Legalities of Social Media


In today's digitally connected world, consumers have more access than ever to brands. From Liking and Tweeting to Pinning, individuals engage with businesses in real, tangible ways daily. While this has presented brands with an entirely new sphere of opportunities, it has also opened a fresh avenue of responsibility.

The half-day Legalities of Social Media workshop, presented by Quirk’s Group CFO Andrew Allison, will school attendees in the importance of risk management and the many legal ramifications for brands operating within the growing number of online social spaces.


  1. 1. PART 1 Managing the Legal Risks: Social Media in the Workplace. Andrew Allison, Quirk. Disclaimer: This presentation has been prepared for the sole use of the delegates who attended the workshops held by Quirk Education in CT and JHB on 3 and 5 April 2012. Furthermore, no information contained in this presentation shall be construed as advice – it is for educational and information purposes only and is provided on an "as is" basis. You accordingly assume total responsibility and risk for your use of and reliance on the presentation.
  2. 2. If you want to learn about risk, give mining a try
  3. 3. …and more specifically, try gold mining
  4. 4. So what does gold mining have to do with social media?
  5. 5. Translating and applying the mining industry’s risk management framework to the office environment
  6. 6. International Organization for Standardization. ISO 31000: family of standards “to provide principles and generic guidelines on risk management”
  7. 7. What is risk? “The effect of uncertainty on objectives, whether positive or negative”
  8. 8. Risk management steps: 1. identify 2. assess 3. prioritise 4. treat
  9. 9. Risk treatment: 1. eliminate 2. mitigate 3. share 4. accept
  10. 10. So what is the biggest single source of risk in the office environment?
  11. 11. these guys
  12. 12. Vicarious liability (employer’s general risk)
  13. 13. What is vicarious liability? Strict – or “no fault” – liability of an employer for the conduct of an employee acting in the course and scope of employment
  14. 14. Bezuidenhout NO v Eskom 2003
  15. 15. Managing the risks posed by vicarious liability: 1. identify 2. assess 3. prioritise 4. treat
  16. 16. Treating the risks posed by vicarious liability: 1. eliminate 2. mitigate 3. share 4. accept
  17. 17. …and so what about social media?
  18. 18. Step 1. Identify. Conduct: use of social media in the workplace
  19. 19. Step 2. Assess
  20. 20. 4 specific risks: Defamation, Confidentiality, Personal Information, Intellectual Property
  21. 21. 1st risk (Defamation, Confidentiality, Personal Information, Intellectual Property)
  22. 22. Defamation: “the intentional and wrongful publication of words or behaviour to a third party which has the effect (objectively viewed) of injuring or undermining a person’s or entity’s good name, status or reputation”
  23. 23. Defamation: The internet has increased the scope of and risk associated with defamation. There are now more ways in which publication may occur
  24. 24. Remember: Defamation includes the repeating, confirmation or proliferation of defamatory content… …so beware of republishing, email forwarding, linking and retweeting
  25. 25. Key criteria: Once publication has been established, it is presumed that publication was: > intentional > wrongful or unlawful
  26. 26. Defences: Against wrongfulness: truth for public benefit, fair comment, privilege, consent and necessity. Against intent: mistake, jest, intoxication and insanity
  27. 27. …and, of course, vicarious liability
  28. 28. Defamation: eliminate > mitigate > share > accept
  29. 29. Eliminate: > Lock employees out of social media sites > Limit access for work purposes only
  30. 30. Mitigate: > Training > Internet usage and email policies > Communications and brand guidelines > Management pre-approval of publications
  31. 31. Share: > Disclaimers on digital properties > Website terms and conditions > Insurance
  32. 32. Accept: Hope for the best and deal with it if it happens
  33. 33. “psychotic, lying, whoring, still-going-to-clubs-at-her-age skank” This guy shot JFK
  35. 35. 2nd risk (Defamation, Confidentiality, Personal Information, Intellectual Property)
  36. 36. Pretty much all well-drafted commercial agreements these days contain confidentiality – or non-disclosure – provisions of some sort or another.
