Your company has just launched an innovative new social media service, and you’ve received fanfare from the press, increased website traffic, and a spike in advertising revenues. In short, the service is a complete success — until you’re served with a class action complaint seeking millions of dollars in damages and a civil investigative demand from the FTC. What did you do wrong, and what can you do to get out of this mess?
That’s the question that I recently explored as a part of a panel at the summer meeting of the Virginia Bar Association on the benefits and risks of social media. On the panel, we discussed the many ways that social media has influenced law and policy over the past few months and highlighted what businesses and their lawyers need to understand about privacy issues online in order to avoid litigation and regulatory enforcement.
One of the main reasons that companies face litigation and investigations in the social media area is that they haven’t fully evaluated the information that they are collecting through social media and how that information is (or could be) used. That is why the discussion on privacy today is coalescing around the concept of “privacy by design,” which Kashmir Hill at Forbes recently described as companies “bak[ing] privacy into their products” rather than considering privacy only reactively. (You can read more about privacy by design here.)
FTC and Congressional Activity
As I discussed in an earlier post, the FTC has said publicly that it is focusing on social media in enforcement, and we’ve seen that focus in the high-profile Google Buzz settlement from earlier this year, which identified problems arising out of a social service’s disclosure of information that consumers expected to be kept private. It also reflected the FTC’s latest thinking on how companies should be approaching the development social media services — and, particularly, its emphasis on privacy by design.
Indeed, in addition to comprehensive privacy legislation, we’ve seen bills focused on children’s privacy, geolocation information, and data breaches, with more to come. And states have been active in this area, too, with the most striking example being California’s repeatedly-defeated social networking privacy legislation, which included provisions that, if adopted, could have seriously damaged many of the social services that drive innovation and economic activity on the Internet.
At the same time, the FTC is developing its final privacy report, expected later this year, and Department of Commerce General Counsel Cameron Kerry recently announced in a speech at the Brookings Institution that the Administration and the FTC aren’t waiting for Congress to move ahead with privacy:
At the Department of Commerce, we don’t intend to wait for legislation. We are going to begin to identify pressing privacy issues that can benefit from a multi-stakeholder process and we’ll continue discussions with the FTC about baseline protections, about how to approve codes of conduct and about how to implement the multi-stakeholder process. And then we will begin to convene groups to energize this process in a conversation that today is long overdue.
Social Media Information in Litigation
Social media also is increasingly an attractive source of information for civil litigants, participants in family disputes, and government investigators, and companies that host social media data need to understand how statutes like the Electronic Communications Privacy Act affect the privacy (or lack of privacy) of the information in their possession. Among other examples, we talked about the Eastern District of Virginia’s recent decision [PDF] that the government could subpoena Twitter users’ IP addresses under the Stored Communications Act, and U.S. v. Hamilton [PDF], a corruption prosecution that relied on messages that a public official sent using his work computer.
Privacy Class Actions
Finally, social media services have been targets of class action litigation, with scores of online privacy lawsuits filed over the past year. Although the specific claims vary, plaintiffs commonly are focusing on causes of action that weren’t designed for use in the social media context, such as breach of contract, invasion of privacy and other torts, unjust enrichment, and the Computer Fraud and Abuse Act. Many of these suits identify some aspect of the way a service operates and allege that the service is liable because, they say, it does not conform with commitments that the service has made to users. More recently, plaintiffs have focused on right of publicity issues, objecting to the ways in which social media services have used information posted by their users. We discuss the questionable merits of these kinds of claims in our recent e-alert, but the bottom line for companies that operate social services is that it’s important to anticipate these lawsuits in building products, since they can impact business reputation even if they are ultimately defeated.
What is most striking about this litigation is that it is brought even though plaintiffs often cannot show any economic harm at all from the behavior they say violated the law. That lack of damages is often fatal to these plaintiffs’ cases, but it raises an important policy question about whether plaintiffs should be able to recover “damages” when they cannot show that they have been harmed. This is a key issue in both the litigation and policymaking contexts, and it is a question on which companies that operate social services will continue to focus as the next generation of privacy regulation continues to develop in the U.S.