The Interwoven Complexities of Social Media, Privacy and Data Security


CLE Presentation: Daniel C. Nelson and Jeffrey Schultz, attorneys at Armstrong Teasdale

Social media has infiltrated most aspects of society, presenting a wide range of potential legal issues for any attorney or business. To gain a thorough understanding of how social media's many intersections with changing privacy law and data security requirements impact your business, this presentation will discuss how to navigate through this tangled web.

The choice of a lawyer is an important decision and should not be based solely on this presentation. All rights are reserved and content may not be reproduced, disseminated or transferred, in any form or by any means, except with the prior written consent of Armstrong Teasdale.


  1. February 27, 2013. Daniel Nelson, CIPP/US; Jeffrey Schultz. © 2013 Armstrong Teasdale LLP
  2. What is Social Media?
     • Web 2.0: The Interactive Web
     • A tool for communicating
     • Information is shared globally
  3. What is Privacy Law?
     • Array of statutes, regulations and guiding principles
     • Fundamentally different legal/regulatory schemes in different jurisdictions:
     United States
       • No comprehensive “law”
       • Patchwork of sector-specific (e.g. HIPAA) and jurisdiction-specific regulations
       • Overall: less privacy protection
     Europe
       • Comprehensive data protection scheme
       • Strict privacy protection
       • “Privacy as a human right”
  4. The Intersection: 3 Perspectives
     • The Social Media user’s perspective
     • The eDiscovery perspective
     • The use of others’ Social Media data
  5. The Challenge
  6. The Challenge
     “If I’m applying the First Amendment, I have to apply it to a world where there’s an Internet, and there’s Facebook, and there are movies like ... The Social Network, which I couldn’t even understand.” —Justice Stephen Breyer
     Justice Roberts: “I thought, you know, you push a button; it goes right to the other thing.”
     Justice Scalia: “You mean it doesn’t go right to the other thing?”
     —Justice John Roberts to Justice Antonin Scalia Regarding How a Text-Messaging Service Works
  7. What’s Happened in Social Media in 2012/2013?
     • Pinterest continues to gain in popularity—overtook LinkedIn to become No. 3
     • Almost 1 billion Facebook users; 54% access via mobile; 23% of users check Facebook 5 times or more daily; 1 million websites have integrated with Facebook
     • 56% of customer tweets are being ignored
     • Over 40 million photos are uploaded to Instagram every day
     • The “Twitter Olympics” v. the “Sina Weibo Olympics”
     • More apps using location data to connect users
     • Fastest growing segment for social media use: 45-54 year olds
     • Political campaigns using social media
     • New SEC and FINRA social media guidelines
  8. Zuckerberg’s Law of Information Sharing
     “I would expect that next year, people will share twice as much information as they share this year, and the next year, they will be sharing twice as much as they did the year before.”
  9. What data does Facebook really collect (and keep)?
     • The obvious: what you see on the screen
     • “Europe v. Facebook” Group Information Request:
       • All friend requests and your responses;
       • All Event invitations and your responses;
       • IP address used for each Facebook login;
       • Camera metadata, even for photos where you untagged yourself;
       • Credit card information;
       • Geo-location information, including latitude, longitude, and time/date.
     -See
  10. Is Social Media Changing Our Definition of “Privacy”?
     • Courts allowing access to social media accounts
     • Questions arising about who owns the data you share?
     • Courts dealing with issues concerning GPS tracking, phone location records, and other location data collected by social media applications
     • Do privacy settings actually make your data private?
  11. Legislation Regarding Social Media
     • California: illegal to impersonate others online
     • Missouri: briefly made it illegal for teachers to “friend” students
  12. Legislation Regarding Social Media
     • California, Illinois, Maryland, and Michigan: illegal for employers to ask job applicants or workers for social media passwords.
     • California, Delaware, Michigan, and New Jersey: illegal to ask students to disclose social media passwords.
     • At least 14 states (including Missouri) introduced legislation in 2012 that would restrict employers from requesting access to social networking usernames and passwords of applicants, students or employees.
     • SNOPA (Social Network Online Protection Act): Congress wants to make it illegal for employers and schools to ask for social media passwords of employees, students, and applicants.
  13. 13. Regulators FTC: • Employees/contractors who endorse their employer’s products must clearly and conspicuously disclose their relationship. SEC: • Risk Alert issued January 4, 2012 by the Office of Compliance Inspections and Examinations (Investment Adviser Use of Social Media). • Threatened action against Netflix CEO for alleged violation of Reg FD (CEO congratulated Netflix team on Facebook for surpassing 1 billion hours in monthly viewing).© 2013 Armstrong Teasdale LLP
  14. Regulators (continued)
     NLRB:
       • Closely reviewing policies for compliance with section 7 rights.
       • Problems created by confidentiality provisions.
     FDA (regulations not final; long delayed):
       • Only addresses responses to requests re off-label uses. Does not address how to utilize space-limited sites like Twitter to convey risk and safety information for a fair balance.
       • Does not provide clear guidance on the dos and don’ts of social media marketing.
  15. Social Media and Discovery: Many Different Approaches
     • Considered social media under Stored Communications Act and denied production
     • Court ordered one side to turn over its passwords
     • Court ordered parties to friend the judge so that she could review the photos and comments in camera
     • Court said there is no expectation of privacy in Facebook, ordered production
     • Court reviewed plaintiff’s Facebook and MySpace accounts in camera and identified potentially relevant and discoverable information
     • Defendant requested full access to Plaintiff’s Facebook information, but the Court held that the Defendant could not discover private information where there was no showing that such information is reasonably calculated to lead to the discovery of admissible evidence; information is not protected from discovery simply because of privacy settings
