This presentation provides a general overview of what social media is, the types of advertising and promotional opportunities available to advertisers, and the compliance issues these may raise with respect to Canadian privacy and anti-spam laws.
Navigating Privacy And Spam Compliance In Social Media Advertising
1. Navigating Privacy and Spam
Compliance in Social Media
Advertising
David Elder
Stikeman Elliott
September 20, 2011
STIKEMAN ELLIOTT LLP www.stikeman.com
2. Navigating Privacy and Spam Compliance
What is Social Media?
■ Variety of sites, applications and platforms that allow for
participating, talking and networking online, including
the ability to share information and resources
■ Allow networks of connections to be established
■ Allow users to create, upload and disseminate original
written and audio/video content
3. Navigating Privacy and Spam Compliance
Types of Social Media
■ Blogs – e.g. Wordpress, Blogger
■ Wikis – e.g. Wikipedia
■ Social Bookmarking – e.g. Delicious, Digg
■ Social Network Sites – e.g. Facebook, LinkedIn
■ Status Update Services – e.g. Twitter
■ Virtual Worlds – e.g. Second Life
■ Media Sharing Sites – e.g. YouTube, Flickr
4. Navigating Privacy and Spam Compliance
Why Social Media Advertising & Promotion?
■ Large and growing number of users
■ Large portion of online time
■ Facilitates “word of mouth” on massive scale
■ Leverages consumers’ trusted relationships
■ Creates brand loyalty, strong engagement
■ Rich data sets allow for more precise targeting
■ Deep analytics
5. Navigating Privacy and Spam Compliance
Online Advertising Options
■ Display advertising
– Minimal targeting – nature of site
■ Contextual advertising
– Targeting based on current visit to single site, search query
■ Behavioural advertising
– Targeting based on profile developed from history of sites
visited, on-site activity – inferred interests and demographics
■ Social advertising
– Targeted based on context and interaction with site, real
interests and demographics, activities of connections
– Leverages social connections as examples, endorsements
6. Navigating Privacy and Spam Compliance
Social Media Advertising & Promotion
■ Display ads
■ Targeted ads
■ Fan pages
■ Events, groups
■ Applications – contests, quizzes, games
■ User reviews and discussion fora
■ Social ads, Promoted tweets
■ Like, +1, retweet, etc.
■ Almost any on-net activity can be shared with user networks
7. Navigating Privacy and Spam Compliance
Applicable Privacy Requirements
■ Knowledge & consent required for collection, use & disclosure of
personal information
■ Sensitivity of information and reasonable expectations of individual
relevant to acceptable form of consent
■ Purposes must be identified at or before collection
■ Can’t require consent as condition of supply of product or service,
unless required for legitimate core purposes
■ Collection to be limited to what reasonably required to fulfil purposes
■ Personal information to be retained only as long as reasonably necessary
to fulfil purposes
■ Personal information to be accurate and up-to-date
■ Individual right of access
■ Protected by reasonable security safeguards
8. Navigating Privacy and Spam Compliance
Application – So far...
■ OPC has taken expansive view of what constitutes
personal information.
■ Can include:
– cookies
– IP addresses
– Online tracking and behavioural data?
– Particular concern re mobile data/devices
■ Although may appear in public domain, doesn’t mean it
can be used for any purpose
9. Navigating Privacy and Spam Compliance
The Facebook Decision
■ Noted advertising was a legitimate primary purpose for
collection of personal information
■ Therefore, opt-out consent OK
■ But social ads “more intrusive”, require enhanced
explanations to users
■ App developers’ access to personal information too
open-ended, more specific consents required
■ Opt-out insufficient
10. Navigating Privacy and Spam Compliance
Data Protection & Security
■ Rich and personalized data from social nets and apps are
very valuable to identity thieves, fraudsters
■ Hacking is now about organized crime, targeted and
well-mobilized
■ Protect user data accordingly
■ Keep only what you need, de-personalize if possible – try
to avoid ID theft “keys”
■ Consider https connections, encryption for both stored
and transmitted data
11. Navigating Privacy and Spam Compliance
Privacy Concerns
■ 45% of Cdn social network users are concerned about
associated privacy risks
■ 83% believe companies should ask permission to track
online behaviour and Internet usage
■ 90% showed widespread concern about businesses that
request too much personal information, don’t keep it
secure, sell it to others, or use it to send spam
■ Majority of social network users feel explanations of use
of personal information were vague
2011 Canadians and Privacy Survey
12. Navigating Privacy and Spam Compliance
Children & Privacy
■ No COPPA in Canada, but:
■ PIPEDA requires “knowledge and consent” – higher hurdle for
children?
■ Was amendment in C-29 which would have bolstered consent
standard:
“…reasonable to expect that the individual understands the nature,
purpose and consequences of the collection, use and disclosure of
the personal information to which they are consenting.”
