Advising Clients on Internet Privacy Policies

Vol. 29 No. 6


Michelle Sherman is Of Counsel with Slater Hersey & Lieberman LLP in Irvine, California, focusing on litigation matters and advising businesses on their use of social media and the Internet.

If your clients operate on the Internet and collect customer data, what advice can you give them to help them stay clear of danger?

There has been considerable pushback in recent years regarding the data collected by social networks and Internet service providers. It is difficult to have a conversation about social media without people listing reasons why they are not on it, or why they are thinking about closing their account. Usually, their love-hate relationship with social media is centered on privacy concerns: what information is collected and stored about them, who it is being shared with, and the seeming inability to prevent “tracking” and “data mining.”

In October 2011 a law student from the University of Vienna used an Irish law to request a copy of all the information Facebook maintained on his use of the site since 2008. He was surprised to receive a computer disk with a reported 1,222 pages of information. The disk included posts, pokes, and messages he thought he had deleted. It also included personal chat and instant messages with friends containing personal information.

In its privacy disclosures, Facebook tells users that it is not only collecting information from their own use of Facebook but also information about how their Facebook friends interact with them, as well as metadata available through the devices they use to access Facebook. Facebook states that it may collect information such as IP address, GPS location, Internet service, browser type, websites visited, and many other categories of data.

Facebook should not be singled out, of course. Other Internet sites state in their terms of use that users are giving them permission to gather information beyond what they are manually entering into the site. Google’s privacy policy, for example, alerts users that it may collect device information (hardware model, operating system, phone number), IP address, GPS location, and much more.

To be fair, these sites are free, and it should not be surprising that they support themselves by giving advertisers access to an incredibly large number of possible customers who can receive targeted advertising based on how they use the site, their interests and likes, and personal information.

But even with terms of use and privacy policies that generously discuss what can be done by these sites, social media and Internet service providers have gotten themselves into legal problems by also providing general assurances that they are said not to keep. We have seen this happen in complaints that the Federal Trade Commission (FTC) brought against Facebook, Google, Myspace, and Twitter. We are also seeing more class actions filed for alleged privacy breaches based on, among other things, an online service provider allegedly not taking reasonable safeguards to protect sensitive consumer information and not notifying consumers of the data breach in a timely manner. See, e.g., In re Sony Gaming and Networks Customer Data Security Breach Litigation, MDL No. 2258, 2011 U.S. Dist. LEXIS 93069 (Aug. 18, 2011).

The FTC is not pursuing these actions only against social media behemoths such as Facebook and Google. If your clients operate on the Internet and collect customer data, they may be at risk. How can they protect themselves?


Comply with Published Policies

When businesses do not comply with the terms of their own website privacy policies, they may be in violation of Section 5(a) of the FTC Act.

The 2011 consent decrees that the FTC entered into with Facebook, Google, and online advertiser ScanScout highlight the need for businesses to make sure they are acting in accordance with their privacy policies. Businesses are well advised to take the following actions:

  1. Ensure that the published policies on your websites for terms of use and privacy reflect what information you are collecting from consumers, and that the disclosures are clearly stated without unnecessary and lengthy legalese;
  2. Examine how you are using personal information or anticipate using it, and fully disclose these uses to consumers; and
  3. Take reasonable measures to safeguard consumer information. Because of the risks of cyber hacking, it is also worthwhile to conduct an audit on how consumer information is being safeguarded and what information is being stored and for how long a period. The FTC settled a complaint against Twitter for its alleged failure to take reasonable safeguards to protect users’ accounts against hackers.

In all these complaints, the FTC alleged that the respondents made false or misleading representations about their privacy policies in violation of Section 5(a) of the FTC Act. The FTC Act prohibits unfair or deceptive acts or practices. 15 U.S.C. Section 45(a).

The consent decrees entered into by Facebook, Google, and ScanScout in order to avoid more costly litigation and possibly stiffer penalties are similar in some key respects, and include some terms that will increase their costs of doing business. As is sometimes the case with the FTC, the Commission conditioned the settlements on these businesses agreeing to change their business practices in ways that may place them at a competitive disadvantage to their competitors because some of the additional privacy measures they must now take are not required of other companies under current law.


