Copyright 2010, Blake, Cassels & Graydon LLP
Originally published in Blakes Bulletin on Intellectual Property–Social Media Series, October 2010
The privacy practices of many social media website operators have been, and continue to be, the subject of criticism from privacy regulators and the general public. In early 2010, the heads of the data protection authorities in 10 different countries, including Canada, sent a public letter to Google Inc. to express their concerns about privacy issues related to GOOGLE BUZZ, the company's then newly released social networking application.
More recently, the Canadian federal Privacy Commissioner, after completing an investigation commenced in 2008 into the privacy practices of Facebook, Inc., announced another investigation. The most recent investigation relates to the "Like" button on FACEBOOK. The "Like" button allows users to indicate which products, articles and other content on the Internet they like. Many users click on this button without realizing that their personal preferences will be distributed over the Internet for the purposes of attracting Internet traffic to the "Liked" site.
This article does not analyze the current privacy practices of social media website operators, which the Privacy Commissioner has acknowledged are "presenting ongoing challenges to privacy regulators around the globe". Rather, it considers privacy issues faced by organizations that use social media to promote their businesses, such as blogs for consumer feedback and company pages on third-party-operated social networking websites, and suggests ways to address these issues.
This article focuses on the privacy principles set out in the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations that operate in Alberta, British Columbia or Quebec will also have to consider the private-sector privacy statutes in those provinces, which impose similar, though not identical, requirements as PIPEDA.
KNOWLEDGE AND CONSENT
One common criticism of social media website operators is that they collect, use and disclose personal information of users without their knowledge and consent. For example, one of the concerns raised by privacy regulators regarding GOOGLE BUZZ was that it "automatically assigned users a network of 'followers' from among people with whom they corresponded most often on Gmail , without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions".
PIPEDA requires that personal information only be collected, used and disclosed with the knowledge and consent of the individual, subject to certain limited exceptions. In order for consent to be meaningful, individuals must be informed about how their personal information is collected, how it will be used by the organization, and to whom it may be disclosed.
For example, if an organization requires users to register as a condition of the use of an interactive website or interactive section of its website, the purposes for which information provided during registration will be used and to whom it may be disclosed should be clearly explained at the time of registration.
LIMIT USE AND DISCLOSURE
Another common criticism of organizations generally, which may have particular relevance in the social media context, is that they often require individuals to consent to a use or disclosure of their personal information that is not necessary for the purposes for which the information is provided.
PIPEDA prohibits organizations from requiring individuals to consent to collection, use or disclosure of their personal information beyond what is necessary for the purpose for which the information was provided. Accordingly, care should be taken to ensure that any proposed use or disclosure of personal information that is not directly necessary to fulfil the social media purposes for which the personal information is being provided is clearly optional.
In relation to the example of registering on a website, if an organization would like to use the registration information for marketing purposes or to share email addresses of registered users with affiliates or other third parties, this should be made clearly optional, for example, by including an opt-out box on the registration page.
Organizations may only collect personal information that is necessary to fulfill the specific and legitimate purposes that are identified at the time of collection. A common complaint is that organizations require individuals to provide more personal information than is necessary to fulfill the identified purposes. Again, with reference to the example of website registration, the registration form should not require a user to provide his/her telephone number or mailing address if all that is required to participate in an interactive website is an email address. However, provision of this information may be made optional, for example, if the individual opts-in to receiving marketing communications via these channels.
One key advantage to an organization of using its own social media platform, such as an interactive section on an organization's primary website or its own freestanding site, is that the organization has some control over the content posted and control over the TOS to ensure that the foregoing issues are addressed.
The privacy practices of many social media platform operators continue to be criticized by the general public and by privacy regulators around the world. Accordingly, an organization should ensure that it is comfortable with the personal information practices of third-party platform operators, and that these practices do not conflict with the organization's own policies and practices.
The foregoing is not intended to provide a comprehensive overview of the privacy issues raised by the use of social media. In order to minimize the risk that an organization will be identified in the press or be the subject of an investigation by a regulator based on a violation of privacy, it is important to think about these and other privacy issues that may be raised by an organization's use of social media.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.