Maryland recently adopted a new privacy act, however privacy laws won’t really work until …

TL;DR; – they prevent companies from denying services to people that use technology to block tracking and ads. 

Maryland recently adopted the Maryland Online Data Privacy Act of 2024, available here: It goes into effect in October of 2025. Does it increase Maryland consumer privacy rights? – yes (sort of). But it follows many other laws that really just do not address the key issue, and it perpetuates the privacy law and compliance cat-and-mouse game. That “game” is obtaining consent. To understand the cat-mouse, read the Sephora decision. Sure, there are other provisions like data minimization – but making a claim solely based on that would be hard. Claims are almost always based on failure to obtain consent.  So, as long as a provider can comply with the consent rules, they are 90% of the way to the clear.

The advertising business, which has been around for centuries but really took off with the advent of radio and TV, thrived for 50+ years without tracking or massively collecting personal information on consumers. The Internet just acted as a giant enabling device – and all these privacy laws have really done virtually nothing to slow it down because of one word: consent.  The new Maryland law does not really change this concept. To elaborate: 

There are basically two types of services on the Internet – those that cost money (so called “paywalled services”), and so called “free” services – which are primarily the user-to-user social media sites. I say “so called” because they are not truly free – you are the product – these sites even expressly tell you – your personal data is productized. There are also some hybrid types – the best example are the hardware manufacturers like Roku and Smart TV makers, that you pay one time for the product, but the product then comes laden with data gathering, Personal Information collecting and selling software.

So what is the key legal change we need to really make privacy a right? Forcing any data collector to respect a consumer’s technological choice to block tracking and advertising. Period.

As it stands now, US privacy-consent law is mostly opt out, and when its opt in, the providers force you to agree – so it’s a Hobson’s choice – don’t use my service, or agree to use of your Personal Information. 

In a truly free market competitive system this would work – because you could make a choice based on the service, and how much you valued your privacy (and if the laws and user interfaces were better, a knowing understanding of how they would use your Personal Information).  However, our actual system is dominated by essentially only a few providers – Meta, X, Reddit, Google YouTube, TikTok and maybe one or two others.  None of those providers give you a choice to not allow them to use and sell your Personal Information – because their service simply does not work if you do not consent. All this does is result in horrid user interfaces – pop up consents and re-confirmations with gibberish, unintelligible explanations of how they use your Personal Information. Try using a browser that technologically blocks those uses – many services just do not work at all.

While those observations are bad enough, the same happens on paid services – banks, hospitals, insurance companies, streaming providers (easily the worst) – services we pay for – many will not work at all if you block third party tracking on a browser.

So, is the new Maryland privacy law good?  Apart from the fact it should have been enacted 10 years or more ago, I guess its a start, but its just the same can getting kicked down the road – its just a little harder to kick – but all of the service providers that rely on selling your Personal Information already have this figured out. The Genie is way too far out of the bottle to meaningfully fix our privacy systems in the US.  Instead users have to suffer through horrible user interfaces and user experiences for sake of us “consenting” to who-knows-what they do with our Personal Information, just to connect to their friends and family on social media. 

Effective advertising does not need all the personal data – in fact, artificial intelligence can now probably do a better job of just guessing your preferences based on whatever you are searching for, viewing or browsing on, without knowing one actual personal detail about you . . . 


Now is the winter of our discontent – so begins the first Act of the Chronicles of the Corporate Transparency Act

The Corporate Transparency Act went into full effect on January 1, 2024. For all existing “reporting companies” on 12/31/2023 – they must complete the filing by January 1, 2025.  New reporting companies formed in the US on and after 1/1/2024 must file within 90 days of formation. The filing is done at – either by downloading a fillable PDF, or by completing the form online.

A “reporting company” is essentially any corporation or LLC formed by filing with an applicable State corporation office in the US, unless the entity is exempt (see for a list) – and that list has some oddball exemptions, for example, accounting firms are exempt, but not law firms, and “Venture capital fund adviser[s]” are also exempt.  So the first issue is that any existing or newly formed company must determine if it is exempt from this disclosure.

