Legal Bytes : Advertising & Media Lawyer & Attorney : Reed Smith Law Firm : Marketing & Intellectual Property : Legal Bytes Law Blog

Social Media in Action in Advertising and Marketing

Brand Awareness

The official Starbucks page has more than 6.8 million fans and counting. The Starbucks YouTube channel has more than 6,000 subscribers and more than 4.5 million upload views of videos. On Flickr, there are two Starbucks groups, each with more than 3,500 members, and a combined total of more than 21,000 photos. And more than 840,000 people are following Starbucks on Twitter. Starbucks’ own social network, Starbucks V2V, has nearly 24,000 members.

In this section, we explore the legal issues involved in the use of branded pages and promotions and contests, taking into account the different aspects of U.S., German and UK laws and regulations.

Branded Pages

United States

Branded social media pages created and hosted using a third-party service allow companies to quickly and easily establish a social media presence. In order to do so, companies, like individuals, must register and agree to abide by the terms of use and policies that apply to these services and host companies. As discussed in “Promotions and Contests” below, this may not only restrict a company’s ability to use the branded page for promotional and advertising purposes, but may also grant or restrict rights within the media with which a brand owner might not otherwise have to contend. The third party bears much of the responsibility for regulating the actions of the users who access, use and interact with the service. The third party, for example, is responsible for responding to “take down” notices received pursuant to the Digital Millennium Copyright Act (“DMCA”) and for establishing age limits for users (See also Chapter 2 Commercial Litigation). The terms of service applicable to Facebook and YouTube specifically prohibit use by children under the age of 13, while Twitter allows access only by individuals who can enter into a binding contract with Twitter.[7]Facebook, YouTube and Twitter prohibit the uploading or posting of content that infringes a third-party’s rights, including intellectual property, privacy and publicity rights, and they provide instructions for submitting a DMCA take-down notice.[8] Although the third-party’s terms of service provide a framework for both a company’s and individual user’s activities, can a company afford not to monitor its branded page for offensive or inappropriate content, trademark or copyright infringement, or submissions obviously made by or containing images of children?

Creating a presence and beginning the conversation is easy. Controlling the conversation is nearly impossible. Looking again at Starbuck’s as an example, a search for “Starbucks” on Flickr currently yields nearly 300,000 results, and on MySpace yields more than 91,000 results; and there are more than 3,400 unofficial “Starbucks” pages on Facebook. This is the current state of affairs, despite the fact that as a part of the registration process for a page, Facebook asks that individuals “Please certify that you are an official representative of this brand, organisation, or person and that you are permitted to create a Facebook Page for that subject,” coupled with an electronic signature. As an additional deterrent, Facebook includes the following note: “Fake Pages and unofficial ‘fan pages’ are a violation of our Pages Guidelines. If you create an unauthorised Page or violate our Pages Guidelines in any way, your Facebook account may be disabled.” Similarly, Twitter has an “Impersonation Policy” that prohibits “non-parody impersonation.”[9]

Despite these efforts by social media platforms such as Facebook and Twitter, can these “legal” conditions and requirements realistically act as a deterrent or a meaningful enforcement mechanism? More significantly, will a company be forced to rely upon these third parties to provide remedies or enforce these terms before acting—or instead of acting? So what are a company’s options in managing its brand image? While a company could have a claim for copyright or trademark infringement (see Chapter 14 – Trademarks) and could attempt to shut down impersonator and unofficial sites by contacting the social media platform to demand that the infringer and infringing material be removed, these measures could become (and may already be) virtually impossible to implement because of sheer volume. Further, depending upon the message being conveyed on an unofficial page, a company might not want to shut it down. For example, there are three unofficial “I love Starbucks” pages and more than 500 “I love Starbucks” groups. If a consumer cares for a Frappaccino, they can join one of the more than a dozen groups dedicated to various flavors. But for every “I love Starbucks” page or group, there is an “I hate Starbucks” group (more than 500) or “Starbucks sucks” page (211). How does a company respond to these so-called “suck sites”? As previously mentioned, a company could try to litigate on the basis of intellectual property infringement, but that could prove to be an endless battle.

United Kingdom

As in the United States, advertisers in the UK have embraced viral marketing, advergames, promotions, user-generated content, blogs and brand ambassadors online, as well as exploiting existing social networking sites to grow brand awareness and promote products and services. Social networks offer advertisers reach and engagement of an unprecedented level, combined with clear branding opportunities. However, with that opportunity comes inevitable risk. In-house counsel need to keep abreast of what their businesses are promoting on social media properties to ensure compliance and minimise risk, while maximising the opportunities to reach new audiences and promote the brand.

Later in this chapter, we deal explicitly with the risks associated with corporate blogging and user-generated content, and how companies can take action to help prevent infringement of rights and non-compliance with regulation. In relation to branded pages, our guide for advertisers concerning the addition of terms and conditions for online advertisements (including use and effectiveness of disclaimers and appropriate warnings) is available on the Reed Smith website. The guide covers issues such as linking to other sites and dealing with difficult users.

Germany

European companies also make use of the possibilities that social networks open up for them. Let’s take German car manufacturers as an example. A popular brand owner, BMW, has its own branded page on Facebook and even localised pages for several countries, including Germany, Indonesia, Mexico and South Africa. The discussion board on the page mainly deals with maintenance and repair issues. However, BMW seems to ignore the questions posted by users and leaves it to other users to respond to these queries. BMW also asks its users to vote on polls and gives them the opportunity to showcase their loved ones. In contrast to BMW’s approach, all-time competitor Mercedes Benz does not have a discussion board for users to post their queries, and fans are not allowed to post on Mercedes’ wall. It need not be mentioned that apart from the official pages, there are numerous unofficial pages, sub-pages and groups relating to the car manufacturers. As a side note: Porsche tops both BMW and Mercedes regarding the number of fans—it has more than 582,000 fans on Facebook (BMW: 493,000, Mercedes: 241,000). While Porsche, like Mercedes, does not have a discussion page, it allows the users to design their own Porsche and post it to their walls. All of these gimmicks and interactions allow the user to feel close to “their brand,” and giving them the opportunity to display their own designed Porsche on their wall is concurrently giving Porsche positive endorsement.

The legal aspects of these brand interactions do not differ materially from the issues raised under U.S. law, as the terms and conditions of the third-party providers like YouTube, Twitter and Facebook are essentially the same. What must be taken into account, though, is that while the European Union has harmonised laws in many areas, including in the area of misleading or false advertising, of commerce on the Internet, and on consumer protection, these laws have been implemented differently in every country. The scope of socially acceptable content may also differ widely within the European Union, given the differences between countries such as Sweden, Bulgaria, the UK, and Spain. Brands that choose to treat Europe as one homogenous state in the course of their social media campaigns run a very real risk of contravening local laws and, possibly just as importantly, offending local sensibilities.

A new phenomenon in the advertising world that reaches the Internet at high speed is so-called “fake advertising.” Using the automotive industry again, a video shows a compact car of a German manufacturer driven by a man wearing a traditional Palestinian scarf. He parks the car in front of a street café and activates a belt containing explosives. The guests of the café do not even realise this as no noise or other effect of the explosion reach the outside of the car. The spot finishes with a scroll outlining the model of the car (a Volkswagen) and displaying the slogan “Small but tough.” The German car manufacturer had nothing to do with this spot. Virals like this can be very professional in appearance, which makes the determination that it is a fake advertisement difficult. This example triggers various legal questions concerning both the producer of the viral and the company whose products are “advertised.” While the advertised company may have claims for trademark infringement, copyright infringement, claims based on unfair competition and even based on tort (passing off and endangering the goodwill of a company) against the producer of the viral, the same company is also at risk of being held liable if the viral infringes third-party rights, and the advertised company had in any way initiated or agreed to the viral (for instance by way of holding a contest for the best video spot involving its compact car and an unsuccessful participant subsequently airs the spot on his Facebook profile). There are many examples of established companies seeking to embrace social media by running user-generated advertising campaigns, only for things to go horribly wrong.

