United States: Privacy And Social Media

Last Updated: March 31 2014
Article by Theodore F. Claypoole

From every angle, social media is anathema to privacy. The very founding concept of paleolithic AOL Chatrooms and Usenet Newsgroups, and later Facebook, MySpace and the earliest blogging sites was to provide a forum for people to share with each other. People shared ideas, humor, emotions, preferences, prejudices, priorities, and often misguided attempts at profundity. Newer sites simply broadened and deepened the sharing – Twitter users share commute times and coffee temperatures, Tumblers share memes galore, and Instagramites share a wealth of doctored photographs.

We learned things about the people in our world, and they about us. Thanks to social media, we now know that if our nearest co-worker were a tree, she would be a willow, and the celebrity she believes that she most resembles is Angelina Jolie. We also know that Shirley's kids are honor students and that Tom's brother was just released from prison (early, for good behavior), that Jeffrey lives and dies with his Eagles and that Sandra is so, so, so sad at the plight of shelter animals. Importantly, we know when people are leaving town and how long they will be gone. We know if they come into money. We learn about their families and their vulnerabilities. We learn about drinking and drug use, sexual promiscuity, and even crimes like DWI or hit and run. We see pictures of their kids, their cars, their vacations and their homes.

All of this sharing may help create communities, but it also destroys privacy. The bikini-clad body that is perfectly appropriate on the beach at St. John or Captiva may undermine the respect an employee has worked hard to earn from superiors, subordinates and peers at the office who may view the vacation pictures on Facebook. The same may be true for pictures of a drinking party among friends. Too much published information can present obstacles when circumstances change and a spouse sues for divorce or a rival is seeking an edge for a promotion at work. We all know that kids can be cruel, and your insistence on wearing mouse ears at a Disney theme park may reach the attention of your children's classmates, and their parents. Criminals trawl social media constantly, looking for vulnerabilities and vacations, pinpointing easy targets.

Operators of various social media outlets are well aware that their profits may increase as we expand our willingness to share personal information about ourselves, and much of the business model development for social media sites is designed to coerce, cajole, trick, taunt or tease us into revealing more information about our lives and our thoughts and opinions. Who are your friends? What discounts interest you? You "liked" the last Vin Diesel movie, will you like the next one? What is your relationship status? Who do you write to? Who do you poke? Won't you download the mobile app so we can see where you are when you access our site? Your friends have downloaded our app. Why won't you? We will ask you again in two hours.

Every bit of information we disclose is another databite to be mined and measured, sorted and sold. Online transactions provide even more opportunities, because a purchase through a social media site hits the trifecta for the site owner. With a purchase, the site registers our activity, our expenditure, our degree of interest in a good or service and an entire category of goods or services (opening our wallet demonstrates significant interest), our bank, our credit card information, our shipping address, our online ID and our passwords. In addition, the social media site may trumpet the sale to our friends attempting to induce additional transactions. And beyond this extraordinary information bounty, the social media site likely received a financial kickback from a sale made from its platform. Moreover, the data mining industry attempts to review every transaction and every posting in which we engage in order to be able to maximize the profit potential of every piece of information disclosed by that transaction or posting.

For this reason, social media is not simply a collection of online places that allow private information to escape, but social media sites are organized to draw as much participation and information out of us as possible. Like casinos built without sunlight or clocks so as to encourage your further play, the social media sites and data mining industry study online behavior and build manipulation machines designed to entice you to remain engaged and to divulge information. A search engine site may not care whether you own a particular make or model of car or that you baked cookies last night, but it cares that you told them about your car and your cookies. They make money from aggregating car owners and cookie bakers and selling information to companies who can exploit that information.

Until recently, there has been very little counterbalance to the siren's call of revealing everything on social media or to the tricks and manipulations that the online media companies employ to make sharing easy, satisfying and seemingly so necessary. Certainly there are authors writing jeremiads both in and out of the mainstream media who will despair about the morality of kids today, or about the solipsistic adults who believe that each workout or restaurant meal is worth recording for posterity and circulating to a wide circle of "friends". There seems to be an absence of concerted opposition to this kind of activity. Schools and workplaces do not appear to actively discourage sharing in social media, except to prevent a student from bullying another, or to caution workers not to release company trade secrets. Governmental restrictions are spotty at best, except for the intelligence services, judiciary and some government agencies.

In short, prior to 2013, legislatures and regulators in the United States appeared to be more concerned about the data they could glean from social media than protecting privacy of the average citizen in the online world. Much of the rest of the industrialized world has a very different viewpoint about personal information than that we experience in the U.S. In Europe, Canada and other countries across the world, protection of each citizen's private information is considered to be a human right, secured by statute and enforced by government and private causes of action. In the U.S., by contrast, only certain classes of information are protected under federal law – financial transactions, health care transactions, and information regarding children under the age of 13 – while nearly all other data is considered to be fair game for any business or government agency that chooses to collect, store and use the information.