If a company is not exempt, now it must gather all the relevant documentation for “beneficial owners”.  A beneficial owner is:

  • “with respect to an entity, an individual who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise … exercises substantial control over the entity [or] owns or controls not less than 25 percent of the ownership interests of the entity;”
  • but does not include “(i) a minor child, as defined in the State in which the entity is formed, if the information of the parent or guardian of the minor child is reported in accordance with this section; (ii) an individual acting as a nominee, intermediary, custodian, or agent on behalf of another individual; (iii) an individual acting solely as an employee of a corporation, limited liability company, or other similar entity and whose control over or economic benefits from such entity is derived solely from the employment status of the person; (iv) an individual whose only interest in a corporation, limited liability company, or other similar entity is through a right of inheritance; or (v) a creditor of a corporation, limited liability company, or other similar entity, unless the creditor meets the requirements of subparagraph (A).”


Each beneficial owner and each “company applicant” has to report identification information and it is onerous: 

(A) The full legal name of the individual;

(B) The date of birth of the individual;

(C) A complete current address consisting of: (1) In the case of a company applicant who forms or registers an entity in the course of such company applicant’s business, the street address of such business; or (2) In any other case, the individual’s residential street address;

(D) A unique identifying number and the issuing jurisdiction from one of the following documents: (1) A non-expired passport issued to the individual by the United States government; (2) A non-expired identification document issued to the individual by a State, local government, or Indian tribe for the purpose of identifying the individual; (3) A non-expired driver’s license issued to the individual by a State; or (4) A non-expired passport issued by a foreign government to the individual, if the individual does not possess any of the documents described in paragraph (b)(1)(ii)(D)(1), (b)(1)(ii)(D)(2), or (b)(1)(ii)(D)(3) of this section; and

(E) An image of the document from which the unique identifying number in paragraph (b)(1)(ii)(D) of this section was obtained.


Unfortunately this affects nearly all of our corporate and business clients, the majority of which will not be exempt.  While I recognize that the purposes of this Act are laudable – to prevent, or least make easier to discover, funding of illegal activity (see note), the Act, like so many other laws and regulations, is going to be a major burden to small business with, in the author’s view, little benefit.  Criminals are going to either not report, report fraudulently, or avoid reporting by hiding under an exemption.

And to top it all off, the use of this Act to actually commit fraud has already started.  When you visit the main page, at the top, the site warns “Alert: FinCEN has been notified of recent fraudulent attempts to solicit information from individuals and entities who may be subject to reporting requirements under the Corporate Transparency Act.” Sooner or later this database will also likely be breached and sensitive data leaked to hackers and other criminals for misuse.

 (note:  From the opening of the proposed rules for the CTA “Illicit actors frequently use corporate structures such as shell and front companies to obfuscate their identities and launder their ill-gotten gains through the U.S. financial system. Not only do such acts undermine U.S. national security, but they also threaten U.S. economic prosperity: shell and front companies can shield beneficial owners’ identities and allow criminals to illegally access and transact in the U.S. economy, while creating an uneven playing field for small U.S. businesses engaged in legitimate activity.”)

 For assistance in compliance with the CTA, please contact Mike Oliver


Celebrating our 10th Anniversary!

Ten years ago today Kim and I arrived at our new temporary offices to start the firm. On our first anniversary I did a short retrospective of that 1st year. I do not recall having any thoughts of how long or even if we would be around in 5 or 10 years – it was more just surviving day to day back then.

A lot has happened over the years but we have been blessed that our core team has remained in tact and we have been able to hire Jen to help Kim and her growing Trademark practice thrive. We would not have made it 10 years without Larry, Karri, Tina and Jen with us, and also Lisa, Melissa, Adam and Pamela – all who helped us along the way.

