “Plain English” Terms of Service on the Resources page to demonstrate how Terms of Service don’t have to be written in legal-speak. These terms cover the seven basic concepts listed in this blog post while still being readable enough for most people to understand. Unfortunately, it’s hard to avoid legal language entirely, but I think it’s better than most Internet terms I’ve seen.

That was 1998, and the Copyright Office then put out some interim regulations about how to tell them about the agent.  Basically, you put the required information on a piece of paper (the Copyright office provides a sample form, but there’s no requirement to use it), attach a check for $105, and mail it to them.  The Copyright Office then scans all the paper and posts them on its website. It’s a bit low-tech for the Digital Millennium Copyright Act, but it works.

Now, 13 years later, the Copyright Office is finally getting around to thinking about the final regulations and they’re asking for comments. They are proposing an electronic system to replace the paper-based system, and requiring people who registered in paper under the old rules to re-file through the new electronic system.  That, combined with a new requirement that companies renew their registrations every two years, will help deal with one current problem the Copyright Office has: the directory contains hundreds of registrations for defunct services.

The changes have been needed for a long time. Luckily, it seems that the Copyright Office has gotten it substantially right.  The proposed system should be faster, more reliable and much easier to use, both for service providers and for content owners.

Concerns? The Copyright Office is requesting that comments be submitted electronically at their website.  All comments have to be in by November 28 and will be posted on the Copyright Office’s website.  Following that, replies to the first set of comments will be accepted until December 27.

On September 15, Sony followed this up by modifying their Terms of Service to include this:

Any dispute resolution proceedings, whether in arbitration or court, will be conducted only on an individual basis and not in a class or representative action or as a named or unnamed member in a class, consolidated, representative or private attorney general legal action, unless both you and the Sony entity with which you have a dispute specifically agree to do so in writing following initiation of the arbitration. [Uppercase converted to lowercase for readability.]

Sony’s terms allow users to opt out of arbitration and the class action waiver within 30 days of first accepting the terms. They also allow claims in small-claims court, without arbitration.

Why would I want this in my terms of service?

Arbitration and restricting class actions are two ways to avoid the high cost and slow speed of litigation and by reducing the amount of formality in lawsuits and by significantly restricting discovery (the process by which litigants collect documents, conduct depositions and so on.)  In arbitration, litigants can have their disputes resolved by experts in their field. Further, arbitration is typically a private matter; judicial proceedings are not — most of the evidence will become public. As a result, they are a good way to ward off the occasional sleazy attorney who wants to extract a quick settlement from a company that wants to avoid the cost and distraction of a multi-year lawsuit, even if there is little to no merit behind the suit.

But, arbitration is not for everybody — many Internet services do not require it at all, instead relying on “forum selection” clauses to push suits into their local courts. The answer often revolves around the service provider’s comfort with the informality of arbitration and the likelihood that a dispute will arise.

Unfortunately, the law surrounding class-action waivers outside of arbitration is not so clear — the Supreme Court’s opinion only applies to waivers in arbitration, not in court. And, different states may have different rules regarding whether waivers are enforceable outside of arbitration — California, for one, does not enforce them. So, for now at least, the only sure way to avoid class-actions is to require individual arbitration.

While many of the changes only clarify the existing rules, there are five main places which might impact smaller service providers:

1.  Broadening the amount of information protected

The proposed rules would classify the following as “Personal Information” about a child:

• Photographs, videos or recordings of the child, even if it is not linked to other information
• Persistent IDs like cookies, IP addresses or hardware serial numbers when they are used beyond supporting the service’s internal operations, even if they are not linked to other information
• User/screen names when used beyond supporting the services’ internal operations
• Any identifier which links the activities of a child across different websites or services
• Geolocation data

These changes reflect a shift toward the understanding that children have on-line identities which may not identify their real-world persona, but which should still be protected anyway.

2. Improving notification of the service’s practices

In an attempt to make privacy policies more usable by parents, the proposed rules change the information that must be provided.  In particular, each operator must provide contact information (including, newly, a physical address), and cannot have a single operator be the point-of-contact for a service where multiple operators may collect children’s information. The notice has been made shorter — it still must contain a description of what information is collected and how it is used and disclosed, but no longer needs to mention whether the information is collected directly or passively and does not need to provide as many specifics about third party recipients of information or the notice that the operator cannot condition a child’s use of the service on providing more personal information than is necessary.

In addition, the proposed rules require service providers to put a link to their privacy policy close to where information is collected and have spelled out the requirements of the various notices which the rules require to be sent directly to parents.

