cookies – Techdirt

Stories filed under: "cookies"

from the allow-all-cookies dept

In the middle of last year, we talked about an odd lawsuit between two bakeries, Crumbl and Dirty Dough. Crumbl’s suit against Dirty Dough claimed both theft of trade secrets and trademark infringement, the latter of which revolved around two major claims. First, the owner of Dirty Dough used to work for Crumbl. That obviously isn’t the basis of any lawsuit that would be successful on the trademark claims, but is important because there was also the accusation of theft of trade secrets. The second main claim was that Dirty Dough took some distinctive packaging that Crumbl felt constituted trademark infringement. Sounds bad, until you get into the details.

“Specifically, Dirty Dough packages its cookies in boxes that perfectly fit cookies lying side-by-side, and that include whimsical, outline-shaped drawings, including a cookie with a bite taken out of it, has a weekly rotating menu, and includes a drawing in the shape of a cookie with a bite taken out of it in its décor and marketing,” the suit says.

Your alarm bells should already be going off if you know much about trademark law. Most of what is talked about in the quote above is simply not protectable via trademark. The one thing the company could hang this lawsuit’s hat on would be the depictions of branding on the packaging, but only if they truly are quite similar. The problem is, well, here is the branding side by side.

Yeah, not similar at all. And while Crumbl might be very annoyed that it suddenly finds itself competing in the marketplace alongside a former employee, none of that turns any of this into an actionable claim of trademark infringement.

As a result, Dirty Dough launched a social media and billboard campaign to go along with its defense of itself in court. Much of it was handled quite whimsically, with the owner of Dirty Dough creating a bunch of mocked up billboard images that mostly just poked Crumbl in the eye for being bullies while also taking the time to state how good Crumbl’s products were. Being human, in other words.

Sadly, as far too often happens, what would be an interesting outcome in court has instead turned into a confidential settlement.

The largest of the three companies, Logan-based Crumbl, and a company that it had sued, Dirty Dough, agreed to a settlement, according to a court document filed Friday with the U.S. District Court in Utah. The court document states that both companies are “finalizing a written agreement to memorialize the settlement.”

In July, Crumbl settled a similar lawsuit it had filed against another Utah-based rival, Crave Cookies.

While we don’t have every detail of the settlement, Crumbl has been forthcoming with a few details. It called the settlement “amicable,” for instance. In addition, it revealed that Dirty Dough has agreed to make some changes to its packaging, which is somewhat disappointing. And, finally, it seems that Dirty Dough also agreed to return materials to Crumbl after the court indicated that Crumbl was likely to succeed on that claim.

According to Crumbl’s statement, “as part of the case resolution, Dirty Dough returned the Crumbl information and has agreed to change certain cookie boxes in order to eliminate any potential confusion for customers. The remaining terms of the settlement agreement are confidential.”

Crumbl’s statement concluded: “Crumbl and Dirty Dough are pleased that they have been able to work together to resolve this dispute and each remains dedicated to serving its customers with excellence. Crumbl and Dirty Dough wish each other success in their future endeavors.”

So it’s over. And Crumbl did get something out of the suit. The trademark claims still seem quite silly, so I guess we’ll just have to see how far Dirty Dough is going to go in its packaging changes.

Filed Under: cookies, trade secrets, trademark
Companies: crumbl, dirty dough

Bakery Sues Other Bakery In Trademark Suit Over Unprotectable Elements

There are a great many things that tend to annoy me about the sorts of trademark disputes we cover here at Techdirt. Overly aggressive parties policing trademarks in ways that extend far beyond the reasonable. A USPTO that seems all too happy to grant trademarks for things that it simply shouldn’t have, causing all kinds of chaos.

But perhaps the most frustrating is when a lawsuit is filed for trademark infringement on a bunch of elements strung together that don’t appear to be protectable trademarks at all. Take Crumbl, for instance. Crumbl is a cookie company out of Utah that is suing another company, Dirty Dough, for trademark infringement. At the center of the complaint are two items. First, that the founder of Dirty Dough used to work for Crumbl. Second, Dirty Dough is doing a bunch of things that Crumbl believes constitute trademark infringement. Such as:

“Specifically, Dirty Dough packages its cookies in boxes that perfectly fit cookies lying side-by-side, and that include whimsical, outline-shaped drawings, including a cookie with a bite taken out of it, has a weekly rotating menu, and includes a drawing in the shape of a cookie with a bite taken out of it in its décor and marketing,” the suit says.

As you’ll see in the filing below, that’s mostly it. Crumbl also reportedly filed a similar suit against another company called Crave.

As to the claims, well, c’mon now. Having cookies fit snugly in a box isn’t something you can trademark. Having “whimsical” drawings on that box, when they aren’t identical or even super similar, is also not something you can trademark. You’ll see in the document embedded that the packaging isn’t any more similar than the company logos the complaint also alleges are infringing (Dirty Dough on the left, Crumbl on the right).

I’m honestly struggling with this one. Both logos include an image of a cookie with a bite out of it. Other than that, they are almost perfectly dissimilar. One is just words, the other a picture. One is orange and the other black. Hell, Dirty Dough’s has its name as the majority of the logo. Where is the potential for confusion?

Bennett Maxwell, the founder of Dirty Dough, is not only going to fight this in court, but on social media as well under the hashtag #Utahcookiewars. For instance, here is a recent LinkedIn post.

It’s exactly the right tone to take with all of this. Whimsical derision is precisely what Crumbl’s lawsuit deserves on the merits.

So now we hope the courts take the same view.

Filed Under: cookie wars, cookies, trademark
Companies: crumbl, dirty dough

Moving the Web Beyond Third-Party Identifiers

from the privacy-and-cookies dept

(This piece overlaps a bit with Mike’s piece from yesterday, “How the Third-Party Cookie Crumbles”; Mike graciously agreed to run this one anyway, so that it can offer additional context for why Google’s news can be seen as a meaningful step forward for privacy.)

Privacy is a complex and critical issue shaping the future of our internet experience and the internet economy. This week there were two major developments: first, the State of Virginia passed a new data protection law, the Consumer Data Protection Act (CDPA), which has been compared to Europe’s General Data Protection Regulation; and second, Google announced that it would move away from all forms of third-party identifiers for Web advertising, rather than look to replace cookies with newer techniques like hashes of personally identifiable information (PII). The ink is still drying on the Virginia law and its effective date isn’t until 2023, meaning it may be preempted by federal law if this Congress moves a privacy bill forward. But Google’s action will change the market immediately. While the road ahead is long and there are many questions left to answer, moving the Web beyond cross-site tracking is a clear step forward.

We’re in the midst of a global conversation about what the future of the internet should look like, across many dimensions. In privacy, one huge part of that discussion, it’s not good enough in 2021 to say that user choice means “take it or leave it”; companies are expected to provide full-featured experiences with meaningful privacy options, including for advertising-based services. These heightened expectations—some set by law, some by the market—challenge existing assumptions around business models and revenue streams in a major way. As a result, the ecosystem must evolve away from its current state toward a future that offers a richer diversity of models and user experiences.

Google’s Privacy Sandbox, in particular, could be a big step forward along that evolutionary path. It’s plausible that a combination of subscription services, contextual advertising and more privacy-preserving techniques for learning can collectively match or even grow the pie for advertising revenue beyond what it is today, while providing users with compelling and meaningful choices that don’t involve cross-site tracking. But that can’t be determined until new services are built, offered and measured at scale.

And sometimes, to make change happen, band-aids need to be ripped off. By ending its support for third-party identifiers on the Web, that’s what Google is doing. Critics of the move will focus on the short-term impact for those smaller advertisers who currently rely on third-party identifiers and tracking to target specific audiences, and will need to adapt their methods and strategies significantly. That concern is understandable; level playing fields are important, and centralization in the advertising ecosystem is widely perceived to be a problem. However, the writing has been on the wall for a long time for third-party identifiers and cross-site tracking. Firefox blocked third-party cookies by default in September 2019; Apple’s Safari followed suit in April 2020—Firefox first made moves to block third-party cookies as far back as 2013, but it was, then, an idea ahead of its time. And the problem was never the cookies per se; it was the tracking they powered.

As for leveling the playing field for the future, working through standards bodies is an established approach for Web companies to share information and innovate collectively. Google’s engagement with the W3C should, hopefully, help open doors for other advertisers, limiting any reinforcement effects for Google’s position in Web advertising.

Further, limits on third-party tracking do not apply to first-party behavior, where a company tracks the pages on its own site that a user visits, for example when a shopping website remembers products that a user viewed in order to recommend other items of potential interest. While first-party relationships are important and offer clear positive value, it’s also not hard to imagine privacy-invasive acts that use solely first-party information. But Google’s moves must be contextualized within the backdrop of rapidly evolving privacy law—including the Virginia data protection law that just passed. From that perspective, they’re not a delaying tactic nor a substitute for legislation, but rather a complementary piece, and in particular a way to catalyze much-needed new thinking and new business models for advertising.

I don’t think it’s possible for Google to put privacy advocates’ minds at ease concerning its first-party practices through voluntary action. To stop capitalizing totally on its visibility into activity within its network would leave so much money on the table Google might be violating its fiduciary duty as a public company to serve its shareholders’ interest. If it cleared that hurdle and stopped anyway, what would prevent the company from going back and doing it later? The only sustainable answer for first-party privacy concerns is legislation. And that kind of legislation will struggle to be feasible until new techniques and new business models have been tested and built. And that more than anything is the dilemma I think Google sees, and is working constructively to address.

Often, private sector privacy reforms are derided as merely scratching the surface of a deeper business model problem. While there’s much more to be done, moving beyond third-party identifiers goes deeper, and deserves broad attention and engagement to help preserve good balances going forward.

Filed Under: 3rd party cookies, cookies, identification, privacy
Companies: google

from the important,-but-not-as-important dept

Google made some news Wednesday by noting that once it stops using 3rd party cookies to track people, it isn’t planning to replace such tracking with some other (perhaps more devious) method. This news is being met cynically (not surprisingly), with people suggesting that Google has plenty of 1st party data, and really just doesn’t need 3rd party cookie data any more. Or, alternatively, some are noting (perhaps accurately) that since Google has a ton of 1st party data — more than just about anyone else — this could actually serve to lock in Google’s position and diminish the alternatives from smaller advertising firms who rely on 3rd party cookies to bootstrap enough information to better target ads. Both claims might be accurate. Indeed, in the “no good deed goes unpunished” category, the UK has already been investigating Google’s plans to drop 3rd party cookies on the grounds that it’s anti-competitive. This is at the same time that others have argued that 3rd party cookies may also violate some privacy laws.

And, yes, it’s possible that it can be both good for privacy and anti-competitive, which raises all sorts of interrelated issues.

In theory cookies should have been very pro-privacy. After all, they’re putting data on end user computers where they have control over them. Users can delete those cookies or block them from being placed. In theory. The reality, though, is that deleting or blocking cookies takes a lot of effort, and while there are some services that help you out, they’re not always great. In an ideal world, we would have built tools that made it clearer to end users what information cookies were tracking, and what was being done with that information — as well as consumer-friendly tools to adjust things. But that’s not the world we ended up in. Instead, we ended up in a world where the hamfisted use of 3rd party cookies is generally just kinda creepy. In the past, I’ve referred to it as the uncanny valley of advertising: where the advertising is not so well targeted as to be useful, but just targeted enough to be creepy and annoying by reminding you that you’re being tracked.

The actual death knell for 3rd party cookies happened a while back. Firefox and Safari phased out 3rd party cookies a long time ago, and Google announced plans to do the same a year ago, with an actual target date for implementation a year from now. Today’s news was more about what happens next, with Google promising not to use some sneaky method to basically replace cookies with something even worse. There is a concerted effort by some to track you through a “hashed email address”. This is really creepy and kinda sketchy.

As a side note, a few years back, we were approached by a company doing this. They basically asked us to hand over a hashed set of emails we had collected. We looked over the details, and highlighted that they wanted us to use their hash, meaning that they could easily reverse the hash and figure out the emails. We explained that they must be mistaken, because that’s really not all that different from just handing over emails, which would be a violation of our own privacy policy. We were told that, no, the whole idea was everyone had to use the same hash, and it was fine because the email addresses were hashed (ignoring the point we made about that being meaningless if everyone is using the same hash). We rejected this deal, even though they were actually offering decent money. I do sometimes wonder how many other publishers just coughed up everyone’s emails, though.
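The point of the side note, as an added example (not Techdirt's code and not the ad company's): it assumes "their hash" means an unkeyed SHA-256 over the normalized address, and compares it with a per-publisher HMAC key. All addresses, keys and function names below are constructed for the illustration.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    """Canonical form that every party in a shared-hash scheme has to agree on."""
    return email.strip().lower()


def shared_hash(email: str) -> str:
    """Unkeyed SHA-256: the same address yields the same token at every publisher."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret that never leaves the publisher."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def resolve(tokens, candidate_emails, tokenizer):
    """What a recipient learns from `tokens` when it already holds a list of
    addresses and can compute `tokenizer` itself: a token -> address mapping."""
    lookup = {tokenizer(e): normalize(e) for e in candidate_emails}
    return {t: lookup[t] for t in tokens if t in lookup}


# Constructed sample data (example.com addresses, made-up keys).
PUBLISHER_A = ["Alice@example.com", "bob@example.com", "carol@example.com"]
PUBLISHER_B = ["alice@example.com ", "dave@example.com"]
RECIPIENT_LIST = ["alice@example.com", "bob@example.com", "erin@example.com"]
KEY_A = b"constructed-secret-for-publisher-a"
KEY_B = b"constructed-secret-for-publisher-b"


def compare():
    """Summarize linkability of the two schemes from the recipient's side."""
    shared_a = {shared_hash(e) for e in PUBLISHER_A}
    shared_b = {shared_hash(e) for e in PUBLISHER_B}
    keyed_a = {keyed_token(e, KEY_A) for e in PUBLISHER_A}
    keyed_b = {keyed_token(e, KEY_B) for e in PUBLISHER_B}
    return {
        # Tokens that line up across two unrelated publishers.
        "shared_cross_site_matches": len(shared_a & shared_b),
        # Addresses the recipient recovers from publisher A's hand-over.
        "shared_resolved": sorted(resolve(shared_a, RECIPIENT_LIST, shared_hash).values()),
        "keyed_cross_site_matches": len(keyed_a & keyed_b),
        # Without KEY_A the recipient can only try the public hash; nothing matches.
        "keyed_resolved": sorted(resolve(keyed_a, RECIPIENT_LIST, shared_hash).values()),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

The keyed variant only holds up while the key stays with the publisher; handing the key over alongside the tokens puts the recipient back in the shared-hash position.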

So, Google’s latest point is that it’s not going to use some other unique identifier, and recognizes that the hashed email based-identifier is a bad idea:

We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not — like PII graphs based on people’s email addresses. We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.

Instead, Google is pushing for a different kind of solution — what it has referred to for a while now as a “Privacy Sandbox.” The idea is not to track individuals but rather to dump you into a “cohort” of similar users, thereby not needing unique identifiers, just slightly more general ones. Google has taken to calling this cohort setup “Federated Learning of Cohorts”, or FLoC, which it recently declared to be 95% as good at targeting ads, but in a less creepy way.

In many ways, this is obviously better than the use of full-on individual tracking via 3rd party cookies (or hashed emails). It’s sort of a step away from individual targeting and at least a very slight movement back towards contextual advertising, which is something I’ve argued both Google and Facebook should do. But it’s still not ideal. You still have the concerns about how much data Google has about you, and you still have the concerns about whether or not this locks in Google’s position. Those don’t go away with this move.

And, of course, there’s the other framework to think about this: the never-ending threat of new privacy laws. So much of the focus on privacy legislation is (stupidly) about fighting the last battles, and that’s why things like the GDPR and California’s CCPA focused on useless and counterproductive cookie notifications. In some ways, this could be seen as a step towards getting ahead of that coming meteor, sidestepping it by saying “okay, okay, there are no more third party cookies.”

In the end, you can’t argue that this is a great solution or a terrible one. It is… just a change. A change that helps one aspect of how our current online privacy paradigm works, but which might cause other problems. It’s good in that it’s a further step towards the end of 3rd party cookies, which have been abused in creepy ways for too long. But it doesn’t really fix overall privacy issues, and could still help lock Google into a position of dominance.

Filed Under: ads, cookies, online ads, privacy, third party cookies
Companies: google

One Of The World's Largest Web Tracking Companies Leaks Tons Of Personal Info From An Unsecured Server

from the so-happy-to-have-contributed-to-the-leak-by-using-the-internet dept

Advertisers want to know everything about you. So do sites that buy ad inventory and allow middlemen to let their trackers run free, tracing people from site to site, following them into their email inboxes, and tracking them across platforms and devices if need be.

BlueKai, owned by Oracle, deploys these pervasive trackers, sinking its hooks into a reported 1% of the world’s internet traffic. BlueKai is the kind of clever no one really respects. It’s more along the lines of “devious.” But it is very, very effective.

BlueKai relies on vacuuming up a never-ending supply of data from a variety of sources to understand trends to deliver the most precise ads to a person’s interests.

[…]

BlueKai… uses more covert tactics like allowing websites to embed invisible pixel-sized images to collect information about you as soon as you open the page — hardware, operating system, browser and any information about the network connection.

[…]

BlueKai can also tie your mobile web browsing habits to your desktop activity, allowing it to follow you across the internet no matter which device you use.

All the information BlueKai grabs has to go somewhere so it can be packaged and sold to marketers. Considering how much data BlueKai is able to obtain about the average internet user, you’d think it would place a premium on keeping this data secure — if not for the security of unsuspecting trackees, then to prevent its valuable stash from falling into a competitor’s hands.

Unfortunately for a whole lot of internet users, BlueKai doesn’t seem to believe this information — or the people who generated it — is worth protecting.

[F]or a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find.

Security researcher Anurag Sen found the database and reported his finding to Oracle through an intermediary — Roi Carthy, chief executive at cybersecurity firm Hudson Rock and former TechCrunch reporter.

TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed sensitive users’ web browsing activity — from purchases to newsletter unsubscribes.

Oracle’s response was to blame “two companies” for “not properly configuring their services.” The two companies have not been named. Whoever these companies are, they collect data on a wide range of activities. TechCrunch examined the exposed data and found extensive records tied to individuals — an astonishing pool of data that even indicated if a tracked person’s device was in need of a software update. That’s on top of the wealth of purchase and internet history that linked people to purchases, web searches, and other activity. Sitting in with everything else was personally identifiable info like addresses, phone numbers, and email addresses.

Very few people want all of this information in the hands of marketers. (BlueKai says it strips identifiable info before handing it over to its ad-serving customers.) And they definitely don’t want it in the hands of people even more nefarious than ordained spyware pushers like BlueKai. The company has created a one-stop shop for phishers, stalkers, and identity thieves. And then it left the door unlocked for an undetermined amount of time.

Filed Under: cookies, data leak, personal info, privacy, security, tracking
Companies: bluekai, oracle

Yes, This Site Uses Cookies, Because Nearly All Sites Use Cookies, And We're Notifying You Because We're Told We Have To

from the even-though-it's-silly dept

If you’re visiting our site today (and I guess, forever into the future if you don’t click “got it”) you will now see a notification at the bottom of the site saying that this site uses cookies. Of course, this site uses cookies. Basically any site uses cookies for all sorts of useful non-awful, non-invasive purposes. We use cookies, for example, to track your preferences (including when you turn off ads on the site, which we let you do for free). In order to make sure those ads are gone, or whatever other preferences stay in place, we use cookies.

For the last few years, of course, you’ve probably seen a bunch of sites pop up boxes “notifying” you that they use cookies. For the most part, this has to do with various completely pointless EU laws and regulations that probably make regulators feel good, but do literally nothing to protect your privacy. Worst are the ones that suggest that by continuing on the site you’ve made some sort of legal agreement with the site (come on…). These cookie notification pop ups do not help anyone. They don’t provide you particularly useful information, and they don’t lead you to a place that is more protective of your actual privacy. They just annoy people, and so people ignore them, leave the site, or (most commonly) just “click ok” to get the annoying bar or box out of the way to get to the content they wanted to see in the first place.

Here’s the stupendously stupid thing about all of this: you are already in control. If you don’t like cookies, your browser gives you quite a lot of control over which ones you keep, and how (and how often) you get rid of them. Some browsers, like Mozilla’s Firefox Focus browser, automatically discard cookies as soon as you close a page (it’s great for mobile browsing, by the way). Of course, that leads to some issues if you want to remain logged in on certain pages, or to have them remember preferences, but for those you can use a different browser or change various settings. It’s nice that the power to handle cookies is very much up to you. We here at Techdirt like it when the control is pushed out to the ends of the network, rather than controlled in the middle.

But, because it makes some privacy regulators feel like they’ve “done something”, they require such a pointless “cookie notification” on sites. Recently, one of our ad providers told us that we, too, needed to include such a cookie notification, or else we’d lose the ability to serve any ads from Google, who (for better or for worse) is one of the major ad providers out there. We did not get a clear explanation for why we absolutely needed to add this annoying notification that doesn’t really help anyone, but the pleas were getting more and more desperate, with all sorts of warnings. We even asked if we could just turn off the ads entirely (which would, of course, represent something of a financial hit) and they seemed to indicate that because we still use other types of cookies (again, including cookies to say “don’t show this person any ads”), we had to put up the notification anyway.

The last thing we were told is that if we didn’t put up a cookie notification within a day, Google would “block us globally.” I’m honestly not even sure what this means. But, either way, we’re now showing you a cookie notification. It’s silly and annoying and I don’t think it serves your interests at all. It serves our interests only inasmuch as it gets our partner to stop bugging us. Don’t you feel better?

You can click “got it” and make it go away. You can not click it and it will stay. You can block cookies in your browser, or you can leave them. You can toss out your cookies every day or every week (not necessarily a bad practice sometimes). You’re in control. But we have to show you the notification, and so we are.

Filed Under: advertising, control, cookie notification, cookies, eu, preferences, privacy, privacy theater, silly pointless regulations, silly regulations
Companies: techdirt

Chrome's Move To Stomp Out Third Party Cookies? Good For Privacy, Good For Google's Ad Business… Or Both?

from the people-are-so-bad-at-systems-thinking dept

We’ve talked in the past about how efforts solely focused on “protecting privacy” without looking at the wider tech ecosystem and the challenges it’s facing may result in unintended consequences, and now we’ve got another example. Google has announced that it’s beginning a process to phase out support for third-party cookies in Chrome. Looking at this solely through the lens of privacy, many privacy advocates are celebrating this move, saying that it will better protect user privacy. But… if you viewed it from a more competitive standpoint, it also does much to give Google significantly more power over the ad market and could harm many other companies. Former Facebook CSO Alex Stamos’ take is pretty dead on here:

I think we will see this pattern in tech policy play out repeatedly over the next decade:

  1. Media blows up anti-tech narrative with no thought to countervailing equities
  2. Legislators/regulators act on the narrative
  3. Both are outflanked by tech co’s more tied into the reality

— Alex Stamos (@alexstamos) January 14, 2020

A win for privacy may be a loss for competition — and nearly every big regulatory effort to “deal with” big internet companies is going to play right into those companies’ hands.

For years I’ve been talking about how we need to view privacy as a series of tradeoffs, or any attempt to regulate privacy will go badly. Here, this is even pre-regulation, but just based on the nature of the public narrative that third party cookies must obviously be bad. They can be, but not always. And the end result here is that the “trade off” for protecting more privacy is giving more of the ad market to Google. I’m guessing that most privacy advocates would argue that they don’t want to do that. But if you look solely through the lens of 3rd party cookies and no further — that’s what you get.

Filed Under: 3rd party cookies, chrome, competition, cookies, privacy, tradeoffs
Companies: google

from the lack-of-respect dept

One of the most visible manifestations of the EU’s General Data Protection Regulation (GDPR) is the “cookie banner” that pops up when you visit many sites for the first time. These are designed to give visitors the opportunity to decide whether they want to be tracked, and if so by whom. Any business operating Internet sites in the EU should theoretically use them or something similar, or risk a GDPR fine of up to 4% of global turnover. Cookie banners may be tiresome, but at least they give users some measure of control over how much they are tracked online. But do they? Few of us have the skills or the time to check that our wishes are obeyed by every site. Fortunately, three researchers in France — Célestin Matte, Nataliia Bielova, Cristiana Santos — possess both, and have conducted the first rigorous study of this area. They’ve written a good summary of their full academic paper.

An initial scan of 22,949 Web sites from the EU domains, as well as .org and .com, showed 1,426 that had cookie banners based on the Interactive Advertising Bureau Europe Transparency and Consent Framework, the main industry standard for this area. Of those, the team of researchers took a close look at 560 Web sites from .uk, .fr, .it, .be, .ie and .com domains to detect possible GDPR violations. Shockingly, they found four types of violations in cookie banners, across 305 Web sites — 54% of the sample:

Consent stored before choice

The cookie banner stores a positive consent before the user has made their choice in the banner. Therefore, when advertisers request for consent, the cookie banner responds with the positive consent even though the user has not clicked on a banner and has not made their choice yet.

No way to opt out

The banner does not offer a way to refuse consent. The most common case is a banner simply informing the users about the site’s use of cookies.

Pre-selected choices

The banner gives user a choice between one or more purposes or vendors, but some of the purposes or advertisers are pre-selected: pre-ticked boxes or sliders set to “accept”.

Non-respect of choice

The cookie banner stores a positive consent in the browser even though the user has explicitly refused consent.
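One way to check a recorded site visit for these four violations, as an added example (not the researchers' tooling): the bit offsets are those of the IAB TCF v1.1 consent string, while the visit-record format, the site names and the rule that "positive" means at least one purpose and one vendor bit set are assumptions of this sketch.

```python
import base64

# Bit offsets in a TCF v1.1 consent string (IAB Europe specification, not from the page).
PURPOSES_AT, MAX_VENDOR_AT, ENCODING_AT, BITFIELD_AT = 132, 156, 172, 173


def decode_consent(consent_string):
    """Return (allowed purpose ids, consenting vendor ids) for a v1 bitfield string."""
    raw = base64.urlsafe_b64decode(consent_string + "=" * (-len(consent_string) % 4))
    bits = "".join(f"{byte:08b}" for byte in raw)
    if int(bits[0:6], 2) != 1:
        raise ValueError("only TCF v1 strings are handled here")
    if bits[ENCODING_AT] != "0":
        raise ValueError("range-encoded vendor sections are not handled here")
    purposes = {i + 1 for i in range(24) if bits[PURPOSES_AT + i] == "1"}
    max_vendor = int(bits[MAX_VENDOR_AT:ENCODING_AT], 2)
    vendors = {i + 1 for i in range(max_vendor) if bits[BITFIELD_AT + i] == "1"}
    return purposes, vendors


def build_consent(purposes, vendors, max_vendor=16):
    """Build a constructed v1 string for the samples below (metadata fields zeroed)."""
    bits = f"{1:06b}" + "0" * 126                      # version, then zeroed metadata
    bits += "".join("1" if p in purposes else "0" for p in range(1, 25))
    bits += f"{max_vendor:016b}" + "0"                 # max vendor id, bitfield encoding
    bits += "".join("1" if v in vendors else "0" for v in range(1, max_vendor + 1))
    bits += "0" * (-len(bits) % 8)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def is_positive(consent_string):
    """Assumption of this sketch: positive = some purpose allowed for some vendor."""
    if not consent_string:
        return False
    purposes, vendors = decode_consent(consent_string)
    return bool(purposes) and bool(vendors)


def audit(visit):
    """Map one recorded visit to the violation types listed above."""
    findings = set()
    if not visit["banner"]["has_reject"]:
        findings.add("no way to opt out")
    if visit["banner"]["preselected"]:
        findings.add("pre-selected choices")
    choice = None
    for kind, value in visit["events"]:                # events are in time order
        if kind == "user_choice":
            choice = value
        elif kind == "consent_read" and is_positive(value):
            if choice is None:
                findings.add("consent stored before choice")
            elif choice == "reject":
                findings.add("non-respect of choice")
    return findings


# Constructed visit records; hostnames and field names are hypothetical.
ALL = build_consent({1, 2, 3, 4, 5}, {1, 7, 12})
NONE = build_consent(set(), set())
VISITS = {
    "site-a.example": {"banner": {"has_reject": True, "preselected": []},
                       "events": [("consent_read", ALL), ("user_choice", "accept"),
                                  ("consent_read", ALL)]},
    "site-b.example": {"banner": {"has_reject": True, "preselected": ["purpose 3"]},
                       "events": [("consent_read", None), ("user_choice", "reject"),
                                  ("consent_read", ALL)]},
    "site-c.example": {"banner": {"has_reject": False, "preselected": []},
                       "events": [("consent_read", NONE)]},
    "site-d.example": {"banner": {"has_reject": True, "preselected": []},
                       "events": [("consent_read", None), ("user_choice", "reject"),
                                  ("consent_read", NONE)]},
}

if __name__ == "__main__":
    for site, visit in VISITS.items():
        print(site, sorted(audit(visit)) or "no findings")
```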

That’s a pretty dismal state of affairs. The GDPR is designed to give control to those visiting Web sites in the EU, and yet over half of the latter studied in detail fail to respect users’ choices. One person who has shown himself unwilling to accept the GDPR being flouted in this way is the privacy campaigner Max Schrems. Over the years, he has launched — and won — multiple legal challenges involving privacy and the GDPR. Now his privacy organization noyb.eu is turning its attention to disrespectful cookie banners:

noyb.eu identified countless violations of European and French cookie privacy laws as CDiscount, Allociné and Vanity Fair all turn a rejection of cookies by users into a “fake consent”. The privacy enforcement non-profit noyb.eu filed three formal [GDPR] complaints with the French Data Protection Authority (CNIL) today.

Up to 565 “fake consents” per user. Despite users going through the trouble of “rejecting” countless cookies on the French eCommerce page CDiscount, the movie guide Allocine.fr and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent “fake consent” signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows now show.

Schrems points out that one company taking advantage of “fake consent” is Facebook, which is happy to place cookies after people have clearly objected to all tracking. That means the scale of the potential GDPR breach is considerable. It will be some time before CNIL hands down its decision, but based both on Schrems’ track record and on the facts of the case, it seems probable that he will prevail once more. Although the initial ruling will only apply to France, it is likely to be followed by data protection authorities in other EU countries. If any of the Web sites mentioned above challenge a result that goes against them, there may be a referral to the EU’s top court, whose decision will be definitive and apply across the whole region. That, in its turn, is likely to influence online privacy laws around the world, as the GDPR is already doing.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: cookie banners, cookies, eu, gdpr, max schrems, privacy

from the c-is-for-court-costs dept

You learn quite a bit writing for this site. For instance, did you know that Milano cookies aren’t a style of cookie, but are rather an actual trademarked name of a dessert from Pepperidge Farm? I didn’t. Yes, the two biscuit cookies with a layer of chocolate in between, which most of us ignorant fools just call a cookie sandwich, are jealously protected by Pepperidge Farm. Case in point is the company’s lawsuit against Trader Joe’s for selling what it claims is an infringing cookie.

Pepperidge Farm is calling out Trader Joe’s for allegedly being some kind of cookie monster, claiming in a new lawsuit that the grocery company is infringing on its trademark for selling a cookie that it says is a ripoff of its Milano cookie. By selling a product called Crispy Cookies, Trader Joe’s is damaging Pepperidge Farm’s goodwill and confusing shoppers, according to the lawsuit reported by Reuters. Though Trader Joe’s cookie is more rectangular, it has rounded edges, “mimicking an overall oval shape,” the lawsuit says. The grocery chain also uses similar packaging, the complaint claims.

Yeah, about that packaging. The claim that they’re similar? Yeah, that’s not actually true.

The differences in trade dress abound, from the colors to the specific shapes of the packaging, not to mention that clearly labeled Trader Joe’s logo on its product. Claims that the packaging was designed to look like Pepperidge Farm packaging are clearly not true. As for the trademark claim on the cookie itself? Look, when it comes to the trademark protections of food items, these things are really specific. Recall that in the EU there was an attempt to trademark Kit Kat’s shape, which was specific enough to require four bars with the exact shape that Kit Kats are sold in…and even that was recommended to be rejected by the EU. In this case, the shapes of the cookies are different, the types of filling are slightly different, and the actual type of cookie used in each is different (the Milano is a vanilla wafer cookie, and the Trader Joe’s product is just a plain old cookie). So, different ingredients and different shapes. Where is the trademark violation?

It’s worth noting as well that Milanos first appeared as a cookie in the 1950s, yet Pepperidge Farm only got the trademark on the cookie in 2010, which seems to undercut the theory that it’s only with this trademark that it could survive in the first place. It seems unlikely that anyone is going to Trader Joe’s and thinking they’re buying something from Pepperidge Farm. Given the weakness in the other areas of the claim, I’d expect this suit to meet a quick end.

Filed Under: cookies, milano, trademark
Companies: pepperidge farm, trader joe's

Throwback Thursday: Eat'n Park Still Suing Over Smiley Face Cookies After All This Time

from the :( dept

The more things change, the more they stay the same, as the saying goes. Over half a decade ago, Techdirt covered a bakery out of Pennsylvania that used trademark laws to keep another bakery from putting smiley-faces on its cookies. Frankly, it’s one of those stories we cover where the immediate question of how trademarks could be twisted into this nonsense is immediately followed by the assumption that the whole thing will soon go away, never to be repeated again.

Not so much in this case, as it turns out. Eat’n Park recently once again brought a federal trademark suit against another company for daring to put the universal symbol for happiness on a cookie.

Eat’n Park this week sued a Chicago company in federal court over its use of a cookie that the Pittsburgh restaurant chain says is too similar to its trademarked Smiley face cookie. The suit filed Tuesday said Chicago American Sweet & Snacks sells cookies called “Smiley’s” that Eat’n Park says are a lot like its product. Eat’n Park has sold its Smiley cookies since 1985 and has filed numerous trademark infringement suits against various companies over the years to protect the design.

It should be noted that the dispute also seems to be about the two company logos for their respective smiley-face cookie brands, not just about the baked goods. Here are the logos for both.

Now, let’s leave aside for a moment the fact that the two logos don’t look anything alike and are about as likely to be confused with one another as my manly physique is likely to be confused with a professional bodybuilder’s. Instead, I’d like to propose that there should be a provision in trademark law that goes something like this: if your distinctive logo is so generic that tons of your competitors keep accidentally coming upon the same base design as yours, nobody gets to trademark it. Think of it as something like an independent invention test for patents. We can call it the Geigner rule, because vanity is my trademark, jerks.

“In this particular case, the ‘Smiley’s Cookies’ logo name and design used by the company infringes on our brand trademark,” said spokesman Kevin O’Connell.

If it was audible, Mr. O’Connell would be hearing the sound of my eyes rolling. Nobody is associating a smiley-face cookie with any particular brand, because the very idea seems like the kind of thing that everyone came up with when making cookies in their home kitchens. Maybe it’s time someone do a cookie with an “R” encircled by the treat, huh?

Filed Under: cookies, smiley faces, trademark
Companies: chicago american sweets & snacks, eat'n park