Best practices for social and mobile media as privacy laws evolve

As social media and mobile devices and apps (“social-mobile”) continue to proliferate in the corporate enterprise, these new forms of collaboration and information sharing are putting a new spin on compliance issues. There has been a tidal wave of publications and seminars of late that address many of these issues. Topics range from preventing trade secrets from leaking on Facebook to the ethics of monitoring current and potential employees in and out of the workplace.

Garnering much less attention are the compliance and risk issues that new marketing initiatives using social-mobile can present. To minimize such issues, legal departments must develop a working relationship with both marketing and IT in order to fully understand how information acquired through social-mobile initiatives is being collected, stored, and utilized by the company, and to assess the impact on the company’s electronic discovery, records retention, and regulatory compliance obligations.

In the U.S., several hundred state laws govern data captured by companies, including social-mobile data. These laws include statutes regarding data security and breach response, records retention and destruction, and data privacy regulations aimed at protecting personal information of employees and customers. An alphabet soup of federal regulations (e.g., HIPAA, COPPA, FACTA/FCRA, ECPA, and the VPPA) also governs this data. As emerging technologies continue to challenge societal expectations of privacy, new methods for collecting, storing, aggregating, and sharing information continue to push the boundaries of our legal frameworks. As a result we are now seeing:

• Major data breaches reported almost daily.

• An upsurge in class actions related to privacy violations, along with new damage theories.

• Significant increases in FTC and other agency scrutiny and fines.

• An increased focus of public and political attention on data privacy and security issues.

These create significant risks for any company caught unprepared in the social-mobile data frenzy.

TIP OF THE ICEBERG

As companies increase their efforts to collect, use, and share social-mobile data, they should expect legal challenges to increase.

Last year, the Wall Street Journal examined 101 popular smartphone applications and found that more than half transmitted a phone’s unique identifier to third parties without users’ permission, and 47 sent the phone’s location to third parties. Five apps went further, sending users’ gender, age, and other personal data to third parties. Negative publicity and several lawsuits against the companies publishing these apps have heightened awareness, but the problem hasn’t abated. A recent patent application filed by Apple describes a framework for deploying and pricing ads based on information derived from consumers’ browsing and searching activities and the contents of their media libraries. It also describes using the contents of friends’ media libraries to better target ads, and explains how Apple could tap “known connections on one or more social networking Web sites” to accomplish this. Given the intent to leverage what many consider personal and private information, the company would be well advised to develop a well-thought-out legal and compliance strategy regarding the collection and use of this data before it deploys the technology.

If these examples seem extreme, consider that last week IBM announced a new retail technology solution that enables retail stores to offer targeted third-party products and services to consumers at checkout. The solution lets shoppers use mobile devices to scan orders, redeem digital coupons, access loyalty points, and pay for orders at self-service pay stations. The related compliance issues are significant for retail establishments large and small.

Further complicating the issues is the pervasive legal ambiguity and inconsistency among jurisdictions as to what information is protected and subject to regulation. There has also been an expansion in the definition of protected private information. For example, the California Supreme Court, in Pineda v. Williams Sonoma, recently held that customer ZIP codes are private information subject to protection under a state law governing what information can be collected as part of face-to-face credit card transactions. Federally, Congress and the Supreme Court have shown an ever-increasing interest in defining geo-spatial reference data on smartphones and IP addresses as private information.

Unfortunately, most companies still view social-mobile data as marketing information, not as private, protected records. But along with the ability to tie this data to specific individuals comes the need to treat it like other private information. This is especially true when the data is used for purposes unrelated to why it was originally collected.

BEST PRACTICES: SEVEN PRIVACY & RISK PRIORITIES

To avoid privacy-related lawsuits targeted against the use of social-mobile data, it’s vital that companies have a clear plan about what they are collecting, how they are collecting it, how they are storing it, who it’s being shared with, what level and type of consent they have to use it, and how long the information will be kept. Here are seven best practices for counsel to keep in mind:

1. Visit your own websites and social media pages, and download and use your company’s apps. Give as much attention to what is on your public website and how your company is using customer apps — especially the app license and use agreement — as you do to the internal policies for records management, records training, and legal holds training.

2. Pay special attention to “digital safes” and other tools that store personal and private customer information. How is this data managed and what practices, processes, and controls are in place? It’s especially important to consider what is implied by your brand (are you a security company?) or explicitly found in your marketing materials.

3. Have a conversation with your CMO soon. Just as you engaged with IT a few years ago, you now need to engage the marketing department. What are its business goals? What is it doing now and what is it planning for next year, especially in the area of customer engagement and social-mobile apps?

4. Revisit your privacy policy based upon what your company is actually doing. Then “operationalize” your policies. Design them for execution rather than aspiration. That is, engage with the lines of business and those in the IT organization that will be enforcing the policies.

5. Modernize your records and retention program. Provide meaningful, actionable guidance on what information to retain, how to retain it, how long to retain it, and where to retain it. Provide procedures, not just policies, on what can and cannot be done with information during retention.

6. Understand the sources and atomic structure of today’s highly complex information. Where does it originate? What form does it take? Who has access to it over its life? How is it assembled and aggregated? How is it used and reused? Is it sold, bartered, or shared with third parties? How can it be dismantled for disposition?

7. Work with the CIO to design governance and disposal into IT systems, instead of trying to apply it after the fact.

While today’s privacy environment is highly complex and dynamic, a well-conceived plan and thoughtful dialogue can help you on your journey.

Credit: David White, Daily Business Review
