Editor’s Note: This article is authored by two BakerHostetler partners — an information governance practice leader and a new media, advertising, IT and privacy partner— and an associate. It is the third of a four-part series.
In our first two articles, we discussed the ways in which companies collect, analyze and use data about in connection with social media, which we have termed “social data,” for a number of important purposes, such as increasing engagement with their target audience and improving business intelligence. But for all of the potential rewards social data promise, smart companies are thinking in advance about the legal and ethical implications of collecting and using social data.
The way organizations choose to collect, use and share data can affect consumer trust. And establishing an effective and responsible social data framework actually is demonstrably good for business. Before launching into a social data initiative, companies should ensure that their proposed collection and use of social data complies with all relevant legal requirements and is consistent with their consumer’s expectations and their corporate brand. Establishing a legal and ethical framework to govern social data projects in advance can help companies avoid missteps and pitfalls, and protect their reputation in the marketplace.
Legal Considerations and Best Practices
Here are recommendations to help ensure that a company’s social data use complies with legal requirements and stays on the right side of consumer expectations.
- Transparent Privacy Policies
Letting consumers know the types of data to be collected, and the ways that data will be used, is crucial to gaining consumer trust. Providing clear and accurate disclosures as to a company’s online services’ data practices, and actually complying with these representations to consumers, is required by California law and has been deemed necessary to avoid deceptive or unfair business practices by the Federal Trade Commission. Other countries, such as Canada and EU member nations, have even more consumer protective data privacy laws.
Some companies are adding social media functionality to their own sites and apps, allowing users to post or share content and activities on and off of the service. Privacy policies need to explain how this works by default, and what privacy settings or options are available to limit sharing. Privacy policies should also explain how users can change or remove content they have posted (minors in California have certain statutory rights in this regard), and the limitations to changes and removals.
- Compliance with Third Party Platform Terms
This was the case with the Sunlight Foundation, a nonprofit organization that works to make government and politics more transparent. It operated a Twitter account called “Politwoops,” which preserved and published deleted Tweets of politicians using Twitter’s API. On June 3, 2015, Twitter shut down Politiwoops because preserving deleted Tweets violated its developer agreement. Given the negative consequences that can come with non-compliance, it is very important to ensure that when using a third party platform the use of platform data comply with the platform’s rules, and that customers or other parties are not encouraged to engage in practices that would violate the platform’s terms and policies.
- Reasonable Data Protection Procedures
- Compliance with Legal and Self-Regulatory Restrictions
For instance, while a platform may obtain the right from users to let other users re-post or otherwise use user-posted content on the platform, most do not obtain the rights from users, or grant users the right to remove platform content and post it in other places such as on a company’s own web site or in its off-platform advertising, marketing and promotion. Such uses should be cleared by getting permission from the user who posted the content. Otherwise, a company may face copyright infringement, rights of publicity and false endorsement claims.
Companies that serve or advertise to children should be particularly careful with social media including integrating social media plug-ins on their own web sites. The Children’s Online Privacy Protection Act restricts collection, use and sharing of certain data (including IP address, unique identifiers, geolocation data, pictures and name and contact information) of children under 13 absent verified parental consent or narrow exceptions. This makes most social media features and functionality out-of-bounds for children.
Social data is valuable for enabling targeted advertising, since the advertiser can limit ads to consumers that fit a profile suggesting they would be interested in the product or service advertised. When these profiles are gathered based on user activities across sites and services, there are legal and self-regulatory requirements that may apply. California law requires web sites and mobile apps to include certain disclosures in their privacy policies when they engage in such activities, or permit others to do so in connection with their service. The U.S. advertising and publishing industries have developed a notice and opt-out program for interest-based ads based on user profiles developed from collecting data about their activities across time and services. For more information see www.aboutads.info
- Social Data Record Retention
Companies facing the threat of potential future litigation or regulatory investigation should retain data collected from social media services for a reasonable period of time. Data collectors may face harsh penalties for spoliation of electronic records evidence, as recent case law has raised the bar for maintenance and production of electronic files such as databases, and emails in anticipation of and during litigation. It is therefore important to implement comprehensive record retention policies and procedures with respect to data collected from social media to the extent it may be relevant to the threatened litigation or government investigation.
- Consider Privacy and Security Early and Reassess Practices Regularly
As social media evolves, as technology increases, as the company gains more experience and its comfort level grows its social media data practices will change. By instituting privacy-by-design and security-by-design into the development process privacy and security impacts can be identified and mitigated as a practice, campaign or product is being designed, rather than as an afterthought when it may be too costly or time consuming to make changes. Also, given that social media, and thus how you use it, is evolving, companies should reassess practices regularly and determine if they need update its policies and procedures.
In our fourth and final article in this series, we will discuss ethical considerations in the collection, analysis, and use of social data.
Co-Authors Alan Friel and Jenna Felz of BakerHostetler
This article first appeared on Bloomberg BNA’s Big Law Business on September 15, 2015.