  37. 37. …once again, vicarious liability
  38. 38. Confidentiality: eliminate > mitigate > share > accept
  39. 39. Eliminate: > Do not accept confidential material > Only accept what is strictly necessary
  40. 40. Mitigate: > Training > Employment agreements and policies > Secure networks and robust IT infrastructure
  41. 41. Share: > Well considered NDAs > Insurance
  42. 42. Accept: Hope for the best and deal with it if it happens
  43. 43. 3rd risk (Defamation, Confidentiality, Personal Information, Intellectual Property)
  44. 44. The right to privacy is protected by the Constitution. However, there is currently no umbrella law governing privacy of personal information in South Africa
  45. 45. Chapter 8 of ECTA contains a data protection “Code of Good Practice”, but compliance is voluntary. If adopted, the principles should be included in website privacy policy and consequences of breach should be clearly stipulated
  46. 46. By contrast, the UK’s Data Protection Act has been in effect since 1998 and gives effect to the EU Data Protection Directive
  47. 47. Enter the Protection of Personal Information Bill (POPI)… to be discussed in more detail later
  48. 48. Direct Marketing: Opt-in versus opt-out
  49. 49. Direct marketing: Opt out. ECTA (section 45) and the CPA (section 11) both require direct marketers to provide recipients with an option to “opt out”. The CPA envisages an “opt out” registry (like that of the DMASA), but this has not yet been implemented
  50. 50. Direct marketing: Opt out. DMASA and ISPA Codes of Good Practice both endorse an “opt out” system.
  51. 51. Direct marketing: Opt in. POPI, however, will implement an “opt in” framework, mirroring the approach being adopted in Europe
  52. 52. Direct marketing: Opt in. Direct marketing will be prohibited except: > with specific consent of the data subject > to customers, where: > the processor has obtained personal information in the context of a sale > for marketing of processor’s similar products/services > if data subject has been given opportunity to object or opt out (free of charge)
  53. 53. Direct marketing: Soft opt in. In the UK, the implied “opt in” is known as a “soft opt in”. It applies also in the context of negotiations leading up to a sale
  54. 54. …you know the score by now
  55. 55. Personal Information: eliminate > mitigate > share > accept
  56. 56. Eliminate: > Do not collect/process personal information > Only collect what is strictly necessary
  57. 57. Mitigate: > Training > Internal policies and guidelines > IT and online security > Compliance with ECTA, CPA and POPI > Regular audits
  58. 58. Share: > Detailed commercial agreements > Website terms and conditions > Insurance
  59. 59. Accept: Hope for the best and deal with it if it happens
  60. 60. 4th risk (Defamation, Confidentiality, Personal Information, Intellectual Property)
  61. 61. What is IP? “A work or invention that is the result of creativity, such as a manuscript or a design, to which one has rights and for which one may apply for a patent, copyright, trademark, etc.”
  62. 62. Intellectual Property: Copyright, Trademark, Patent
  63. 63. COPYRIGHT
  64. 64. What is copyright? “A proprietary right which arises automatically when an author reduces an idea to a material form”
  65. 65. What is copyright? No requirement for registration (in SA). Copyright can be: > assigned (must be in writing and signed) > licensed
  66. 66. What is copyright? Copyright persists for 50 years: > from date of publication (for companies) > from the death of the author (for natural persons)
  67. 67. Moral rights: Moral rights vest in the author/creator of copyrighted works. Cannot be assigned, but can be waived
  68. 68. Moral rights: Moral rights include: > the right to attribution (paternity) > the right to integrity
  69. 69. Breach of copyright: Breach or infringement of copyright may be: > direct (guilty knowledge is not a pre-requisite) > secondary/indirect (unauthorised dealing) > contributory (facilitation of infringement)
  70. 70. Important! Copyright in work produced by employee in the course of employment vests with employer. Online properties often comprise many different copyrighted assets
  71. 71. TRADEMARKS
  72. 72. What is a trademark? A mark which distinguishes a person’s goods or services (requirement of distinctiveness). Must be registered with CIPC and renewed every 10 years
  73. 73. Breach of TM: Infringer’s mark is confusingly similar in respect of the same goods/services (reasonable likelihood of confusion). Infringer’s mark is identical or similar to a registered mark in respect of similar goods or services
  74. 74. Breach of TM: Dilution of trade mark: > by blurring (dilution of uniqueness; may be different or non-competing goods/services) > by tarnishment (negative/offensive use of TM)
  75. 75. Meta tags and PPC: A common sense approach should be employed (certain bona fide uses protected under Trade Marks Act) > purely descriptive purposes (advertising products on an e-commerce site) would generally be ok > use of a competitor’s marks to deceive or lure consumers would generally not be ok
  76. 76. In depth – trademark This is Terri Welles
  77. 77. Intellectual Property: eliminate > mitigate > share > accept
  78. 78. Eliminate: > Use only proprietary material > Limit access to the internet / social media
  79. 79. Mitigate: > Training > Internal policies and guidelines > Provide access to stock content providers > Regular audits and management sign-off
  80. 80. Share: > Detailed commercial agreements > Limit liability for 3rd party IP infringements > Insurance
  81. 81. Accept: Hope for the best and deal with it if it happens
  82. 82. “We’re comfortable with people using our images to build traffic. The point in time when they have a business model, they have to have some sort of licence”. Jonathan Klein, CEO, Getty
  83. 83. Who owns your Twitter account?
