10. Social Media’s Effect on Privacy and Security Compliance


The emergence of online social networks, and the new technologies which support them, carries with it new challenges and threats to consumer privacy and data security. In addition to our families, friends, acquaintances, and colleagues, as well as businesses and marketers, numerous other parties are interested in the information we share within social networks. Identity thieves, scammers, and fraudsters are also seeking to exploit social networks to acquire data about consumers. The social networks themselves are feverishly collecting an ever-growing number of data points about users (including their age, gender, hobbies, interests, spending patterns, location, and so forth) not only to improve and personalize the user experience, but also to monetize the data through the sale of ads, and other means.


Unfortunately, the enhanced ability to collect and store consumer data has dramatically increased the risks that data will be shared more broadly than understood or intended by consumers (such as with third party advertisers or affiliates that are many layers removed from consumers), or used for purposes that were not disclosed—or even contemplated—at the time of collection.

While many businesses enjoy the promotional advantages of social media, they fail to properly ensure they have good compliance programs in place. Recent Federal Trade Commission (FTC) settlements with Facebook, Twitter, and Google—as discussed in this chapter—highlight the risk of using social media without properly structured and implemented privacy and security compliance guidelines.

Because smaller companies are not immune from the FTC’s enforcement reach, these cases serve as an important reminder about the risks inherent whenever companies collect consumer information, particularly when that information is private (for example, date of birth, sexual orientation, financial or medical history) or designated by the consumer as such (for example, contacts, friends list, buying practices, reading lists). In light of the ever-increasing scrutiny by the FTC of consumer data privacy and data protection issues, companies should take steps to ensure that their privacy and security policies, statements, and practices are truthful, nondeceptive, factually supportable, and consistent with evolving legal standards and industry best practices.

(Companies collecting information from children younger than 13 years old are also reminded of their obligations to comply with COPPA, as discussed in Chapter 7, “The Law of Social Advertising.”)

This chapter highlights the security and privacy risks inherent in the use of social media by examining recent FTC regulatory action brought against Facebook, Twitter, and Google. Readers will gain insights learned from their reported missteps to assist them in avoiding liability and regulatory scrutiny.


Note

In December 2010, the FTC released a draft report—entitled “Protecting Consumer Privacy in an Era of Rapid Change”1—which proposed a new framework for the online and offline collection and use of consumer data consistent with the following three principles: (1) privacy by design—that is, companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services (for example, by collecting only the data needed for a specific business purpose and retaining such data only as long as necessary to fulfill that purpose), (2) simplified consumer choice—that is, companies should present choices to consumers at the point of data collection, and may forego choice altogether for “commonly accepted” uses of consumer information (such as product/service fulfillment, first-party marketing, fraud prevention, or internal operations), and (3) greater transparency—that is, companies should increase the transparency of their practices with respect to the collection, use, and sharing of consumer information (for example, by providing consumers with clearer, shorter, and more standardized privacy statements describing a company’s data practices, in easy-to-understand language). The FTC released its final report on March 26, 2012.2 Because much of the FTC’s recent past (and expected future) enforcement activity regarding a company’s data security and privacy practices is being measured against these principles, companies would be wise to follow them.


Privacy Compliance

The Google Buzz launch debacle is a perfect example of the serious consequences that can occur when a company neglects to abide by its own privacy policy. Within days after releasing its social networking service in February 2010, Google faced strong public criticism, a complaint3 filed with the FTC, and a consumer class-action lawsuit alleging violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and other privacy violations inconsistent with Google’s privacy policy.4

Google Buzz was a platform that enabled users to share updates, comments, photos, videos, and other information through posts (or buzzes) made either publicly or privately to individuals or groups of users. Google used the information of consumers who signed up for Gmail, including first and last name and email contacts, to populate the social network. According to the allegations in the complaint, without prior notice or the opportunity to consent, Google Buzz was automatically added to all Gmail users, and the program automatically converted into “followers” the contacts with whom users emailed and “chatted” the most. By default, the users’ information and followers were also made public, including their photos. As noted in the complaint, the automatic public generation of email lists could reveal the names of a user’s psychiatrist, attorney, romantic partner, children, job recruiters, or other personal information.

On May 31, 2011, U.S. District Court Judge James Ware granted approval of an $8.5 million class-action settlement to be divided among the plaintiffs’ attorneys ($2.125 million) and various privacy-related advocacy groups, nonprofits, and education organizations.

Likewise, on October 24, 2011, the FTC finalized its settlement with Google.5 The FTC found that Google used deceptive tactics and violated its own privacy policy by using information provided for Gmail for another purpose (social networking) without obtaining consumers’ permission in advance. Although Google led Gmail users to believe that they could choose whether they wanted to join the network, the options for declining or leaving the social network were ineffective. Even Gmail users who thought they turned off Google Buzz remained in the social network.

According to the terms of the FTC settlement, Google is prohibited from making further privacy-related representations inconsistent with its privacy policy and is required to obtain express affirmative user consent before sharing information with a third party in any manner that differs from its practices as it existed when the user’s information was first collected. The settlement further requires Google to implement a comprehensive privacy program and to undergo independent privacy audits every 2 years for the next 20 years.

In 2010, Facebook also found itself the target of an FTC investigation for failing to abide by its privacy promises. According to the complaint,6 Facebook engaged in the following unfair and deceptive acts or practices:

• In December 2009, Facebook changed its website so certain information that users may have previously designated as private (such as their friends list, gender, or city of residence) was made public. However, Facebook failed to warn users of the change or to obtain their opt-in consent before implementing the new privacy settings.

• Facebook claimed that third-party apps that users installed would have access only to user information that they needed to operate. However, the apps could access nearly all the users’ personal data, including data the apps did not need.

• Facebook claimed that users could restrict sharing of data to limited audiences (for example, with friends only). However, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.

• Although Facebook promised users that it would not share their personal information with advertisers, it did not honor this promise.

• Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. However, Facebook allowed access to such content, even after users had deactivated or deleted their accounts.

On November 29, 2011, Facebook reached a settlement with the FTC. The proposed settlement7 bars Facebook from misleading consumers about how the company uses their personal information, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Specifically, under the proposed settlement, Facebook is:

• Precluded from making misrepresentations about the privacy or security of consumers’ personal information (including the extent to which consumers can control the privacy of their personal information);

• Required to obtain consumers’ affirmative express consent (opt-in) before enacting changes that override their privacy preferences;

• Required to, prior to sharing a user’s nonpublic user information with any third party, which materially exceeds the restrictions imposed by a user’s privacy setting(s), (a) “clearly and prominently disclose to the user, separate and apart from any “privacy policy,” “data use policy,” “statement of rights and responsibilities” page, or other similar document: (1) the categories of nonpublic user information that will be disclosed to such third parties, (2) the identity or specific categories of such third parties, and (3) that such sharing exceeds the restrictions imposed by the privacy setting(s) in effect for the user”; and (b) “obtain the user’s affirmative express consent”;

• Required to prevent anyone from accessing a user’s information more than 30 days after the user has deleted such information or terminated his or her account;

• Required to establish and maintain a comprehensive privacy program designed to address privacy risks related to the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and

• Required, within 180 days, and every 2 years thereafter for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC’s order, and to ensure that the privacy of consumers’ information is protected.

What lessons can companies learn from the Facebook settlement?

• First, companies handling personally identifiable information and other consumer data should adopt a comprehensive privacy program that is reasonably designed to protect the privacy and security of such information, including controls and procedures, such as monitoring and auditing, to identify and prevent predictable risks.

• Second, like any other advertising claim, what companies represent about how they handle consumer information has to be truthful, not deceptive, and objectively supportable.

• Third, whenever companies represent that consumer data will be kept private, they should obtain opt-in consent from users before implementing new privacy settings affecting how this data is used. (User consent may be obtained when the user returns to the business’s website, re-logs in to the business’s mobile app, or otherwise next interacts with the business.)

• Fourth, important changes in a company’s privacy practices (how they share data with third parties, for example) should be disclosed clearly (that is, with minimal “geek-speak and legal mumbo-jumbo”8) and conspicuously, and not merely in their privacy policies or other legal boilerplate.

• Finally, at least annually, companies should audit their privacy practices and should consider, particularly if large volumes of personally identifiable and other consumer information are regularly collected, voluntarily submitting to periodic independent, third-party audits certifying that they have legally adequate privacy programs in place.

Security Compliance

In addition to holding companies liable for their failures to abide by their privacy policies, the FTC will hold companies accountable for failures in honoring their representations regarding their security practices.

On March 11, 2011, in the agency’s first such case against a social networking service, the FTC finalized a proposed settlement with Twitter, which resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information.9 Specifically, the FTC claimed that Twitter, contrary to the statements contained in its privacy policy, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Hackers exploited these failures and obtained administrative control of the Twitter system, which led to two high-profile hacker attacks in 2009. (See side note.) These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.


Note

In January 2009, a hacker used an automated password-guessing tool to gain unauthorized administrative control of Twitter. At the time, Twitter’s system did not have a safeguard in place to automatically lock users out of the site if they failed to enter the correct password after a certain number of attempts. After “guessing” the correct site password (happiness), the hacker was able to send out phony tweets from any Twitter account, including those belonging to the official feed for FOX News and then-President-elect Barack Obama (offering his more than 150,000 followers a chance to win $500 in free gasoline).

In April 2009, another hacker was able to gain administrative access to a Twitter employee’s email account, where the employee’s Twitter administrative password was stored in plain text. Once in the administrative account, the hacker reset at least one Twitter user’s password and could access nonpublic user information and tweets for any Twitter user.


Twitter’s privacy policy stated, “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” According to the FTC complaint, Twitter failed to prevent unauthorized administrative control of its system (and therefore violated its privacy policy) by, among other matters, failing to:

• Require that administrative passwords be hard to guess, and establish policies that: “(i) prohibit the use of common dictionary words as administrative passwords; and (ii) require that such passwords be unique”—that is, different from any password that the employee uses for other programs, websites, and networks;

• Prohibit storage of administrative passwords in plain text within employees’ personal email accounts;

• Suspend or disable administrative passwords after a reasonable number of failed login attempts;

• “[P]rovide an administrative login web page that is made known only to authorized persons and is separate from the login web page for other users;”

• Enforce periodic changes of administrative passwords (setting them to expire every 90 days, for example);

• “[R]estrict each person’s access to administrative controls according to the needs of that person’s job;” and

• “[I]mpose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.”10

Under the terms of the settlement, Twitter must implement a comprehensive information security program that is reasonably designed to protect the privacy and security of nonpublic consumer information, and is prohibited from misrepresenting the extent to which it protects such information for 20 years. An independent auditor must conduct assessments every other year for 10 years to determine whether Twitter’s information security program adequately protects consumer information as required by the settlement. In addition, Twitter is required to file a report describing its compliance with the settlement and alert the FTC to any change in the corporation that may affect its compliance obligations. Each violation of the FTC settlement order may result in a civil penalty of up to $16,000.


Legal Insight

In the class-action case of Claridge v. RockYou,11 plaintiffs alleged that social network application developer RockYou failed to secure and safeguard its users’ personally identifiable information (PII) (including their email addresses and passwords, as well as their login credentials for social networking sites such as Facebook and MySpace), resulting in a breach affecting more than 32 million users. In particular, according to the allegations in the complaint, RockYou stored its users’ PII in an unencrypted database (in clear or plain text) with poor network security, despite the representations in its privacy policy that it “uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information.” On April 11, 2011, a federal district court denied the defendant’s motion to dismiss and allowed plaintiffs’ negligence and breach of contract claims to proceed. The court held that the loss of personal information alone was sufficient grounds for the claim, even if there are no actual damages as traditionally understood (for example, unauthorized charges on a credit or debit card resulting from the identity theft). Rather, a user’s PII “constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”12 The decision is important because it contrasts with the overwhelming majority of other cases, which have generally refused to confer Article III standing—that is, the legal right to bring a claim based on a concrete (actual, not hypothetical) and particularized (personal and individual) injury—upon consumers whose online personal information has been disclosed and whose only injury is the loss of the data itself.13

On December 15, 2011, the parties in Claridge v. RockYou submitted a settlement14 for court approval. Under the terms of the proposed settlement, RockYou agreed: (i) to undergo two independent audits of its security policies for 3 years to ensure that consumers’ personal information is stored in a secure and commercially reasonable manner; (ii) to correct any deficiencies in its policies to the extent such audits reveal any credible security threats; (iii) to pay the lead plaintiff $2,000 (as an “incentive award” for bringing the claim); and (iv) to pay plaintiff’s attorney’s fees of $290,000. It is important to note that the proposed settlement does not void the district court’s April 2011 decision—future litigants are free to rely upon it as precedent (or persuasive authority) for the proposition that the loss of personal information alone is sufficient to confer standing.


The Twitter, Facebook, and Google FTC settlements highlight the security and privacy risks associated with social media. Companies that engage in social networking and deal with any form of personal information should proceed with caution because, as can be seen, privacy and security have become lightning rod topics for both the FTC and consumer advocacy groups. While consumers who use social networking sites may choose to share some information with others, they still have a right to expect that their personal information will be kept private and secure. At a minimum, as part of their privacy and security compliance guidelines, companies should require the following:

• Administrative passwords must be unique, that is, different from the passwords that employees with administrative control of the company’s systems use to access third-party programs and networks.

• All administrative passwords must be changed periodically.

• Passwords must never be kept in plain text in personal email accounts; any stored copy must be encrypted.
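The administrative-access failures listed in the Twitter complaint (guessable or reused passwords, no lockout after repeated failures, no password expiry, no IP restriction, plain-text storage) and the minimum guidelines just listed are all controls that can be enforced in code. The following is an added illustration, not code from the book, from Twitter, or from the FTC, showing one way a small administrative login gate can enforce them. The dictionary word list, the permitted IP range, the thresholds (14-character minimum, 5 failed attempts, 90-day expiry), and the function names are constructed assumptions for the example; the one real value is the word “happiness,” the guessed password described in the chapter’s note.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed sample data for this example (not from any real deployment):
# a tiny "common words" list and the network from which admin logins are allowed.
COMMON_WORDS = {"happiness", "password", "welcome", "letmein", "admin"}
ADMIN_ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_FAILED_ATTEMPTS = 5                       # lock after this many wrong guesses
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600     # force a change every 90 days
MIN_LENGTH = 14


def check_password_policy(password, used_elsewhere=()):
    """Return the list of policy violations (an empty list means acceptable).

    used_elsewhere: passwords the employee already uses on other sites or
    programs, so the administrative password can be checked for uniqueness
    (a hypothetical input supplied by the caller in this example)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    if password in used_elsewhere:
        problems.append("reused from another system")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AdminAccount:
    """Per-administrator state: hashed credential, set time, failure counter."""

    def __init__(self, username, password, now):
        self.username = username
        self.salt, self.digest = hash_password(password)   # never keep plaintext
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked = False

    def password_expired(self, now):
        return now - self.password_set_at > PASSWORD_MAX_AGE_SECONDS


def admin_login(account, password, client_ip, now):
    """Gate administrative access: IP restriction, lockout, hash check, expiry.

    Returns "ok", "ip_not_allowed", "locked", "bad_password", or "password_expired"."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ADMIN_ALLOWED_NETWORKS):
        return "ip_not_allowed"            # restrict admin access to known addresses
    if account.locked:
        return "locked"                    # no further guesses once locked
    _, candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True          # disable after repeated failures
        return "bad_password"
    account.failed_attempts = 0
    if account.password_expired(now):
        return "password_expired"          # correct, but must be rotated first
    return "ok"


if __name__ == "__main__":
    print(check_password_policy("happiness"))
    acct = AdminAccount("ops-admin", "correct-horse-battery-staple", now=0)
    for _ in range(MAX_FAILED_ATTEMPTS):
        admin_login(acct, "wrong-guess", "10.1.2.3", now=0)
    print(admin_login(acct, "correct-horse-battery-staple", "10.1.2.3", now=0))
```

In production the account state would live in a database and the failure counter would be keyed per account and per source address, and the lockout would be paired with alerting so that a burst of failures against an administrative account is investigated rather than silently absorbed; the point of the sketch is that each control the complaint faulted Twitter for lacking is a few lines of logic, not a large engineering effort.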

Bottom line: If you represent that you will keep your users’ information private and secure, you had better make good on that promise. As the FTC is demanding of Facebook, Google, and Twitter, companies should audit their privacy and security practices at least annually and ensure that they are consistent not only with applicable law, but also with the policies and statements they have communicated to consumers.

Although the law oftentimes has a difficult time keeping pace with the rapid growth of technologies and business models, this is not entirely the case as it relates to companies that collect and use consumers’ information in new ways. Here, the law (in the form of the FTC) is keeping close stride. The FTC’s zealous enforcement and regulatory activity seeking to protect consumers from new and emerging forms of data security and privacy risks should serve as a wake-up call to all businesses to take these risks seriously. With the right combination of due diligence and strategic risk management (see Figure 10.1), companies collecting and using consumer data can hopefully avoid liability and regulatory scrutiny.


Figure 10.1 Legal Tips for Social Media Data Security and Privacy Compliance.

Chapter 10 Endnotes

1 See FTC’s Preliminary Staff Report Protecting Consumer Privacy in an Era of Rapid Change: A Framework Businesses and Policymakers (Dec. 1, 2010), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.

2 See FTC’s Staff Report Protecting Consumer Privacy in an Era of Rapid Change: A Framework Businesses and Policymakers (Mar. 26, 2012), available at http://ftc.gov/os/2012/03/120326privacyreport.pdf.

Unlike in its 2010 draft report (wherein the FTC’s recommendations applied to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device), the FTC concludes in its final report that its privacy framework should not apply to “companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties.”

Moreover, whereas the preliminary report noted that choice shouldn’t be necessary for certain “commonly accepted practices,” the final Report concludes that choice needn’t be provided for data practices which are “consistent with the context of the transaction or the company’s relationship with the consumer, or where required or specifically authorized by law.” The FTC noted that many of the five “commonly accepted practices” identified in the preliminary report would generally meet this revised standard, although there may be exceptions.

3 In the Matter of Google Inc., Complaint, Request for Investigation, Injunction, and Other Relief (Feb. 16, 2010), available at http://epic.org/privacy/ftc/googlebuzz/GoogleBuzz_Complaint.pdf

4 In Re Google Buzz Privacy Litigation, Case No. 5:10-CV-00672-JW (N.D. Cal. Feb. 17, 2010)

5 In the Matter of Google Inc., FTC File No. 102 3136 (Oct. 24, 2011). A copy of the Decision and Final Order is available at http://www.ftc.gov/os/caselist/1023136/111024googlebuzzdo.pdf.

6 In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011). A copy of the draft complaint is available at http://www.ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf.

7 In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011). A copy of the agreement containing consent order is available at http://www.ftc.gov/os/caselist/0923184/111129facebookagree.pdf.

8 See FTC staff attorney Leslie Fair’s 12/2/11 FTC blog post “Lessons from the Facebook Settlement (even if you are not Facebook),” available at http://business.ftc.gov/blog/2011/12/lessons-facebook-settlement-even-if-youre-not-facebook.

9 In the Matter of Twitter, Inc., FTC File No. 092-3093 (Mar. 11, 2011). A copy of the decision and order is available at http://www.ftc.gov/os/caselist/0923093/110311twitterdo.pdf.

10 In the Matter of Twitter, Inc., FTC File No. 092-3093 (Mar. 11, 2011). A copy of the complaint is available at http://www.ftc.gov/os/caselist/0923093/110311twittercmpt.pdf.

11 Claridge v. RockYou, Inc., Case No. 4:09-CV-6032-PJH (N.D. Cal. Dec. 28, 2009)

12 Order Granting in Part and Denying in Part Motion to Dismiss (Docket No. 47) (Apr. 11, 2011), Claridge v. RockYou, Inc., Case No. 4:09-CV-6032-PJH (N.D. Cal. Dec. 28, 2009)

13 A plaintiff must establish a number of requirements to have his/her case heard in federal court, including those of Article III of the United States Constitution, which provides, among other matters, that “The Judicial Power shall extend to all Cases ...[and] to Controversies....” To satisfy Article III, a plaintiff “must show that (1) it has suffered an ‘injury in fact’ that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Friends of the Earth, Inc. v. Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167, 180-81 (2000)

14 Plaintiff’s Motion for Approval of Class Action Settlement (Docket No. 55) (Dec. 15, 2011), Claridge v. RockYou, Inc., Case No. 4:09-CV-6032-PJH (N.D. Cal. Dec. 28, 2009)