Promotions and Contests

United States

Many companies are using their social media presence as a platform for promotions, offering sweepstakes and contests within or founded upon social media and user networks. There are giveaways for the first 10 people to re-Tweet a Tweet. Companies can partner with YouTube to sponsor contests that are featured on YouTube’s Contest Channel, or sponsor contests available on a company-branded channel. While YouTube’s terms of service are generally silent on the issue of sweepstakes and promotions, Facebook’s terms of service specifically prohibit offering contests, giveaways or sweepstakes on Facebook without their prior written consent. Even those who merely use Facebook to publicize a promotion that is otherwise administered and conducted entirely off of Facebook must comply with the Promotions Guidelines. In December 2009, Facebook revised its Promotions Guidelines to specifically require, among other things, that (1) the sponsor take full responsibility for the promotion and follow Facebook’s Promotion Guidelines and applicable laws; (2) the promotion is open only to individuals who are at least 18 years of age; (3) the official rules contain an acknowledgement that the promotion is not sponsored, endorsed or administered by, or associated with, Facebook, as well as a complete release for Facebook from each participant; and (4) the sponsor submit all promotion materials to his or her Facebook account representative for review and approval at least seven days prior to the start of the promotion.[10] In addition, Facebook’s Promotion Guidelines prohibit, among other things: (1) using Facebook’s name in the rules except as otherwise required by the Promotion Guidelines; (2) conditioning entry in the promotion upon a use providing content on Facebook (including, making a post on a profile or Page, status comment or photo upload); (3) administering a promotion that users automatically enter by becoming a fan of your Page; or (4) administering the promotion on the Facebook site, other than through an application on the Facebook Platform.[11] Many companies, however, appear to be ignoring Facebook’s terms.

Other companies have taken their contests off of a particular social media platform and instead operate a contest-specific URL. As a result, several companies have sprung up to assist advertisers in their social media endeavors, including Votigo, Wildfire and Strutta, just to name a few. One such company is Folgers. Folgers recently launched a social media contest to celebrate the 25^th anniversary of its famous Folgers jingle, “The Best Part of Wakin’ Up.” The contest, located at a dedicated URL, encourages people to submit their take on the iconic jingle (See “User-Generated Content” below for issues relating to UGC.) Entrants have a chance to win $25,000 and potentially have their jingle featured in a future Folgers Coffee commercial. In addition to the Grand Prize awarded for the jingle itself, daily prizes and a grand prize will be awarded via random drawings to individuals who submit votes in the jingle contest. It doesn’t take much imagination to come up with the legal issues and challenges—consumer, talent union and regulatory—that might be raised. What if the winner is a member of a union? Who owns the video submissions? Will the semi-finalists, finalists and/or winners be required to enter into a separate agreement relating to ownership of the master recording?

Despite the undeniable reach of social media, participation is not always easy to come by. Just ask FunJet Vacations. In fall 2009, FunJet sponsored a giveaway whereby individuals who uploaded a photo or video of themselves making a snow angel were entered in a drawing for a four-night vacation in the Mexico or Caribbean. Seems like an easy sell, especially given the winter we had here in the Northeast, right? Wrong. According to Mike Kornacki, who assisted Funjet Vacations in the giveaway, “on the 1^st level market reach Funjet was at 384,000 individuals for Facebook and 1.05 million for Twitter” and Funjet only received “313 total submissions over 5 days.”[12] So what happened? Those who did participate were unwilling to share the giveaway with their networks because “they didn’t want the competition.”[13] Individuals Mr. Kornacki surveyed who didn’t participate said “it was too hard to enter the drawing.” Seriously? Taking a photo of yourself making a snow angel and uploading it to a micro-site is too hard? Those individuals must find Flickr, YouTube and Shutterfly simply unbearable.

Regardless of the platform or website a contest is featured on, the same laws apply online as in offline contests, but they may apply in unique or novel ways, and their applicability may be subject to challenge. Because social media is often borderless and global, companies must also consider the possibility that individuals from across the globe may find out about the contest and wish to enter. Unless a company plans to research the promotion and sweepstakes laws in every country around the globe (and translate the official rules into every language), eligibility should be limited to those countries where the company does business and/or has legal counsel. This represents both an opportunity and a challenge—both fraught with legal and regulatory possibilities.

In the United States[14], a sponsor cannot require entrants to pay consideration in order to enter a sweepstakes. Unlike skill-based contests, the golden rule of “no purchase necessary to enter or to win” applies. In addition, depending upon how the promotion is conducted and what the aggregate value of prizes awarded in the promotion are, New York, Florida and Rhode Island have registration requirements (New York and Florida also require bonding[15]). In New York and Florida, where the aggregate prize value exceeds $5,000, a sponsor must register the promotion with the state authorities, and obtain and file with the state a bond for the total prize amount.[16] In Rhode Island, where the aggregate prize value exceeds $500 and the promotion involves a retail sales establishment, a sponsor must register the promotion with the Rhode Island Secretary of State.[17]

Germany

As already highlighted earlier in this chapter, companies that wish to conduct promotions, sweepstakes, raffles and similar activities in Europe need to be aware that while there is certainly European harmonised law, the Member States may have implemented the Directives differently. Certain jurisdictions like France are known for adding little tweaks and adopting a very restrictive and consumer-protective approach to advertising. While the above-mentioned golden rule of “no purchase necessary to enter or to win” provides minimum guidance for contests in Europe, companies should nevertheless obtain local clearance advice. Various provisions in local law make the running of promotions on a European-wide basis a challenge. Italy, for instance, requires that if the raffle or contest is actively promoted in Italy, the organising company must have someone on the ground in Italy to conduct it. This gives rise to a flourishing business segment of promotion agencies. A company that advertises a promotion via a social network should not fall prey to the assumption that because the promotion is run from a “.com” homepage it is subject to U.S. law only, or that it could adopt the law of a particular country while excluding all other jurisdictions. As soon as a promotion is aimed at the citizens of a European country, that country is likely to assume jurisdiction and deem its laws applicable to the promotion.

Brand Interaction

Bloggers

United States

“People are either going to talk with you or about you.”[18] So how do you influence the conversation? Many companies are turning to amplified word-of-mouth marketing, by actively engaging in activities designed to accelerate the conversations consumers are having with brands, including the creation of Facebook applications based on a company or its product. (See Chapter 2 – Commercial Litigation) In July 2009, for example, Starbucks created a Facebook application where users could share a virtual pint of ice cream with friends. Other examples include the use of third-party bloggers to create product reviews, offering giveaways on third-party blogs or creating a company-sponsored blog (see “Customer Service and Customer Feedback” below).

Companies often provide products to bloggers so that the blogger can write a (hoped-for favourable) review of the product. While this practice is generally acceptable, companies and bloggers who fail to disclose the connection between blogger and company face regulatory scrutiny and consumer backlash. In spring 2009, Royal Caribbean was criticised for posting positive reviews on travel review sites with a viral marketing team, the “Royal Champions,” which was comprised of fans who posted positive comments on various sites such as Cruise Critic. In return for positive postings, the Royal Champions were rewarded with free cruises and other perks. Royal Caribbean has acknowledged that the Royal Champions program exists, but denies that it was ever meant to be secretive or that members were instructed to write positive reviews.

In addition to backlash from consumers who might feel as if they’ve been duped or that a blog is a glorified advertisement and the blogger an instrument of a particular company, companies and bloggers who fail to disclose material connections (such as the provision of free products or other perks to the blogger) may come under regulatory scrutiny. In 2009, the Federal Trade Commission (“FTC”) revised its Guides Concerning the Use of Endorsements and Testimonials in Advertising (the “FTC Guides”)[19]. The FTC Guides provide a general principle of liability for communications made through endorsements and testimonials: “Advertisers are subject to liability for false or unsubstantiated statements made through endorsements, or for failing to disclose material connections between themselves and their endorsers. Endorsers also may be liable for statements made in the course of their endorsements.”[20]

In general, a company that provides products to a blogger for purposes of a product review should never instruct the blogger regarding what to say in the review, or ask to review or edit the review prior to posting. While companies should provide bloggers with up-to-date company-approved product information sheets, those information sheets should not reflect the company’s opinion or include prices. In the event of a negative review, the company has the option of not providing products to the blogger for future reviews. The company should also caution its personnel about engaging in inflammatory disputes with bloggers (“flaming”) on any blogs. In addition, since under the FTC Guides a company could be liable for claims made by a blogger, the company should monitor product reviews made by bloggers to ensure that the claims made are truthful and can be substantiated.