  84. 84. …or who is using it??
  85. 85. …back to mining
  86. 86. Social Media Policy: • Guidelines for principle-based approach (Coca Cola) • “Big stick” approach (Commonwealth Bank) • Hybrid (educational and regulatory)
  87. 87. Risk management steps: 1. identify 2. assess 3. prioritise 4. treat
  88. 88. Risk treatment: 1. eliminate 2. mitigate 3. share 4. accept
  89. 89. the end (of Part 1)
  90. 90. BREAK
  91. 91. Managing the Legal Risks: Social Media in the Workplace. Andrew Allison, Quirk. PART 2
  93. 93. Electronic Communications & Transactions Act (ECTA), Consumer Protection Act (CPA), Protection of Personal Information Bill (POPI)
  95. 95. Purpose: Why. To enable and facilitate electronic transactions by creating legal certainty around transactions and communications conducted electronically
  96. 96. Purpose: How. By: > developing a national e-strategy for SA > ensuring recognition and equivalence between electronic and paper-based transactions > promoting confidence in electronic transactions > providing supervision of certain service providers
  97. 97. ECTA and consumers: Chapter 7: Consumer Protection. Chapter 8: Personal Information & Privacy Protection
  98. 98. ECTA: Chapter 7 Section 43. Must give consumers required information, including: • the price of the product or service; • contact details; and • the right to withdraw from an electronic transaction before its completion, or consumer can cancel within 14 days
  99. 99. ECTA: Chapter 7 Section 44. Cooling-off period (7 days): • for contract for goods, from date of receipt • for contract of services, from date of contract
  100. 100. ECTA: Chapter 8. Voluntary data protection “Code of Good Practice”. Principles must be adopted in whole; cannot be adopted in part
  101. 101. ECTA: Chapter 8 Section 51. Principles for collecting personal info: > Must have written consent for processing of personal information > May not collect unnecessary information > Must disclose purpose(s) of processing, and may only process for such purpose(s)
  102. 102. ECTA: Chapter 8 Section 51. > Must keep record of data and purpose for which it was processed for 1 year > Must not disclose data (except as required by law) > Must delete obsolete data > May use data to compile statistical profiles for trade, but must not include personal info
  103. 103. ECTA: Chapter 8 Section 50. If adopted, the principles should be included in website privacy policy or terms and conditions and consequences of breach should be clearly stipulated. Remedies for breach of code are as agreed between the parties.
  105. 105. CPA: Why? “To promote a fair, accessible and sustainable marketplace for consumer products and services and for that purpose to establish national norms and standards relating to consumer protection…”
  106. 106. CPA: Who? The Consumer: > A person to whom goods or services are marketed in the ordinary course of business > A user of goods or a recipient or beneficiary of services, irrespective of whether that person was party to a transaction concerning the supply of those goods or services
  107. 107. CPA: Who? Excluded from the definition of “consumers” are juristic persons with an asset value or annual turnover of more than R2 million
  108. 108. “THANK GOD I DON’T SELL GOODS!!”