We also would not have come this far without our clients. We are very thankful of the trust our clients put in us, many of whom have been with us from the start. We strive every day to provide a great work environment for our staff, and great personal, professional, efficient and knowledgeable legal service to our clients.

While our practice is very busy and at least I still take it day by day, with 10 years behind us, we can now look forward to another 10 years!

Best regards, Mike

So You received a copyright infringement letter – now what?

You get home and in your mail is a letter, typically from a law firm – accusing you of infringing some obscure copyrighted image you posted on a blog, website or other online location – often one you posted many years before.  It asks for a large payment (at least to you) – often several thousand dollars – to remedy the past alleged infringement.  Many times the law firm sending the letter is a one trick pony – this is all they do – that is to say, they literally make money by threatening (and suing) small alleged infringers.  If the law firm is a real firm – that is to say, they do other things and are enforcing rights of a smaller client as an example, then you probably should take it more seriously.

These copyright holders are often referred to as “copyright trolls” – in reference to their modus operandi of putting copyrighted material on the web – often easy to download, with hidden or hard to find license terms, and then scouring the web and sending these letters, in the hopes that a number of recipients just pay up – because it’s too expensive to hire lawyers.  Done incorrectly by the troll . . . and they can go to jail.  However the trolls often have enough evidence that the claim appears facially valid – and coupled with the possibility of a lawsuit or losing, and the high cost of lawyers – probably a lot of people just pay.  What should you do?

One option of course is do nothing and ignore it . . . and while in many cases the copyright holder might never actually sue you – there is a risk that they do sue you – and often that suit might be in a remote court.  At that point it will probably cost a lot of money to defend it, or settle.  Copyright cases must be brought only in federal court.  So step 1 is to check PACER, and see how “litigious” the plaintiff is. If the plaintiff actually follows through and sues, it is obviously more risky to do nothing. We also recommend internet searching the plaintiff and the lawyer.  Often you may find others who have won, or otherwise successfully defended against them – or worse, you might discover they are “Prenda like” (see the link above) and then you would definitely consider rejecting their offer or reporting them to the authorities for extortion.

Step 2 is to investigate what you did, when you did it, and where you did it.  We have handled many of these cases. A common statement is something to the effect that “I hired a web developer that handled this” – and more rarely “they got the images and told me they were free.”  Just because something is posted on the internet does not make it free.  Just because you had a web developer do it for you does not exonerate you.  Even the free sites, like Pixabay, have license terms.  Some allow unrestricted commercial use, some do not, or require attribution.  If a third party did this, you should review your contract with the developer, and see if they represented that they would create an infringement free website. You might have an indemnification right – in which case you need to make a claim against the developer. If you personally did this, you should see if you can track back to where you copied the image from.  Some sites, particularly social media sites, have very permissive use rights for people on their platform – though often the original image is copied by another user from somewhere else and posted without permission of the owner of the copyright.  You also need to determine if you just linked to the content, or whether you actually copied it and reposted it.  In short, you need to determine if in fact you are responsible for the image or other content that is claimed to be an infringement.  If you copied the image and did not modify it, you need to review the meta data in the image.  Meta data, a portion of which is also referred to as copyright management information or CMI, can be attached to an image to note the author, where to obtain permission, the web site of where the image is available from, and other information. In most cases, it is a violation of US law to modify any CMI in an image.

Step 3 is, if you are a business, to review your insurance policies. In most cases copyright infringement is not within coverage.  However, infringements that are contained in advertising can be, and if you had special insurance, known as media liability1, the policy may cover it. Note that a business is not a formal construct – if you were operating as a sole proprietor and purchased insurance, you should check the policy. You may also have purchased “umbrella” personal coverage that might provide insurance coverage.

Step 4 is to determine  if in fact you are infringing, and if so, whether you have a defense.