The Federal Trade Commission (FTC) and state attorneys general have been the traditional protectors of online privacy for lightly-regulated industries like social media. But through much of the development of social media and socially-oriented Internet sites, these enforcement agencies have tended only to enforce the privacy policies that a site chose to publicize. If a social media site had claimed not to gather certain information, but it indeed gathered that information, then the FTC would assert claims upon that site. However, if the social media site had a vague privacy policy that never clearly disclosed all of the information it gathered, or if the site gathered and sold massive amounts of personal data from its users, and the site revealed its behavior in its privacy policy, then no enforcement action would be initiated because the site was not breaking any known laws.1 In other words, for most personal data about people, their activities and their transactions, it seems that a social media site would not be regulated for use or abuse of this data, only for misrepresenting what data was collected and how such data was used. Deep intrusions of privacy may be allowed, as long as the site doesn't directly misrepresent what it is doing.

The FTC has moved beyond this position during the past three years by using its powers to enforce privacy policies on social media sites to sue transgressors, and then to force the transgressive sites into settlements that include a long-term consent order permitting the FTC to have a tighter grip on the site's policies. For example, in November 2011, the FTC claimed that Facebook had lied to consumers by repeatedly stating that personal information would be kept private, while repeatedly allowing that personal information to be shared and made public. In settling this claim, Facebook agreed to a 20-year consent order protecting its members' privacy in more specific ways. That agreement mandates that Facebook receive explicit consent of its users before disclosing private information. Following up on this, in September 2013, the FTC announced an inquiry into whether Facebook's proposed new privacy policies, disclosed in August 2013, violated the 20-year consent agreement. In its proposed new policies, Facebook was planning to use its members' names and pictures in advertising products the members had "liked" or for which they had given a favorable comment, and the new policy provided that Facebook automatically assumed that the parents of teenage Facebook users had granted permission for their children's names to be used in advertising. The original FTC claim relating to an allegedly misleading privacy policy has thereby enabled the FTC to exercise much greater influence over Facebook's future treatment of consumer data. The FTC also has obtained similar 20-year consent orders with Twitter, MySpace and Google.

State breach notice laws affecting social media privacy have some relatively consistent elements and some experimental elements. These laws address the way that a social media company must behave after a breach of security relating to a site-user's personal information. Over 45 U.S. jurisdictions have some sort of data breach notice law. While these statutes come in a variety of flavors -- some include obligations triggered by simple exposure of personal data while others are not triggered until the exposed data is at risk of theft and misuse -- their basic function is the same: if a company exposes/loses certain kinds of data relating to individuals, then the company must provide notice of the loss to the data subjects (and often to law enforcement and credit services). Nearly all of these laws would apply to companies collecting personal data about their users and failing to appropriately guard the data from unauthorized breach or disclosure. However, social media sites are considered to provide a special class of service where the essential purpose of the enterprise is to enable people to provide information about themselves to a larger public. The social media companies only facilitate this exercise. Therefore, in the regular course of using social media, people are exposing their own private data, even health care data, financial information and information about their children, and self-exposure will not trigger the state breach notice laws. It is, however, likely that a failure by a social media company to protect a user's private data beyond that company's privacy settings would trigger these laws. For example, if a Texas social media user had set her account to "friends only", and the social media site exposed her account more broadly, then the site would be subject to state law breach notice requirements.

A social media site might have trouble meeting its obligations with respect to breaches because for each user whose account was compromised, the site must determine if the exposure included private and legally protected subject matter as defined in each applicable statute. Rather than undertake this Herculean task, the site may determine simply to notify all its members about the mistake, whether or not such notice is mandated by a particular state law. Of course, as with other enterprises, social media companies that accept credit card payments or otherwise keep customer financial account data are expected to protect this data and are obligated to notify customers where financial data was compromised.

As social media grows in importance in many American lives, states are tackling specific aspects of privacy intrusions that are raised in the news and that capture the imagination of legislatures and the public. For example, the concern about disclosure of personal information on social media sites has manifested in the field of worksite protections. In the past two years, a new wave of privacy laws has been sweeping state legislatures; at this writing, 12 states currently have laws specifically restricting employers from demanding access to their employees' social media sites when those sites are not fully public.2 Nearly all of these laws were passed in 2013, and other legislatures are currently considering legislating similar employer restrictions. One of the newest and broadest of these laws, passed in September 2013 and signed into law in New Jersey, prohibits employers from seeking access to "a personal account", such as a friends-only account at Facebook. Further, the law prohibits employers from "shoulder surfing" or making an employee access a personal account while management watches, from requiring an applicant or employee to change the privacy settings on a restricted account to a less-restrictive setting so that the employer can access it, or from forcing the employee to accept an employer's "friend" request. The law also prohibits an employer from retaliating or discriminating against a job applicant or employee for refusing to provide log-in information to the employer, for reporting violations of this law to the New Jersey Commissioner of Labor, or for testifying or participating in an investigation into a violation of the law.

