Social Media

Last Friday the California Senate unanimously passed legislation titled, “Privacy Rights for California Minors in the Digital World,” which prohibits certain types of marketing to minors (defined as a natural person under the age of 18 residing in California) and allows minors to delete materials they have posted online.  The bill, which already cleared the California Assembly, now has been sent to Governor Jerry Brown for approval.  If signed into law, the legislation would be effective beginning January 1, 2015. 

The bill, S.B. 365, which was introduced by Senator Darrell Steinberg, adds two new sections to the California Business & Professions Code.

Section 22580 would:

  • Prohibit an operator of a website, online service or application, or mobile application that is directed to minors from marketing or advertising on the service or application certain enumerated products or services that minors cannot otherwise legally purchase or use.  While some of these products and services may be obvious—e.g., alcohol, firearms, tobacco, and obscene materials—others—e.g., tanning and etching cream that is capable of defacing property—may be less so.  
  • Prohibit an operator of a website, online service or application, or mobile application from marketing or advertising the enumerated products or services where the operator has actual knowledge a minor is using its service or application, if the marketing or advertising is directed to that minor based on information specific to the minor such as profile, activity, address, or location, but excluding IP addresses and product identification numbers.  The operator shall be deemed in compliance with this provision if it takes reasonable actions in good faith designed to avoid marketing or advertising under these circumstances.
  • Prohibit an operator of a website, online service or application, or mobile application that is directed to minors or who has actual knowledge that a minor is using its service or application from knowingly using, disclosing, or compiling the personal information of a minor (or allowing a third party to do so) with actual knowledge that such activity is for purposes of marketing or advertising the enumerated products or services to that minor. 
  • These prohibitions do not apply, however, to the incidental placement of products or services embedded in content, if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising the enumerated products or services.
  • Additionally, “marketing or advertising” is defined to require an “exchange for monetary compensation” in order “to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.”  Thus, social media content or applications that only promote an enumerated product or service without paid placement would not fall within the scope of the bill. 

Continue Reading CA Legislature Passes Bill Establishing Online Protections for Minors

A New Jersey federal court recently held that an employee’s Facebook wall posts were protected by the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., in one of the first cases to analyze the SCA’s application to the Facebook wall.  Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-3305 (WMJ) (D.N.J. Aug. 20, 2013).  An important factor in the court’s ruling was the fact that the employee had configured her privacy settings to restrict her posts to her Facebook “friends.”

The court found that the employer had not violated the SCA by viewing the employee’s wall, however, because a co-worker, who was one of her Facebook friends, showed the post to their employer without any prior prompting by the employer.  

This ruling provides further reason for employers to avoid unauthorized access to an employee’s social media activities.  The court’s holding is consistent with the passage by 11 states of laws prohibiting employers from demanding social media passwords from employees.  But employers that learn of social media activity by employees through passive means may still be able to take action based on that information.

Continue Reading Federal Court Finds Stored Communications Act Applies to Facebook Wall Posts

Many employers have been surprised by recent rulings that two common employment policies run afoul of the National Labor Relations Act (“NLRA”) even if their employees are not union members.  Based on a legitimate interest in preserving confidentiality and privacy, many employers have adopted social media policies limiting what employees may post on Facebook or Twitter about their employer or co-workers.  Based on similar privacy considerations, employer procedures for investigating sexual harassment and other complaints often place restrictions on what employees may reveal to their co-workers or others about the allegations.  According to recent decisions, however, both policies may violate Section 7 of the NLRA, which permits employees to engage in “concerted activity” for “mutual aid and protection.”

Section 7.  It is well established under the NLRA that employees may confer with one another about their wages and other terms of employment and may take  “concerted” action in an effort to improve their working conditions.  Employees (but not managers) are protected by Section 7 of the NLRA, whether or not they are members of a union. But employers rarely face Section 7 issues since claims under Section 7 must be asserted in charges filed with the National Labor Relations Board (“NLRB”), and few employees do so.   

Confidentiality of Complaint Investigations.  Enforcement Guidance issued by the EEOC directs employers conducting investigations of workplace harassment to assure complainants that they “will protect the confidentiality of harassment complaints to the extent possible.”  Employers routinely adopt policies asking employees who are part of workplace investigations, either as complainant or witness, to keep such investigations confidential.  Such policies help ensure the integrity of investigations, prevent workplace retaliation for participation in investigations, protect the privacy of complainants, and foster an environment where employees will readily report harassment concerns.

Continue Reading The NLRB Strikes Down Employer Policies on Social Media and the Confidentiality of Complaint Investigations

Twitter recently released its bi-annual transparency report, detailing the number of requests that the company has received from governments for user information or to take down content.  According to the report, the company received 1,157 requests for user information in the first six months of 2013, the highest amount since Twitter began releasing its report.  Twitter reports that 78% of the requests came from United States sources, and globally the company provided some or all information requested in 55% of cases.

Continue Reading Twitter Releases Bi-Annual Transparency Report

Recently, the National Network to End Domestic Violence (NNEDV) and Facebook launched a guide intended to assist individuals who have been victims of domestic violence.  The guide offers tips to individuals who have suffered abuse on “how to use Facebook in a way that ensures that they stay connected with

Continue Reading Facebook and NNEDV Develop Privacy and Safety Guide for Survivors of Abuse

Personalization of the shopping experience is a hot topic in the travel industry.  It has also prompted privacy regulators to consider the implications for the consumer.  For example, the Article 29 Data Protection Working Party in April issued a letter to the International Air Transportation Association (IATA) on this topic and a

Continue Reading Personalization of travel shopping

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004.

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.
Continue Reading Delta succeeds in dismissing California AG’s first CalOPPA case

On April 29, Craigslist was successful in fighting off a motion to dismiss filed by three screenscraping sites (3Taps, Padmapper and Lovely) in its pending litigation in the Northern District of California.   In Craigslist Inc. v. 3Taps Inc., No. CV 12-03816 (N.D. Cal.), Craigslist sued these sites, alleging that

Continue Reading Craigslist wins first step against screenscrapers – lesson for drafting TOUs

Yesterday, a bill that would reform the Electronic Communications Privacy Act of 1986 (“ECPA”) was approved by the Senate Judiciary Committee on a voice vote. Under ECPA, as it currently stands, police need only a subpoena, issued without approval by a judge, to access private e-mails that have already been

Continue Reading ECPA Reform Bill Sails Through Senate Judiciary Committee

The Federal Trade Commission has released its much anticipated revised COPPA FAQs.  Although these FAQs are not legally binding, they provide informal guidance to industry on staff’s interpretations of the COPPA Rule. 

For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose.  However, here are 5 key things that the revised COPPA FAQs clarify:

  1. Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule.  Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013:  (1) photos, videos, and audio files containing a child’s image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013).  (FAQ 4)
  2. Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information. 
  3. Third-party services that are integrated on child-directed sites will be deemed to have “actual knowledge” if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties.  However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge.  (FAQ 39)  This guidance builds on a blog post published by the FTC’s Chief Technologist, Steve Bellovin.
  4. An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child’s facial features or prescreens and deletes photos of children before posting them online.  (FAQs 43-45)  (But don’t forget to scrub for metadata as well — photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
  5. A third party who is integrated on a child-directed site may rely on the “support for internal operations” exception to support the third-party’s own internal operations.  There actually was text in the final COPPA Rule’s Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear.  (FAQ 77)

In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:

Continue Reading FTC Releases Revised COPPA FAQs: Here’s What’s New