United Kingdom

Applying the principles described above in relation to the United States helps identify, from the perspective of English law and regulation, the main risks associated with external corporate blogging and participating in social networking sites:

• Damage to reputation: This typically arises if a blogger says something that may tarnish the reputation of the company in the eyes of other readers. It could be an innocent criticism of the product or company or a more deliberate campaign.
• Breaching advertising regulations: This can cause damage to brand reputation, particularly where the breach leads to advertising regulators publishing adverse adjudications about the owner of the brand
• Liability for infringement of intellectual property rights: The biggest risk here is that a participant or blogger copies content for the blog post from another source without permission. Music is particularly risky, but any image, text or creative material may have been sourced from a third party without their knowledge.
• Liability for defamation or illegal content: Defamation is perhaps one of the greatest risks, especially if blog participants are given a free reign. See our later chapter concerning defamation.
• Breaching data protection laws and/or invading privacy: See our later chapter for more details concerning these risks.
• Leaking confidential information: Often risks emanate not from external sources but from employees within the company engaging in blogging. Details of a new product launch or disclosure of poor financial figures can innocently be disclosed if safeguards are not put in place. This can cause damage to the business and, potentially, breach of corporate securities rules.

Germany

Advertisement in blogs is also increasingly happening in Europe, but the European Commission has not initiated legislative action yet. A prominent example for using blogs for advertisement was constituted by the Coty Prestige Lancaster Group. The company decided to launch a teaser campaign prior to the traditional campaign for the perfume ck-IN2U. They created rather attractive and sexy fake identities in various blogs and used them to tease the blogosphere about the perfume. And at the end of each post, they added the sentence “what are you in2?” After being found out, Coty Prestige Lancaster Group quickly stopped the campaign. While many bloggers perceived this behaviour as contravening an unwritten blogger’s code of ethics (and indeed blog operators are looking for ways of prohibiting unwanted advertising activities in their blogs), the more crucial question is whether the multiple five-digit-claims that the responsible advertising agency has received will hold up. Under German law, for example, the agency may be obligated, pursuant to the legal institute of “agency by necessity,”, to pay to the blog operators the amount saved by avoiding the traditional booking of advertising space on the blog or surrounding the blog. Comparable decisions have been made with regard to the unauthorised use of photographs. However, court decisions on advertisement in blogs have not reached the press…yet.

Customer Service and Customer Feedback

Blogs also foster customer feedback and engagement with a brand. General Motors, for example, has at least two blogs: the Fast Lane[21]and the Lab[22]. According to General Motors, the Fast Lane is “a forum for GM executives to talk about GM’s current and future products and services, although non-executives sometimes appear here to discuss the development and design of important products. On occasion, Fast Lane is utilised to discuss other important issues facing the company.”[23] The Lab is “a pilot program for GM, an interactive design research community in the making.”[24] The Lab lets consumers “get to know the designers, check out some of their projects, and help [the designers] get to know [the consumers]. Like a consumer feedback event without the one-way glass.”[25] Both General Motors blogs, of course, link to General Motor’s Facebook page, where a consumer can become a fan. Similarly, Starbucks has its “Ideas In Action” blog, where consumers share ideas with the company. The customer feedback received via the blog and social networks led to the creation of a store-finding and menu-information application for the iPhone, and a second application that will let customers use the iPhone as their Starbucks card. According to Stephen Gillett, Starbucks’ chief information officer, “We think it’s really talking to our customers in new ways.”[26]

Once you’ve started the conversation, you can use social media to provide nearly instantaneous customer service and receive customer feedback. Major credit card companies and international banks are providing customer services via Twitter. Think kids say the darndest things? Wait until you see what customers say once they start talking.

A major retailer launched its Facebook page in July 2009. In September, the company posted a seemingly innocent question: “What do you think about offering [our site] in Spanish?” The company didn’t get the constructive dialogue that it was looking for. According to the company’s senior director of interactive marketing and emerging media, “It was a landmine. There were hundreds of negative responses flowing in, people posting racist, rude comments.” Oops, now what? Do the tenets of free speech demand that a company leave such comments posted on its branded social media page? Or, can the company selectively remove such comments? In this case, they removed the post, hoping that the commenters would go away. They did…this time.

Still doubt the power of social media? In September 2009, a major washing machine company interacted with a so-called “mommy-blogger” through Twitter, turning what started out as a negative into a positive. After what she described as a frustrating experience with the company’s customer service representative and her new washing machine, Heather Armstrong, Tweeter and author of Dooce.com, aired her grievances with the company and its product on Twitter. Ms. Armstrong sent a Tweet to her more than 1 million followers urging them not to buy from the company. Three minutes later, another Tweet with more criticism. Another three, equally barbed Tweets followed. Within hours several appliance stores had contacted Ms. Armstrong via Twitter offering their services. Then came a Tweet from the manufacturer asking for her number, and the next morning a company spokesperson called to say they were sending over a new repairman. By the following day, the washing machine was working fine. That’s an example of tackling a social media problem creatively rather than deciding to let it slide, and turning it into a positive customer experience. And another twist: @BoschAppliances offered Ms. Armstrong a free washing machine, which went to a local shelter.

So what does a company do if it finds itself or its products the subject of a negative or false post? First, it depends on where the post was made. Was it a company-operated blog or page, or a third-party site? Second, it depends on who posted the negative comment. Was it a company employee? (See Chapter 6 – Employment) Was it the author of the blog? Was it a third-party commenter on a blog? Was it a professional reviewer (journalist) or a consumer? More perniciously, was it a competitor? Finally, the content of the post should be considered. Is a right of free speech involved? Was anything in the post false or defamatory? (See Chapter 2 – Commercial Litigation) Companies should seek to correct any false or misleading information posted concerning the company or its products. This can be done by either seeking removal of the false post or by responding to the post to provide the public with accurate information. Where a post is defamatory, litigation may be an option. (See Chapter 2 – Commercial Litigation) In the case of a negative (but truthful) product review or other negative opinion posted about the company, if the comments are made on a company-operated blog or page, the company, has the right to remove any posting it desires, subject, of course, to its policies and the terms on which the blog is made available. Where comments are made on a third-party’s blog, a company could attempt to contact the author of the blog and seek removal of the post. However, depending upon the content of the post, it may not be in the company’s best interest to take it down.

One of the central tenets of social media is open dialogue. Where a company avails itself of the benefits of social media but then inhibits the conversation by selectively removing posts, it may face a public-relations fiasco. One approach to responding to negative posts may be to have an authorised company representative respond to the post on behalf of the company in order to further engage the consumer in dialogue. If a company prefers not to have such a conversation in an open forum, the company could seek to contact the poster offline to discuss the poster’s negative opinion of the company or its products. This is the approach that this company took when faced with negative Tweets from Ms. Armstrong.

User-Generated Content

United States

UGC covers a broad spectrum of content, from forum postings, to photos to audiovisual content such as video, and may provide the greatest potential for brand engagement. Companies frequently and increasingly create promotions around UGC (for example, urging consumers to submit content-rich descriptions of why they love a certain product or service). Don’t think, however, “the consumer did it” is an iron-clad defense against claims of intellectual property infringement or false advertising. Especially in contests that are set up as a comparison of one brand to another, things can get dicey.

Following the court’s denial of its motion for summary judgment, on February 23, 2010, Quiznos settled its nearly three-year-old dispute with Subway stemming from the “Quiznos v. Subways Ad Challenge.” The Challenge solicited videos from users depicting that Quiznos’ sandwiches have more meat than Subway’s sandwiches. In 2007, Subway filed a lawsuit against Quiznos[27] claiming that by airing the winning video from the Quiznos contest, Quiznos had engaged in false and misleading advertising under the Lanham Act. In denying Quiznos’ motion for summary judgment, the court found that Quiznos was a provider of an interactive computer service, but declined to decide whether the UGC videos at issue were “provided” by Quiznos or by a third party (a requirement for CDA immunity). The court determined that it was a question of fact as to whether Quiznos was actively responsible for the creation of the UGC.[28]

Following the court’s decision in the Quiznos/Subway case, the question that remains is: how much control is too much? At what point, is a sponsor of a UGC promotion “actively responsible” for the UGC?

As discussed in the section on “Branded Pages” above, if a company is accepting UGC submissions through use of a third-party platform (e.g., Facebook or YouTube), odds are that the third-party’s terms of service already prohibit content that is infringing, defamatory, libelous, obscene, pornographic or otherwise offensive. Nonetheless, whenever possible, a company should establish community requirements for UGC submissions prohibiting, for example, infringing or offensive content. Similarly, although the third-party’s terms of service most likely provide for notice and take-down provisions under the DMCA, companies should have procedures in place in the event they receive a notice of copyright infringement. Another reason to implement your own policy is that the services such as Facebook and Twitter may themselves have a safe harbor defense as Internet service providers under the DMCA, whereas a company using an infringing work in a commercial context, whether or not through a third-party service, would not likely have such a defense available to it should an infringement claim arise. Although the third-party’s terms of service provide a framework for both a company’s and an individual user’s activities, it is still recommended that a company monitor its branded page for offensive content, blatant copyright infringement, or submissions obviously made by, or containing, images of children. In advance of the UGC promotion, companies should establish policies concerning the amount of monitoring, if any, they plan to perform concerning content posted via their branded pages.

