Navigating Privacy And Spam Compliance In Social Media Advertising



This presentation provides a general overview of what social media is, the types of advertising and promotional opportunities available to advertisers, and the compliance issues these may raise with respect to Canadian privacy and anti-spam laws.


  1. Navigating Privacy and Spam Compliance in Social Media Advertising
     David Elder, Stikeman Elliott
     September 20, 2011
     STIKEMAN ELLIOTT LLP
  2. What is Social Media?
     ■ Variety of sites, applications and platforms that allow for participating, talking and networking online, including the ability to share information and resources
     ■ Allow networks of connections to be established
     ■ Allow users to create, upload and disseminate original written and audio/video content
  3. Types of Social Media
     ■ Blogs – e.g. Wordpress, Blogger
     ■ Wikis – e.g. Wikipedia
     ■ Social Bookmarking – e.g. Delicious, Digg
     ■ Social Network Sites – e.g. Facebook, LinkedIn
     ■ Status Update Services – e.g. Twitter
     ■ Virtual Worlds – e.g. Second Life
     ■ Media Sharing Sites – e.g. YouTube, Flickr
  4. Why Social Media Advertising & Promotion?
     ■ Large and growing number of users
     ■ Large portion of online time
     ■ Facilitates “word of mouth” on massive scale
     ■ Leverages consumer’s trusted relationships
     ■ Creates brand loyalty, strong engagement
     ■ Rich data sets allow for more precise targeting
     ■ Deep analytics
  5. Online Advertising Options
     ■ Display advertising
       – Minimal targeting – nature of site
     ■ Contextual advertising
       – Targeting based on current visit to single site search query
     ■ Behavioural advertising
       – Targeting based on profile developed based on history of sites visiting, on-site activity – inferred interests and demographics
     ■ Social advertising
       – Targeted based on context and interaction with site, real interests and demographics, activities of connections
       – Leverages social connections as examples, endorsements
  6. Social Media Advertising & Promotion
     ■ Display ads
     ■ Targeted ads
     ■ Fan pages
     ■ Events, groups,
     ■ Applications – contests, quizzes, games
     ■ User reviews and discussion fora
     ■ Social ads, Promoted tweets
     ■ Like, +1, retweet, etc.
     ■ Almost any on-net activity can be shared with user networks
  7. Applicable Privacy Requirements
     ■ Knowledge & consent required for collection, use & disclosure of personal information
     ■ Sensitivity of information and reasonable expectations of individual relevant to acceptable form of consent
     ■ Purposes must be identified at or before collection
     ■ Can’t require consent as condition of supply or product or service, unless required for legitimate core purposes
     ■ Collection to be limited to what reasonably required to fulfil purposes
     ■ Personal information to be retained only as long as reasonably necessary to fulfil purposes
     ■ Personal information to be accurate and up-to-date
     ■ Individual right of access
     ■ Protected by reasonable security safeguards
  8. Application – So far...
     ■ OPC has taken expansive view of what constitutes personal information.
     ■ Can include:
       – cookies
       – IP addresses
       – Online tracking and behavioural data?
       – Particular concern re mobile data/devices
     ■ Although may appear in public domain, doesn’t mean it can be used for any purpose
  9. The Facebook Decision
     ■ Noted advertising was a legitimate primary purpose for collection of personal information
     ■ Therefore, opt-out consent OK
     ■ But social ads “more intrusive”, require enhanced explanations to users
     ■ App developers access to personal information too open-ended, more specific consents required
     ■ Opt-out insufficient
  10. Data Protection & Security
     ■ Rich and personalized data from social nets and apps are very valuable to identity thieves, fraudsters
     ■ Hacking is now about organized crime, targeted and well-mobilized
     ■ Protect user data accordingly
     ■ Keep only what you need, de-personalize if possible – try to avoid ID theft “keys”
     ■ Consider https connections, encryption for both stored and transmitted data
  11. Privacy Concerns
     ■ 45% of Cdn social network users are concerned about associated privacy risks
     ■ 83% believe companies should ask permission to track online behaviour and Internet usage
     ■ 90% showed widespread concern about businesses that request too much personal information, don’t keep it secure, sell it to others, or use it to send spam
     ■ Majority of social network users feel explanations of use of personal information were vague
     2011 Canadians and Privacy Survey
  12. Children & Privacy
     ■ No COPPA in Canada, but:
     ■ PIPEDA requires “knowledge and consent” – higher hurdle for children?
