
Business Law Today

January 2014

Privacy and Social Media

Theodore Franklin Claypoole

Summary

  • Prior to 2013, legislatures and regulators in the U.S. appeared to be more concerned about the data they could glean from social media than protecting the privacy of the average citizen in the online world.
  • Now, both the FTC and state legislatures are taking steps to protect the American public from inappropriate intrusions on their privacy through social media.
  • As social media sites evolve to make the dissemination of information easier, our society is beginning to recognize the problems inherent in such dissemination, and the use and protections to which such information is entitled.
  • However, the trend toward increased protection is not uniform, highlighting uncertainty as to the degree to which privacy in social media should be protected.

From every angle, social media is anathema to privacy. The very founding concept of paleolithic AOL chatrooms and Usenet newsgroups, and later Facebook, MySpace, and the earliest blogging sites was to provide a forum for people to share with each other. People shared ideas, humor, emotions, preferences, prejudices, priorities, and often misguided attempts at profundity. Newer sites simply broadened and deepened the sharing – Twitter users share commute times and coffee temperatures, Tumblers share memes galore, and Instagramites share a wealth of doctored photographs.

We learned things about the people in our world, and they about us. Thanks to social media, we now know that if our nearest coworker were a tree, she would be a willow, and the celebrity she believes that she most resembles is Angelina Jolie. We also know that Shirley’s kids are honor students and that Tom’s brother was just released from prison (early, for good behavior), that Jeffrey lives and dies with his Eagles and that Sandra is so, so, so sad at the plight of shelter animals. Importantly, we know when people are leaving town and how long they will be gone. We know if they come into money. We learn about their families and their vulnerabilities. We learn about drinking and drug use, sexual promiscuity, and even crimes like DWI or hit and run. We see pictures of their kids, their cars, their vacations, and their homes.

All of this sharing may help create communities, but it also destroys privacy. The bikini-clad body that is perfectly appropriate on the beach at St. John or Captiva may undermine the respect an employee has worked hard to earn from superiors, subordinates, and peers at the office who may view the vacation pictures on Facebook. The same may be true for pictures of a drinking party among friends. Too much published information can and will present obstacles when circumstances change and a spouse sues for divorce, or a rival is seeking an edge for a promotion at work. We all know that kids can be cruel, and your insistence on wearing mouse ears at a Disney theme park may reach the attention of your children’s classmates, and their parents. Criminals trawl social media constantly, looking for vulnerabilities and vacations, pinpointing easy targets.

Operators of various social media outlets are well aware that their profits may increase as we expand our willingness to share personal information about ourselves, and much of the business model development for social media sites is designed to coerce, cajole, trick, taunt, or tease us into revealing more information about our lives and our thoughts and opinions. Who are your friends? What discounts interest you? You “liked” the last Vin Diesel movie, will you like the next one? What is your relationship status? Who do you write to? Who do you poke? Won’t you download the mobile app so we can see where you are when you access our site? Your friends have downloaded our app. Why won’t you? We will ask you again in two hours.

Every bit of information we disclose is another databite to be mined and measured, sorted and sold. Online transactions provide even more opportunities, because a purchase through a social media site hits the trifecta for the site owner. With a purchase, the site registers our activity, our expenditure, our degree of interest in a good or service and an entire category of goods or services (opening our wallet demonstrates significant interest), our bank, our credit card information, our shipping address, our online ID, and our passwords. In addition, the social media site may trumpet the sale to our friends attempting to induce additional transactions. And beyond this extraordinary information bounty, the social media site likely received a financial kickback from a sale made from its platform. Moreover, the data mining industry attempts to review every transaction and every posting in which we engage in order to be able to maximize the profit potential of every piece of information disclosed by that transaction or posting.

For this reason, social media is not simply a collection of online places that allow private information to escape, but social media sites are organized to draw as much participation and information out of us as possible. Like casinos built without sunlight or clocks so as to encourage your further play, the social media sites and data mining industry study online behavior and build manipulation machines designed to entice you to remain engaged and to divulge information. A search engine site may not care whether you own a particular make or model of car or that you baked cookies last night, but it cares that you told them about your car and your cookies. They make money from aggregating car owners and cookie bakers and selling information to companies who can exploit that information.

Until recently, there has been very little counterbalance to the siren’s call of revealing everything on social media or to the tricks and manipulations that the online media companies employ to make sharing easy, satisfying, and seemingly so necessary. Certainly there are authors writing jeremiads both in and out of the mainstream media who will despair about the morality of kids today, or about the solipsistic adults who believe that each workout or restaurant meal is worth recording for posterity and circulating to a wide circle of “friends.” There seems to be an absence of concerted opposition to this kind of activity. Schools and workplaces do not appear to actively discourage sharing in social media, except to prevent a student from bullying another, or to caution workers not to release company trade secrets. Governmental restrictions are spotty at best, except for the intelligence services, judiciary, and some government agencies.