     • Trial court erred in granting full access to all of Plaintiff’s Facebook information without a showing that it would all be relevant; privacy settings, however, won’t shield information from discovery
     • Court compelled production of Facebook information during “the relevant time frame”
     • A party does not have a “generalized right to rummage” through private posts over a seven-year period to disprove a Plaintiff’s claim of depression-related symptoms
  16. Where will the balance be found?
     • Social Media is not “privileged” or entitled to other special protections
     • But, not “open season” on everything in one’s Social Media space
       • Application of established rules regarding “Relevant or reasonably calculated to lead to the discovery of relevant information”
     • Some Courts have required turnover of username/password: they have not yet addressed the conflict this creates with the site’s Terms of Use
  17. Location Data
  18. Location Data
     • Patterns of Movement
     • Awareness of Location
  19. Social Media and Discovery: Location
     • Fourth Amendment issues still being decided
     • New Jersey Court says it’s okay for a wife to plant a GPS tracker in her (soon to be ex-) husband’s vehicle
     • OnStar was tracking former subscribers until Senators publicly criticized
     • Insurance companies give discounts for voluntary GPS tracking
  20. Using Others’ Social Media Data
     • Data Mining
     • “Facebook” Sign In/Registration
     • Appropriate Use/Protection of PII
     • Jurisdictional Issues
  21. Data Mining
     • Data Miners are harvesting Social Media data, including usernames, interests, professional history and number of friends/followers
     • Robust debate as to whether “public” disclosure of this information for certain purposes (i.e. social interaction with friends) renders data fair game for collection by Data Miners
     • Potential application of Fair Credit Reporting Act (FCRA) to data miners as “Consumer Reporting Agencies”
  22. Social Media and Children
     • If you collect Social Media data, whose data are you getting?
     • Facebook IPO: Estimated 3.5 million Under-13’s are Facebook Clients
     • Facebook estimates that it closes 800,000 Under-13 accounts per year through various screening processes
     • But, if you collect/mine social media data, need to be aware of possible COPPA implications.
  23. Other Jurisdictions
     • In many respects, U.S. Privacy laws are much less comprehensive than laws of many foreign states.
     • In addition, U.S. law is often much more lenient with respect to the use and disclosure of Personal Information
     • Jurisdictional issues are far from settled.
     • Thus, even if a contemplated collection or use of data is legal under U.S. law, consideration should still be given to other jurisdictions’ law if the data subjects are foreign citizens
  24. Use of Third Parties to collect data
     • May not provide insulation from liability
     • COPPA, for example, defines an “Operator” as a: person who operates a website…or an online service and who collects or maintains personal information…, or on whose behalf such information is collected or maintained… 15 U.S.C. 6501
     • Recent COPPA amendments, moreover, explicitly extend the Act’s coverage to third party collectors
     • European data protection schemes place significant responsibility on the data “controller” which may be the person on whose behalf data was collected
  25. Registering/Logging In Through Facebook
     Facebook’s Policy: When you connect with a game, application or website - such as by going to a game, logging in to a website using your Facebook account, or adding an app to your timeline - we give the game, application, or website (sometimes referred to as just "Applications" or "Apps") your basic info (we sometimes call this your "public profile"), which includes your User ID and your public information. We also give them your friends’ User IDs (also called your friend list) as part of your basic info.
     Source:
  26. User Data obtained from Facebook
     You will have a privacy policy that tells users what user data you are going to use and how you will use, display, share, or transfer that data. In addition, you will include your privacy policy URL in the App Dashboard, and must also include a link to your app’s privacy policy in any app marketplace that provides you with the functionality to do so.
     Source:
  27. What this means…
     • No privacy policy: Potential Liability for Unfair Trade Practices
     • Not following your policy: Potential liability for Deceptive Trade Practices
     • Numerous Trade Practice enforcements by both the F.T.C. and State Attorneys General.
  28. U.S. Regulators can bite
     U.S. v. Path, Inc.: filed 1/31/13
     • Path: social networking site operating through an iOS app
     • App collected and stored information from user’s mobile address book, even if user did not elect this option.
     • FTC challenged the practice as a Deceptive Trade Practice because the collection violated Path’s published privacy policy.
     • FTC also alleged violations of the Children’s Online Privacy Protection Act because, among other things, the App allowed for the knowing collection of personal data of children under age 13, and allowed children to post text, photos, and the child’s precise location.
     • Settlement with the FTC that included $800,000 payment, as well as audited monitoring for next 20 years
  29. Jurisdictional Issues
     • Technology is moving much faster than the law
     • You are subject to privacy laws in your home jurisdiction
     • But, strong regulatory urge to hold entities to the laws of the data subject’s jurisdiction
       • Google’s Italian criminal prosecution
       • U.S. Statutes that purport to apply to collection of U.S. Citizen data by overseas collectors
       • Cloud computing issues: where is the data anyway?
     • Many questions remain to be resolved
  30. Privacy Principles
     In the absence of clear regulatory guidance, generally accepted privacy principles provide some assistance:
     • Notice: Individuals should be told what is being collected, how it is being collected, and how it is being used
     • Choice: Individuals should be given meaningful options on collection and use of PII
     • Access: Individuals should be able to find out what PII is being collected and retained, and have a right to correct or complete the information
     • Security & Integrity: Data is from reputable source, is not stale, and is appropriately secured.
  31. Contacts
     • Jeff Schultz, Partner, Armstrong Teasdale LLP, 314.259.4732
     • Dan Nelson, CIPP/US, Partner, Armstrong Teasdale LLP, 314.552.6650
     schultz/1a/810/507