Recent legislative developments will bring significant changes to the legal environment in which Internet service providers ("ISPs") operate. Specifically, within the last several weeks the Congress has enacted: (1) the Child Online Protection Act, intended to regulate the transmission over the Internet of material that is harmful to minors; (2) the Protection of Children from Sexual Predators Act of 1998, which gives ISPs new obligations to report suspected child pornography; (3) the Children's Online Privacy Protection Act, which limits the collection and use of personal information obtained from children; and (4) the Digital Millennium Copyright Act, which significantly affects the law concerning on-line copyright infringement. Because some of these developments will require prompt action by ISPs to ensure their compliance with the new laws, we are providing this update to clients and friends with an interest in the Internet. We also are providing with this memo a separate "compliance checklist" to help ISPs ensure that their operations meet the requirements of the new legislation.
I. Online Copyright Infringement: The Digital Millennium Copyright Act
The courts have not been entirely clear in defining the liability of Internet service providers for storing or transmitting copyrighted material. Two courts have suggested that an ISP might be required to pay damages to a copyright owner simply because users of the ISP's services posted copyrighted material without the ISP's knowledge or direct involvement. (1) Other courts have found that ISPs might be liable for their users' actions where the ISPs were notified of possible infringement and failed to remove or block access to infringing material, or where ISPs benefited financially from infringing material that they had the right and ability to block or remove. (2) These judicial decisions have presented conflicting and uncertain guidance to ISPs, which generally have no knowledge of the contents of the millions of bits of information moving through their facilities.
The Digital Millennium Copyright Act ("DMCA" or "Act") clarifies the liability of ISPs for acts of infringement committed through the use of their facilities. The new Act offers broad protections for ISPs that unknowingly transmit or store copyrighted material, but also requires ISPs to take specific action in order to qualify for those protections.
A. Provisions of the DMCA
The DMCA generally provides that ISPs do not commit copyright infringement when they transmit, route or provide "intermediate and transient storage" for information provided by their customers or other persons. The DMCA also immunizes ISPs from liability when they cache infringing materials on their networks, provide hypertext links to infringing materials or store infringing materials at a user's request (e.g., by hosting a website or chatroom). Each of these activities is subject to slightly different immunities and exceptions.
When an ISP transmits, routes or provides intermediate and transient storage in connection with the transmission or routing of material that infringes a copyright, the ISP is not liable for infringement if the ISP did not initiate the transmission or routing, did not select the recipients of the material (except as an automated response to the request of another person) and did not modify the material's contents. (3)
When an ISP caches infringing material that is made available online by someone other than the ISP, the ISP is not liable for infringement so long as the ISP does not modify the content of the cached material. (4)
When an ISP provides hypertext links to infringing material or stores infringing material on the ISP's system at a user's request, the ISP is not liable for infringement so long as the ISP:
- does not have actual knowledge that the material infringes a copyright;
- is not aware of facts or circumstances from which infringing activity is apparent; and
- does not "receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity." (5)
To this point, the Act's ISP provisions largely apply to ISPs the existing law of contributory and vicarious copyright infringement, which historically has defined the limited circumstances under which bookstores and other distributors of copyrighted material may be found liable for infringements committed by others. (6) The Act goes on, however to address the more troubling question of when and how an ISP must respond when it receives a communication claiming that material on the ISP's system infringes a copyright. Specifically, the Act requires an ISP to remove, or disable access to, any linked, stored or cached material when the ISP receives a written notice concerning that material that substantially meets the following requirements:
- the notice must contain a physical or electronic signature of a person authorized to act on behalf of the copyright owner;
- the notice must identify the copyrighted work claimed to have been infringed;
- the notice must identify the infringing material to be blocked or removed by the ISP and provide sufficient information to permit the ISP to locate that material;
- the notice must contain information reasonably sufficient to permit the ISP to contact the complaining party;
- the notice must state the complaining party's good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent or the law; and
- the notice must contain a statement that the information in the notice is accurate and that, under penalty of perjury, the complaining party is authorized to act on behalf of the copyright owner. (7)