  109. 109. CPA: Goods. Includes any literature, music, photograph, motion picture, game, information, data, software, code, or other intangible product written or encoded on any medium, or a licence to use any such intangible product
  110. 110. CPA: Consumer Rights. The CPA recognises 8 fundamental rights of consumers
  111. 111. CPA: Right #1. Protection against unfair discriminatory marketing (at any step in the sales process)
  112. 112. CPA: Right #2. The right to privacy: > Restrictions on direct marketing > “Opt-out” registry to be established > Already contained in ECTA
  113. 113. CPA: Right #3. The right to choose: > The right to select suppliers (supply of goods/services must not be made conditional upon supply of other goods/services, unless it would be to the consumer’s benefit to do so)
  114. 114. CPA: Right #3. The right to choose – fixed term contracts: > Does not apply to transactions between juristic persons > Contracts may not exceed 24 months > Consumer may cancel at any time on 20 business days’ notice
  115. 115. CPA: Right #3. The right to choose: > Pre-authorisation of repairs/maintenance: where supplier takes possession of consumer’s property to provide repair/maintenance services, no cost may be incurred without consumer’s approval of estimate
  116. 116. CPA: Right #3. The right to choose: > Cooling-off period (direct marketing): consumer may return goods within 5 business days from the date of contract or the date on which goods were delivered > This does not apply to electronic transactions (7 day cooling-off period under ECTA)
  117. 117. CPA: Right #3. The right to choose: > Right to cancel advance reservation, booking or order (reasonable deposit and cancellation charges may be levied)
  118. 118. CPA: Right #3. The right to choose: > The right to choose/examine goods (must materially correspond with descriptions/samples)
  119. 119. CPA: Right #3. The right to choose: > Unsolicited goods may be kept/returned unless: • supplier advises of error within 10 business days and collects goods within 20 business days; or • goods have clearly been misdelivered and supplier fails to collect after 20 business days’ notice by the recipient
  120. 120. CPA: Right #4. The right to plain/understandable language: > To be aimed at the ordinary consumer of the class of persons for whom the information is intended (average literacy skills; minimal consumer experience of the particular goods/services)
  121. 121. CPA: Right #4. The right to plain/understandable language: > Price must be disclosed (subject to s43 ECTA) > Product labelling and trade descriptions must be accurate and not misleading
  122. 122. CPA: Right #5. The right to fair/responsible marketing: > General standards (must not be false, misleading, deceptive, fraudulent) > Bait marketing is prohibited > Negative option marketing is prohibited
  123. 123. CPA: Right #5. The right to fair/responsible marketing: > Competitions • Must be conducted fairly • Promoter may not require consideration to be paid for entry to a competition • Promoter must prepare competition rules • The competition and the draw must be audited
  124. 124. CPA: Right #5. The right to fair/responsible marketing: > Competitions (ineligibility for prizes) • A winner to whom it is unlawful to supply the prize • A director/employee/consultant of the promoter • A supplier of goods/services in connection with competition
  125. 125. CPA: Right #5. The right to fair/responsible marketing: > Competitions (offer requirements) • Benefit/prize and entry steps must be identified • Closing date and basis of draw must be defined • Must state how results will be announced • List person, place and date at/from which rules may be obtained and prize will be received
  126. 126. CPA: Right #6. The right to fair and honest dealing: > Unconscionable conduct > False, misleading or deceptive representations > Fraudulent schemes and offers > Pyramid schemes > Over-selling and over-booking
  127. 127. CPA: Right #7. The right to fair, just and reasonable t’s and c’s: > May not include unfair, unreasonable or unjust contract terms > Notice of certain terms is required > Certain prohibited transactions, agreements, terms and conditions
  128. 128. CPA: Right #8. The right to fair value, good quality and safety: > Right to demand quality services > Right to safe, good quality goods
  129. 129. CPA: Right #8. The right to fair value, good quality and safety: > Implied warranty of quality (s56) • Irrelevant whether defect is patent or latent (no more voetstoots for suppliers) • 6 month return period: repair, replace or refund • Further 3 month return period if goods or components have been replaced or repaired
  130. 130. CPA: Right #8. The right to fair value, good quality and safety: > Liability for damage caused by goods (s61) • Strict product liability (i.e. no fault necessary) • Liability is joint and several • Applies to producer, importer, distributor, retailer • Relates to death, injury, illness, loss of or damage to property, and economic loss