3. Tightening “verifiable parental consent”

Most significantly here, the old “email plus” method, where a service would email a parent and then follow up with another contact (even another email) sometime later has been abandoned — the FTC is concerned that the child will just supply his/her own address. In its place, the FTC would allow service providers to ask the FTC to approve a new mechanism for obtaining parental consent. The FTC would have 180 days to respond and, if they approved it, then any other service provider could use the same mechanism.

4. Dealing with third party recipients

Under the proposed revisions, when service providers disclose children’s personal information to third parties, the service provider would have to take “reasonable measures” to make sure that the third party actually had reasonable procedures to protect that information. This section is new — the current version has no similar restriction and relies on the recipient to act appropriately.

5. Deleting information when done with it

Under the proposed changes, a service provider may only keep information for “as long as is reasonably necessary to fulfill the purpose for which the information was collected,” after which it must be deleted. This addition is also brand new.

Have input?

The FTC is asking for public input and is specifically asking 26 (!) questions in the notice of the rule (see pp. 105-112) — instructions for sending comments are on the front page of the notice.

[Photo courtesy of Oleg1975 on Flickr.]

DMCA Notices. The Digitial Millennium Copyright Act grants website owners some immunity from suits based on infringing material the site’s users post, provided that they jump through a few hoops. One of those hoops is that the website list somebody who content owners can contact if they find infringing material on the website. The Terms of Service is a great place to find this.

Termination Provisions. For users who have accounts on the service, how do they terminate their account? What happens to material they’ve previously uploaded to the service? When can the website operator terminate the user’s account? Getting back to DMCA protection, the website must have a policy of terminating accounts of repeat infringers to be covered by the DMCA — this should be mentioned in the Terms.

Amendment: How can the Terms be updated? What sort of notice will the user get? Are there terms that cannot be amended? Just a few years ago, the answer to this last question would have been of course not. But, in the wake of the dropbox fiasco, users sometimes demand specific protections that cannot be taken back out.

Privacy Policy: While not usually included in the Terms of Service, the service should have a privacy policy that lists what personal information the service collects, how it’s collected and what the service does with that information.

That, like the original post, is only a partial, and necessarily incomplete, list — the terms of service itself has to be customized to the service it’s intended for.

[Photo courtesy of Lee Maguire]

There are, however, a few more technical requirements that website operators often miss, possible losing their protection:

(1)  You have to register an agent to receive those notices of claimed infringement.  The copyright office publishes a form for doing this — that and $105 will get the agent registered.

(2) You have to put a notice on the website informing copyright owners how to get in touch with that agent.  Typically, this is put either in a section in the Terms of Service or in a separate link from the front page called something like “DMCA complaints.”

(3) You have to have a policy of terminating repeat infringers, and you have to tell your users about this policy.  Again, something that should go into the Terms of Service.

Now, failing to do these things does not mean that a website owner is automatically liable for any infringing content his users put on his site.  BUT, not doing those things sure makes it easier for copyright owners to sue him for those infringements.

[Copyright logo from Mike Seyfang via Flickr.]

But, what does it mean to consent? What, exactly, does a service provider have to do?

Luckily (or not), the EU has a Working Party that, in a wonderful display of over-bureaucracy, recently published a 38-page “Opinion on the definition of consent” to help explain what service providers have to do to obtain consent. The useful stuff is on p. 35, where six requirements of consent are given:

1. Consent must be freely given, without “risk of deception, intimidation or significant negative consequences.”
2. Consent must be specific, and cannot simply be a “blanket consent.”
3. Consent must be informed: first, users have to be able to understand what they are consenting to, and why — in particular, “the use of overly complicated legal or technical jargon would not meet the requirements of the law”; and second, the information “should be clear and sufficiently conspicuous so that users cannot overlook it.”
4. Consent must be explicit with regard to sensitive data — there must be an active response.
5. Consent must be unambiguous.
6. Consent cannot be based on inaction or silence. There must be some affirmative indication.  (Yes, there’s some overlap here.)

On top of that, the opinion talks about the need to be able to withdraw consent.

Now, technically, that’ s just an opinion of a “working party” and is not binding law, but if you’re planning to offer services to customers in the EU, it’s a good place to start to see how you should go about getting your users’ consent.