When an ISP receives a notification that substantially complies with these requirements, the ISP must act expeditiously to remove or block access to the allegedly infringing material. The Act exempts the ISP from liability for taking down or blocking access to such material in response to the required notice, and provides that failure to take down or block access pursuant to notice will result in loss of the ISP's statutory exemptions from liability. (8)
The Act also provides for "counter-notification" by a user who placed the material as to which a complaint was received. Under these provisions, the ISP must promptly advise its user when the ISP receives a notice that material (such as a website) stored on the ISP's system at the user's request contains material that infringes the notifying person's copyright. The user then may send a written counter-notification, stating that the notice -- or the ISP's removal or disabling of access to the user's material -- is the result of mistake or misidentification. If the counter-notification complies with the Act, then the ISP must provide the asserted copyright owner with a copy of the counter-notification. If the purported copyright owner then does not notify the ISP that it has filed a court action seeking to restrain the alleged infringement, the ISP must replace or unblock the user's material within 10 to 14 business days of the ISP's receipt of the counter-notification. (9)
B. Actions Required of ISPs
In order to be fully eligible for the DMCA's protections, ISPs must take certain actions as soon as possible after the Act becomes law. Notably, each ISP must designate an agent to receive notices of claimed infringement, and must post that designation on-line and file the designation with the U.S. Copyright Office. (10) ISPs also must implement, and inform their users of, a policy for termination of the privileges of users who repeatedly infringe copyrights. (11) Finally, ISPs must ensure that they do not interfere with so-called "standard" technical measures for protection of copyrighted works. (12)
II. Indecent Communications: The Child Online Protection Act
The 1998 Budget Act includes an enactment called the Child Online Protection Act ("COPA"), which substantially revives the failed Communications Decency Act of 1996 ("CDA"). Like the CDA, COPA goes beyond banning obscene communications and child pornography (which are unlawful and not protected by the First Amendment) and seeks to control the transmission over the Internet of communications that are merely offensive or indecent. Like the CDA, COPA faces a constitutional challenge from the American Civil Liberties Union and other persons and organizations, and a federal district court has entered a temporary restraining order against enforcement of COPA until those constitutional claims can be heard and resolved. (13)
If upheld and permitted to take effect, the new legislation will prohibit anyone from knowingly making a communication for commercial purposes over the World Wide Web that "includes any material that is harmful to minors" without taking specified measures to restrict minors' access to that material. (14) COPA also provides that anyone making a commercial communication over the World Wide Web may not disclose any information collected "for the purposes of restricting access to such communications to individuals 17 years of age or older without the prior written or electronic consent of the . . . [adult individual concerned or that person's parent] . . .." (15)
Fortunately, COPA includes an express exemption from liability for ISPs. Specifically, COPA provides that "a person shall not be considered to make any communication for commercial purposes" to the extent that person is "engaged in the business of providing an Internet access service" or is "similarly engaged in the transmission, storage, retrieval, hosting, formatting, or translation . . . of a communication made by another person, without selection or alteration of the content of the communication . . .." (16) However, COPA imposes on ISPs an obligation to notify all new customers of the availability of "parental control protections" (e.g., blocking software) that may assist the customers in limiting access to material that is harmful to minors. (17)
In its effect on content providers, as opposed to ISPs that merely act as passive conduits for Internet-based speech, COPA appears to have the same constitutional defect as the original Communications Decency Act. Specifically, the legislation would force content providers either to implement expensive access-limiting measures or forego speech that is lawful for adults because that speech might be unsuitable for minors. Accordingly, the constitutional challenge to COPA, which already has resulted in a temporary restraining order prohibiting the legislation's enforcement, has a substantial chance of ultimate success.
III. Duty To Report Child Pornography: The Protection Of Children From Sexual Predators Act of 1998
Congress also has enacted legislation that creates new liability and increased penalties for distribution of child pornography. For ISPs, the most important provision of this legislation is the requirement that electronic communication service providers report any facts or circumstances from which violations of federal child pornography laws are apparent to "a law enforcement agency or agencies designated by the Attorney General. (18) " If an ISP "knowingly and willfully fails to make a [required] report," the ISP will be fined not more than $50,000 for a first violation and not more than $100,000 for each subsequent violation. (19) The new legislation does not require ISPs to monitor "any user, subscriber or customer" or the content of any communication of any user, subscriber or customer, (20) and immunizes ISPs from civil lawsuits for any good-faith actions taken to comply with the legislation.
