United States: Privacy And Social Media

Last Updated: March 31 2014
Article by Theodore F. Claypoole

From every angle, social media is anathema to privacy. The very founding concept of paleolithic AOL Chatrooms and Usenet Newsgroups, and later Facebook, MySpace and the earliest blogging sites was to provide a forum for people to share with each other. People shared ideas, humor, emotions, preferences, prejudices, priorities, and often misguided attempts at profundity. Newer sites simply broadened and deepened the sharing – Twitter users share commute times and coffee temperatures, Tumblers share memes galore, and Instagramites share a wealth of doctored photographs.

We learned things about the people in our world, and they about us. Thanks to social media, we now knew that if our nearest co-worker were a tree, she would be a willow, and the celebrity she believes that she most resembles is Angelina Jolie. We also know that Shirley's kids are honor students and that Tom's brother was just released from prison (early, for good behavior), that Jeffrey lives and dies with his Eagles and that Sandra is so, so, so sad at the plight of shelter animals. Importantly, we know when people are leaving town and how long they will be gone. We know if they come into money. We learn about their families and their vulnerabilities. We learn about drinking and drug use, sexual promiscuity, and even crimes like DWI or hit and run. We see pictures of their kids, their cars, their vacations and their homes.

All of this sharing may help create communities, but it also destroys privacy. The bikini-clad body that is perfectly appropriate on the beach at St. John or Captiva may undermine the respect an employee has worked hard to earn from superiors, subordinates and peers at the office who may view the vacation pictures on Facebook. The same may be true for pictures of a drinking party among friends. Too much published information can and present obstacles when circumstances change and a spouse sues for divorce or a rival is seeking an edge for a promotion at work. We all know that kids can be the cruel, and your insistence on wearing mouse ears at a Disney theme park may reach the attention of your children's classmates, and their parents. Criminals trawl social media constantly, looking for vulnerabilities and vacations, pinpointing easy targets.

Operators of various social media outlets are well aware that their profits may increase as we expand our willingness to share personal information about ourselves, and much of the business model development for social media sites is designed to coerce, cajole, trick, taunt or tease us into revealing more information about our lives and our thoughts and opinions. Who are your friends? What discounts interest you? You "liked" the last Vin Diesel movie, will you like the next one? What is your relationship status? Who do you write to? Who do you poke? Won't you download the mobile app so we can see where you are when you access our site? Your friends have downloaded our app. Why won't you? We will ask you again in two hours.

Every bit of information we disclose is another databite to be mined and measured, sorted and sold. Online transactions provide even more opportunities, because a purchase through a social media site hits the trifecta for the site owner. With a purchase, the site registers our activity, our expenditure, our degree of interest in a good or service and an entire category of goods or services (opening our wallet demonstrates significant interest), our bank, our credit card information, our shipping address, our online ID and our passwords. In addition, the social media site may trumpet the sale to our friends attempting to induce additional transactions. And beyond this extraordinary information bounty, the social media site likely received a financial kickback from a sale made from its platform. Moreover, the data mining industry attempts to review every transaction and every posting in which we engage in order to be able to maximize the profit potential of every piece of information disclosed by that transaction or posting.

For this reason, social media is not simply a collection of online places that allow private information to escape, but social media sites are organized to draw as much participation and information out of us as possible. Like casinos built without sunlight or clocks so as to encourage your further play, the social media sites and data mining industry study online behavior and build manipulation machines designed to entice you to remain engaged and to divulge information. A search engine site may not care whether you own a particular make or model of car or that you baked cookies last night, but it cares that you told them about your car and your cookies. They make money from aggregating car owners and cookie bakers and selling information to companies who can exploit that information.

Until recently, there has been very little counterbalance to the siren's call of revealing everything on social media or to the tricks and manipulations that the online media companies employ to make sharing easy, satisfying and seemingly so necessary. Certainly there are authors writing jeremiads both in and out of the mainstream media who will despair about the morality of kids today, or about the solipsistic adults who believe that each workout or restaurant meal is worth recording for posterity and circulating to wide circle of "friends". There seems to be an absence of concerted opposition to this kind of activity Schools and workplaces do not appear to actively discourage sharing in social media, except to prevent a student from bullying another, or to caution workers not to release company trade secrets. Governmental restrictions are spotty at best, except for the intelligence services, judiciary and some government agencies.

In short, prior to 2013, legislatures and regulators in the United States appeared to be more concerned about the data they could glean from social media than protecting privacy of the average citizen in the online world. Much of the rest of the industrialized world has a very different viewpoint about personal information than that we experience in the U.S.. In Europe, Canada and other countries across the world, protection of each citizen's private information is considered to be a human right, secured by statute and enforced by government and private causes of action. In the U.S., by contrast, only certain classes of information are protected under federal law – financial transactions, health care transactions, and information regarding children under the age of 13 – while nearly all other data is considered to be fair game for any business or government agency that chooses to collect, store and use the information.