In short, prior to 2013, legislatures and regulators in the United States appeared to be more concerned about the data they could glean from social media than protecting the privacy of the average citizen in the online world. Much of the rest of the industrialized world has a very different viewpoint about personal information than the one we experience in the United States. In Europe, Canada, and other countries across the world, protection of each citizen’s private information is considered to be a human right, secured by statute and enforced by government and private causes of action. In the United States, by contrast, only certain classes of information are protected under federal law – financial transactions, health care transactions, and information regarding children under the age of 13 – while nearly all other data is considered to be fair game for any business or government agency that chooses to collect, store, and use the information.

The Federal Trade Commission (FTC) and state attorneys general have been the traditional protectors of online privacy for lightly-regulated industries like social media. But through much of the development of social media and socially-oriented Internet sites, these enforcement agencies have tended only to enforce the privacy policies that a site chose to publicize. If a social media site had claimed not to gather certain information, but it indeed gathered that information, then the FTC would assert claims upon that site. However, if the social media site had a vague privacy policy that never clearly disclosed all of the information it gathered, or if the site gathered and sold massive amounts of personal data from its users, and the site revealed its behavior in its privacy policy, then no enforcement action would be initiated because the site was not breaking any known laws. (The exception to this rule seemed to be the 2006 ruling against Choicepoint, costing the company $10 million in civil penalties for providing personal information to identity thieves.) In other words, for most personal data about people, their activities, and their transactions, it seems that a social media site would not be regulated for use or abuse of this data, only for misrepresenting what data was collected and how such data was used. Deep intrusions of privacy may be allowed, as long as the site doesn’t directly misrepresent what it is doing.

The FTC has moved beyond this position during the past three years by using its powers to enforce privacy policies on social media sites to sue transgressors, and then to force the transgressive sites into settlements that include a long-term consent order permitting the FTC to have a tighter grip on the site’s policies. For example, in November 2011, the FTC claimed that Facebook had lied to consumers by repeatedly stating that personal information would be kept private, while repeatedly allowing that personal information to be shared and made public. In settling this claim, Facebook agreed to a 20-year consent order protecting its members’ privacy in more specific ways. That agreement mandates that Facebook receive explicit consent of its users before disclosing private information. Following up on this, in September 2013, the FTC announced an inquiry into whether Facebook’s proposed new privacy policies, disclosed in August 2013, violated the 20-year consent agreement. In its proposed new policies, Facebook was planning to use its members’ names and pictures in advertising products the members had “liked” or for which they had given a favorable comment, and the new policy provided that Facebook automatically assumed that the parents of teenage Facebook users had granted permission for their children’s names to be used in advertising. The original FTC claim relating to an allegedly misleading privacy policy has thereby enabled the FTC to exercise much greater influence over Facebook’s future treatment of consumer data. The FTC also has obtained similar 20-year consent orders with Twitter, MySpace, and Google.

State breach notice laws affecting social media privacy have some relatively consistent elements and some experimental elements. These laws address the way that a social media company must behave after a breach of security relating to a site-user’s personal information. Over 45 U.S. jurisdictions have some sort of data breach notice law. While these statutes come in a variety of flavors – some include obligations triggered by simple exposure of personal data while others are not triggered until the exposed data is at risk of theft and misuse – their basic function is the same: if a company exposes/loses certain kinds of data relating to individuals, then the company must provide notice of the loss to the data subjects (and often to law enforcement and credit services). Nearly all of these laws would apply to companies collecting personal data about their users and failing to appropriately guard the data from unauthorized breach or disclosure. However, social media sites are considered to provide a special class of service where the essential purpose of the enterprise is to enable people to provide information about themselves to a larger public. The social media companies only facilitate this exercise. Therefore, in the regular course of using social media, people are exposing their own private data, even health-care data, financial information, and information about their children, and self-exposure will not trigger the state breach notice laws. It is, however, likely that a failure by a social media company to protect a user's private data beyond that company’s privacy settings would trigger these laws. For example, if a Texas social media user had set her account to "friends only," and the social media site exposed her account more broadly, then the site would be subject to state law breach notice requirements.

A social media site might have trouble meeting its obligations with respect to breaches because for each user whose account was compromised, the site must determine if the exposure included private and legally protected subject matter as defined in each applicable statute. Rather than undertake this Herculean task, the site may determine simply to notify all its members about the mistake, whether or not such notice is mandated by a particular state law. Of course, as with other enterprises, social media companies that accept credit card payments or otherwise keep customer financial account data are expected to protect this data and are obligated to notify customers where financial data was compromised.

As social media grows in importance in many American lives, states are tackling specific aspects of privacy intrusions that are raised in the news and that capture the imagination of legislatures and the public. For example, the concern about disclosure of personal information on social media sites has manifested in the field of worksite protections. In the past two years, a new wave of privacy laws has been sweeping state legislatures; at this writing, 12 states currently have laws specifically restricting employers from demanding access to their employees’ social media sites when those sites are not fully public. (The states that have passed these laws are Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Jersey, New Mexico, Nevada, Oregon, Utah, and Washington.) Nearly all of these laws were passed in 2013, and other legislatures are currently considering legislating similar employer restrictions. One of the newest and broadest of these laws, passed in September 2013 and signed into law in New Jersey, prohibits employers from seeking access to “a personal account,” such as a friends-only account at Facebook. Further, the law prohibits employers from “shoulder surfing” or making an employee access a personal account while management watches, from requiring an applicant or employee to change the privacy settings on a restricted account to a less-restrictive setting so that the employer can access it, or from forcing the employee to accept an employer’s “friend” request. The law also prohibits an employer from retaliating or discriminating against a job applicant or employee for refusing to provide log-in information to the employer, for reporting violations of this law to the New Jersey Commissioner of Labor, or for testifying or participating in an investigation into a violation of the law.

