Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Regulators Take Aim at Social Networking Privacy

Posted in Congress, Federal Trade Commission, Social Media, United States

Over the past few weeks, online publishers have seen regulators’ focus on privacy in the social media context reach the boiling point.  Just this week, Politico reported that FTC Chairman Jon Leibowitz confirmed in a letter to Sen. Mark Pryor that “FTC staff are carefully monitoring the privacy and security issues associated with social networking sites.”  Sen. Pryor, who chairs the Consumer Protection Subcommittee of the Senate’s Committee on Commerce, Science, and Transportation, had expressed concern about privacy and security issues in the context of social media apps, and so we expect that social media privacy issues will play a key role in forthcoming online privacy legislation.  (We’ve posted Sen. Pryor’s letter to Leibowitz here.)

The announcement of the FTC’s focus on social networking comes on the heels of the FTC’s highly publicized settlement with Google over its Buzz product, which Erin Egan reported on earlier this year and was just approved by the court last weekAccording to FTC blogger Lesley Fair, the agency alleged that consumers “weren’t adequately informed that certain information that had been private — including the people they chatted with or emailed most often — would be shared publicly by default.”

For other online publishers, the headline from the Google Buzz settlement is the requirement that Google implement a comprehensive “privacy by design” program across all of its products.  In a recent speech, FTC Consumer Protection Bureau Chief David Vladick pointed to this aspect of the Google settlement as a key shift in the agency’s expectations for social media providers generally.  In fact, the FTC has announced that it wants the privacy by design provisions of the Google settlement to “serve as a guide to industry.”  Privacy by design programs, it said, are a “good idea for all companies” and should be “flexible and scalable.”

The FTC also announced on its blog three key features that it will be looking for in evaluating other companies’ privacy programs:

  • “Mean what you say and say what you mean.”  As it has for years, the touchstone of the FTC’s privacy inquiries will continue to be inconsistencies between the privacy promises a company makes and what it actually delivers.
  • “Bake it in.”  This element is a new focus on what most in the industry have been calling “privacy by design.”  The point is that the FTC doesn’t want privacy to be an afterthought but an essential part of the product design process.
  • “Evaluate your privacy ecosystem.” Finally, the FTC wants companies to realize that privacy isn’t “set it and forget it.”  Instead, just as the business and regulatory environments are constantly changing, companies will need to continue to benchmark their privacy efforts against what the government expects and what they and their competitors are delivering.  In addition to viewing privacy as a competitive benefit, the FTC sees real value in — and will expect in enforcement investigations — ongoing evaluation and staff training on privacy issues.

This intense focus on social media isn’t limited to the federal government:  As Steve Satterfield noted last week, social networking privacy legislation has been defeated yet again in the California Senate.  The legislation, if adopted, would have required a user’s express agreement to sharing of any information about him or her and would have imposed a 96-hour window for deleting all information about a user on the service, even information posted by third parties.

So what are companies that care about social media doing to manage these risks?  First, many are following the FTC’s guidance by reviewing their existing practices and developing their own internal privacy by design programs.  These programs are important to avoiding privacy problems in the first place and to showing regulators that a company is serious about privacy if a complaint does develop.

Second, it’s critically important that companies that care about privacy participate in policymaking — both at agencies and in legislatures — because it’s hard for regulators to know how their rules will impact industry if we don’t tell them.  There are many opportunities to get involved, such as the FTC’s request for comments on updates to its online advertising disclosure guidance, which closes July 11 — and we’re sure to see more activity on social media privacy in the coming weeks and months.

UPDATE:  The deadline for comments on the Dot Com Disclosures update has been extended to August 10.