The Federal Trade Commission (FTC) and state attorney generals have been the traditional protectors of online privacy for lightly-regulated industries like social media. But through much of the development of social media and socially-oriented Internet sites, these enforcement agencies have tended only to enforce the privacy policies that a site chose to publicize. If a social media site had claimed not to gather certain information, but it indeed gathered that information, then the FTC would assert claims upon that site. However, if the social media site had a vague privacy policy that never clearly disclosed all of the information it gathered, or if the site gathered and sold massive amounts of personal data from its users, and the site revealed its behavior in its privacy policy, then no enforcementaction would be initiated because the site was not breaking any known laws.1 In other words, for most personal data about people, their activities and their transactions, it seems that a social media site would not be regulated for use or abuse of this data, only for misrepresenting what data was collected and how such data was used. Deep intrusions of privacy may be allowed, as long as the site doesn't directly misrepresent what it is doing.

The FTC has moved beyond this positionduring the past three years by using its powers to enforce privacy policies on social media sites to sue transgressors, and then to force the transgressive sites into settlements that include a long-term consent order permitting the FTC to have a tighter grip on the site's policies. For example, In November 2011, the FTC claimed that Facebook had lied to consumers by repeatedly stating that personal information would be kept private, while repeatedly allowing that personal information to be shared and made public. In settling this claim, Facebook agreed to a 20-year consent order protecting its member's privacy in more specific ways. That agreement mandates that Facebook receive explicit consent of its users before disclosing private information. Following up on this, in September 2013, the FTC announced an inquiry into whether Facebook's proposed new privacy policies, disclosed in August 2013, violated the 20-year consent agreement. . In its proposed new policies, Facebook was planning to use its members' names and pictures in advertising products the members had "liked" or for which they had given a favorable comment, and the new policy provided that Facebook automatically assumed that the parents of teenage Facebook users had granted permission for their children's names to be used in advertising. The original FTC claim relating to an allegedly misleading privacy policy has thereby enabled the FTC to exercise much greater influence into Facebook's future treatment of consumer data. The FTC also has obtained similar 20-year consent orders in place with Twitter, MySpace and Google.

State breach notice laws affecting social media privacy have some relatively consistent elements and some experimental elements. These laws address the way that a social media company must behave after a breach of security relating to a site-user's personal information. Over 45 U.S. jurisdictions have some sort of data breach notice law. While these statutes come in a variety of flavors -- some include obligations triggered by simple exposure of personal data while others are not triggered until the exposed data is at risk of theft and misuse -- their basic function is the same: if a company exposes/loses certain kinds of data relating to individuals, then the company must provide notice of the loss to the data subjects (and often to law enforcement and credit services). Nearly all of these laws would apply to companies collecting personal data about their users and failing to appropriately guard the data from unauthorized breach or disclosure . However, social media sites are considered to provide a special class of service where the essential purpose of the enterprise is to enable people to provide information about themselves to a larger public. The social media companies only facilitate this exercise. Therefore, in the regular course of using social media, people are exposing their own private data, even health care data, financial information and information about their children, and self-exposure will not trigger the state breach notice laws. It is, however, likely that a failure by a social media company to protect a user's private data beyond that company's privacy settings would trigger these laws. For example, if a Texas social media user had set her account to "friends only", and the social media site exposed her account more broadly, then the site would be subject to state law breach notice requirements.

A social media site might have trouble meeting its obligations with respect to breachesbecause for each user whose account was compromised, the site must determine if the exposure included private and legally protected subject matter as defined in each applicable statute. Rather than undertake this Herculean task, the site may determine simply to notify all its members about the mistake, whether or not such notice is mandated by a particular state law. Of course, as with other enterprises, social media companies that accept credit card payments or otherwise keep customer financial account data are expected to protect this data and are obligated to notify customers where financial data was compromised.

As social media grows in importance in many American lives, states are tackling specific aspects of privacy intrusions that are raised in the news and that capture the imagination of legislatures and the public. For example, the concern about disclosure of personal information on social media sites has manifest in the field of worksite protections. In the past two years, a new wave of privacy laws has been sweeping state legislatures; at this writing, 12 states currently have laws specifically restricting employers from demanding access to their employees' social media sites when those sites are not fully public.2 Nearly all of these laws were passed in 2013, and other legislatures are currently considering legislating similar employer restrictions. One of the newest and broadest of these laws, passed in September 2013 and signed into law in New Jersey, prohibits employers from seeking access to "a person account", such as a friends-only account at Facebook. Further, the law prohibits employers from "shoulder surfing" or making an employee access a personal account while management watches, from requiring an applicant or employee to change the privacy settings on a restricted account to a less-restrictive setting so that the employer can access it, or by forcing the employee to accept an employer's "friend" request. The law also prohibits an employer from retaliating or discriminating against a job applicant or employee for refusing to provide log-in information to the employer, for reporting violations of this law to the New Jersey Commissioner of Labor, or from testifying or participating in an investigation into a violation of the law.