■ OPC has voiced concern, sees as vulnerable group; focusing on
outreach, education
■ Proceed with extreme caution
13. Navigating Privacy and Spam Compliance
Appropriation of Personality
■ Relevant to social ads that use name, likeness of
someone in network in association with endorsement,
sale
■ Canadian law recognizes tort of misappropriation of
personality, but only “old media” cases
■ Similar claims being made in other jurisdictions re social
media ads, implied endorsements
■ Important to have clear and unambiguous consent
■ May still be liability if claims relate to fake profiles
14. Navigating Privacy and Spam Compliance
Canada’s Anti-Spam Legislation: Summary
■ Prohibits sending commercial electronic messages without
express consent (some exceptions)
■ Creates identification, contact and unsubscribe obligations
■ Prohibits the installation of a computer program without
express consent (some exceptions)
■ Prohibits the alteration of transmission data or rerouting of
messages without express consent
■ Creates detailed disclosure requirements to obtain consent
■ Creates significant monetary penalties for non-compliance
■ Creates private right of action for damages stemming from
15. Navigating Privacy and Spam Compliance
Core Anti-Spam Requirement
■ prohibited to send or cause or permit to be sent to an
electronic address a commercial electronic message unless:
■ Have the express or implied consent of the recipient
■ Message is in the prescribed form:
– identifies sender/person on whose behalf sent
– contact info for sender/person on whose behalf sent
■ No cost, easy unsubscribe mechanism:
– Same means as message sent, or other electronic means
– Gives Electronic address/web link for unsubscribe
– Effective “without delay”, no later than 10 business days
16. Navigating Privacy and Spam Compliance
Key Definitions I
■ “electronic message” means a message sent by any
means of telecommunication, including a text, sound,
voice or image message.
■ “electronic address” means an address used in
connection with the transmission of an electronic
message to
a) an electronic mail account;
b) an instant messaging account;
c) a telephone account; or
d) any similar account.
17. Navigating Privacy and Spam Compliance
Key Definitions II
1(2) For the purposes of this Act, a commercial electronic message is
an electronic message that, having regard to the content of the
message, the hyperlinks in the message to content on a website or
other database, or the contact information contained in the message,
it would be reasonable to conclude has as its purpose, or one of its
purposes, to encourage participation in a commercial activity,
including an electronic message that
a) offers to purchase, sell, barter or lease a product, goods, a service,
land or an interest or right in land;
b) offers to provide a business, investment or gaming opportunity;
c) advertises or promotes anything referred to in paragraph (a) or (b);
or
d) promotes a person, including the public image of a person, as being
a person who does anything referred to in any of paragraphs (a) to
(c), or who intends to do so.
18. Navigating Privacy and Spam Compliance
Key Definitions III
6. (1) It is prohibited to send or cause or permit to be sent to an
electronic address a commercial electronic message unless
a) the person to whom the message is sent has consented to
receiving it, whether the consent is express or implied; and
b) the message complies with subsection (2) [requirements as to
sender ID, contact info, unsubscribe]
…
(5) This section does not apply to a commercial electronic message
a) that is sent by or on behalf of an individual to another individual
with whom they have a personal or family relationship, as defined
in the regulations;
…
9. It is prohibited to aid, induce, procure or cause to be procured the
doing of any act contrary to any of sections 6 to 8.
19. Navigating Privacy and Spam Compliance
Not Just for eMail
■ Applies to broad array of electronic messages: instant
messaging, SMS, social media
■ Broad application to commercial activity – not just
outright sales pitch
■ Generally require express consent to send
■ Could be liable if seen to induce social net user to send
commercial message to another without consent
20. Navigating Privacy and Spam Compliance
Anti-Spam Issues for Social Ads
■ Proposed regs define “personal relationship” narrowly
■ Issue with “forward-to-a-friend” – suggesting or enabling
forward could attract liability
■ Identification requirements exhaustive, could be
particularly challenging in social media space
■ Twitter just announced will be introducing some ads into
users’ timelines – can’t opt out
21. Navigating Privacy and Spam Compliance
Best Practices - Privacy
■ Don’t leave it to social net operator or ad aggregator/server
■ Stay on top of Canadian and international laws and trends re
privacy, spam
■ Assume the worst; law of unintended consequences – test and
test again
■ Transparency re collection, use and disclosure practices
■ Prominent, easy to understand, access – FAQs, layers
■ Get best consent you can – scroll and click
■ Keep records – onus on you to prove
22. Navigating Privacy and Spam Compliance
More Best Practices - Privacy
■ Choose partners carefully
■ Caution re third party sharing
■ Great caution re aggregation with off-net info
■ Extra caution re location information
■ Monitor User Generated Content
■ Robust security – firewall, encryption, limit retention
■ Be aware of perceptions, reasonable expectations
23. Navigating Privacy and Spam Compliance
Best Practices - Spam
■ Don’t spam – and tell users not to
■ Review/modify practices for obtaining/developing target lists,
choose vendors/partners carefully
■ Review/modify formats for electronic marketing
■ Ensure effective and timely unsubscribe
■ Review/modify program installations, associated disclosures
and consent
■ Ensure consent records are retained and retrievable
■ Engagement of marketing, brand, technical resources to
detect issues, ensure compliance
24. For further information
David Elder
delder@stikeman.com
STIKEMAN ELLIOTT LLP www.stikeman.com