Legal Suicide for Web 2.0 start-ups: A beginner's guide

I got an email from Fred von Lohmann of the Electronic Frontier Foundation yesterday. It began, "Half the companies you blog about have copyright or privacy legal issues simmering just under the surface. Since most of them are thinly capitalized, when they get into trouble, they're likely to call EFF for legal advice. Several already have."

I called von Lohmann right away, since I've had a nagging feeling for months that too many of the interesting products I've been seeing were legally shaky. So I talked with him to come up with this list: 9 Fun Ways Web 2.0 Startups Can Commit Legal Suicide.

For more information than can fit in a blog post, you might want to check out the EFF's upcoming Compliance Bootcamp on Oct. 10 in Mountain View. I told von Lohmann I'd link to the event in exchange for this preview.

1. Ignoring the rules of Safe Harbor

Many media sharing sites, like SimplifyMedia, exist in a narrow legal framework carved out of the DMCA. But you can't take advantage of the Safe Harbor provisions of the DMCA if you don't register as a "copyright agent." All that's required is filling out a form and paying an $80 fee. You can't get protection without registering. As von Lohmann said, "The difference between you and Napster might be this form."

2. Ignoring the Terms of Service chain

This applies to sites that collect or aggregate data--like Mint, which collects its users' financial information. The sites where the data are coming from may have terms of service that prohibit their users from sharing them with third parties. Sites that collect this information may be seen as encouraging breech of contract, which is a legal exposure.

3. Falling for a sob story

If you're collecting personal information from or about people, there will be other people who want it. They may call up your company and give someone there a convincing story to get it. If your team falls for this "pretexting," or social engineering, users can sue you for exposing their information.

4. Keeping your data forever

There are few legal requirements for data retention in the U.S. Take advantage of that, and from time to time purge user-identifiable information from your service. That way, when you get subpoenaed for information that would force you to reveal more than you want to about your business or your users, or cost you a bundle fighting it, you can honestly say you don't have it. Von Lohmann notes that analytics experts generally say to keep everything for future data mining projects, but there are ways to anonymize your data while still keeping that possibility open. For example, you can overwrite the last quartet of IP addresses in you logs with null data.

5. Being open to kids

The collection of data from children younger than 13 is regulated by the COPPA, the Children's Online Privacy Protection Act. If your business doesn't see children as customers (most don't, since they don't have credit cards or mass spending power), you should make an effort to keep their personal data off the site. Asking for users to confirm that they are over 13 years old before leaving data on your service is a start.

6.Expanding into print

Thanks to Section 230 of the Communications Decency Act, you're protected from libel suits filed against you if your users write disparaging comments about other people or services on your site. That's how ZocDoc, a new Yelp-like service for finding doctors, can exist without being sued into the ground. But if you print out your user reviews, this no longer applies. So be careful if your customers or users ask for it.

7. Ignoring the bribes you have to pay

For any good idea out there, "someone will claim it infringes" with their patent, von Lohmann says. Patent trolls live to shake settlements out of companies that have money. As long as you're thinly funded or struggling, they won't come after you. Like successful parasites, they target big, juicy hosts. So don't expect a patent claim against your business until you're established. But don't expect the proposed terms will be worth fighting in court. The quick settlement is what the trolls are after, and settling makes the most business sense for most companies. Be sure to prepare for this outlay.

8. Cooperating with the police

What are you going to do when the Man comes knocking on your door? You need to know. Law enforcement agencies inexperienced with online law--that would be most local sheriffs and police--may ask for things that, if you give them up, will simply get you into deeper trouble. You need to know ahead of time what you'll do when these requests come in. The best bet is to keep a lawyer around.

9. Thinking you are in the clear

The law is a snarling beast (according to me, not von Lohmann), and start-ups run fast and often headlong into its maw. Von Lohmann's two big takeaways: First, be sure you know when you're stepping into a danger zone. Music? Financial data? Private information? Kids? Don't let yourself think you're more clever than another industry's legal machine. Second, realize that no matter how hard you try to stay clean, "You're probably doing something wrong already. For the most part it doesn't matter, but something just might."