CURRENT MONTH (March 2024)
Fourth Circuit’s Ruling in Sony Music v. Cox Communications and ISP Liability
By Brian Jones, J.D. Candidate, Class of 2026, University of Chicago
In Sony Music Entertainment v. Cox Communications Inc., Sony (along with other record companies and music publishers) sued the defendant internet service provider (ISP) for not adequately policing its users for violating copyright law by pirating music. On February 20, 2024, the Fourth Circuit held that Cox was contributorily liable but not vicariously liable. On March 19, the court declined to rehear the case en banc. The Fourth Circuit’s reasoning is discussed below:
Cox does not qualify for the DMCA’s Safe Harbor Provision
Under the Digital Millennium Copyright Act (DMCA), ISPs are not liable for the copyright infringement of their users if they adopt a termination policy for repeat infringers. In this case, Sony Music and other record companies hired the anti-piracy company MarkMonitor to notify ISPs when users were infringing their copyright by pirating music online. The court held that Cox’s policy was inadequate under the DMCA because the company resisted terminating infringers in order to continue collecting their subscription payments.
Cox is not vicariously liable
To be vicariously liable for the infringement of its users, the ISP must (1) directly profit from the infringement and (2) have a right and the ability to supervise the user. The court found that Cox did not directly benefit for three main reasons:
- All subscribers paid the same fee regardless of whether they infringed copyright.
- The financial benefit of the continued subscription fees did not flow “directly from the copyright infringement itself.”
- There was no evidence that Cox’s service was favored by subscribers due to a lenient termination policy for repeated copyright infringement.
Cox is still contributorily liable
To be contributorily liable for the infringement of its users, the ISP must (1) have knowledge of the infringing activity and (2) materially contribute to it.
- The court required knowledge of a substantial certainty that the ISP’s users would infringe if their subscriptions were not terminated. Cox did not argue against the lower court’s assumption that its knowledge of past infringement was enough to constitute substantial certainty, and so the Fourth Circuit did not allow Cox to raise it on appeal.
- Cox’s choice to continue providing its service to repeat infringers was deemed a material contribution to their infringement.
FTC Enforcement Actions in 2024 Focus on Location Data
By Jessica Varda, J.D. Candidate, Class of 2026, Louis D. Brandeis School of Law at the University of Louisville
Three Federal Trade Commission (FTC) enforcement actions in the first quarter of 2024 focused on mass collectors’ mishandling of sensitive personal data—specifically, browsing and location data—as violations of Section 5(a) of the FTC Act, 15 U.S.C. Sec. 45(a)(1), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The actions highlight the FTC’s focus on protecting sensitive data, and defining browsing and location data as sensitive. The FTC is also focusing on purpose as a major factor of consideration, stating that consumer choice requires knowledge of the full scope of consent; companies may not use data for any purposes other than those expressly stated. In each instance, the FTC found that the companies had some safeguards and data protection plans in place, but these either were made moot by the way in which contracts were implemented, or the companies failed to follow up or audit the actual use of any data they sold. In a blog summarizing the main points of the three actions and the FTC’s goals, the FTC stated: “Promises and contract clauses are important, but they must be backed up by action.”
The three actions by the FTC were as follows: On January 9, 2024, the FTC announced a proposed settlement with X-Mode Social, Inc. and its successor Outlogic, LLC, a data broker, following the FTC’s complaint against X-Mode/Outlogic for allegedly selling—without telling consumers or obtaining their consent—consumers’ precise location data collected from consumers’ phones through mobile apps. On January 18, the FTC announced a proposed settlement with InMarket Media, LLC, a data aggregator, following the FTC’s complaint against InMarket for allegedly collecting information similarly to X-Mode and also without notifying consumers or obtaining their consent, aggregating it into audience segments, and selling it to advertisers. And on February 22, the FTC announced a proposed settlement with software provider Avast Limited, a security software company, following the FTC’s complaint against Avast (based in the United Kingdom, through its Czech subsidiary) for allegedly unfairly selling granular and re-identifiable browsing information amassed through its antivirus software and browser extensions, in violation of promises that Avast would protect consumers’ privacy and that any disclosure of browsing information would be aggregate and anonymous.