Clear and Current User Policies
California Lawyer
More Social Media

Clear and Current User Policies

June 2012

Related Articles

Time to Review User Policies January 2012

Online businesses that do not adhere to their own electronic privacy policies increasingly find themselves the target of Federal Trade Commission action. The recent consent decrees inked by the FTC, Facebook, Google, and ScanScout serve to warn business and social networking sites against misleading consumers about how they are using visitors' personal information.

Although some of these settlement terms could increase the companies' cost of doing business, their deal with the FTC lets them avoid more costly litigation and possibly stiffer penalties. Other businesses also would do well to review and update their privacy policy, terms of use, and other legal agreements.

In all three of the settled FTC cases, the agency alleged that the businesses made false or misleading representations about their privacy policies in violation of Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. (15 U.S.C. § 45(a).)

FTC Complaints
In its complaint against Facebook, the FTC alleged that the company did all of the following: Facebook told users that third-party applications that users installed on their computer - such as Farmville by Zynga - would have access only to information necessary for operating the app. In fact, the apps could access nearly all of the users' personal data.

Facebook also told users they could restrict the sharing of their data beyond a limited audience - for example, with "Friends Only." In fact, selecting that option did not prevent their information from being shared also with the third-party applications their friends used.

Facebook had promised users it would not share their personal information with advertisers, but the FTC charged that it did. Also, Facebook claimed that when users deactivated or deleted their accounts, their uploaded photos and videos would no longer be accessible. However, Facebook still allowed access to the content, according to the FTC. (See In the Matter of Facebook, Inc., FTC File No. 92-3184.)

Meanwhile, the FTC faulted Google for employing user data in ways the Internet giant told users it would not in launching its Buzz social network (now defunct) through Google's Gmail program. The FTC alleged that Google breached its own privacy policy by leading Gmail users "to believe they could choose whether or not they wanted to join the network, [but] the options for declining or leaving the social network were ineffective." (See In the Matter of Google, Inc., FTC File No. 102-3136 (Dkt. No. C-4336).)

In November 2011 the FTC also reached a settlement with online advertising network ScanScout, which places video ads on websites for advertisers. ScanScout collects information about viewers' online activities in order to post video ads that specifically target them (aka behavioral advertising). The FTC alleged that ScanScout continued to use electronic cookies stored on users' computers to track their behavior even after telling users they could opt out of that practice. (See In the Matter of ScanScout, Inc., FTC File No. 102-3185 (Dkt. No. C-4344).)

Settlement Terms
In each of the FTC settlements, the respondents agreed to do certain things beyond what would have been required in the normal course of business. For example:

- Both Facebook and Google must obtain consumers' affirmative, express consent before enacting changes that override the users' privacy preferences.

- The two companies must also establish and maintain a comprehensive program to address the privacy risks associated with both new and existing products and services and protect the privacy and confidentiality of consumers' information.

- Every two years for the next 20 years, Facebook and Google must obtain independent, third-party audits certifying that their privacy programs meet or exceed the requirements of the FTC order.

- ScanScout, meanwhile, must tell users what information it is collecting from them and for what purpose, and it must advise them of their right to "opt out" of targeted advertising.

Adhering to Section 5(a) of the FTC Act
The above-mentioned consent decrees highlight the need for businesses to act in accordance with their privacy policies.

In particular, they should ensure that the terms of use and privacy policies published on their websites reflect what information the businesses are collecting from consumers. The disclosures should be clearly stated, without unnecessary and lengthy legalese.

Businesses should examine how they use or anticipate using personal information, and fully disclose these uses to consumers.

In addition, businesses should take reasonable measures to safeguard consumers' information. To minimize the dangers from cyberhacking, they must conduct an audit of how consumer information is being safeguarded, what information is being stored, and for what duration. (The FTC settled a complaint against Twitter after alleging the company had failed to take reasonable safeguards to protect users' accounts against hacking.)

Since the vast majority of consumers simply "click through" the screens displaying the legal agreements to get to the applications on a website, there is no real downside to companies spending a little time and money to ensure that their privacy policies, terms of use, and other legal agreements reflect their current practices.

Similarly, updating these agreements should be routine. This effort should be coordinated between marketing, IT, and legal departments, with each checking off on the accuracy of the updates.

Finally, the website should clearly indicate when the privacy policy and/or agreements were updated, so users have the option to review any changes.

Michelle Sherman is Of Counsel at Slater Hersey & Lieberman in Irvine, and writes the legal blog Social Media Law Applied.

We welcome your comments!


E-mail: (will not be published)

By submitting a comment, you agree to abide by our comment policy.

Enter the characters on the left: