This document summarizes a presentation on legal and regulatory compliance for Facebook marketing in Canada and the US. It provides an overview of privacy laws in both countries, recent social media court cases, and trends. Key points include Canada having a mix of federal and provincial privacy laws while the US lacks a privacy framework. Recent FTC cases against Twitter and Facebook involved deception around privacy and security. Emerging issues include class action lawsuits against Facebook in Canada and the implementation of anti-spam laws with opt-in requirements. The summary concludes with action items around developing social media policies and reviewing privacy practices.

1. Facebook Marketing
Legal and Regulatory Compliance
Socialize Toronto: Monetizing Social Media
January 27, 2012
Presenters: Fazila Nurani, PrivaTech Consulting
David M. Adler, Leavens Strand, Glover & Adler, LLC

2. Objectives
• Understanding the legal
framework and regulator
outlook on Facebook in
Canada and the U.S.
• Key questions from
participants.
• New developments in
Canada and the U.S.
Empowering Organizations to Minimize Privacy Risks

3. Context
• Facebook boasts
over 800 million
active users.
• About 17 million
Canadian and 150
million American
“monthly active
users”
• Default privacy
settings only
changed by 15-
20% of users.
Empowering Organizations to Minimize Privacy Risks

4. Canada’s Privacy Laws
• Privacy laws apply to personal information
collected, used and disclosed in the course of
commercial activities.
• Mix of federal and provincial laws:
• Personal Information Protection and Electronic Documents
Act, 2001– federally regulated businesses, and provinces
without their own private sector privacy law.
• B.C. Personal Information Protection Act, 2004
• Alberta Personal Information Protection Act, 2004
• Quebec Act Respecting the Protection of Personal Information
in the Private Sector, 1994
• Health privacy laws: Alberta, Saskatchewan, Manitoba,
Ontario, New Brunswick, Newfoundland
Empowering Organizations to Minimize Privacy Risks

5. OPCC’s Take on Facebook
• The Office of the Privacy Commissioner of Canada
investigated Facebook’s practices in August of 2009.
Key findings:
 Sharing of personal information with third-party developers
creating Facebook applications raises serious privacy risks.
 Distinction between account deactivation and deletion not clear.
 Lack of transparency in Facebook’s privacy policy.
• September 2010 – OPCC stated the issues raised have
been resolved to her satisfaction, and at the same time
announced her investigation of the “Like” button.
• Stoddart:
“Facebook is one of several rapidly growing and
evolving Internet giants that are presenting ongoing
challenges to privacy regulators around the globe.”
Empowering Organizations to Minimize Privacy Risks

6. Social Media Court Cases in Canada
General Trends:
• Blurring the divide between public
and private life.
• The more friends/fans you have,
the less the “expectation of privacy”.
• Stretching the law to fit the social
media context.
• Focus on fairness.
• Courts are turning to international cases for
guidance.
Empowering Organizations to Minimize Privacy Risks

7. Privacy in The United States
General Observations:
• US: No Privacy Framework in place
• FTC: Federal Agency Safeguarding
Consumer Privacy
• Internet’s “Implicit Bargain” = “Free”
Content in exchange for Marketing
• Online Behavioral Advertising (OBA)
• Industry Self Regulation / “Do Not
Track”
Empowering Organizations to Minimize Privacy Risks

8. Social Media Cases
Consumer Deception/Privacy Risks
• Twitter (2010-2011)
• First FTC Social Media Case
• Charges: hackers gained unauthorized admin control
• Result:
• 20 yr ban on misleading consumers
• Info Security Program subject to audit for 10 yrs
Empowering Organizations to Minimize Privacy Risks

9. Social Media Cases, Cont.
Consumer Deception/Privacy Risks
• Facebook (2011)
• Charges: deceived consumers about public availability of
private info
• Result:
• Bar on misrepresenting privacy and security
• Affirmative Consent Required for Privacy Overrides
• 30 Day access limit for deleted accounts
• Create & maintain comprehensive privacy program
• Third-party audits every 2 yrs for next 20 yrs
Empowering Organizations to Minimize Privacy Risks

10. Social Media Cases, Cont.
Consumer Deception/Privacy Risks
• Data Breach Notification Laws
• Federal: Data Accountability and Trust Act (DATA)
• State:
• www.ncsl.org
• CA: Consumers can request copy of a Web Site’s
Data Breach Notification Polcy
Empowering Organizations to Minimize Privacy Risks

11. Participants – Top 3 Questions
Empowering Organizations to Minimize Privacy Risks

12. New Developments and Path Forward
• Ongoing class action lawsuit against Facebook launched
in a Manitoba court claiming the social media site misled
users into letting their personal information be sold for a
profit.
• December 6, 2011 – OPCC released Guidelines for
online behavioural advertising.
• Coming into force soon – Canada’s new anti-spam law,
the Fighting Internet and Wireless Spam Act (“FISA”)
• Opt-in model for commercial electronic messages.
• New definitions for “family” and “personal”
relationships may pose cost implications for social
media marketers.
Empowering Organizations to Minimize Privacy Risks

13. Privacy Trends in the U.S.
• Federal Privacy Legislation
• “Do Not Track” bill from Sen. John D Rockefeller
(D-W.Va.)
• “privacy bill of rights” from Sens. John McCain (R-
Ariz.) and John Kerry (D-Mass.)
• FTC Guidelines
• Online Behavioral Advertising Principals
• Industry Initiatives
Empowering Organizations to Minimize Privacy Risks

14. Summary
• Privacy Rights
• Will continue to evolve in the U.S.
• Will be subject to new federal (and possibly state)
regulation
• Action Items
• Develop a Social Media Policy
• Review/Update your Firm’s Privacy Policy
• Conduct Due Diligence on digital marketing partners
to understand how consumer information is: 1)
gathered, 2) stored, & 3) shared
Empowering Organizations to Minimize Privacy Risks

15. Questions…?
Fazila Nurani, B.A.Sc.(E.Eng.), LL.B, CIPP/C
Senior Counsel and Lead Trainer
PrivaTech Consulting
Phone: 1-905-886-0751
Fax: 1-905-886-9974
_____________
David M. Adler
Leavens, Strand, Glover & Adler, LLC
203 North LaSalle Street, Suite 2550
Chicago, Illinois 60601
Direct: (866) 734-2568
Fax: (312) 275-7534
www.ecommerceattorney.com
Empowering Organizations to Minimize Privacy Risks