In determining if you are infringing and if you might have a defense, some of the factors are:

  • How long ago did this occur?  Was it continuing?  If the initial act occurred more than 3 years ago and the infringement is not a continuing infringement, the statute of limitations may apply and bar the claim.
  • How was the image used – thumbnail? Embedded link (an image tag that references another server), full resolution or lesser resolution?  In some cases some uses of images like thumbnails are less likely to infringe than full resolution copies.
  • Did the image have a copyright notice on it? (please note, such notice could be contained in meta data/CMI and may not be visible)
  • Did you try and remove any CMI?
  • Was the image used in connection with a recent news event, relevant to that event, and associated with reporting on such event?
  • Was the image posted on social media and is that where it came from (some social media sites have broad licenses to re-use those images by other users – at least within those platforms)
  • Did the site generate any revenue of any kind (including 3rd party advertising?)
  • Was the image used in more than one location, in emails, text messages, or posted on other sites?  Each such use might be a separate infringement.
  • If the content is a video and the claim is related to an image in the video (and not the video itself), how long was the image viewable and how prominent was the image?
  • Did the copyright holder provide evidence of registration? A copyright holder in the US cannot sue in court without an actual registration certificate (although they can sue inside of the copyright office, and simultaneously file an application)
  • If evidence was provided, are there any defects in the registration?  Often, the registration is a “group registration” but in fact did not qualify – in which case the registration would be invalid. Group registrations are complex and often authors file them as group registrations but the images are not grouped correctly which can result in a defective registration.
  • Did the copyright holder typically license the image?  How (for example, alone, or solely in a group of other images)?  What was a typical license fee for the image/group?
  • Did you make any effort to try and license the image, investigate etc? Did you get legal advice/clearance?

Some notes about common misperceptions.  The first is that many people immediately think they have a fair use right to use the content. Fair use is a somewhat limited concept in most cases outside of real news reporting.  Every piece of content is not news.  For example, where you ate today and what the food looked like is not news in the typical fair use sense.  If you grab an image that is copyrighted and include it in your foodie blog, that is not normally going to be a fair use just because you think it is news.  However, if the blog is not commercial – in the sense of the blog does not earn you any money – either directly or indirectly, such as from advertising, then that is factor in fair use, though not dispositive.   The second is that many people’s immediate reaction is – well only like 50 people saw the image, or “only my family saw the image” or similar.  Copyright law does not turn on the external number of views.  An infringement occurs if you exercise any exclusive right in the copyright, regardless of whether even one person saw it.  Having said the above, to be sure, fair use is a real legal concept and there are cases in which the unlicensed use of a copyright is permitted under that doctrine.

At this point then, if you have determined there might be an infringement, the question is how to resolve the issue.  Even if you feel like you were making a fair use, just the elimination of risk can have some value.  So then you need to determine – what can a copyright holder recover in damages?

In the US, if the registration was filed within 90 days of publication, or before the infringement occurred, the copyright holder can recover statutory damages and attorneys’ fees.  Those statutory damages range from $750 to $30,000, however, criminal infringement can carry a damage award of $150,000 per infringement.  Having noted that, however “In a case where the infringer sustains the burden of proving, and the court finds, that such infringer was not aware and had no reason to believe that his or her acts constituted an infringement of copyright, the court in its discretion may reduce the award of statutory damages to a sum of not less than $200.” This is known as an “innocent infringer.” To be an innocent infringer, however, the work needs to have omitted a copyright notice.  If you see a work that has a copyright notice on it (and again, that can be contained in meta data), and you infringe, you cannot be an innocent infringer.

One note about “per infringement” – an infringement is a single exercise of an exclusive right – again, without regard to how many people see the work.  So, for example, the posting of an image on a website is a single act of infringement – whether 1 person or a million saw it.  However, then embedding it in an email . . . is a separate instance of infringement.

Step 5 is now to determine whether to try and resolve the claim yourself, ignore it, or hire a lawyer to resolve it. A few notes on what we have seen:

1. A fair number of letters we see omit a copy of the registration certificate, or any explanation of the claim of infringement.   We would normally never resolve such a claim without seeing the registration certificate and verifying at least to some extent, that the registration is valid.