The New Jersey law contains exceptions for financial service firms that are required by statute to monitor employees’ social media communications. Similarly, in September of 2013, Illinois amended its social media password law to exempt the financial services sector, because many companies in this sector – banking, securities sales, and insurance – are required to monitor certain employees’ correspondence of all types with customers or prospective customers. Most states with laws in this space have broad definitions of the type of sites protected. For example, the recently passed Nevada statute classifies a social media account as “any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or service, online services or Internet website profiles.” The penalties for these laws vary widely, with California, Colorado, Illinois, New Jersey, and Oregon creating administrative remedies; Illinois, Maryland, Michigan, Oregon, Utah, and Washington providing a private right of action (some with penalty caps); and Arkansas, Nevada, and New Mexico not addressing remedies at all in their statutes. Other aspects of the laws vary by state. Oregon bans colleges from asking for social media passwords. Washington allows employers to be granted access to social media sites when making factual determinations in the course of conducting an investigation. New Mexico’s restrictions only apply to job applicants and not to employees.

Despite these laws, employers are still allowed to review social media pages that are available to the general public, and employees may volunteer access to their social media accounts or may choose to “friend” work associates, including their superiors. Taking advantage of these voluntary actions does not violate any of the new social media forced access laws. However, because of the recent trend toward increasing the protection accorded to personal online accounts and communications, employers should document any social media information they obtain regarding employees and how they obtained access to it. The trend toward increased protection is not uniform, though, and highlights uncertainty in a number of jurisdictions as to the degree to which privacy in social media should be protected. Most states have not approved such protections, and those that have passed a password protection law are inconsistent with respect to penalties, definitions, and the scope of protections.

California is taking steps to protect the privacy of some social media users from users’ own poor judgments. In autumn 2013, California enacted a law that would require social media sites to allow young registered users to erase their own comments from the sites. This is a first step in the United States toward the “right to be forgotten” that has been debated in Europe over the past decade. Teens who may have posted embarrassing statements will now have the right to clear those statements from the site’s memory banks. The mechanism for enforcement has not as yet been determined, but we do know some of the limitations of the law. The statute only covers the teen’s own posts and not posts made by others. A child can only erase his or her own statements, not the comments, “like” buttons, or other posts surrounding those statements. (A new case has ruled that use of the “like” button on social media is constitutionally protected speech. Bland v. Roberts, Case No. 12-1671, 4th Cir., September 18, 2013.) A teen cannot erase pictures of him or herself that others have posted, or statements about that teen that third parties posted, no matter how embarrassing or offensive those pictures or statements may be. The Library of Congress is currently archiving public tweets on Twitter, and other third-party sites archive social media data. These archive sites are not covered by the California law. And from a policy standpoint, is there a downside to permitting young bullies, racists, and fraudsters to eliminate the evidence of their statements? Although some of this speech may have legal implications and may be required in court proceedings, under the new California law these statements may be required to be deleted.

In an equally bold move, in 2013 the California legislature also addressed the broad concern of consumers who are being silently tracked by software over the Internet. Tracking tools used by social media are one of the ways these sites derive revenues, capturing users’ behavior and then selling targeted advertising designed to match or appeal to the type of behavior a specific user exhibits. Many sites use persistent beacons, cookies, and other tools that follow a person’s web usage and send information about that user’s visits and habits to the site or other third parties. Some Internet browser programs are now including anti-tracking technology, permitting a user to attempt to reject these monitoring tools or at least to advise sites that use the tools that this user does not wish to be tracked in this way. California’s new law will not force sites to stop tracking consumers, and it will not even force those sites to acknowledge and follow “do not track” instructions received from a consumer’s browser. Instead, the California law requires companies to disclose whether the sites will honor “do not track” instructions from their users. Presumably, it is thought that Internet surfers will avoid sites that do not honor such requests. It is also likely that the California attorney general’s office, which fought for this law, will be posting a “naughty and nice” list of companies which will and won’t respect their users’ wishes not to be tracked. This law follows several years of failure by Internet sites (including social media) and privacy advocates to agree on a method permitting people to opt out of being tracked online. It is unlikely that the California law will itself cause major changes in social media company behavior, but this is the first statute to advance the conversation on tracking of private online movements, and it could lead to further action by legislatures across the country.

Led by the states, the United States is developing laws and regulations to protect certain aspects of people’s information on social media. As social media sites evolve to make the dissemination of information easier, our society is beginning to recognize the problems inherent in such dissemination, and the use and protections to which such information is entitled. Both the FTC and state legislatures are taking steps to protect the American public from inappropriate intrusions on their privacy through social media – even if they are only protecting us from our own poor judgment.