IV. The Children's Online Privacy Protection Act
This new legislation, signed by President Clinton in October as part of the Omnibus Appropriation Act, gives the Federal Trade Commission (FTC) one year in which to promulgate regulations governing the on-line collection of information from children. The regulations will apply to any "operator of a website or online service directed to children" or "any operator that has actual knowledge that it is collecting personal information from a child . . .." (21) The FTC's regulations must give effect to the following requirements:
The Children's Online Privacy Protection Act also offers website operators some safe harbors and exceptions. Notably, website operators need not obtain verifiable parental consent for information that is obtained from a child to respond on a one-time basis to a specific request, and that is not maintained in retrievable form by the operator or used to make a subsequent contact with the child. (23) More generally, children's website operators may comply with the statute by observing industry self-regulatory guidelines approved by the FTC. (24) The FTC must approve or reject such self-regulatory guidelines within 180 days of the filing of a request for approval of those guidelines. (25)
In order to ensure compliance with the new copyright and indecency legislation, ISPs should take certain actions as soon as practicable. Those actions are set out on the attached "Compliance Checklist."
In order to ensure their compliance with legislation enacted in October 1998, ISPs should take the following actions as soon as practicable.
1. Playboy Enterprises, Inc. v. Frena, 839 F. Supp. 1552 (M.D. Fla. 1993); Sega Enterprises, Ltd. v. MAPHIA, 857 F. Supp. 679 (N.D. Cal. 1994).
2. See Religious Technology Center v. Netcom On-line Communication Services, Inc., 907 F. Supp. 1361 (N.D. Cal. 1995); see also Playboy Enterprises, Inc. v. Webbworld, Inc., 968 F. Supp. 1171 (N.D. Tex. 1997).
3. 17 U.S.C. § 512 (a) (1998). The ISP also may not make any copy of the material ordinarily accessible to anyone other than the intended recipients and must not keep any copy for longer than reasonably necessary for the ISP's transmission, routing or connection activities. Id.
4. Id. § 512 (b). Caching is the practice of temporarily storing popular Internet material locally, in the ISP's server, so that the ISP's users can access that material more readily.
5. Id. § 512 (c), (d).
6. The Act expressly does not displace existing law: in other words, an ISP that does not qualify for the statutory immunity defined in the DMCA still may seek to establish that it is not liable for infringement under pre-DMCA judicial decisions interpreting the Copyright Act.
7. 17 U.S.C. § 512 (f) (1998).
8. Id. § 512 (g).
9. Id. § 512 (g) (2).
10. Id. § 512 (j). The Copyright Office has issued interim regulations for filing the required information, and the relevant requirements are summarized in the attached Compliance Checklist.
11. Id. § 512 (i) (l) (A).
12. Standard technical measures are any reasonable digital locks and keys or other copyright protection measures that have been developed through an open, multi-industry standard-making process. Id. § 512 (i) (2).
13. "Federal Judge Blocks Internet Smut Law," The New York Times, section A, page 24 (Nov. 20, 1998).
14. H.R. 3783, proposed 47 U.S.C. § 231 (a) (1). The phrase "material that is harmful to minors" is defined to include any communication, recording, image or other matter where "the average person, applying contemporary community standards, would find, taking the material as a whole and with respect to minors, that such material is designed to appeal to or panders to the prurient interest . . . [and] taken as a whole, lacks serious literary, artistic, political, or scientific value for minors." Id., proposed 47 U.S.C. § 231 (e) (6).
15. Id., proposed 47 U.S.C. § 231 (d).
16. Id., proposed 47 U.S.C. §231 (b). COPA also states that its prohibitions reach only those who "knowingly cause the material that is harmful to minors to be posted on the World Wide Web or knowingly solicit such material to be posted on the World Wide Web." Id., proposed 47 U.S.C. § 231 (e) (2) (B).
17. H.R. 3783 §103 (d). Like the original Communications Decency Act, COPA makes it an affirmative defense for a website operator or other content provider to restrict access to minors through credit cards, access codes or other "reasonable measures that are feasible under available technology." Id., proposed 47 U.S.C. § 231(d).
18. H.R. 3494 §604, to be codified at 42 U.S.C. § 227 (b)(1). The Attorney General is tasked to make the required designations not later than 180 days after the effective date of the legislation. Id. § 227 (b)(2).
19. Id. § 227 (b)(3).
20. Id. § 227 (e).
21. A website or online service directed to children is a "commercial website or online service that is targeted to children" or "that portion of a commercial website or online service that is targeted to children." Children's Online Privacy Protection Act § 1302 (10).
22. Id. § 1302 (9).
23. Id. § 1303 (b) (2).
24. Id. § 1304.
25. Id. § 1304 (b) (3).
26. The Copyright Office will replace the interim regulations with a set of permanent regulations after public notice and an opportunity for comment. At that time, ISPs can expect to be required to make an additional, permanent designation under the DMCA.