In addition to issues relating to content and intellectual property, companies should take steps to ensure that UGC displayed on their social media pages does not violate the rights of publicity of the individuals appearing in the displayed content. In January 2009, a Texas teenager and her mother sued Virgin Mobile for using one of her personal photos uploaded on Flickr for an Australian advertisement. The lawsuit insisted that Allison Chang’s right-of-publicity had been exploited and that the use of her photo violated the open-source license under which her photo was submitted. Although the case was dismissed over a discrepancy in jurisdiction, the message is clear that if you seek to use UGC in a commercial context, whether or not on a social media page, best practice would be to obtain releases from any individuals depicted in your work.

Companies should make clear that by submitting UGC to the company, the submitter is granting the company a worldwide, royalty-free right and non-exclusive license to use, distribute, reproduce, modify, adapt, translate, publicly perform and publicly display the UGC. However, this does not give a company a license to transform the UGC into a commercial or print advertisement. In fact, in the event that a company seeks to transform a UGC video into a television commercial or made-for-Internet commercial, the company must obtain a release from any individuals to be featured in the ad and take into consideration the SAG and AFTRA requirements set forth in the commercials contract.

United Kingdom

A question that arises often where a company includes social media elements or features on its own properties, or in advertising or promotional campaigns, is whether those elements or features should be moderated.

A conservative and perhaps safer approach is for brands to moderate sites for unwelcome content or comments. Moderation can take several forms: (i) pre-moderation; (ii) post-moderation; and (iii) reactive moderation. The fact that moderation affords control to the brand owner and helps them limit any potentially risky business means that brand owners often favour a pro-moderation approach. However, moderation itself can be a risky business and can sometimes be one that advertisers and their advertising agencies or others ought not to do themselves.

By checking all material prior to publication, the operator of a site could be said to assume responsibility for the material that appears. This makes pre-moderation a relatively high-risk and labour-intensive approach. However, many brand owners feel uncomfortable about not moderating, and the decision may well come down to the sort of site in question. For example, we recommend that any site used by children ought to be properly moderated by specialists who are also provided with guidelines on how to carry out their role. Equally, sites that carry less risk may be better suited to a post-moderation or even reactive moderation approach, whereby moderation only takes place in response to feedback from users.

We recommend that moderation, and whether to take responsibility for moderation, be considered carefully, taking into account the nature of the product or service in question and the potential propensity for damage to the brand. In some circumstances, it may be appropriate to outsource moderation activity to a specialist company that can shoulder the administrative burden. In addition, sites that carry user-generated content should include terms of use with appropriate warranties. Finally, brands may wish to seek insurance for liability created by user-generated content.

Where advertisers are considering using third-party sites for advertising purposes (for example, Facebook), they may also consider whether or not to moderate the areas of the site that are within the control of the advertiser.

The alternative to a moderated environment is for a brand or agency to allow the site or property to operate without moderation. There are many downsides to this approach. For example, when content is unmoderated, the quality of material posted is difficult to control. There is, on the face of it, a legal advantage to unmoderated sites, in that a brand or site operator can more easily seek an exemption from liability for anything that is defamatory, infringing or otherwise unlawful. This exemption is afforded by local laws deriving from the E-Commerce Directive, as discussed in later chapters, and the only material condition of the exemption is that the operator of the site provides a process for removing offending content expeditiously upon being made aware of it. However, guidance from UK government agencies counsels against unmoderated environments generally.

In the case of either moderated or unmoderated sites, it is essential that the process for the removal of content is easy, and that concerned individual users can report inappropriate content to the operator swiftly. The operator must then be able to deal with the complaint or problem and have clear guidelines for doing so. It is recommended that operators provide a link on each page of the website that clearly directs users to the process for reporting inappropriate content. Phrases such as “Report Abuse,” “Complain about this content” or “Flag as inappropriate” are all commonly used as links. The operator of a site should also require clarity in a complaint and seek to ensure the user is required to explain exactly why a complaint is being made, so as to enable the assessment of the merits of any objection.

Germany

The laws in Europe concerning liability for UGC are similar to those in the United States in some respects, but in other areas are markedly different. Importantly, the laws in Europe are developing quickly in this area and are, some might say, becoming more conservative and in favour of rights holders than in the United States.

The European Union regulated certain aspects of electronic commerce in its Directive 2000/31/EC (“Directive”). The Directive was introduced to clarify and harmonise the rules of online business throughout Europe, with the aim of boosting consumer confidence. It also seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between the Member States. The Directive applies to the Member States of the European Economic Area (“EEA”), which includes the 25 Member States of the EU plus Norway, Iceland and Liechtenstein.

The Directive contains specific provisions on liability for hosting services. The general principle is that a service provider shall not be liable for the information stored if the provider does not have actual knowledge of illegal activity or information, and where a claim for damages is made, is not aware of facts or circumstances from which it would have been apparent to the service provider that the activity or information was unlawful. If the service provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, there is no liability. Hence the service provider must act immediately upon gaining knowledge that the material is unlawful by either removing or disabling access to the material.

The Directive further makes clear that a service provider has no obligation to monitor the content. The Directive states that Member States must not impose a general obligation on service providers to monitor the information that they transmit or store. A service provider can make use of the aforementioned limitations in liability as long as it is clear that the content is content from someone else, i.e. UGC. Hence in case of UGC advertisements or uploads, the service provider has to avoid assuming such UGC as its own content to avoid liability in connection with such content. The critical question for companies using UGC arises when the company assumes UGC as its own content. It is likely that UGC will be considered as a company’s content if it is made as part of the company’s own offering. A recent decision of the German Supreme Court[29] illustrates the thin line between third-party content and own content. In the case, the defendant offered free cooking recipes on its website www.chefkoch.de.  Every user can upload its own recipes with pictures on that website. One user uploaded a picture from a different cookbook website – the plaintiff’s. The Supreme Court considered the defendant liable as publisher of the picture by placing its logo on each uploaded recipe, among other things. The defendant hence should have checked the legality of each picture that was uploaded by users. In practice, this may be an impossible task. Many companies that attempt to “clear” user-uploaded content before publication find that the majority of submissions are unusable.

Even if a company does not assume responsibility for third-party content, it is crucial that terms and conditions set forth clear rules regarding UGC.

The Bottom Line: You need to have specific Terms and Conditions in place regarding content uploaded by users. Those terms and conditions should specify that such content does not violate any third-party rights, including moral rights and copyrights, and does not contain any defamatory, libelous, racial, pornographic content. You should indicate UGC as such. You should not use UGC for your own offering or otherwise you might assume liability for its content. You need to observe the notice and take-down principle. In case specific illegal content will be repeatedly uploaded, you need to take measures to prevent such continuous infringement, i.e., terminate user access, or install certain filter software. You must not automatically assume that you will be protected by safe harbour defences.

Talent Compensation

Commercial or Content?

In traditional television and radio media, the 30-second spot has reigned supreme as the primary advertising format for decades. Within that format, in order to help create compelling TV and radio spots, advertisers have frequently engaged professional on-camera and voiceover actors pursuant to the terms contained in industry-wide union contracts with the Screen Actors Guild (“SAG”) and the American Federation of Television and Radio Artists (“AFTRA”), as well as musicians under a contract with the American Federation of Musicians (“AFM”).[30] Those contracts dictate specific minimum compensation amounts for all performers who appear in commercials, depending upon the exhibition pattern of those spots.

Now, with companies rapidly shifting advertising dollars online, the cookie-cutter paradigms of traditional media have given way to the limitless possibilities of the Internet, mobile and wireless platforms and other new media—including social media. While 30-second spots remain one part of the new media landscape, creative teams have been unleashed to produce myriad forms of branded content that straddle traditional lines separating commercials and entertainment. This has understandably created confusion and uncertainty amongst advertisers, agencies, talent and studios, to name only a few of the major players, with respect to the applicability of the SAG, AFTRA and AFM contracts in these unique online and wireless venues.