The New Jersey law contains exceptions for financial service firms that are required by statute to monitor employees' social media communications. Similarly, in September of 2013, Illinois amended its social media password law to exempt the financial services sector, because many companies in this sector – banking, securities sales, and insurance – are required to monitor certain employee's correspondence of all types with customers or prospective customers. Most states with laws in this space have broad definitions of the type of sites protected. For example, the recently passed Nevada statute classifies a social media account as "any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or service, online services or Internet website profiles." The penalties for these laws vary widely, with California, Colorado, Illinois, New Jersey and Oregon creating administrative remedies, Illinois, Maryland, Michigan, Oregon, Utah and Washington providing a private right of action (some with penalty caps), and Arkansas, Nevada, and New Mexico not addressing remedies at all in their statutes. Other aspects of the laws vary by state. Oregon bans colleges from asking for social media passwords. Washington allows employers to be granted access to social media sites when making factual determinations in the course of conducting an investigation. New Mexico's restrictions only apply to job applicants and not to employees.

Despite these laws, employers are still allowed to review social media pages that are available to the general public, and employees may volunteer access to their social media accounts or may choose to "friend" work associates, including their superiors, . Taking advantage of these voluntary actions does not violate any of the new social media forced access laws. However, because of the recent trend toward increasing the protection accorded to personal online accounts and communications, employers should document how they obtained any social media information regarding employees how they obtained access to it.. The trend toward increased protection is not uniform, though, and highlights uncertainty in a number of jurisdictions as to the degree to which privacy in social media should be protected.. Most states have not approved [any?] such protections, and those that have passed a password protection law are inconsistent with respect to penalties, definitions, and the scope of protections..

California is taking steps to protect the privacy of some social media users from users' own poor judgments. In Autumn 2013, California enacted a law that would require social media sites to allow young registered users to erase their own comments from the sites. This is a first step in the U.S. toward the "right to be forgotten" that has been debated in Europe over the past decade. Teens who may have posted embarrassing statements will now have the right to clear those statements from the site's memory banks. The mechanism for enforcement has not as yet been determined, but we do know some of the limitations of the law. The statute only covers the teen's own posts not posts made by others. A child can only erase his or her own statements, not the comments, "like" buttons or other posts surrounding those statements.3 A teen cannot erase pictures of himself or herself that others have posted, or statements about that teen that third parties posted, no matter how embarrassing or offensive those pictures or statements may be. The library of Congress is currently archiving public tweets on Twitter, and other third party sites archive social media data. These archive sites are not covered by the California law. And from a policy standpoint, is there a downside to permitting young bullies, racists, and fraudsters to eliminate the evidence of their statements? Although some of this speech may have legal implications and may be required in court proceedings, under the new California law these statements may be required to be deleted.

In an equally bold move, in 2013 the California legislature also addressed the broad concern of consumers who are being silently tracked by software over the Internet. Tracking tools used by social media are one of the ways these sites derive revenues, capturing user's behavior and then selling targeted advertising designed to match or appeal to the type of behavior a specific user exhibits. Many sites use persistent beacons, cookies and other tools that follow a person's web usage and send information about that user's visits and habits to the site or other third parties. Some Internet browser programs are now including anti-tracking technology, permitting a user to attempt to reject these monitoring tools or at least to advise sites that use the tools that this user does not wish to be tracked in this way. California's new law will not force sites to stop tracking consumers, and it will not even force those sites to acknowledge and follow "do not track" instructions received by consumer's browser. Instead, the California law requires companies to disclose whether the sites will honor "do not track" instuctions from their users. Presumably, it is thought that Internet surfers will avoid sites that do not honor such requests. It is also likely that the Californa attorney general's office, which fought for this law, will be posting a "naughty and nice" list of companies which will and won't respect their user's wishes not to be tracked. This law follows several years of failure by Internet sites (including social media) and privacy advocates agree to a method permitting people to opt-out of being tracked online. It is unlikely that the California law will itself cause major changes in social media company behavior, but this is the first statute to advance the conversation on tracking of private online movements, and it could lead to further action by legislatures across the country.

Led by the states, the U.S. is developing laws and regulations to protect certain aspects of people's information on social media. As social media sites evolve to make the dissemination of information more easy, our society is beginning to recognize the problems inherent in such dissemination, and the use and protections to which such information is entitledB.Both the FTC and state legislatures are taking steps to protect the American public from inappropriate intrusions on their privacy through social media – even if they are only protecting us from our own poor judgment.

Originally published in the January 2014 edition of Business Law Today.


1 The exception to this rule seemed to be the 2006 ruling against Choicepoint, costing the company $10 million in civil penalties for providing personal information to identity thieves.

2 The states that have passed these laws are Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Jersey, New Mexico, Nevada, Oregon, Utah and Washington.

3 a new case has ruled that use of the "like" button on social media is Constitutionally protected speech. Bland v. Roberts, Case No. 12 – 1671, 4th Cir, September 18, 2013.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Morris, Manning & Martin, LLP
Ostrow Reisin Berk & Abrams
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Morris, Manning & Martin, LLP
Ostrow Reisin Berk & Abrams
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions