The Canal Street Blog

Business-focused legal discussion

Social Media Legal Issues: (Post Number 3): Privacy Law, Privacy Policies, and Your Company’s Social Media Strategy

Privacy law is important for the vast majority of business owners and managers to understand, particularly those whose businesses operate online and employ social media as a marketing tool. Privacy law is not one of the areas of law we consider “overhyped,” as running afoul of privacy laws can be exceptionally costly to your business. Accordingly, your social media strategy, including your company’s social media policy, should be created with privacy law in mind.

Unfortunately, “privacy law” is also an incredibly broad subject that cannot be given due treatment within the confines of anything less than a legal treatise. Nevertheless, keeping the answers to the following questions in mind as you define your social media strategy (and your online strategy generally) will go a long way toward protecting your business, your customers, and ultimately the integrity of your brand:

What is privacy law and how does it affect my business?

“Privacy law” is a general term to describe laws that require businesses and other organizations to adopt particular protocols designed to protect the personally identifiable information (“PII”) of consumers. The term “privacy law” also encompasses torts affecting the personal right to privacy, which are generally matters of common law that vary from state to state. Many privacy laws affect US businesses, particularly those businesses that operate in the health care, financial, and education industries, and those businesses that target or knowingly accept information from children.

No all-encompassing law exists that requires businesses to protect data, even certain PII. Still, if your business collects any PII, you are likely subject to privacy laws that will affect the way you collect, use (including sell, share, and transfer), store, and destroy PII. And all individuals and businesses can be liable for wrongfully invading another’s personal right to privacy.

What information do privacy laws require my business to protect?

Privacy laws generally require businesses to protect PII. PII is defined by the U.S. Department of Commerce’s National Institute of Standards and Technology as:

“any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as a name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

The definition of PII turns on whether the information can be used to “distinguish” or “trace” an individual’s identity or whether the information is “linked” or “linkable” to an individual.

So if the information (1) can be used to identify an individual (i.e. “distinguish”), (2) can be used “to make a determination about a specific aspect of an individual’s activities or status” (i.e. “trace”), (3) is logically associated with other information about an individual (i.e. “linked”), or (4) could be logically associated with other information about an individual (i.e. “linkable”), then it is PII, and you may have an obligation to protect it.

While this general definition is a solid guideline, particular statutes may define PII differently. Also, if drafting your privacy policy, you may want to define PII more narrowly to potentially decrease the compliance burden on your business.*

What triggers the requirement for my business to protect PII?

Businesses that operate in certain industries and handle particular types of PII have an inherent obligation to protect that PII. Therefore, simply collecting the PII triggers the obligation to protect it. These industries include, among others, the health care, financial, and education industries. Also, any company that knowingly collects information from or targets children (minors under age 13) has to comply with the provisions of COPPA, which includes provisions related to privacy.*

The FTC has pursued companies for failing to properly adhere to their published privacy policies. Because there is no general requirement for businesses to publish a privacy policy, many businesses choose not to adopt one for fear of inviting liability. However, this tack is wrongheaded, not only because many states require websites to post privacy policies (e.g. California’s Online Privacy Protection Act), but also because consumers expect a certain level of privacy regardless of whether a policy is posted. Your business will inevitably be damaged by the “misuse” of PII, even if such use does not subject your business to legal liability.

International laws, or more specifically laws of other nations, vary significantly from US law and are outside the scope of this post. However, simply having a web presence available to consumers in a particular nation can subject you to that nation’s laws regarding protection of PII. You may be subject to liability for violating the laws of other nations and should approach international privacy laws accordingly.

*It should be noted that businesses with a statutorily created obligation to protect PII likely cannot “contract away” the burden through privacy policy language.

What is my business required to do to protect PII?

The answer to this question largely depends on the type of business you operate and the states (and countries) in which you do business. Generally, procedures will include encrypting the transmission and storage of PII, preventing access to PII except by certain employees, having procedures in place to properly dispose of PII, and, of course, honoring your privacy policy. However, procedures are often specific to the type of industry, and can vary widely based on state privacy laws. Consult an attorney to discuss your particular situation.

What happens if my business does not properly protect PII?

First and foremost, you will damage your relationship with your customers. In addition, you may be subject to legal liability that could negatively affect your bottom line even further. Privacy statutes often prescribe damages based on the number of instances of “misuse” in a given time period. While these damages are often capped at a certain amount per period (e.g. $25,000 per year), they also often come coupled with stringent compliance requirements, including periodic audits.

Moreover, under contract law principles you could potentially be subject to damages for the breach of your privacy policy—this in addition to any fines levied by the FTC for unfair or deceptive practices. Eric Goldman discusses some of the nuances of this issue as it relates to contract law in his posts on the JetBlue and RockYou privacy policy breach cases.

How can my business implement this knowledge and effectively incorporate it into our social media strategy?

Once you know what you are required (either by the terms of your own privacy policy or by relevant law) to protect, you can educate your employees on how to approach sharing information through social media. Your social media policy is a good place to describe protected information, the terms of your privacy policy, and the ramifications of wrongful disclosure.

Your employees should know that everything your company shares should be shared in accordance with its privacy policy. And “you” should not share anything through a social media platform if you have an obligation to protect it, even if you “share” it only with its “owner” (i.e. the person it identifies), as social media messaging platforms may not be properly encrypted.

It is also advisable to educate your employees on torts such as the public disclosure of private facts, as sharing information with or about an individual in a public forum can invite liability, even if the information is truthful.

Another tort with ramifications particularly related to social media is appropriation. Appropriation is defined generally as the use of a person’s name, likeness, or identity for commercial purposes without consent. Your company should implement a policy regarding the use of others’ information for commercial endorsement, and educate employees on the ramifications of associating a person with your brand. Check out Derrick Harris’ post for more information on how this issue (and related issues) is currently making Facebook’s already busy legal department even busier.

While I believe the importance of privacy law cannot be “overhyped,” I also believe that educating your employees is the single most important tool for protecting your company. You can spend unlimited money on advice as to what you need to know about privacy law, but if your employees who are engaging on social media don’t know how to use the information, that money is wasted. To protect your brand, develop a social media policy through which you educate your employees about these issues and provide a vehicle in the policy (e.g. dedicated e-mail, hotline, etc.) through which they can ask questions about their social media activity without fear of reprisal.

Where can I learn more about privacy law?

The Electronic Privacy Information Center’s online guide to privacy resources is a great place to start to learn more about privacy law. However, we recommend you seek professional advice when developing a privacy policy and other privacy-related initiatives, as these issues are complex and mistakes can be costly.

Should you have any questions regarding privacy law or any other social media topic, please contact us or subscribe to our free Q&A service. Stay tuned for our next post in the Social Media Legal Issues series, which will discuss a number of issues related to privacy law, including protecting your trade secrets and other confidential information.