Luckily, an awful lot of this can be done at the same time that users agree to their terms of service. Presenting a prominent statement, written in plain English (or plain French or . . .) describing the cookies that would be placed in the user’s browser and how they are used and asking the user to click a check-box to consent would probably do it. The statement should also tell the user what he should do if he wants to revoke that consent. But, if the use of the cookies changes, the request has to be made again.

The downside is that a lot more planning has to go into using cookies, especially when it comes to third-party cookies.

[Picture courtesy of Yuri Long, used with permission under a Creative Commons Attribution 2.0 license.]

Now, the original documents are targeted specifically for Delaware Corporations. That’s great–Venture Capitalists often want their portfolio companies to be incorporated in Delaware–but Delaware doesn’t always make sense for early stage companies (See, this blog post and others in the series for why). So, I modified them for North Carolina corporations and, along the way, made a variety of other tweaks. The results are posted on the Series AA Financing Documents page, along with a lot more information about them.

Please note that while the Y Combinator has been kind enough to allow the revised documents to be posted here, they weren’t involved in the changes (they haven’t even seen them yet) and, as a result, do not endorse them. If you need a useful set of Delaware docs, please check out the original versions at the Y Combinator website. Also, please note that I have never been involved in any financing in which Y Combinator was involved, and, apart from a couple of emails, have no relationship with them at all apart from thinking they’re pretty cool.

[Piggy Bank photo used under a Creative Commons License courtesy of Ken Teegardin. Original Here. He asked for a link to SeniorLiving.org. Happy to oblige.]

The complaint asks for three main things. First, there’s a request for an injunction preventing Universal from using the Cezanne font and from making or selling any new products that contain the font. Second, destruction of all articles “bearing unauthorized and infringing copies of the CEZANNE Font Software” as well as any materials that “bear the result of” Universal’s use of the font. And, third, a bunch of monetary damages, which they claim exceed $1.5M.

Unless Universal decides to settle for nuisance value, this is going to be an uphill battle for P22.

First, copyright protection of typefaces is a bit complicated.  The general rule is that the typeface itself cannot be protected by copyright, but the font software used to create the typeface can be. P22′s attorney is going to have a tough time asserting otherwise, since he said the following on his website:

By law, type designers in the U.S. cannot protect their work by copyright. Currently, copyright law is meant to protect the expression of a creative idea; it does not cover any object or design that is intrinsically utilitarian, which the Copyright Office considers type fonts to be. The Copyright Office will, however, protect the software as a literary work that creates the font. The Copyright Office still requires that no claim be made for the actual design of the font.

The net effect is that it’s an infringement to copy font files, but the font owner’s rights to use the font end when the font hits the page. So, the T-shirts themselves, since they do not contain the font files are not infringing and the “impoundment” remedy of Section 503 of the Copyright Act doesn’t apply. If there’s any copyright infringement here at all, it would only be in the copying of the font software during the creation process.

So…. Next stop is the license agreement. (Side note: don’t use small grey text on a slightly lighter grey background for your EULA.) Unfortunately for P22, its license agreement is a mess. Most importantly, it does not clearly delimit what the user can, and cannot, do with the software. It includes nebulous language like “Most alphanumeric fonts are allowable without additional licensing provided that the Grant of License guidelines are met.” Which ones? Did they decide after the fact that Cezanne was not one of those “most alphanumeric fonts”? That’s ambiguous language–we can’t tell from the agreement if Universal was obligated to pay more, or not–and, unfortunately for P22, ambiguous language is construed against the drafter.

But, it’s even worse for P22: let’s assume that the license agreement is crystal clear, and that Universal breached it. Does that make Universal liable for copyright infringement? Not yet, because now we run into the same problem that the 9th Circuit ran into in MDY v. Blizzard. Did Universal’s breach implicate copyright law, or was it just a breach of contract? Under MDY, limits on use are generally treated solely as contract obligations. For P22, that means they’d be limited to what Universal should have paid originally. Now, MDY isn’t binding law in New York, where this action was filed, but it’s pretty likely that the judge will, at least, pay attention to it.

Now, P22 does have one potentially winning argument: if. during the design and production of the merchandise, Universal made unauthorized copies of the Cezanne font file beyond any clear limits in the license agreement, then could be liable for those infringements. But, that would only entitle P22 to a single award of statutory damages, for a maximum of $150,000, not the $1.5M it’s seeking.

However, now they’ve opened up a new can of worms for themselves surrounding when they can disclose it. Here’s what their new Terms of Service say:

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to.