  131. 131. CPA: Who can bring a claim? > Consumer in personal capacity > Groups of interested consumers (class actions) > A person acting in the public interest > Association acting on behalf of members > Authorised person acting on behalf of an incapacitated person
  132. 132. CPA: Penalties: > Damages claim > Fine > Imprisonment – up to 12 months (10 years for disclosure of private information) > Administrative penalty: up to R1 million or 10% of annual turnover, whichever is greater
  134. 134. POPI: Why? > To give effect to the Constitutional right to privacy > To regulate the collection/processing of personal information > To provide individuals with rights and remedies > To establish an Information Protection Commission
  135. 135. POPI: Who? “Data Subject” – a person to whom personal information relates. “Responsible Party” – any person which, alone or with others, determines the purpose of and means for processing personal information
  136. 136. POPI: What? “Personal Information” includes: > race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical health, disability, religion, belief, culture, language and birth; > education, or medical, financial, criminal or employment history; > identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment; > personal opinions, views or preferences (or opinions about individual) > confidential correspondence
  137. 137. POPI Principles: Like the CPA, POPI is based on 8 fundamental principles of data protection
  138. 138. POPI Principle 1: Accountability. Responsible party must ensure compliance with Principles and measures in Act.
  139. 139. POPI Principle 2: Processing Limitation. > Processing must be lawful and be done in a reasonable manner which doesn’t infringe privacy of data subject > Processing must, for given purpose, be adequate, relevant and not excessive
  140. 140. POPI Principle 2: Processing Limitation. Personal information may only be processed (broadly): > with the data subject’s consent > if processing is necessary for completion of a contract > if it protects a legitimate interest of the data subject > if in compliance with an obligation imposed by law
  141. 141. POPI Principle 2: Processing Limitation. Information must be collected from the data subject, except: > where info is contained in public record or has been made public by the data subject; > data subject consents to collection from another source; > collection from another source would not prejudice legitimate interest of the data subject
  142. 142. POPI Principle 3: Purpose Specification. > Information must be collected for specific, explicitly defined and lawful purpose > Data subject must be made aware of purpose > Records of information must not be retained longer than is necessary for achieving purpose of collection/processing
  143. 143. POPI Principle 4: Further Processing Limitation. > Must be compatible with purpose of collection (Principle 3) > Must consider relationship with data subject, the purpose and the further purpose, the consequences of further processing and the nature of the information
  144. 144. POPI Principle 4: Further Processing Limitation. Will be compatible with purpose of collection if: > Data subject consents or info is publicly available > Further processing is necessary to comply with law > Information is used for historical, statistical or research purposes and will not be published in identified form.
  145. 145. POPI Principle 5: Quality of Information. Responsible party must take reasonably practicable steps to ensure that information is complete, accurate, not misleading and updated where necessary
  146. 146. POPI Principle 6: Openness. Responsible party must notify the Information Protection Regulator before collecting information (need only be given once)
  147. 147. POPI Principle 6: Openness. Responsible party must ensure data subject is aware of: > information being collected and purpose of collection > name and address of responsible party > whether collection is voluntary or mandatory > consequences of failure to provide information
  148. 148. POPI Principle 6: Openness. Responsible party must ensure awareness: > where information is collected direct from data subject, before collection (unless data subject is already aware); > in any other case, before information is collected or as soon as reasonably practicable after it has been collected
  149. 149. POPI Principle 7: Security Safeguards. > Responsible party must secure integrity of personal information in its possession or under its control > Operators (who process personal information on behalf of a responsible party) must process information only with knowledge of responsible party and treat it as confidential
  150. 150. POPI Principle 8: Data Subject Participation. Data subject has the right: > to request details of information held by a responsible party > to request correction or deletion of personal information that is inaccurate, irrelevant, excessive, incomplete, out of date, misleading or unlawfully obtained > to request deletion of a record that responsible party is no longer authorised to hold
  152. 152. …it’s ok to be afraid