William Carleton, Counselor @ Law

I'm returning home from the ACA 2013 Summit with heightened awareness of how organized angel investing is an international phenomenon.

So I'm thinking of broadening the scope of what is posted at the startuppolicy.org domain.

The buzz in the foyer after a session that included Jenny Tooth's report on policy in the UK was, how about that 105% tax benefit!

That kind of social welfare will never happen in the United States (unless Joe Wallin gets behind it), but, it might not hurt to have a ready link.

So we might organize the list on the domain by country or region of the world.

In terms of US policy, we should make a distinction between state and federal laws or programs.

And speaking of state initiatives: I have heard from someone knowledgeable in the field that six or seven different states now have non--accredited crowdfunding bills in the works. But I only know of two – Washington and North Carolina – on top of the two states – Kansas and Georgia – that have regulatory exemptions in place.

Dave Gillespie is keeping an eye out for us for activity in Ohio.

Anyone have a link or links to bills in other states?

Startup lawyer Joe Wallin testified yesterday before the House Technology & Economic Development Committee of the Washington State Legislature.

You can catch Joe's remarks from the hearing beginning at the 1:45:25 mark of the archived webcast.

Joe laid out for the Washington State legislators his proposal for a state crowdfunding bill that would stand in, at least within the confines of Washington State borders, for the failure of federal legislators to get a viable non-accredited crowdfunding bill across the finish line.

Joe has written that state crowdfunding bill, and in fact has already published it on GeekWire. I think this is a very viable approach to investment crowdfunding for non-accredited investors. State securities regulators have been and will continue to be proprietary about small offering exemptions.

Steve Reaser has informed us in a comment of an effort to introduce a state crowdfunding bill in North Carolina. So perhaps, state legislators, a race is on!

Joe also challenged the lawmakers to make sure that Washington State’s laws are at least as hospitable for startups as are the laws in California and other states.

Apropos to that point, here's probably the money quote from Joe's testimony:

"I personally think that if you're trying to create a startup ecosystem in this State, then none of our laws should be worse than the laws in the State of California. We should always outperform California when it comes to our law. And there are some circumstances in which we just don't."

To widen the scope to address startup policy at a national level, check out a global list of Joe's suggested policy reforms at startuppolicy.org.

My friend and fellow lawyer Joe Wallin thinks a lot about how laws passed by Congress - often including laws that have good purposes in the appropriate arenas - end up having adverse effects on startups.

I know this about Joe for almost as long as I've known him. In fact, we often collaborate on projects to identify threats to startups and startup investing, such as the Save Reg D campaign.

Even so, I was blown away by an email he sent last week on which I was copied, in which he laid out, bullet by bullet, what amounts to a truly pro-startup federal policy agenda. With Joe's permission, I'm posting his email below and at startuppolicy.org.

Joe Wallin's Ideas:

• Make Section 1202 permanent. Right now, it expires at the end of this year.

• Repeal Section 409A as it applies to startups. Watch this video. See also this quora post.

• Make the 60 day window on 1045 longer. 60 days is too short in startup land to find a replacement investment.

• Shorten the 5 year holding period under 1202 to 2 years.

• Repeal the bad actor provisions in the Dodd-Frank Bill. These provisions are a form of extreme overkill. They are going to make it a lot harder for startups to startup and grow.

• Repeal the increase the accredited investor threshold in the Dodd-Frank bill. Why make it harder to invest in startups?

• Repeal the second sentence of section 201(a) of the JOBS Act:

(a) Modification of Rules-

(1) Not later than 90 days after the date of the enactment of this Act, the Securities and Exchange Commission shall revise its rules issued in section 230.506 of title 17, Code of Federal Regulations, to provide that the prohibition against general solicitation or general advertising contained in section 230.502(c) of such title shall not apply to offers and sales of securities made pursuant to section 230.506, provided that all purchasers of the securities are accredited investors. Such rules shall require the issuer to take reasonable steps to verify that purchasers of the securities are accredited investors, using such methods as determined by the Commission. Section 230.506 of title 17, Code of Federal Regulations, as revised pursuant to this section, shall continue to be treated as a regulation issued under section 4(2) of the Securities Act of 1933 (15 U.S.C. 77d(2)).

This second sentence is what has hung up the SEC. Why require SEC regulations at all. Repeal the current regulatory barriers directly!

Also, the crowdfunding bill ought to be amended. Bill and I have sets of amendments that are places to start.

Also see this on quora.com.

It's possible startuppolicy.org will be a place where Joe might further iterate his list, or where others might add or develop policy ideas.

Photo: "Petition of Ohioans to the Senate and House of Representatives Regarding Land Sale Policy, 01/10/1810," The U.S. National Archives / Flickr.

Washington State legislators have introduced a bill (pdf) in the Washington State Senate that would make it unlawful for employers to ask employees or job applicants for passwords to social networking accounts.

If it passes, Washington will join at least six other states with similar laws.

Five Internet lawyers recently "graded" how those six other states did in defining what should be meant by "social media," "social networking site," or the like, for purposes of their respective statutes.

Comparing the Washington bill against the six state statutes we know of, the Washington bill is model most closely after the Illinois Act.

Here is a link to a redline (pdf) that takes the Illinois Act as the baseline and tracks changes in the Washington Senate bill against that. The comparison highlights how the sponsors of the Washington bill are dropping a couple of exceptions that would benefit employers; presumably the Washington legislators have seen the Illinois bill (or something very much like it) and have deliberately chosen to leave out some of the employer-friendly exceptions?

Among the express exceptions to be found in one or more of the other state statutes:

• email;
• passwords for employer devices;
• actions taken to facilitate investigations of misconduct or illegal behavior.

I'm noticing different lawyers reacting differently to these laws, depending on whether they feel individual privacy protection should extend to online activities beyond or other than those on Facebook, Twitter, LinkedIn and their ilk.

For instance, Eric Goldman faults the California statute for imprecision; he thinks the California definition of "social media" fails because it can include everything. By contrast, the group of internet lawyers issuing “grades” on this blog generally preferred the statutes that try, like California’s, to protect a broader set of online activities.

I must admit to being skeptical as to whether laws like these are needed. But maybe, with Facebook use being so ubiquitous now, there is actually a problem out there with overreaching employers, something legislators are picking up on.

Related posts on this blog:

• The “grading the legislatures” post on my blog: http://www.wac6.com/wac6/2013/01/grading-the-social-media-savvy-of-six-state-legislatures.html (includes links to different state statutes)
• Follow up post on lessons from the "grading” project: http://www.wac6.com/wac6/2013/01/the-takeaway-from-our-project-to-grade-legislative-definitions-of-social-media.html
• Post comparing the California statute against Illinois': http://www.wac6.com/wac6/2012/10/defining-social-media-legislatively.html (in which I show my hand on drafting preferences)

Image: Paul O'Rear / Flickr.

The takeaway from our project to grade legislative definitions of social media may be this: legislatures, don't do it.

You'll get it wrong, you'll define a set of services that may be gone tomorrow, and you'll miss addressing the broader problem.

If you're going to legislate to protect employee internet behavior from overreaching employers, don't get distracted by narrowly defining the genus that would contain Facebook.

It's no accident that the internet lawyers grading the work of California, Delaware,Illinois, Maryland, Michigan and New Jersey prefer Maryland's statute. Maryland chose to avoid defining "social media" or "social networking site." Instead, the Maryland statute focuses on whether the circumstance at hand involves a user name or password, and leaves vague the nature of the account or service to which the user name or password relates.

Pulling the project's critique into sharpest focus is an alternative definition proposed by one of our graders, Kyle Hulten:

“'Personal Internet account' means any personal account for a password protected Internet based service."

Kyle explains his definition this way:

"[I]t’s simple to understand and it’s appropriately broad. I understand there may be some whom are uncomfortable with the ambiguity in the definition of 'personal account' but that’s language I trust a judge can interpret."

The comments of another of our graders, Venkat Balasubramani, contains additional advice to legislatures. It's great stuff, and if you follow how Venkat keeps up on the Technology & Marketing Law Blog with the subject of ownership of social media accounts, you'll know his view is informed by a close reading of all the recent cases on the subject:

"One thing drafters should worry about is whether these laws may unintentionally prevent the employer from trying to get access to mixed accounts (used for both business and personal) that were created or accessed by the employee after the employment relationship commenced. The few 'ownership' disputes over social media accounts that we've seen (along with personal experience) indicate that accounts are typically mixed — there's no clear factual answer of whether the account properly belongs to either the employer or the employee. I think a carveout that somehow makes clear that these statutes are not intended to alter ownership rules would be useful or something to consider."

That's not all. Venkat thinks that legislatures might do well to anticipate mischief resulting from (mis)use of Klout-like services:

" . . .I would consider whether 'social media credit checks' are covered by the statute. If a service aggregates publicly available data and makes certain judgments about you, should this information be off-limits to employers?"

Like Kyle, Venkat also offered thoughts on how to approach drafting legislation in this area:

"I would go with something pretty minimalist. 'A social media account is any network-based service that allows you to post or transmit content that's tied to a profile.' Then maybe box this in with private or public accounts. My qualm with most the of the definitions is that they try to get too granular and in doing this don't account for changes or new services. Also, they don't really do a good job of getting into the private vs. public distinction, which is really the most important thing."