As a threshold matter, it is important to note that the SAG, AFTRA and AFM contracts apply only to Internet/New Media content that falls with the definition of a commercial. Commercials are defined as “short advertising messages intended for showing on the Internet (or New Media) which would be treated as commercials if broadcast on television and which are capable of being used on television in the same form as on the Internet.” Put simply, if the content in question cannot be transported intact from the Internet to TV or radio for use as a commercial, then it is not covered by the union contracts and the advertiser is not obligated to compensate performers in accordance with those contracts, and can negotiate freely for appropriate terms. Thus, branded entertainment content and other forms of promotion that don’t walk and talk like a commercial will not fall within the coverage of the union contracts.

Made Fors and Move Overs

If the content in question does fall within the definition of a commercial, the advertiser must determine whether the content constitutes an original commercial designed for Internet/New Media exhibition (a so-called “Made For”) or an existing TV or radio commercial transported to the Internet/New Media (a “Move Over”).

If the commercial is a Made For, under current provisions in the union contracts, advertisers may negotiate freely with the performers for appropriate terms, with no minimums required, except that pension and health contributions must be paid on any amounts paid. Note, however, this period of “free bargaining” will expire April 1, 2011, at which time contractual minimums will apply absent any new understandings mutually agreed upon.

In the case of Move Overs, the union contracts do provide for minimum levels of compensation, depending upon the length of use for the spot. For eight weeks or less, performers must be paid 133 percent of the applicable session fee. For a one-year cycle, payment equals 350 percent of such fee.

User Placed or Generated Content

As noted above, the union contracts that govern the payment of performers are generally based upon the exhibition patterns for commercials. But what happens when we enter a world where advertisers no longer control where and when commercials appear (e.g., YouTube)? Or to go even one step further, what happens when the advertiser doesn’t even produce the commercials? Is the advertiser obligated to pay the actors under the union agreements? The answer is “no,” but the person who posted the materials without permission is liable for invasion of privacy and publicity. Unfortunately, the pockets of those posters are generally too shallow to warrant an action by the actor.

These are fertile areas for disagreement between the advertising industry and the unions. But the industry position is clear: an advertiser cannot be held liable for compensating performers for an unauthorised exhibition of a commercial, nor is that advertiser responsible for policing such unauthorised use. Similarly, an advertiser cannot be held responsible for paying performers who appear in user-generated content, so long as the advertiser hasn’t actively solicited and exhibited that content.

Current Legal and Regulatory Framework in Advertising

United States

Depending on the advertising activity, various federal and/or state laws may apply including, for example, section 5 of the FTC Act (See Chapter – 2 Commercial Litigation), the Lanham Act (See Chapter 2 – Commercial Litigation and Chapter 14 – Trademarks), the DMCA, the CDA (See Chapter 2 – Commercial Litigation), CAN-SPAM and state unfair trade practice acts.

Europe

The Directive 2006/114/EC dated 12 December 2006 regulates misleading and comparative advertising; the Directive 2005/29/EU dated 11 May 2005 regulates unfair business-to-consumer commercial practices.

In addition, there are numerous self-regulatory regimes and organisations dealing with advertising regulation. These national bodies cannot be ignored. On a European level, the European Advertising Standards Alliance (“EASA”) acts as the chief self-regulator. EASA is based in Brussels and is a European voice of the advertising industry. It acts as the European coordination point for advertising self-regulatory bodies and systems across Europe.

Bottom Line—What You Need to Do

Social media implications and applications to advertising and marketing cannot be ignored. While active or passive participation can enhance and promote brand presence, a danger of brand damage also always exists, and risks should be minimized by prudent planning. All companies, regardless of whether or not they elect to actively participate in the social media arena, should have policies in place to determine how to respond to negative comments made about the company and/or its brands. Companies that seek to play a more active role should have policies in place that govern marketing agency and/or employee interaction with social media, as well as the screening of UGC. It is critical, however, that companies not simply adopt someone else’s form. Each social media policy should be considered carefully and should address the goals and strategic initiatives of the company, as well as take into account industry and business-specific considerations.

Companies operating campaigns in numerous jurisdictions, even across Europe, cannot take a one-size-fits-all approach to compliance with advertising laws and regulation. By its nature, social media has additional pitfalls for advertisers. A non-compliant or culturally insensitive message on a social media destination can cause significant harm to a brand.

Social Media in Action in Data Privacy & Security

Personal data collected by social media companies is at risk from all sides. Thieves want to profile, steal and resell personally identifiable information and data. Employees are tempted to misuse customer data, for monetary gain or to satisfy idle curiosity, perhaps with no malicious purpose at all.[5]  Even standard business processes pose risks to personal data. Not forgetting that social media companies themselves want to gain commercial leverage from the data collected.

Social media enterprises collect, store, use, share, and dispose of personal data every day, including eCommerce-related non-public financial information (for example, credit, banking and payment information). Each of these inflection points is an opportunity for something to go wrong, for a law to be broken or a data subject put at risk. This chapter explains some things social media companies and companies that use social media should know.

Company Obligations Set Forth in the User Agreement

User agreements are private agreements between the publisher and its users, and they define the rights and obligations of each party. Typically, user agreements have at least two components: (1) a privacy policy and (2) a terms of use. While there is no legal distinction between putting them into one document rather than splitting them, social media and web-based services recognise the increased importance privacy and data protection play—not only in law and regulation, but also to consumers. In Europe, regulatory guidance suggests separating terms of use and terms relating to data protection and privacy. Creating a separate document, page or display makes these terms conspicuous, and in a visual and distinctive manner create a better “notice and disclosure” or transparency and consent argument, should a consumer or a regulator challenge the efficacy of notice to consumers.

Privacy policies are statements made by companies about their practices regarding personal information. Companies on the Internet, social media or otherwise, post privacy policies to disclose information practices in accordance with federal and state statutes.[6] Terms of use, on the other hand, describe the terms and conditions governing the relationship between the user and the publisher or operator of the service. Because privacy policies are effectively part of the terms and conditions—the rights and obligations—between the parties, we may simply refer to them as the “agreement” in these materials.

Because these agreements run between and among publishers and users (and sometimes a company that is using a service or website), a company’s obligation with respect to personal data will change depending upon whether it is the social media service (e.g., Facebook, MySpace or Twitter), a company-sponsored fan site (e.g., a Starbucks sponsored fan site on MySpace) or an unrelated third-party fan site.

Social Media Companies

Social media companies, as authors of these agreements, have the primary responsibility to ensure all personally identifiable information that is collected, used, stored and shared, is used in accordance with the user agreement (and, of course, law and regulation). But, this does not mean that social media companies must be overly conservative in their user agreements. Most social media companies do not charge any recurring user fees for use of their site or service. So, access to and data from users in the community is a social media company’s primary commodity to monetise the site.

This ability to commercially exploit data is tempered by data protection and privacy laws. The need for ‘information monetisation’ can create in an adversarial relationship between the site user and the social media company. As a result, many consumer advocacy organisations are analysing and notifying consumers of updates to social media website user agreements.[7] These consumer watchdog organisations can generate considerable controversy; take for example, Facebook’s Terms of Service update in February 2009. At that time, The Consumerist flagged a series of changes to the Facebook Terms of Service, including deletion of the following text:[8]

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

From this deletion, The Consumerist author, Chris Walters, opined that: “Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later,” Walters wrote. “Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your own content.” Ultimately, The Consumerist blog created a firestorm, which caused Facebook to repeal its Terms of Service changes three days after the blog was posted.

The Terms of Service change is not the only example of the tension created over the use of consumer information and consumer disclosures. In the early days of 2007, Facebook launched its Beacon advertisement system that sent data from external websites to Facebook, ostensibly for the purpose of allowing targeted advertisements. Certain activities on partner sites were published to a user’s News Feed. Soon after Beacon’s launch, civic action group, MoveOn.org, created a Facebook group and online petition demanding that Facebook not publish their activity from other websites without explicit permission from the user.[9] In less than ten days, this group gained 50,000 members. Beacon amended its Terms of Service as a result.[10] A class action lawsuit was filed against Facebook as a result of Beacon. The lawsuit was ultimately settled in September 2009[11], and the Beacon advertisement service was shut down.

Facebook has, nonetheless, continued to press on the outside of the envelope with respect to consumer privacy. At the F8 Conference this April, Facebook announced a series of changes to its privacy policies sure to draw considerable attention.[12] The changes include:

Allowing external websites to add a “Like” button. If the user of that external website clicks the “Like” button, that user’s Facebook page will be modified to reflect information about the user’s use of that external site. The user’s Facebook friends will be able to view such information.

