If your clients operate on the Internet and collect customer data, what advice can you give them to help them stay clear of danger?
There has been a considerable push back in recent years regarding the data collected by social networks and Internet service providers. It is difficult to have a conversation about social media without people listing reasons why they are not on it, or why they are thinking about closing their account. Usually, their love-hate relationship with social media is centered on privacy concerns: what information is collected and stored about them, who it is being shared with, and the seeming inability to prevent “tracking” and “data mining.”
In October 2011 a law student from the University of Vienna used an Irish law to request a copy of all the information Facebook maintained on his use of the site since 2008. He was surprised to receive a computer disk with a reported 1,222 pages of information. The disk included posts, pokes, and messages he thought he had deleted. It also included personal chat and instant messages with friends containing personal information.
In its privacy disclosures, Facebook tells users that it is not only collecting information from their own use of Facebook but also information about how their Facebook friends interact with them, as well as metadata available through the devices they use to access Facebook. Facebook states that it may collect information such as IP address, GPS location, Internet service, browser type, websites visited, and many other categories of data.
To be fair, these sites are free, and it should not be surprising that they support themselves by giving advertisers access to an incredibly large number of possible customers who can receive targeted advertising based on how they use the site, their interests and likes, and personal information.
The FTC is not pursuing these actions only against social media behemoths such as Facebook and Google. If your clients operate on the Internet and collect customer data, they may be at risk. How can they protect themselves?
Comply with Published Policies
When businesses do not comply with the terms of their own website privacy policies, they may be in violation of Section 5(a) of the FTC Act.
The 2011 consent decrees that the FTC entered into with Facebook, Google, and online advertiser ScanScout highlight the need for businesses to make sure they are acting in accordance with their privacy policies. Businesses are well advised to take the following actions:
- Examine how you are using personal information or anticipate using it, and fully disclose these uses to consumers; and
- Take reasonable measures to safeguard consumer information. Because of the risks of cyber hacking, it is also worthwhile to conduct an audit on how consumer information is being safeguarded and what information is being stored and for how long a period. The FTC settled a complaint against Twitter for its alleged failure to take reasonable safeguards to protect users’ accounts against hackers.
In all these complaints, the FTC alleged that the respondents made false or misleading representations about their privacy policies in violation of Section 5(a) of the FTC Act. The FTC Act prohibits unfair or deceptive acts or practices. 15 U.S.C. Section 45(a).
The consent decrees entered into by Facebook, Google, and ScanScout in order to avoid more costly litigation and possibly stiffer penalties are similar in some key respects, and include some terms that will increase their costs of doing business. As is sometimes the case with the FTC, the Commission conditioned the settlements on these businesses agreeing to change their business practices in ways that may place them at a competitive disadvantage to their competitors because some of the additional privacy measures they must now take are not required of other companies under current law.
Learn from Others’ Mistakes
It is instructive to know how other businesses allegedly violated the terms of their privacy policies with users because the same may be true for your clients.
Facebook complaint. In its complaint against Facebook, In the Matter of Facebook, Inc., FTC File No. 092 3184, the FTC alleged:
- Facebook told its users that third-party apps that users install—such as FarmVille by Zynga—would have access only to user information needed for the apps to operate. In fact, the apps could access nearly all the users’ personal data.
- Facebook told users that they could restrict sharing of data to limited audiences—for example, with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with the third-party applications their friends used.
- Facebook promised users it would not share their personal information with advertisers. Facebook did, according to the FTC.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, when in fact Facebook allowed access to the content, according to the FTC.
- Facebook also claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union, but it did not.
Google complaint. Google is also faulted for making use of its users’ data in ways that were contrary to what they told them with the launch of Google’s Buzz social network through its Gmail web-based e-mail product. The FTC alleged that “Google led Gmail users to believe that they could choose whether or not they wanted to join the [Buzz] network, [but] the options for declining or leaving the social network were ineffective,” In the Matter of Google, Inc., FTC File No. 102 3136. Google was apparently trying to immediately ramp up its social network in order to compete with Facebook. The Buzz launch ended up being a public relations nightmare for Google, with thousands of consumers reportedly complaining that they were concerned about public disclosures of their e-mail contacts, from which Google tried to create immediate Buzz connections for users. In some cases, use of the e-mails disclosed ex-spouses, therapists, employers, or competitors.
In the ScanScout action, the company Tremor Video, Inc., is also subject to the settlement order because ScanScout merged with Tremor Video. This settlement, therefore, also highlights the importance of your client doing an audit of a target company’s social media activity before acquiring or merging with it, so your client will have more information concerning the legal risks of the deal.
The costs of non-compliance. In each of these cases, the FTC is making the settling party take actions over and above what they would have been required to do in the normal course of business, thereby making it more challenging and expensive for them to do business.
These consent decrees require the settling party to do the following:
- Tell users what information is being collected and for what purpose, with the right to “opt out” of the targeted advertising (ScanScout);
- Obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences (Facebook, Google);
- Establish and maintain a comprehensive privacy program to address privacy risks associated with new and existing products and service, and protect the privacy and confidentiality of consumers’ information (Facebook, Google); and
- Every two years, for the next 20 years, obtain independent, third-party audits certifying that the privacy program meets or exceeds the requirements of the FTC order (Facebook, Google).
We can expect to see more privacy actions being filed by governmental agencies and private parties, so this is an area where businesses need to monitor what reasonable measures are being taken to secure the type of consumer information that they are collecting, and also provide clear notice to consumers on what information is being captured, how it is being used, and with whom it is being shared. Proactive safeguard measures now are very likely to save your clients money in the long run.