Finally, I want to quote at length the comments of Doug Cornelius, publisher of Compliance Building, which came in after the Tuesday post went to press. Doug says there is a business solution to the problem that may obviate the need for legislatures to intervene:

"I applaud the legislative efforts, although I think they are using lots of energy when there are bigger problems. The problem should be addressed by the social media platforms. Not only should they fix the problem, they can probably turn it into a revenue source.

"In the financial services industry, there are regulatory requirements to monitor employees’ interactions with customers. That’s easy to do with platforms controlled by the firm, like email, but difficult with the ever-changing platforms in social media. The solution. The social media platform should allow a company to monitor an employee’s account provided the company pays a monitoring fee. Of course the employee will need to consent to the monitoring. The platform gets a revenue stream and the company gets the monitoring and record-keeping it needs. The employee ends up with 'big brother' but only if the company thinks it’s a big enough problem that it is willing to pay the monitoring fee."

By the way, Doug graded the six legislative efforts, too, and his ranking pretty much matched that of Tuesday's group. Which state do you suppose ranked best with Doug? You guessed it:

"Of the six, I find Maryland’s to be the best. It does not limit its scope to social media. Maryland just uses the term 'personal account or service' but does not try to define it."

My thanks again to  Venkat Balasubramani, Jeremy Freeland, Jay Gairson, Kyle Hulten and Danan Margason for their work, insight and sense of fun in tackling this project. Thanks to Doug, too, for getting into the spirit and for the terrific contribution.

All of us, I noticed Tuesday and I notice again today, happen to be male. I do want it to be known that several lawyers I asked to participate are female; I guess they didn't have the inclination or else the time to participate.

Picture of Maryland State Senate by Mark Peters / Flickr.

Grades are in!

The project

Five internet lawyers, Venkat Balasubramani, Jeremy Freeland, Jay Gairson, Kyle Hulten and Danan Margason, have independently "graded" how six state legislatures have written up what should be meant by "social media" or "social networking site."

The states - identified as a group in a Wired post earlier this month - are California, Delaware, Illinois, Maryland, Michigan and New Jersey. Each has enacted a law to prohibit employers from requiring employees and job applicants to turn over passwords.

The grades

With no further ado, let's look at how each legislature did, moving from best to worst.

Maryland

 "(1) Subject to paragraph (2) of this subsection, an employer may not request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device. (2) An employer may require an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems."

Grade: B

Venkat points out that Maryland's is the "'no definition' definition" of social media. Presumably, courts are going to have to decide what is meant by "a personal account or service through an electronic communications device."

But the graders as a group like Maryland's approach the best.

Jay comments in part, "Good job covering almost all of the user's private passwords, and making a solid exemption for when the employer has an ownership interest in the account." Jay's only quibble is that Maryland's approach "restricts itself to a 'personal account,' which means if the new employee has a business the account might not be covered - even if separate from the employer's business."

---

California

"As used in this chapter, 'social media' means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations."

Grade: B

Of California's definition, Jeremy comments:

"I like it. It addresses just about any content a candidate may have made available over the internet that can’t be located by a searcher without knowledge of a user name. For example, if a candidate regularly shares their political or religious opinions in comments on newspaper articles, but does so under an alias, then even though the comments are publicly available, they couldn’t be associated with the candidate. With this definition, a candidate couldn’t be required to disclose the alias, and couldn’t be associated with his or her comments."

Similarly, Jay finds that the California definition "covers essentially all electronic services and accounts."

Danan perceives a troublesome lack of internal consistency within the statute:

"[T]hroughout the statute the legislature repeatedly refers to 'personal social media,' but the definition above only uses the term 'social media.' (e.g. 'An employer shall not require or request an employee… [to] disclose a username or password for the purpose of accessing personal social media.'). Thus we are left to wonder what 'personal' means. Is there some social media that is not 'personal,' and thus accessible by the employer?"

---

Michigan

“'Personal internet account' means an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data."

Grade: B-

Michigan's definition is Danan's personal favorite. He comments:

"I really like Michigan’s definition. It’s not limited to 'social media' per se, but it’s a good characterization of the types of sites we want to keep private. Basically, Michigan’s definition includes any site that has a login and a 'profile' of some sort. This includes every social media account, but it also includes bank websites, online ticketing sites, message boards, Dropbox, and virtually every other site somebody could theoretically log into and store private information. This is exactly what legislatures should be trying to protect from employer access."

But Jeremy dissents:

"This is exponentially complex drafting – 4 verbs (view, create, utilize and edit) apply to 5 nouns (account information, profile, display communications, and stored data). I think the principle appears good, but it’s too challenging to apply – more appealing to litigators than in-house counsel trying to establish a compliance program."

---

New Jersey

“'Social networking website' means an Internet-based service that allows individuals to construct a public or semi-public profile within a bounded system created by the service, create a list of other users with whom they share a connection within the system, and view and navigate their list of connections and those made by others within the system."