Partnering with sites like Pandora and Yelp! to provide for “instant personalization.” This means that when a Facebook user visits those sites, unless she has taken specific elections on her Facebook privacy settings, those sites will download “can pull in information from your Facebook account, which includes your name, profile picture, gender and connections (and any other information that you've made visible to the public). If you visit Pandora, for example, the site could also pull in your favorite music artists, create playlists accordingly, and then notify your Facebook friends.”[13]

In the immediate aftermath of the Facebook changes, members of the United States Congress have already expressed intent to pass laws putting the onus on companies like Facebook to get specific consent from consumers before rolling out new information sharing platforms.[14]

Compared to the United States, Europe has traditionally taken a more stringent approach to data protection. Article 8 of the Charter of Fundamental Rights of the European Union explicitly provides a fundamental right to protection of personal data within the EU. There is also a greater focus on raising awareness. For example, Europe even organised a “European data protection day”, held annually on 28 January.[15] As a result, social networking sites tend to be the subject of far greater public scrutiny than in the United States. Privacy groups and thorough press coverage ensure that any changes to the privacy policies of service providers and any risks or abuses related to these services are comprehensively discussed and brought to the attention of social media users. The Guardian story covering the changes to Facebook’s Privacy Policy in 2009 titled “Facebook privacy change angers campaigners”[16] and a headline from The Sun titled “Teen Weapons Shock On Bebo”,[17] are just two examples of the press coverage social networking sites receive.

Company or Third-Party Sponsored Fan Site or Portal

Many companies, however, do not own or operate a social media website, and thus, do not author the social media user agreement. Instead, these companies are monitoring content regarding their products and services on fan sites/portals run by another company. For example, Starbucks does not operate its own social media website, but operates portals on MySpace, Facebook, Twitter and YouTube. The key for removing information that may be detrimental to Starbucks or any brand is to know where the content lies (on a company or third-party sponsored portal), and the user agreement of the social media website the offending information lies upon.

For portals or fan sites that are sponsored by the marketing company, it is simple for the company to remove offending information. Facebook, MySpace and YouTube offer page administration options for content removal on company-sponsored portals. For these services, the company can directly control content posted to the portal by designating in its administrative options to pre- or post-screen user-generated content. Twitter, however, works differently. On the company-sponsored Twitter profile, the company can control what “Tweets”[18] it sends to its followers, but the company cannot directly control what is “retweeted”[19] by others from the company-sponsored tweets.[20]

For portals or fan sites that are not sponsored, it is more difficult to administer content and remove known privacy violations. Removal of third-party content involving your company or brand is governed by the respective social media site’s user agreement. These will be different depending on the site or service. Take, for example, if one of your employees records a confidential session (a health care visit, tax preparation, loan application meeting, etc.) between the employee and one of your customers. Could the company seek removal of the confidential video? The question of whether a corporation could remove this content on behalf of its customer is different depending upon what social media service is used.

• On YouTube the answer is no. On YouTube, the remedy for removing content is flagging it for removal. Under the YouTube privacy policy, YouTube will not permit privacy flagging on behalf of other people.[21] Alternatively, companies could issue cease-and-desist e-mails directly to the employee posting the content on YouTube.
• On Facebook the answer is possibly. On Facebook, the remedy for removing content is reporting abuse of Facebook’s Statement of Rights and Responsibilities (the “Terms”).[22] In Section 5 of the Terms, Facebook will not permit posting of “anyone’s identification documents or sensitive financial information on Facebook.”[23] Depending on the content of the private information disclosed in the videotaped confidential meeting, a company could report a violation on behalf of its customer.
• On MySpace the answer is yes. On MySpace, the remedy for removing content is submitting a request to delete inappropriate content that violates the website’s Terms of Use Agreement.[24] Under the Terms of Use Agreement in Section 8, any postings that would violate the privacy and/or contractual rights of another party are prohibited.[25] In this scenario, there would be both an individual privacy right on behalf of the customer and a contractual confidentiality right of the company (provided a proper confidentiality provision is in place with the employee).

Notwithstanding the removal of some content by social network providers from the service, it may still surprise some users how their data is stored and used by social networking sites, even in some cases after it has been removed or the user is no longer a member of the site. In addition, social media sites employ technological measures that recognise a user’s computer. For example, according to Twitter’s terms of use, Twitter can collect and use a user’s “automatic” information, such as a user’s IP address or cookies. Whether these provisions will be sufficient to satisfy the upcoming changes in law which will require Twitter to obtain European users’ consent before using their cookies remains to be seen.[26]

Notwithstanding the contractual user agreement rights and obligations on social media, a number of national and international laws also govern this area.

Company Obligations Set Forth in National and International Law

U.S. position

Today, businesses operate globally with technology that knows no national boundaries. Nothing comes more naturally than sharing and sending information halfway around the world. Social media epitomises that modern, global ethos.

Every jurisdiction in the world can claim the right to protect its citizens–and information about them. The United States has a very different concept of “personal information” and adequate protection of it than the European Union; the European laws are not necessarily across all of its Member States. And so it goes, in every part of the world. A social media company can be completely compliant with United States law and still run afoul of legal mores elsewhere. By way of example, Facebook experienced a culture clash with Canada’s privacy commissioner with respect to the disposal of personal information. Facebook had been retaining data on subscribers who quit, so that they could more easily rejoin should they choose to do so later. Canada’s privacy commissioner determined that Facebook’s retention of data was a violation of Canada’s Personal Information Protection and Electronic Documents Act, and negotiated a settlement that provides that, “Collected personal information can be kept only for a specified time and must be deleted or destroyed when no longer needed.”[27]

Europe position

Social media services accessible in Europe will also have to comply with the relevant legislation, the implementation of which may differ between Member States. They may also be subject to any additional national measures.

The EU’s Article 29 Data Protection Working Party has set forth an opinion on online social networking.[28] This Opinion, adopted June 12, 2009, opines that “social networking services” or “SNS” are generally data controllers, and SNS subscribers are generally data subjects. In the view of these authors, even those SNS located outside the EU are bound to respect EU strictures on data processing and onward transfer as to residents of EU member countries. Where a subscriber’s information is only available to a self-selected circle of friends, the Opinion posits that the exception allowing sharing of personal information within households applies. However, when access to the subscriber’s information is shared more broadly, with or without that subscriber’s consent, “the same legal regime will then apply as when any person uses other technology platforms to publish personal data on the web.”[29] The Working Paper goes on to state a number of other positions regarding marketing by SNS, complaint procedures, and (advocating) the availability of pseudonyms.

United Kingdom position

The UK has its own domestic data protection law in place which implements the EU Data Protection Directive.[30] The Data Protection Act 1998 (‘Act’) requires organisations processing personal data to comply with eight distinct data protection principles. The UK also has in place domestic legislation implementing the EU e-Privacy Directive.[31]

The UK Government is currently at odds with the European Commission for failing to properly implement the Data Protection Directive and e-Privacy Directive at national level. The European Commission commenced infringement proceedings against the UK for its failure to guarantee the confidentiality of electronic communications (such as emails and internet browsing) which protection is otherwise enshrined in European legislation. This action was triggered by secret trials conducted in 2006-2007 by the UK telecommunications provider, British Telecom, of a behavioural advertising technology being developed by the company Phorm. This technology enabled the monitoring of an individual’s Internet use without the user’s consent or knowledge, the results of which enabled companies to more effectively target advertising to users. In a failed attempt to bypass data protection laws, Phorm matched a user’s IP address with a unique identifier which was then provided to advertisers, together with profiling information about browsing history. If the UK fails to change its domestic legislation to ensure the privacy of online communications, this action may result in a hearing before the European Court of Justice.[32]

Privacy Policies/Notices: Guidance and General Principles

On both sides of the Atlantic surveys have been carried out to assess whether privacy policies sufficiently and clearly inform users of how their personal data will be used and for what purposes. Although in the UK privacy policies are not a legal requirement under the Act, a privacy policy is a simple way to satisfy the fair processing requirement, which is one of the data protection principles under the Act. Regulatory guidance supports the use of clear and simple privacy policies which adapt a “layered” approach, with the most important information highlighted in a clear manner.

