Privacy law is important for the vast majority of business owners and managers to understand, particularly those whose businesses operate online and employ social media as a marketing tool. Privacy law is not one of the areas of law we consider “overhyped,” as running afoul of privacy laws can be exceptionally costly to your business. Accordingly, your social media strategy, including your company’s social media policy, should be created with privacy law in mind.
Unfortunately, “privacy law” is also an incredibly broad subject that cannot be given due treatment within the confines of anything less than a legal treatise. Nevertheless, keeping the answers to the following questions in mind as you define your social media strategy (and your online strategy generally) will go a long way toward protecting your business, your customers, and ultimately the integrity of your brand:
What is privacy law and how does it affect my business?
“Privacy law” is a general term to describe laws that require businesses and other organizations to adopt particular protocols designed to protect the personally identifiable information (“PII”) of consumers. The term “privacy law” also encompasses torts affecting the personal right to privacy, which are generally governed by common law on a state-by-state basis. Many privacy laws affect US businesses, particularly those businesses that operate in the health care, financial, and education industries, and those businesses that target or knowingly accept information from children.
No all-encompassing law exists that requires businesses to protect data, even certain PII. Still, if your business collects any PII, you are likely subject to privacy laws that will affect the way you collect, use (including sell, share, and transfer), store, and destroy PII. And all individuals and businesses can be liable for wrongfully invading another’s personal right to privacy.
What information do privacy laws require my business to protect?
Privacy laws generally require businesses to protect PII. PII is defined by the U.S. Department of Commerce’s National Institute of Standards and Technology as:
“any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as a name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
The definition of PII turns on whether the information can be used to “distinguish” or “trace” an individual’s identity or whether the information is “linked” or “linkable” to an individual.
So if the information (1) can be used to identify an individual (i.e. “distinguish”), (2) can be used “to make a determination about a specific aspect of an individual’s activities or status” (i.e. “trace”), (3) is logically associated with other information about an individual (i.e. “linked”), or (4) could possibly be logically associated with other information about an individual (i.e. “linkable”), then it is PII, and you may have an obligation to protect it.
What triggers the requirement for my business to protect PII?
Businesses that operate in certain industries and handle particular types of PII have an inherent obligation to protect that PII. Therefore, simply collecting the PII triggers the obligation to protect it. These industries include, among others, the health care, financial, and education industries. Also, any company that knowingly collects information from or targets children (minors under age 13) has to comply with COPPA, which includes provisions related to privacy.*
International laws, or more specifically laws of other nations, vary significantly from US law and are outside the scope of this post. However, simply having a web presence available to consumers in a particular nation can subject you to that nation’s laws regarding protection of PII. You may be subject to liability for violating the laws of other nations and should approach international privacy laws accordingly.
What is my business required to do to protect PII?
What happens if my business does not properly protect PII?
First and foremost, you will damage your relationship with your customers. In addition, you may be subject to legal liability that could negatively affect your bottom line even further. Privacy statutes often prescribe damages based on the number of instances of “misuse” in a given time period. While these damages are often capped at a certain amount per period (e.g. $25,000 per year), they also often come coupled with stringent compliance requirements, including periodic audits.
How can my business implement this knowledge and effectively incorporate it into our social media strategy?
It is also advisable to educate your employees on torts such as the public disclosure of private facts, as sharing information with or about an individual in a public forum can invite liability, even if the information is truthful.
Another tort with ramifications particularly related to social media is appropriation. Appropriation is defined generally as the use of a person’s name, likeness, or identity for commercial purposes without consent. Your company should implement a policy regarding the use of others’ information for commercial endorsement, and educate employees on the ramifications of associating a person with your brand. Check out Derrick Harris’ post for more information on how this issue (and related issues) is currently making Facebook’s already busy legal department even busier.
While I believe the importance of privacy law cannot be “overhyped,” I also believe that educating your employees is the single most important tool for protecting your company. You can spend unlimited money on advice as to what you need to know about privacy law, but if your employees who are engaging on social media don’t know how to use the information, that money is wasted. To protect your brand, develop a social media policy through which you educate your employees about these issues and provide a vehicle in the policy (e.g. dedicated e-mail, hotline, etc.) through which they can ask questions about their social media activity without fear of reprisal.
Where can I learn more about privacy law?
Should you have any questions regarding privacy law or any other social media topic, please contact us or subscribe to our free Q&A service. Stay tuned for our next post in the Social Media Legal Issues series, which will discuss a number of issues related to privacy law, including protecting your trade secrets and other confidential information.