That sounds exactly like what I’d want. As an attorney, if I stored client information in Dropbox, I’d be particularly concerned about whether they can disclose it to law enforcement without my permission. It is surprising, though . . . what happens if law enforcement comes to them with a warrant?  Unfortunately, what the Terms of Service gives, the Privacy Policy takes away:

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request . . .

In my view, that’s perfectly reasonable, but certainly conflicts with what their Terms of Service say.  I wonder how long it’ll be before this little nugget starts making the rounds.

To the software publisher, client-sharing its source code can have some of the same problems that plain open-sourcing the code would: potential loss of control and potential embarrassment if the code doesn’t look as professional as the publisher would like. Plus, there’s the question of whether the publisher really wants his customers to know about each other and start talking. And, finally, there’s also the risk that the source code could be released beyond just authorized customers. But, client-shared source also creates the opportunity to fix bugs faster and to see exactly how your clients are using your software, possibly discovering new uses for your software. Further, it can boost client confidence — it’s like source-code escrow on steroids.

If you’re thinking about client-sharing your source code, here are a few things that your license agreement should address:

1. How and when will customer-contributed code be incorporated back into the main branch of your software development?
2. Who owns contributed code? What if it contains code that the customer doesn’t really have the rights to?
3. What are your responsibilities when a customer modifies your code and the combined result breaks?
4. Will your customers pay to have access to your source code?
5. How will you monitor compliance with the license?

Clyde: Hey Karen, how’s the startup going?

Karen: Hi Clyde. It’s going great — we almost have our alpha product ready and there’s a lot of excitement, but . . . Well, we’re running out of money and need to find some more investors.

Clyde: Hey! I can help! I know some investors who might be interested in your business. How about if I introduce you for, say, 2% of what you take in? You don’t have to pay me unless they invest.

Any attorney who works with startups has seen a version of Clyde at some point. Sometimes, Clyde is just a friend of the founder. Sometimes, Clyde is trying to make a business out of introductions. And, sometimes, Clyde hangs around startup events, chatting up founders, talking up his ‘introduction’ services.

But, if Karen’s not exceedingly careful with Clyde and folks like him, she may end up in a heap of trouble.

Here’s the problem — Clyde is basically offering to help arrange securities transactions for Karen — he wants to broker the deal for her.  But, by law, brokers have to register with the Securities & Exchange Commission and, usually, with state regulators where the customers live. And, using an unregistered broker to sell securities is a violation of the securities laws.

What does that mean?  Well, the big thing is that the investors get the right to get their money back, plus interest.  That’s a “heads, we win, tails, you lose” situation: If the company does well, the investors simply hold onto their shares; if the company does not due well, then they just sue to rescind the transaction.  On top of that, the company can sometimes be held criminally liable.

There is, in theory, a narrow exception to these rules that allow people to help in securities transactions, without being a broker.  I say “in theory,” because there’s no rule or specific case which sets out this exception. Instead, it’s arisen from a few cases where somebody told the SEC what they were planning to do, and the SEC told them whether they thought that violated the law. Here’s how the SEC explained it in 2008:

Here are some of the questions that you should ask to determine whether you are acting as a broker:

• Do you participate in important parts of a securities transaction, including solicitation, negotiation, or execution of the transaction?
• Does your compensation for participation in the transaction depend upon, or is it related to, the outcome or size of the transaction or deal? Do you receive trailing commissions, such as 12b-1 fees? Do you receive any other transaction-related compensation?
• Are you otherwise engaged in the business of effecting or facilitating securities transactions?
• Do you handle the securities or funds of others in connection with securities transactions?

A “yes” answer to any of these questions indicates that you may need to register as a broker.

Last year, the SEC modified this even further, saying “ . . . any person who receives transaction-based compensation in connection with another person’s purchase or sale of securities must register as a broker-dealer . . .”

What does that mean for Clyde and Karen? Well, a 2% commission is definitely “transaction-based compensation,” since Clyde would get paid based on how successful the sales were.

What can Karen do? That’s easy — avoid doing those things that the SEC warned about. Karen may be OK if she only pays Clyde a flat fee and all he does is introduce Karen to investors without telling them anything about Karen’s company. But, once he starts telling investors about Karen’s company, or she starts paying him based on the fundraising, that’s where they both start getting in trouble. (Of course, without a clear-cut law, there’s no guarantee either way.  So, talk to your attorney.)

In my view, Karen’s best bet would be to ignore Clyde and generate some buzz by releasing her alpha product–nothing attracts money like success. And, all along, she should have been developing her network so that when the time came, she had a few potential leads to talk with.