HBO's Silicon Valley: a Legal Critique - (Part Two)

Last week, we discussed the lawsuit that runs through the second season of Silicon Valley and what it can teach us about intellectual property and contract law. Yet, the standoff between Hooli and Pied Piper that leads up to the climactic episode “Two Days of the Condor” barely scratches the surface of the legal challenges that HBO’s screenwriters throw at Richard Hendricks and his crew of tech misfits. We now turn to the most recent season of Silicon Valley. Season four begins with a cameo by the Children’s Online Privacy Protection Act (COPPA) before diving into a storyline driven by intellectual property’s most notorious heel: the patent troll. Just how accurate are these plot developments from a legal perspective? Once again, Silicon Valley deserves high marks for grounding its farce in very specific legal concerns that tech companies really do face. Nevertheless (and no doubt over the protests of its legal consultants), messy verisimilitude occasionally takes a backseat to narrative economy. With so much ground to cover, we’ve decided to split things up once again, spinning this topic off into a bloated trilogy of Peter Jacksonian proportions. Today’s article will take a look at COPPA. Next week, we’ll wrap things up with a discussion of patent trolls. The Rise and Fall of PiperChat Frantically reaching again for the reset button, the show begins its fourth season by once more shaking up its protagonist tech startup. Dissatisfied with the banality of Pied Piper’s transformation into a video chat company, Richard steps down as CEO, leaving the reins with supporting player Dinesh. Rather than cash Richard out, the parties agree to let him retain ownership of his precious compression algorithm, as well as the PIED PIPER trademark. The newly rebranded PiperChat, it’s implied, will receive a free license to use Pied Piper's technology. This setup in itself raises some interesting IP questions. As discussed in Part One, it’s not clear whether or on what basis Richard’s compression technology is proprietary, so it would be interesting to see what the assignment and/or licensing agreement between him and PiperChat looks like. In addition, the PIED PIPER and PIPERCHAT trademarks are close enough to present a possible likelihood of confusion, especially in light of their shared history and similar technical framework, so forming a workable co-existence agreement might be challenging. But let’s gloss over those transactional issues in favor of the legal storyline that ends Dinesh’s short-lived tenure as PiperChat CEO.

Terms of Service and COPPA It’s Richard who first notices the predominance of preadolescent faces popping up on PiperChat’s video streams. A third of the app’s users, it turns out, are under the age of 13. When the team investigates the legal consequences of its young demographics, it’s revealed that Dinesh has neglected to attach any Terms of Service to downloads of the software. As a result, PiperChat’s practices apparently run afoul of a federal law intended to protect the personal information of minors: the Children’s Online Privacy Protection Act (COPPA, not to be confused with the Child Online Protection Act, COPA, which was intended to protect minors from harmful online content). The company’s estimated liability? $21 billion. COPPA regulates how online services collect information from users under the age of 13. Among other things, it requires service providers to obtain verifiable parental consent before collecting any personal information. The regulations are enforced by the Federal Trade Commission, and violations are treated like other unfair or deceptive trade practices under the FTC Act, with penalties up to $16,000 per violation (raised to $40,000 as of August, 2016). COPPA applies to websites and apps alike but only those that either (a) are directed towards children; or (b) provide the operator with actual knowledge that children’s information is being collected. Thus, general-audience services (i.e. those without particular kid-focused content) wishing to skirt COPPA don’t need to police their platform for underage users or even specifically exclude users under 13. But if they find out someone is under 13, they need to immediately delete that user’s information and either stop collecting or else comply with COPPA's notice-and-consent requirements.

PiperChat’s COPPA fiasco may have been inspired by the social networking platform Path. In 2013, Path was sued by the FTC for COPPA violations (and other deceptive privacy-related practices), resulting in $800,000 in civil penalties. Path wasn’t accused of being a child-directed app, but the FTC claimed that it asked for users’ date of birth at signup. Therefore, the company had actual knowledge of underage users (at least 3,000 of them, according to the FTC’s complaint) from whom it proceeded to collect information, which included both basic user information like name and location as well as photos and other content uploaded to the platform. Path neither notified parents nor obtained parental consent, and, worse, its privacy policy didn’t even accurately disclose the information it collected. Like Path, PiperChat’s COPPA non-compliance seems to have been an example of carelessness, though the explanation of Dinesh’s very costly goof is a little misleading. PiperChat looks like it would almost certainly be liable under COPPA, but it's not because it lacked Terms of Service. It's because it knowingly collected data from users under 13. The show never explicitly says so, but we can assume that, like Path, PiperChat asked for users’ age at signup and yet failed to block those who admitted being under 13 (alternatively, maybe the emphasis on the sheer number of pre-teen girls using the service is meant to suggest the app is directed at children, but, if so, that’s never spelled out). Therefore, if, like Facebook, it had just forced minors to lie about their age, things probably wouldn't have looked so bleak, Terms of Service or no.

PiperChat’s COPPA fiasco may have been inspired by the social networking platform Path. In 2013, Path was sued by the FTC for COPPA violations (and other deceptive privacy-related practices), resulting in $800,000 in civil penalties. Path wasn’t accused of being a child-directed app, but the FTC claimed that it asked for users’ date of birth at signup. Therefore, the company had actual knowledge of underage users (at least 3,000 of them, according to the FTC’s complaint) from whom it proceeded to collect information, which included both basic user information like name and location as well as photos and other content uploaded to the platform. Path neither notified parents nor obtained parental consent, and, worse, its privacy policy didn’t even accurately disclose the information it collected. Like Path, PiperChat’s COPPA non-compliance seems to have been an example of carelessness, though the explanation of Dinesh’s very costly goof is a little misleading. PiperChat looks like it would almost certainly be liable under COPPA, but it's not because it lacked Terms of Service. It's because it knowingly collected data from users under 13. The show never explicitly says so, but we can assume that, like Path, PiperChat asked for users’ age at signup and yet failed to block those who admitted being under 13 (alternatively, maybe the emphasis on the sheer number of pre-teen girls using the service is meant to suggest the app is directed at children, but, if so, that’s never spelled out). Therefore, if, like Facebook, it had just forced minors to lie about their age, things probably wouldn't have looked so bleak, Terms of Service or no.

Similarly, COPPA’s purpose and consequences are muddied a bit for comic effect. For example, it’s repeatedly suggested that PiperChat is exposing children to sexual predators. That may be so, but it doesn’t have much to do with COPPA. PiperChat’s wrongdoing stems from collecting and storing minors’ data without parental consent, not from facilitating pedophiles.

Likewise, the $21 billion fine, while grounded in truth, is probably a touch steep. The calculation comes from COPPA’s then-current statutory penalty of $16,000, multiplied by the number of individual PiperChat sessions initiated by underage users. It’s not clear whether, in such circumstances, a court would interpret every single chat session as a fresh “violation” of the FTC Act, but, regardless, the statutory maximum is rarely awarded. For example, even assuming Path’s non-compliance was limited to a single use of the app by each of the 3,000 users identified by the FTC, its maximum penalty would have been $48 million, many multiples over the $800,000 deal it struck. A recent survey indicated that the average COPPA penalty per child was $2.28. That would put PiperChat’s liability at a more manageable $3 million. Whether it’s $3 million or $21 billion, though, the latest legal travails of HBO’s fictional start-up are a teachable moment in regulatory compliance for real-life digital entrepreneurs. Despite the quibbles raised above, the show’s accuracy and attention to detail when it comes to cyberlaw are impressive. Check back with the Knowmad Law Blog next week for the final installment of our series on Silicon Valley, when we’ll take a look at tech’s favorite boogeyman: the patent troll.