Grade: D+

Yep, we've fallen off a cliff now.

Notes Venkat, "It's confusing as to whether any functionality listed in the definition brings a service within the bounds of the statute."

Kyle comments:

"New Jersey’s law doesn’t protect private profiles, nor would it protect email accounts. While social networking sites are all about 'connections,' I think the point of this type of legislation is to protect the privacy of potential employees, so I don’t think it’s wise to limit the protection to sites where you only have information about your social connections."

---

Illinois

"For the purposes of this subsection, 'social networking website' means an Internet-based service that allows individuals to: (A) construct a public or semi-public profile within a bounded system, created by the service; (B) create a list of other users with whom they share a connection within the system; and (C) view and navigate their list of connections and those made by others within the system. 'Social networking website' shall not include electronic mail."

Grade: D

Here's Kyle on the Illinois definition:

"Again, I think email should be captured by these statutes. The conjunctive list is better than Delaware’s in the sense that it is clearly demarcated. I also like the fact that there is no ambiguity about whether or not email is protected—even if they did come down on the wrong side of the issue in my opinion. The worst part about this definition is that it doesn’t include private profiles. I assume private profiles are intended to be covered under the 'semi-public' definition, but why they didn’t also explicitly include private profiles is difficult to understand."

---

Delaware

"'Social networking site' means an internet-based, personalized, privacy-protected website or application whether free or commercial that allows users to construct a private or semi-private profile site within a bounded system, create a list of other system users who are granted reciprocal access to the individual’s profile site, send and receive email, and share personal content, communications, and contacts."

Grade: D

Delaware and Illinois received the same grade. 

By now it should be clear that our graders, as a group, don't appreciate definitions of social media that are too restrictive. They are bring policy judgments to bear in their grading!

Danan writes:

"I could write an entire essay on the number of sites Delaware’s definition excludes, but let’s start with Twitter. When I follow somebody on Twitter, I am not ‘creating a list of users that are granted reciprocal access.’ No, their access to my profile and tweets was available before I followed them, and unless they follow me back I can’t send a direct message or have any other unique access. On Facebook, too, I cannot ‘create’ a list of users. If I friend somebody they need to actively accept my request. I am not unilaterally creating anything."

Similarly, Jay notes:

"Delaware restricts the definition to peer-to-peer networking sites that grant privacy features. If everything on the site defaults to public, or there is no privacy policy or functions in place, the user has no right to protect his or her password? That does not make any sense at all."

---

The graders

A few words about each grader:

• Venkat Balasubramani of Focal PLLC is an IP and internet lawyer who blogs at Spam Notes and, along with Eric Goldman, at Technology & Marketing Law Blog.
• Jeremy Freeland brings a background of experience within the management teams of emerging companies to bear on his practice at Snow Creek Technology Law PS.
• Jay Gairson practices immigration, technology, and IP law, serving entrepreneurs and emerging technology companies.
• Kyle Hulten serves the business community practicing at inVigor Law Group PLLC. He blogs at the iVLG blog.
• Danan Margason is an attorney at Reed Longyear in Seattle and focuses his practice in the areas of internet and technology Law with a special emphasis on privacy work. He blogs at Interwebsblog.com.

To follow in a subsequent post: two of our graders take a stab at proposing how they would write a definition of social media.

Photo credit: victoriabernal / Flickr.

Suppose you were a state legislator and you wanted to do something to stop employers from demanding that employees turn over their Facebook passwords.

Or maybe you *are* a state legislator and are considering introducing a bill to do just such a thing.

You know the governor won't sign a bill that applies only to Facebook accounts. Besides, some employers are asking employees for Twitter passwords. And who knows what the popular social media or social networking services of tomorrow will be?

So you need to come up with a definition for "social media" or "social networking." You need to include such a definition in your bill, so the executive and the courts know what kinds of activities you are trying to place beyond the legitimate reach of the employment relationship.

An enterprising staffer brings you two definitions she has found in laws passed recently in other states. Here they are:

“'Social networking site' means an internet-based, personalized, privacy-protected website or application whether free or commercial that allows users to construct a private or semi-private profile site within a bounded system, create a list of other system users who are granted reciprocal access to the individual’s profile site, send and receive email, and share personal content, communications, and contacts."

"As used in this chapter, 'social media' means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations."

Which of the two definitions do you prefer? Would your opinion be influenced if you knew which came from California and which from Delaware?

***

Sometime next week on this blog we'll compare, contrast and assign grades to the definitions used in six different state laws that address the problem – or something very near like it – described above.

The "we" are a handful of internet/privacy lawyers who are following this protocol. (If you practice in this area and want to participate, jump in, there is still time! Grades are due Monday.)

Photo: "Representative Elaine Gordon votes NO" (1984) / Flickr.