The New Jersey law contains exceptions for financial service firms that are required by statute to monitor employees' social media communications. Similarly, in September of 2013, Illinois amended its social media password law to exempt the financial services sector, because many companies in this sector – banking, securities sales, and insurance – are required to monitor certain employees' correspondence of all types with customers or prospective customers. Most states with laws in this space have broad definitions of the type of sites protected. For example, the recently passed Nevada statute classifies a social media account as "any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or service, online services or Internet website profiles." The penalties for these laws vary widely, with California, Colorado, Illinois, New Jersey and Oregon creating administrative remedies, Illinois, Maryland, Michigan, Oregon, Utah and Washington providing a private right of action (some with penalty caps), and Arkansas, Nevada, and New Mexico not addressing remedies at all in their statutes. Other aspects of the laws vary by state. Oregon bans colleges from asking for social media passwords. Washington allows employers to be granted access to social media sites when making factual determinations in the course of conducting an investigation. New Mexico's restrictions only apply to job applicants and not to employees.

Despite these laws, employers are still allowed to review social media pages that are available to the general public, and employees may volunteer access to their social media accounts or may choose to "friend" work associates, including their superiors. Taking advantage of these voluntary actions does not violate any of the new social media forced access laws. However, because of the recent trend toward increasing the protection accorded to personal online accounts and communications, employers should document how they obtained any social media information regarding employees and how they obtained access to it. The trend toward increased protection is not uniform, though, and highlights uncertainty in a number of jurisdictions as to the degree to which privacy in social media should be protected. Most states have not approved such protections, and those that have passed a password protection law are inconsistent with respect to penalties, definitions, and the scope of protections.

California is taking steps to protect the privacy of some social media users from users' own poor judgments. In Autumn 2013, California enacted a law that would require social media sites to allow young registered users to erase their own comments from the sites. This is a first step in the U.S. toward the "right to be forgotten" that has been debated in Europe over the past decade. Teens who may have posted embarrassing statements will now have the right to clear those statements from the site's memory banks. The mechanism for enforcement has not as yet been determined, but we do know some of the limitations of the law. The statute only covers the teen's own posts, not posts made by others. A child can only erase his or her own statements, not the comments, "like" buttons or other posts surrounding those statements.3 A teen cannot erase pictures of himself or herself that others have posted, or statements about that teen that third parties posted, no matter how embarrassing or offensive those pictures or statements may be. The Library of Congress is currently archiving public tweets on Twitter, and other third party sites archive social media data. These archive sites are not covered by the California law. And from a policy standpoint, is there a downside to permitting young bullies, racists, and fraudsters to eliminate the evidence of their statements? Although some of this speech may have legal implications and may be required in court proceedings, under the new California law these statements may be required to be deleted.

In an equally bold move, in 2013 the California legislature also addressed the broad concern of consumers who are being silently tracked by software over the Internet. Tracking tools used by social media are one of the ways these sites derive revenues, capturing users' behavior and then selling targeted advertising designed to match or appeal to the type of behavior a specific user exhibits. Many sites use persistent beacons, cookies and other tools that follow a person's web usage and send information about that user's visits and habits to the site or other third parties. Some Internet browser programs are now including anti-tracking technology, permitting a user to attempt to reject these monitoring tools or at least to advise sites that use the tools that this user does not wish to be tracked in this way. California's new law will not force sites to stop tracking consumers, and it will not even force those sites to acknowledge and follow "do not track" instructions received from a consumer's browser. Instead, the California law requires companies to disclose whether the sites will honor "do not track" instructions from their users. Presumably, it is thought that Internet surfers will avoid sites that do not honor such requests. It is also likely that the California attorney general's office, which fought for this law, will be posting a "naughty and nice" list of companies which will and won't respect their users' wishes not to be tracked. This law follows several years of failure by Internet sites (including social media) and privacy advocates to agree on a method permitting people to opt out of being tracked online. It is unlikely that the California law will itself cause major changes in social media company behavior, but this is the first statute to advance the conversation on tracking of private online movements, and it could lead to further action by legislatures across the country.

Led by the states, the U.S. is developing laws and regulations to protect certain aspects of people's information on social media. As social media sites evolve to make the dissemination of information easier, our society is beginning to recognize the problems inherent in such dissemination, and the use and protections to which such information is entitled. Both the FTC and state legislatures are taking steps to protect the American public from inappropriate intrusions on their privacy through social media – even if they are only protecting us from our own poor judgment.

Originally published in the January 2014 edition of Business Law Today.

Footnotes

1 The exception to this rule seemed to be the 2006 ruling against Choicepoint, costing the company $10 million in civil penalties for providing personal information to identity thieves.

2 The states that have passed these laws are Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Jersey, New Mexico, Nevada, Oregon, Utah and Washington.

3 A new case has ruled that use of the "like" button on social media is Constitutionally protected speech. Bland v. Roberts, Case No. 12-1671, 4th Cir., September 18, 2013.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
