The Legal Implications of Social Networking Part Two: Privacy

As social media and networking continue to revolutionize modern-day marketing and become the norm for organizations of all types, shapes and sizes, it is even more important to adequately address the legal risks associated with social media use. In Part One of our Legal Implications series, we laid out some background and identified key areas of legal risk.   In the next few posts InfoLawGroup is going to look deeper at some of these risks. In this post we explore some of the privacy legal issues that companies should address if they want to leverage social media.

Background

Why are privacy-related legal issues a key concern in the social media context? The entire marketing model inherent in the use of social media involves direct communication with, and gathering key information about, clients and customers in order to more efficiently and effectively deliver goods and services. The more granular and accurate the information about a social media user, the more valuable to companies seeking to leverage it. Naturally, as they collect and use information about social media users, organizations will come into contact with sensitive personal information about those users. This sensitive information goes beyond “traditional” personally identifiable information, and can include geo-location information, photographs and videos, relationship information (friends of friends), online behavioral information, political viewpoints and more.

The types of information available to a company employing a social media strategy will vary based on the platforms used, the method of interaction within a given platform (e.g. fan page versus company profile), technical constraints and policies, and the nature of the strategy itself. In analyzing privacy legal issues, organizations should ask the following questions:

• What types of personal information will the organization have access to?

• What types of personal information will the organization collect, and how will it use that information?

• What legal restraints exist with respect to the collection and use of the personal information (e.g. regulations, contracts, internal policies, etc.)

While this post focuses on privacy legal risk, it must be noted that the collection and use of personal information derived from social media may pose additional moral, reputational and business issues (which go beyond the scope of this article). As such, even if a practice is legal, the “big picture” must always be taken into account.

Key Privacy Legal Issues

• Social Media Platform Terms of Use

The first place to look for privacy legal obligations are the terms of use of a particular social media platform. Social media platforms attempt to balance privacy concerns of their users against commercial use of user information by laying out specific limitations and conditions related to the collection and use of personal information. For example, for applications built by companies for use in Facebook, organizations may not use a user’s friends list outside of the application, even if a user consents to such a use (organizations, however, may use connections between two users that have both connected to the application). As a general rule, companies can only use the Twitter API to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use Twitter content.

In addition, certain privacy-related terms and conditions may apply depending on the specific social media activities or functionality a company leverages within a social media platform.   Organizations seeking to leverage social media need to understand and implement the (sometimes confusing and often very detailed) rules of multiple platforms, and for multiple functionalities and activities within a platform.

For example, on Facebook, organizations that set up a Fan Page are not allowed to collect information from users unless they have obtained their consent.  In contrast, companies wishing to develop and launch a Facebook application can only request information from users that is necessary to run the application, but do not need consent for every data collection. Facebook also imposes certain limits on what and how personal information can be collected when using a Facebook application. For example, for all data obtained through the Facebook API except “basic account information,” organizations must obtain explicit consent from the user to use that data for any purpose other than displaying it back to the user in the application. Companies are prohibited by Facebook from soliciting or collecting user profile login information, such as usernames or passwords.  Consider the number of platforms and the number of rules within a platform, and the fact that these rules often change, and it becomes apparent that compliance can get tricky.

Unfortunately, the failure to follow these privacy-related terms of use can (and already has) get companies into legal trouble. That trouble can arise directly with the social media platform provider in the form of a banning or a breach of contract action. In addition, a violation of the obligations set forth in a social media platform's terms of the use may be alleged as the basis for lawsuits against companies using social media.

• Regulatory Privacy Issues

An organization’s social media activities may also raise regulatory concerns. In the United States, the FTC has not been shy about bringing actions under the FTC Act for “unfair” or “deceptive” business practices. As with a normal website privacy policy, if an organization does not follow its privacy policy related to a social media application and personal information related thereto, the FTC could allege that such failure is a deceptive trade practice.

A particular area of concern for violations of privacy policies arises when companies integrate social media functionality directly into their websites. Some company websites may embed social media functionality that allows users to comment on a website post or article using Facebook or Twitter’s comment platform. The user comments are displayed both on the website and on the social media platform. The question is to what extent does the website’s general privacy policy apply to the information gathered through the embedded social media platform. The second question is whether the organization’s handling and use of such personal information violates the website’s general privacy policy.   As the lines between an organization's general website presence and their social media presence blur even more over time, consistent privacy practices will become increasingly important (note:  InfoLawGroup has developed privacy policy language to address this situation).

Beyond general regulatory authority present in consumer protection acts, some specific privacy regulations may apply in the social media context. For example, for employers that use social media to vet potential employment candidates, the information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws (this topic is discussed in more detail in the upcoming part of this series concerning social media and employment issues). In addition, there has been some activity around the Children's Online Privacy Protection Act (COPPA) and social media, including FTC actions against a social media site for children and a mobile phone game developer that created games for children.  In fact the FTC recently released proposed revisions to COPPA intended to address social media that is used often by children.

The collection and dissemination of information from social media users may be even more problematic when information concerning European users is at issue. Under the EU Data Protection Directive, personal data is defined as "any information relating to an identified or identifiable natural person”. This definition is generally much broader than most U.S. laws that reference personally identifiable information (those definitions typically require a first name/first initial and last name in combination with other specified data elements such as social security number, financial account number, driver’s license number, etc.). Regulators in Europe have reported that information derived by or from social media sites constitutes personal data under EU law.  For example, one German state has indicated that the “Like” button on Facebook is in violation of German privacy law. If the EU Directive does apply to information from a social network, the transmission of personal data of a European resident to the United States could violate various requirements concerning transborder data flow.

Finally, as the definition of personal information expands in the United States (the FTC has defined personal information broadly in the social media context to mean “information respondent collects from or about an individual”), it is likely that information relating to individuals collected from social media activities will be more closely regulated.  It is therefore important to keep up with the regulatory environment and legislation being proposed on both the Federal and State levels.

Conclusion

Participation and a presence in the social media context can be very valuable for organizations, and that value is likely to increase significantly in the future. Most organizations will seek to discover as much information about social media users as possible, and as more of our lives (social and commercial) are lived on the Internet, this information will be highly sought after.

This of course will raise significant privacy issues; privacy issues that current law may not fully address. In the U.S., we anticipate an evolution in the social media context that will initially involve regulators utilizing their broad and general regulatory authority (e.g. the FTC Act), and then may result in the passage of more specific laws and regulations. Even without specific regulatory constraints, organizations looking to leverage social networking today should carefully review the social media platform TOUs and their existing privacy policies, and develop policies and practices that address social media where appropriate. In addition, companies should analyze how existing laws in relevant jurisdictions might apply to their collection, processing, storage and distribution of personal information obtained from social media.  A reasonable balancing of these privacy legal risks against the commercial advantages to be derived from social media is the best course of action.