2. The dollar amount requested is often very bizarre.  For example, $3,568.  How is that determined?  The letters often make no explanation.  In our view, the number should be an even number, most typically based on $200, or $750, unless some evidence of bad faith infringement is shown.

3. The release included or provided if you do pay is often woefully inadequate.  For example, it often is related to a single example.  If a client pays, then it should be released for all uses of any kind in any media through the date of payment. The releases often include other notoriously oppressive language, like arbitration clauses, weird venue clauses in other states, and a variety of other terms that are oppressive and unfair, like future liquidated damages clauses.

While we have helped many of our regular business clients with these issues – it can be tough to help a “one off” personal infringement – as our fees rather quickly approach the amount sought by the copyright troll.

And a final note – if things get very bad and you get sued – HIRE A LAWYER (not us, as we generally restrict our litigation to inside the USPTO).  You may have rights under the AntiSLAPP legislation applicable in many states.  The copyright law generally gives the prevailing party a right to recover their fees – and in some cases in actual court, you can make a special type of offer, and if the plaintiff ultimately wins, but less or equal to your offer, then they have to pay your fees.

First CCPA Fine heralds bad news for many websites

First CCPA Fine heralds bad news for many websites

The first fine under the California Consumer Privacy Act was issued this week against Sephora U.S.A., Inc. The complaint alleged in part “The right to opt-out is the hallmark of the CCPA. This right requires that companies follow certain straightforward rules: if companies make consumer personal information available to third parties and receive a benefit from the arrangement—such as in the form of ads targeting specific consumers—they are deemed to be “selling” consumer personal information under the law.”

There are three important observations arising from both this allegation, and the consent by Sephora:

  • “Selling” Personal Information does not just mean literally collecting actual personal information and selling it – it means, according to the California attorney general, collection of essentially any information about a web site visitor (for example, what browser they are using) and then providing that to a third party, who then uses that to track such website visitor in their own network of customers – even if the tracking company does not actually know who that person is;
  • Websites that use ANY tracking technology must meet the fairly onerous disclosure notification rules that the site sells personal information – for example Sephora had stated (as most websites do today) that they “do not sell personal information”; and
  • For all practical purposes any website visitor has the right to completely opt out of “tracking” essentially anything, and the site must provide this ability to opt out and respect it.

The other matter of significance from the complaint and resulting consent fine is that if a user instructs their browser to send a do not track signal (also known as a global privacy control, or GPC), the website must honor it.

Finally, Sephora was unable to establish that the analytics providers were “service providers,” which would have resulted in the transaction not being a sale, because they did not have valid service provider agreements with these providers – indeed, the complaint goes to great lengths to note that Sephora exchanged personal information for free or reduced price analytic services.

Under the CCPA, a service provider agreement must:

“(1) Specif[y] that the personal information is sold or disclosed by the business only for limited and specified purposes.

(2) Obligat[e] the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.

(3) Grant[] the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.

(4) Require[] the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.

(5) Grant[] the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.”

CCPA, § 1798.100(d).

Virtually no analytics provider online terms of service meet these requirements.

The whole matter is also strange in that Sephora was given 30 days notice of the violations and for some reason chose not to comply. Did they decide to contest the claims, and then later decided not to? If so, it was a costly decision.

As a result of this decision, all websites using any form of third party (data sharing) analytics providers needs to make sure that they review the agreement with the analytics company carefully to see if they meet the above requirements. If not, they need to either obtain such an agreement, or cease using such provider. They also need to make full disclosure about what data is shared (sold) to the analytics provider, and provide a full opt out notice – and of course, ensure that the site respects GPC, and respects any opt out request. This is going to be very challenging to accomplish for many reasons – in part because in most cases, these analytics providers do not actually know who the person is – they just have all the data that identifies the electronic interaction – so they are going to have to devise a system to scan their identifiers for the requests. In short, this decision is going to make using web analytics all but impossible except where the analytics are limited solely to the website operator.