Nonetheless, the surveys have highlighted a need for existing privacy notices to be clearer and more user-friendly. As a means to an end, organisations should make sure that their privacy policies focus primarily on informing the consumer and not on protecting the entity.[33]

Privacy policies should be reviewed regularly to make sure that they continue to comply with any changes in the data processing activities of an organisation and the relevant data protection and privacy laws applicable.

There are obvious benefits to ensuring privacy policies are transparent. Not only will consumers be less likely to complain, it may also provide a competitive advantage from consumers having more confidence in the organisation and how their personal data is being processed. This may lead to consumers entrusting the organisation with further personal data it would not otherwise have received. This seems to be one of the most important trends in social media today – do users trust the site operator?

The Next Direction in Privacy Law [34]

The main challenge for social media companies is that the regulatory privacy obligations seem to be developing on-the-fly in this area. There was no US law clearly forbidding Facebook from partnering with several dozen other sites to share information regarding subscriber usage of affiliate sites. There was no law clearly forbidding Facebook from making such activity logs visible to the subscribers’ friends. Facebook even provided a pop-up, opt-out mechanism to help respect subscriber privacy choices. Yet following a class action lawsuit, discussed above, Facebook shut down its Beacon program and donated $9.5 million to a non-profit foundation to promote online safety and security.[35] Clearly, as important as existing laws are the developing sensibilities of both consumers and privacy officials. The predominant theme appears to be a profound antipathy toward the aggregation and use of information of consumer behavior, however well disclosed. Social media companies need to proceed very carefully in capitalising on the wealth of information that they are assembling, developing subscriber and policymaker support for programs in the works, and adequately disclosing program information to consumers, at a minimum, in the user agreement. Moreover, companies need to realise that even where the law has been slow to catch up, consumer reaction and the threat of regulatory or legal action has often shaped privacy practices in social media. Keeping on top of those trends is critical.

Take, for example, the 2009 global industry initiative to address concerns over behavioral advertising. In 2009, the American Association of Advertising Agencies, Association of National Advertisers, Interactive Advertising Bureau, Direct Marketing Association and the Better Business Bureau, completed a joint business initiative and released the “Self-Regulatory Principles for Online Behavioral Advertising”.[36] The trade groups worked closely with the Council of Better Business Bureaus in crafting the principles. The initiative was in response to urging by the FTC that unless the industry adopted polices, government regulators would step in.

The industry effort covers the categories the FTC identified as the key areas of concern: education, transparency, consumer control, data security, material changes, sensitive data and accountability. The Council of Better Business Bureaus, along with the Direct Marketing Association, are now developing additional policies to implement accountability programs to give some teeth to the self-regulatory rules and to foster widespread adoption of the principles.

This initiative appears to have now crossed over to Europe and there is discussion of a special “behavioural” advertising logo that will be displayed in all behavioural advertising. Looking forward, privacy and data protection law will continually be outpaced by technological developments. To take a recent example, the Google Buzz social networking service that was launched in February 2010 has been at the centre of a torrent of criticism by users and privacy groups who claim that the new service has violated rights to privacy. Google Buzz was an attempt by the search giant to convert its Gmail service into a social network. A particularly controversial feature was that Gmail users were automatically signed up to Buzz and a ‘ready-made’ social network of ‘friends’ for them to follow was created using information from Gmail accounts of the contacts with whom they most frequently email and chat.

Following the ferocity of public reaction, Google has been forced to adapt many of the features of Buzz, including removing the automatic links between Buzz and content posted by users on other Google services (e.g., Picasa photo albums), making the option to opt-out of Buzz altogether more prominent in the email facility and adopting an ‘auto suggest’ rather than an ‘auto-follow model’. In April 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of the data protection authorities in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom sent a strongly-worded letter to the chief executive officer of Google Inc. to express their concerns about privacy issues related to Google Buzz.[37]. The authorities noted that:

“While your company addressed the most privacy-intrusive aspects of Google Buzz in the wake of this public protest and most recently (April 5, 2010) you asked all users to reconfirm their privacy settings, we remain extremely concerned about how a product with such significant privacy issues was launched in the first place.” And, in a statement seemingly directed at every company looking to launch innovative products in this space, the regulators warned, “It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.”

Whilst legal action by users who feel their rights have been infringed is inevitable (for example, a woman in Florida has already instructed lawyers regarding the misuse of her personal data), the problem for Google may spread far wider. In trying to make the “getting started experience as quick and easy as possible”[38] to compete with other social networking services, they have potentially alienated users and may now have a harder task convincing the millions of users on Facebook and Twitter to migrate to Buzz instead.

Another social media phenomenon is the exploitation of geo-location technology. Four Square is a location-based game which can be downloaded onto a user’s phone and which turns city maps into a game board. Users can “check-in” via their phones and this information is fed to Twitter, where the user’s location is made public. By “checking in,” the application is able to recommend places to go, things to do nearby and tips from other users for that location. Whilst this application clearly has its benefits, users appear undeterred by the implications of revealing their whereabouts, or, indeed, where they are not; this could pave the way for a new wave of privacy concerns.

Company Engagement in (or Avoidance of) Third-party Legal Disputes

Increasingly, information gathered by social media sites is at the center of legal controversies to which social media companies themselves are strangers.

• Social media sites are routinely used for sting operations seeking out sexual predators.[39]
• On the other hand, one criminal defendant in a forcible rape case tried to enter into evidence the victim’s Facebook status page. He claimed that this social media showed that the victim’s complained-of bruising resulted from heavy drinking on other occasions.[40]
• A Canadian court allowed discovery of a Facebook profile in a motor vehicle accident suit, despite the document being subscriber-designated as limited access.[41]
• If an employer terminates an employee for cause, recommendations that the employers had made regarding that employee on a site like LinkedIn may be evidence of pretext.[42]
• Subscribers’ posts may violate their own company’s privacy policies, or even reveal their own company’s trade secrets.[43]
• Subscribers may later regret their social media postings, but the evidence that those posts were made can be crucial and published if there is a public interest justification.[44] One MySpace subscriber posted an article heavily critical of her hometown. Six days later she removed it. But, in the meantime, it had been republished in her hometown newspaper, arousing the ire of her community to the extent her family had to close its business and move. The subscriber sued the paper who republished the article. The court held that the initial MySpace publication made any subsequent republication fair game, and non-actionable.[45]
• Presenting perhaps even additional complications, courts in some countries, like New Zealand and Australia, have allowed official court process to be served over social medial sites.[46] The UK Courts are following New Zealand and Australia having recently allowed an injunction to be served on a defendant through Twitter for the first time.[47]

Both the social media enterprise and individual companies on social media can protect themselves. As stated above, each social media enterprise already has (or should have) a detailed suite of policies, reflected in the user agreement, to determine how the company fits in to the substance and process of third-party legal actions. Likewise, all companies should put policies in place governing employees’ actions on social media to avoid company vicarious liability.

Ultimately, subscribers should also take steps to protect themselves because regulators can do only so much to protect subscribers’ personal data and privacy.

Children

The popularity of social networking with young people makes the issue of data protection and privacy more acute. A central concern is that young people lack the awareness of the associated risks of these services and the potential for abuse when revealing personal data. Online risks for young users include illegal and age-inappropriate content, improper contact and conduct, including victimisation or grooming and potentially risky behaviors. Whilst the United States has laws and regulations to protect the privacy of children online, the FTC has announced plans to accelerate review of its regulations with an eye towards imposing more stringent standards.[48]

The impact of digital media on privacy issues for young people has been a key focus in both the UK and throughout Europe. In the UK, for example, the Information Commissioner has published numerous good practice notes for website operators whose sites are directed at children. The Home Office Task Force on Child Protection on the Internet has also published in 2008 good practice guidance for providers of social networking and other interactive services[49].

Whilst a focus of legislators has been to raise awareness amongst users of the risks associated with social networking (for example, through the annual EU “Safer Internet Day”), more recently there has been a focus on the contribution that service providers can make to security in the online environment. Following almost a year of discussions, in February 2009 the European Commission and major social networking companies, including Facebook, Bebo, and MySpace, agreed the “Safer Social Networking Principles for the EU”[50]. These principles were aimed at giving young people extra protection from violations of their privacy and the potential abuse of their personal information. Key principles include: ensuring services are age-appropriate for the intended audience[51]; empowering users through tools and technology to manage the service[52]; providing easy-to-use mechanisms for users to report conduct or content that violates the Terms of Service of the provider; encouraging users to employ a safe approach to personal information and privacy; and assessing the means for reviewing illegal or prohibited content.

