Best Practices for Social and Mobile Media As Privacy Laws Evolve

By David White
November 28, 2011

As social media and mobile devices and apps (“social-mobile”) continue to proliferate in the corporate enterprise, and e-commerce firms rely ever more on these technologies to assist promotion and sales, these forms of collaboration and information-sharing are putting a new spin on compliance issues.

A tidal wave of publications and seminars addressing many of these issues has appeared of late. Topics range from preventing trade secrets from leaking on Facebook to the ethics of monitoring current and potential employees in and out of the workplace.

Garnering much less attention are the compliance and risk issues that new marketing initiatives using social-mobile can present. To minimize such issues, legal departments and other counsel on whom these businesses depend for advice must develop a working relationship with marketing and IT in order to fully understand how information acquired through social-mobile initiatives is being collected, stored and used by the company, and to assess the impact on the company's electronic discovery, records-retention and regulatory-compliance obligations.

In the United States, several hundred state laws govern data captured by companies, including social-mobile data. These laws include statutes regarding:

  • Data security and breach response;
  • Records retention and destruction; and
  • Data privacy regulations aimed at protecting personal information of employees and customers.

An alphabet soup of federal regulations also governs this data (e.g., HIPAA, the Health Insurance Portability and Accountability Act, http://bit.ly/16IvtE; COPPA, the Children's Online Privacy Protection Act, http://bit.ly/jYYFvT; FACTA/FCRA, the Fair and Accurate Credit Transactions Act, and the Fair Credit Reporting Act, http://bit.ly/udH44K and http://bit.ly/3Pu0Fe, respectively; ECPA, the Electronic Communications Privacy Act, http://bit.ly/GkNog; and the VPPA, the Video Privacy Protection Act, http://bit.ly/Hus9r). As emerging technologies continue to challenge societal expectations of privacy, new methods for collecting, storing, aggregating and sharing information continue to push the boundaries of our legal frameworks. As a result, we are now seeing:

  • Major data breaches reported almost daily;
  • An up-swell in class actions related to privacy violations, along with new damage theories;
  • Significant increases in Federal Trade Commission (FTC) scrutiny and fines, and increased scrutiny and fines imposed by other watchdog agencies; and
  • An increased focus of public and political attention on data-privacy and security issues.

These issues and events create significant risks for any company caught unprepared in the social-mobile data frenzy.

Tip of the Iceberg

As companies increase their efforts to collect, use and share social-mobile data, they should expect legal challenges to increase.

Last year, The Wall Street Journal examined 101 popular smartphone applications and found that more than half transmitted a phone's unique identifier to third parties without users' permission, and 47 sent the phone's location to third parties. Five apps went further, sending users' gender, age and other personal data to third parties. Negative publicity and several lawsuits against the companies publishing these apps have heightened awareness, but the problem hasn't abated. A recent patent application filed by Apple describes a framework for deploying and pricing ads based on information derived from consumers' browsing and searching activities, and the contents of their media library. It also describes using the contents of friends' media libraries to better target ads, and explains how Apple could tap “known connections on one or more social networking websites” to accomplish this. Given the intent to leverage what many consider personal and private information, the company would be well advised to develop a well thought-out legal and compliance strategy regarding the collection and use of this data before deploying the technology.

If these examples seem extreme, consider that IBM recently announced a new retail technology that enables stores to offer targeted third-party products and services to consumers at checkout. The solution allows shoppers who use mobile devices to scan orders, redeem digital coupons, access loyalty points and pay for orders at self-service pay stations. The related compliance issues are significant for retail establishments large and small.

Complicating the issues is the pervasive legal ambiguity and inconsistency as to what information is protected and subject to regulation among jurisdictions. There has also been an expansion in the definition of protected private information. For example, the California Supreme Court, in Pineda v. Williams Sonoma, 51 Cal. 4th 524 (2011) (http://bit.ly/uJiNtf), recently held that customer ZIP codes are private information subject to protection under a state law governing what information can be collected as part of face-to-face credit-card transactions. Federally, Congress and the Supreme Court have shown an ever-increasing interest in defining geospatial reference data on smart phones and IP addresses as private information.

Unfortunately, most companies still view social-mobile data as marketing information, not as private, and protected, records. But along with the ability to tie this data to specific individuals comes the need to treat it as other private information is treated. This is especially true when the data is used for purposes unrelated to why it was originally collected.

Best Practices: Seven Privacy and Risk Priorities

To avoid privacy-related lawsuits targeted against the use of social-mobile data, it's vital that companies have a clear plan about:

  • What they are collecting;
  • How they are collecting social-mobile data;
  • How they are storing the data;
  • With whom the data is being shared;
  • What level and type of consent they have to use the data; and
  • How long the information will be kept.

Seven best practices for counsel to keep in mind follow.

1. Visit your own websites and social-media pages, and download and use your company's apps. Give as much attention to what is on your public website and how your company is using customer apps, especially the app license and use agreement, as you do to the internal policies for records management, records training and legal-holds training.

2. Pay special attention to “digital safes” and other tools that store personal and private customer information. How is this data managed and what practices, processes and controls are in place to properly manage and protect it? It is especially important to consider what is implied by your brand (are you a security company, for instance?) or explicitly found in your marketing materials.
