In the United States, companies are still primarily under a “self-regulation” model when it comes to privacy considerations. There are exceptions for regulated entities (i.e. financial institutions subject to Gramm-Leach-Bliley Act and healthcare providers subject to the Health Information Portability and Accountability Act) which must follow statutory based regulations on the development of privacy and security policies. In particular, the Federal Trade Commission, in its “Protecting Consumer Privacy” framework of 2010, identified four key steps business should take to create a “fair information practices” approach:
(1) businesses should provide notice of what information they collect from consumers and how they use it;
(2) consumers should be given choice about how information collected from them may be used;
(3) consumers should have access to data collected about them; and
(4) businesses should take reasonable steps to ensure the security of the information they collect from consumers.
The FTC framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device and concluded that companies should:
A. Promote consumer privacy throughout the organization at every stage of development
- Incorporate protections into their practices (i.e. data security, collection limits, retention practices, and data accuracy)
- Maintain data management procedures throughout the business life cycle
B. Simplify consumer choice
- Allow for normal business use without requiring a choice
- Otherwise offer a choice to permit use at a time and in a context in which the consumer is making a decision about his or her data
C. Increase the transparency of their data practices
- Privacy notices should be clearer, shorter, and more standardized
- Provide reasonable access to the consumer data they maintain (proportionate to the sensitivity of the data and the nature of its use)
- Provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than originally claimed
- All stakeholders should work to educate consumers about privacy practices[1]
A social media policy should focus on the identification of risks associated with the corporate presence in a social network. A social media policy should provide: (i) clarification that an employee’s opinion does not represent the opinion of the employer; (ii) clarification that workplace gossip is not tolerated and could have reprimand or termination consequences; and (iii) clarification that inappropriate language (i.e. racially or sexually offensive, harassment, indecent comments or pictures, or even anything which would reasonably be understood as defamatory or disparaging) associated with either the corporate account or referencing the company may also lead to reprimand or termination consequences. Other company policies may need to be reiterated in this policy, for example: (a) an employee’s obligation to protect the confidentiality of client or company information, (b) employment related obligations (i.e. anti-harassment), or (c) security risks to the company.
In a 2010 study,[2] there were eight factors identified that should be considered in a social media policy: (i) security concerns, (ii) legal issues (i.e. for a regulated entity), (iii) content that is acceptable versus not acceptable, (iv) employee’s use of social networks (especially referencing the company), (v) employee’s access to a company page or account on a social network, (vi) conduct deemed a risk to the company within the social network context that could result in disciplinary action or termination (e.g. violation of HIPAA), (vii) administration considerations for the company’s page or account in the social network; and (viii) allowance for citizen or consumers use or posting to the social network page (e.g. a company blog).
Both the framework on privacy policy considerations and the considerations for a social media policy should be assessed when developing these company policies. The Federal Trade Commission has used its authority to protect consumers from “unfair business practices” by bringing Section 5 claims against companies. In two social media cases brought by the Federal Trade Commission, both Twitter and Google were ordered to stop practices deemed to violate a consumer’s privacy rights and both companies are now subject to 20 years of audits to confirm compliance to the order. A company should not blindly jump onto the social media bandwagon; at a minimum a company should consider the risks to brand, confidentiality obligations and a company’s interests within a social network.
[1] See the Federal Trade Commission’s “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers” (2010).
[2] “A National Survey of Social Media Use in State Government: Friends, Followers and Feeds,” (NASCIO 2010).