However, a year on, the review of the implementation of the principles published by the European Commission on 9 February 2010 suggests that whilst the principles have been a step forward in tackling online risks for young people, more still needs to be done. According to the Commission less than half of social networking companies make profiles of users aged under 18 visible only to friends by default, and only one-third replied to user reports requesting assistance.[53] Whilst currently the Commission is in favor of a multi-stakeholder collaboration with providers and adopting a ‘best practice approach’ to manage potential risks, if providers do not toe the line, the consequence may be regulatory intervention.

Protections To Deter Criminal Activity

Data security class action litigation usually focuses not on the (often judgment-proof) criminal wrongdoers themselves, but on the companies those wrongdoers happened to work for, with, or through. Moreover, governments around the world have drafted businesses into the war against identity theft. Hefty fines can result from a lack of due diligence.

The penalties for breaches of the Data Protection Act 1998 in the UK are currently under review.[54] The UK Government has proposed to put in place tougher sanctions to act as deterrents, for example, up to two years imprisonment and maximum fines of £500,000, the latter of which is expected to take effect in April 2010.[55] The UK, as well as other European countries, is taking data protection law seriously, and service providers should bear this in mind.

In social media enterprises, an even greater risk than identity theft or financial fraud exists. Users of social media have been exposed to emotional abuse[56] and have been sexually assaulted,[57] among other crimes. Attempts have been made to hold the social media enterprises themselves liable for not doing more to stop these abuses. Whilst legal actions have generally not resulted in recovery against social media enterprises, the attendant bad publicity and subscriber concern carry a cost of their own.

Where there is a pre-existing protective order in place, even the simple act of making a friend request via a social media service can rise to the level of criminal contempt.[58] And, especially where the social media environment involves the creation or accumulation of some artificial currency, subscribers can also abuse the system to achieve property crimes or tax evasion.[59]

Precautions to detect likely criminal activity, to the extent practicable, and having social media employment agreements to establish company expectations, are essential for any business’s self-preservation. Typically, companies can take actions such as routine audits and establishing human resources notification policies for crimes involving employees in the workplace. Social media employment agreements are now essential for individuals doing work for your business. We recommend evaluating all of the types of individuals employed by your company and developing a social media agreement that will fit for: employees, contractors, hired talent (representing the company in an endorsement/marketing context), and outsourcing contracts, where applicable. (See Chapter 6 – Employment.)

Addressing Traditional Data Security Concerns

Every social media enterprise needs a comprehensive written information security program. The very open architecture that allows social media enterprises to thrive also allows information security threats to multiply. For example, the Twitter worm, “StalkDailey,” “can gain access to unsuspecting Twitter users by masquerading as the family, friends, and co-workers of the user.”[60] In fact, 19 percent of all hacking attacks were directed at social media enterprises in the first half of 2009, “ranging from simple defacement of sites, placing malware on them or using them to spread smear campaigns.”[61] Social media enterprises need to enlist not just their employees, but also their subscribers, in rapid response to developing privacy threats based on well-understood policies and procedures. Failing to do so may result in dilution of a brand’s value as regulators and consumers react to lapses in security.

A written policy is necessary, but not sufficient to ensure compliance. A written policy without implementation and adherence is a dead letter. Plain language review, easy-to-follow training materials, employee testing, vendor auditing, security breach drills, and the like are indispensible to making sure policy is part of day-to-day procedure.

At the same time, outreach to subscribers to let them know what to expect (and not expect) from the company will help subscribers defend themselves from spoofers, phishers, and similar would-be attackers.

Also, like every company, social media companies should have plans for: the protection and secure disposal of personal data (including in hard copy); the implementation of major litigation holds; and response to the loss or theft of personal data (including, where required or appropriate, through notice to data subjects).

Is the Company Properly Insured against Data Privacy Incidents?

The last risk you need to plan for is the risk that all other mitigation will, ultimately, not be sufficient. As noted above, no system is perfect. Data privacy and security lawsuits can cost millions or tens of millions of dollars to resolve. The right level of coverage, either under general policies or specific endorsements, is something that every company needs to determine on an ongoing basis.

Bottom Line—What You Need to Do

Understand the sensitive nature of information that flows through social media. Recognise the serious compliance and litigation risks that the collection and distribution of such information entails. Consider contractual tools to mitigate these risks, including properly drafted privacy policies and terms of use. Know your obligations under all applicable data privacy and security laws, and have a nuts-and-bolts plan to meet those obligations. Stay ahead of developments in data and privacy security law, so that, to the extent possible, the compliance program put in motion today will be deemed adequate even under the standards of tomorrow. Lastly, know your coverage position with respect to data privacy and security incidents, and properly adjust that coverage in light of known and suspected risks.

Social Media in Action in Product Liability

New Claims and Increased Exposure

The pharmaceutical and medical device industries are heavily regulated, for example, through the EC Medical Devices Directive. Specific rules govern what information a company can relay to patients or doctors through warning labels, package inserts, written correspondence, or visits to a doctor’s office by a company’s sales department. [1] Any communication by a company outside these regulatory parameters may be used against the company as evidence that the company acted in violation of government regulations, leading to a potential causes-of-action under strict liability and negligence.[2] (See Chapter 7 – FDA) For example, if a company has a blog or chat room where patients and/or doctors correspond with the company, this direct communication may include off-the-cuff comments that contain language outside the parameters of information that the company is allowed to relay regarding its products.[3]

Although these problems can occur even without social media, the sheer magnitude of social media outlets and the relative informality of their content greatly increases the risk that statements will be made that may be actionable in law. Similarly, social media exchanges leave a virtual paper trail that can be reviewed for an improper communication in a way that oral communications between a sales representative and a doctor cannot.

One cause of action stemming from such improvident statements or omissions is a claim for negligent misstatement.

An effective claimant’s lawyer is always looking for documents that show a company “puffing” or over-extolling the efficacy and safety of its products. Of great assistance to a claimant’s lawyer are documents that show a company making efficacy and safety claims about its products that are not entirely consistent with the company’s “confidential” internal documents or published material. When these inconsistencies arise—particularly when a company’s marketing department is not working closely enough with legal and risk management—the claimant lawyer is not only well-positioned to advance a relevant claim, but is also able to embarrass the company by asserting that it puts the company profits over safety and misleads patients and doctors, or simply its customers.

Additional problems can arise when a company sponsors third-party websites to promote its products. If the company has editorial rights over the content of the site, claimant lawyers may be able to convince a court that a company “ghost writes” information. “Ghost writing” articles or promotion materials takes place when a company pays an author to write an article that helps the company sell more product—i.e., the article states that a product does not cause an adverse event or that a product helps to solve a medical issue. Even if the research is sound, articles “paid for” by a company tend to look underhand and less sound than objective research in the eyes of the public. Where a company sponsors a site and has the ability to change content, the claimant will advance a “ghost writing” argument if litigation ensues, in an attempt to persuade the court that the company did not have the public’s best interests in mind. Similarly, using editorial rights to silence views critical of the company’s products—or favouring a competitor—would provide further arguments for a claimant lawyer. In addition, “ghost writing” can lead to unwanted, negative media attention for any company that is accused of using ghostwritten material for its benefit.[4]

If successful at portraying a company as a bad corporate actor, the claimant lawyer inevitably has an easier time proving all elements of a product liability claim (liability and causation), and positioning him or herself to secure damages award.

Bottom Line—What You Need To Do

By its very nature, social media often begets informal dialogue that is broadcast more widely than the traditional marketing media. The more that is said publicly, the greater the risk that what is said does not square with regulatory requirements and with what is said privately in internal, confidential company documents. For this reason, a company that chooses to use social media as a marketing or information tool must involve legal and risk-management departments in reviewing marketing’s use of chat rooms, blogs, and external third-party websites (and the content in those media). Failure to do so can result in heightened exposure to legal claims, large damages, and weakened defences.

Social media implications and applications to advertising and marketing cannot be ignored; where the consumers are, and where consumers go, marketing budget ultimately follows. All companies, regardless of whether or not they elect to actively participate in the social media arena, should have policies in place to determine how to respond to negative comments made about the company and/or its brands. Companies that seek to play a more active role should have policies in place that govern marketing agency and/or employee interaction with social media, as well as the screening of User-Generated Content. It is critical, however, that companies do not simply adopt someone else’s form. Each social media policy should be carefully considered and should address the goals and strategic initiatives of the company, and should take into account industry and business specific considerations.