ARTICLE
19 October 2010

Privacy and Social Media: Challenges to Business

Blake, Cassels & Graydon LLP

Contributor

Blake, Cassels & Graydon LLP (Blakes) is one of Canada's top business law firms, serving a diverse national and international client base. Our integrated office network provides clients with access to the Firm's full spectrum of capabilities in virtually every area of business law.

Copyright 2010, Blake, Cassels & Graydon LLP

Originally published in Blakes Bulletin on Intellectual Property–Social Media Series, October 2010

The privacy practices of many social media website operators have been, and continue to be, the subject of criticism from privacy regulators and the general public. In early 2010, the heads of the data protection authorities in 10 different countries, including Canada, sent a public letter to Google Inc. to express their concerns about privacy issues related to GOOGLE BUZZ, the company's then newly released social networking application.

More recently, the Canadian federal Privacy Commissioner, after completing an investigation commenced in 2008 into the privacy practices of Facebook, Inc., announced another investigation. The most recent investigation relates to the "Like" button on FACEBOOK. The "Like" button allows users to indicate which products, articles and other content on the Internet they like. Many users click on this button without realizing that their personal preferences will be distributed over the Internet for the purposes of attracting Internet traffic to the "Liked" site.

This article does not analyze the current privacy practices of social media website operators, which the Privacy Commissioner has acknowledged are "presenting ongoing challenges to privacy regulators around the globe". Rather, it considers privacy issues faced by organizations that use social media to promote their businesses, such as blogs for consumer feedback and company pages on third-party-operated social networking websites, and suggests ways to address these issues.

This article focuses on the privacy principles set out in the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations that operate in Alberta, British Columbia or Quebec will also have to consider the private-sector privacy statutes in those provinces, which impose requirements similar, though not identical, to those of PIPEDA.

KNOWLEDGE AND CONSENT

One common criticism of social media website operators is that they collect, use and disclose personal information of users without their knowledge and consent. For example, one of the concerns raised by privacy regulators regarding GOOGLE BUZZ was that it "automatically assigned users a network of 'followers' from among people with whom they corresponded most often on Gmail, without adequately informing Gmail users about how this new service would work or providing sufficient information to permit informed consent decisions".

PIPEDA requires that personal information only be collected, used and disclosed with the knowledge and consent of the individual, subject to certain limited exceptions. In order for consent to be meaningful, individuals must be informed about how their personal information is collected, how it will be used by the organization, and to whom it may be disclosed.

While providing this information in a publicly available privacy policy or statement is required pursuant to PIPEDA's openness principle, this may not be sufficient in and of itself for the purposes of obtaining meaningful consent. The purposes for which the information is to be used should be brought to the attention of individuals at the time personal information is collected and consent obtained.

For example, if an organization requires users to register as a condition of the use of an interactive website or interactive section of its website, the purposes for which information provided during registration will be used and to whom it may be disclosed should be clearly explained at the time of registration.

In some circumstances, it may be appropriate to require users to read through a privacy policy or statement and to indicate their consent to the collection, use and disclosure of their personal information as described in such policy or statement, for example, by clicking an "I Accept" button, before permitting the user to participate in the social media platform.

Typically, consent should be obtained at the time of collection. However, if an organization makes material changes to its personal information handling practices and would like to use and disclose personal information it has already collected for different purposes not previously identified, affected individuals should be notified and, where appropriate, a new consent obtained. Simply posting a revised privacy policy on an organization's website may not be sufficient where material changes are made.

LIMIT USE AND DISCLOSURE

Another common criticism of organizations generally, which may have particular relevance in the social media context, is that they often require individuals to consent to a use or disclosure of their personal information that is not necessary for the purposes for which the information is provided.

PIPEDA prohibits organizations from requiring individuals to consent to collection, use or disclosure of their personal information beyond what is necessary for the purpose for which the information was provided. Accordingly, care should be taken to ensure that any proposed use or disclosure of personal information that is not directly necessary to fulfil the social media purposes for which the personal information is being provided is clearly optional.

In relation to the example of registering on a website, if an organization would like to use the registration information for marketing purposes or to share email addresses of registered users with affiliates or other third parties, this should be made clearly optional, for example, by including an opt-out box on the registration page.

LIMIT COLLECTION

Organizations may only collect personal information that is necessary to fulfill the specific and legitimate purposes that are identified at the time of collection. A common complaint is that organizations require individuals to provide more personal information than is necessary to fulfill the identified purposes. Again, with reference to the example of website registration, the registration form should not require a user to provide his/her telephone number or mailing address if all that is required to participate in an interactive website is an email address. However, provision of this information may be made optional, for example, if the individual opts in to receiving marketing communications via these channels.

TERMS OF USE

One of the significant challenges faced by an organization engaged in social media is that it has little or no control over the information that gets posted on its page on another website, such as FACEBOOK. This has many legal implications, including from a privacy perspective. Social media sites are governed by terms of service (TOS), which may also be referred to as terms of use, a user agreement or legal notice. The TOS should prohibit users from posting personal information of third parties and should allow the organization to remove material that may offend privacy legislation or the organization's privacy policy.

One key advantage to an organization of using its own social media platform, such as an interactive section on an organization's primary website or its own freestanding site, is that the organization has some control over the content posted and control over the TOS to ensure that the foregoing issues are addressed.

If the organization uses a social media platform provided by a third party, such as a corporate FACEBOOK page or TWITTER account, the organization will be governed by the third party's TOS and privacy policy. In such case, the organization should review the platform operator's TOS to ensure that the organization has some ability to remove or edit, or request the operator to remove or edit, offensive material. This may not be the case with all third-party social media platforms.

The privacy practices of many social media platform operators continue to be criticized by the general public and by privacy regulators around the world. Accordingly, an organization should ensure that it is comfortable with the personal information practices of third-party platform operators, and that these practices do not conflict with the organization's own policies and practices.

The foregoing is not intended to provide a comprehensive overview of the privacy issues raised by the use of social media. In order to minimize the risk that an organization will be identified in the press or be the subject of an investigation by a regulator based on a violation of privacy, it is important to think about these and other privacy issues that may be raised by an organization's use of social media.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