Learn from Others’ Mistakes

It is instructive to know how other businesses allegedly violated the terms of their privacy policies with users because the same may be true for your clients.

Facebook complaint. In its complaint against Facebook, In the Matter of Facebook, Inc., FTC File No. 092 3184, the FTC alleged:

  1. Facebook told its users that third-party apps that users install—such as FarmVille by Zynga—would have access only to user information needed for the apps to operate. In fact, the apps could access nearly all the users’ personal data.
  2. Facebook told users that they could restrict sharing of data to limited audiences—for example, with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with the third-party applications their friends used.
  3. Facebook promised users it would not share their personal information with advertisers. Facebook did, according to the FTC.
  4. Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, when in fact Facebook allowed access to the content, according to the FTC.
  5. Facebook also claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union, but it did not.

Google complaint. Google is also faulted for using its users’ data in ways that were contrary to what it told them when it launched Google’s Buzz social network through its Gmail web-based e-mail product. The FTC alleged that “Google led Gmail users to believe that they could choose whether or not they wanted to join the [Buzz] network, [but] the options for declining or leaving the social network were ineffective.” In the Matter of Google, Inc., FTC File No. 102 3136. Google was apparently trying to immediately ramp up its social network in order to compete with Facebook. The Buzz launch ended up being a public relations nightmare for Google, with thousands of consumers reportedly complaining that they were concerned about public disclosures of their e-mail contacts, from which Google tried to create immediate Buzz connections for users. In some cases, use of the e-mails disclosed ex-spouses, therapists, employers, or competitors.

According to the FTC, Google breached its privacy policy when it launched Buzz because Google’s policy told Gmail users that “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” According to the FTC, Google used Gmail users’ information for a different purpose without telling them by starting a social networking site with the information.

ScanScout complaint. As noted above, the FTC is not limiting its targets to online giants. In November 2011 the FTC reached a settlement with the online advertiser ScanScout. ScanScout is an advertising network that places video ads on websites for advertisers. ScanScout collects information about consumers’ online activities (i.e., behavioral advertising) in order to post video ads targeted to the people visiting the website. The FTC alleged that there was a discrepancy between the online service and its website privacy policy:

[F]rom at least April 2007 to September 2009, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior. The privacy policy stated, “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” However, changing browser settings did not remove or block the Flash cookies used by ScanScout. . . . The claims by ScanScout were deceptive and violated Section 5(a) of the FTC Act. In the Matter of ScanScout, Inc., FTC File No. 102 3185.

In the ScanScout action, the company Tremor Video, Inc., is also subject to the settlement order because ScanScout merged with Tremor Video. This settlement, therefore, also highlights the importance of your client doing an audit of a target company’s social media activity before acquiring or merging with it, so your client will have more information concerning the legal risks of the deal.

The costs of non-compliance. In each of these cases, the FTC is making the settling party take actions over and above what they would have been required to do in the normal course of business, thereby making it more challenging and expensive for them to do business.

These consent decrees require the settling party to do the following:

  1. Tell users what information is being collected and for what purpose, with the right to “opt out” of the targeted advertising (ScanScout);
  2. Obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences (Facebook, Google);
  3. Establish and maintain a comprehensive privacy program to address privacy risks associated with new and existing products and services, and protect the privacy and confidentiality of consumers’ information (Facebook, Google); and
  4. Every two years, for the next 20 years, obtain independent, third-party audits certifying that the privacy program meets or exceeds the requirements of the FTC order (Facebook, Google).


Stay Vigilant

We can expect to see more privacy actions being filed by governmental agencies and private parties, so this is an area where businesses need to monitor what reasonable measures are being taken to secure the type of consumer information that they are collecting, and also provide clear notice to consumers on what information is being captured, how it is being used, and with whom it is being shared. Proactive safeguard measures now are very likely to save your clients money in the long run.