     ■ Was amendment in C-29 which would have bolstered consent standard: “…reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use and disclosure of the personal information to which they are consenting.”
     ■ OPC has voiced concern, sees as vulnerable group; focusing on outreach, education
     ■ Proceed with extreme caution
  13. Appropriation of Personality
     ■ Relevant to social ads that use name, likeness of someone in network in association with endorsement, sale
     ■ Canadian law recognizes tort of misappropriation of personality, but only “old media” cases
     ■ Similar claims being made in other jurisdictions re social media ads, implied endorsements
     ■ Important to have clear and unambiguous consent
     ■ May still be liability if claims relate to fake profiles
  14. Canada’s Anti-Spam Legislation: Summary
     ■ Prohibits sending commercial electronic messages without express consent (some exceptions)
     ■ Creates identification, contact and unsubscribe obligations
     ■ Prohibits the installation of a computer program without express consent (some exceptions)
     ■ Prohibits the alteration of transmission data or rerouting of messages without express consent
     ■ Creates detailed disclosure requirements to obtain consent
     ■ Creates significant monetary penalties for non-compliance
     ■ Creates private right of action for damages stemming from
  15. Core Anti-Spam Requirement
     ■ Prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless:
     ■ Have the express or implied consent of the recipient
     ■ Message is in the prescribed form:
       – identifies sender/person on whose behalf sent
       – contact info for sender/person on whose behalf sent
     ■ No cost, easy unsubscribe mechanism:
       – Same means as message sent, or other electronic means
       – Gives Electronic address/web link for unsubscribe
       – Effective “without delay”, no later than 10 business days
  16. Key Definitions I
     ■ “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message.
     ■ “electronic address” means an address used in connection with the transmission of an electronic message to
       a) an electronic mail account;
       b) an instant messaging account;
       c) a telephone account; or
       d) any similar account.
  17. Key Definitions II
     1(2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that
       a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;
       b) offers to provide a business, investment or gaming opportunity;
       c) advertises or promotes anything referred to in paragraph (a) or (b); or
       d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.
  18. Key Definitions III
     6. (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless
       a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and
       b) the message complies with subsection (2) [requirements as to sender ID, contact info, unsubscribe]
     …
     (5) This section does not apply to a commercial electronic message
       a) that is sent by or on behalf of an individual to another individual with whom they have a personal or family relationship, as defined in the regulations;
     …
     9. It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.
  19. Not Just for eMail
     ■ Applies to broad array of electronic messages: instant messaging, SMS, social media
     ■ Broad application to commercial activity – not just outright sales pitch
     ■ Generally require express consent to send
     ■ Could be liable if seen to induce social net user to send commercial message to another without consent
  20. Anti-Spam Issues for Social Ads
     ■ Proposed regs define “personal relationship” narrowly
     ■ Issue with “forward-to-a-friend” – suggesting or enabling forward could attract liability
     ■ Identification requirements exhaustive, could be particularly challenging in social media space
     ■ Twitter just announced will be introducing some ads into user’s timelines – can’t opt out
  21. Best Practices - Privacy
     ■ Don’t leave it to social net operator or ad aggregator/server
     ■ Stay on top of Canadian and international laws and trends re privacy, spam
     ■ Assume the worst; law of unintended consequences – test and test again
     ■ Transparency re collection, use and disclosure practices
     ■ Prominent, easy to understand, access – FAQs, layers
     ■ Get best consent you can – scroll and click
     ■ Keep records – onus on you to prove
  22. More Best Practices - Privacy
     ■ Choose partners carefully
     ■ Caution re third party sharing
     ■ Great caution re aggregation with off-net info
     ■ Extra caution re location information
     ■ Monitor User Generated Content
     ■ Robust security – firewall, encryption, limit retention
     ■ Be aware of perceptions, reasonable expectations
  23. Best Practices - Spam
     ■ Don’t spam – and tell users not to
     ■ Review/modify practices for obtaining/developing target lists, choose vendors/partners carefully
     ■ Review/modify formats for electronic marketing
     ■ Ensure effective and timely unsubscribe
     ■ Review/modify program installations, associated disclosures and consent
     ■ Ensure consent records are retained and retrievable
     ■ Engagement of marketing, brand, technical resources to detect issues, ensure compliance
  24. For further information
     David Elder
     STIKEMAN ELLIOTT LLP
     www.stikeman.com