Best Practices for Social and Mobile Media As Privacy Laws Evolve

By David White
November 28, 2011

As social media and mobile devices and apps (“social-mobile”) continue to proliferate in the corporate enterprise, and e-commerce firms rely evermore on these technologies to assist promotion and sales, these forms of collaboration and information-sharing are putting a new spin on compliance issues.

A wave of publications and seminars addressing many of these issues has appeared of late. Topics range from preventing trade secrets from leaking on Facebook to the ethics of monitoring current and potential employees in and out of the workplace.

Garnering much less attention are the compliance and risk issues that new marketing initiatives using social-mobile can present. To minimize such issues, legal departments and other counsel on whom these businesses depend for advice must develop a working relationship with marketing and IT in order to fully understand how information acquired through social-mobile initiatives is being collected, stored and used by the company, and to assess the impact on the company's electronic discovery, records-retention and regulatory-compliance obligations.

In the United States, several hundred state laws govern data captured by companies, including social-mobile data. These laws include statutes regarding:

  • Data security and breach response;
  • Records retention and destruction; and
  • Data privacy regulations aimed at protecting personal information of employees and customers.

An alphabet soup of federal regulations also governs this data (e.g., HIPAA, the Health Insurance Portability and Accountability Act, http://bit.ly/16IvtE; COPPA, the Children's Online Privacy Protection Act, http://bit.ly/jYYFvT; FACTA/FCRA, the Fair and Accurate Credit Transactions Act and the Fair Credit Reporting Act, http://bit.ly/udH44K and http://bit.ly/3Pu0Fe, respectively; ECPA, the Electronic Communications Privacy Act, http://bit.ly/GkNog; and the VPPA, the Video Privacy Protection Act, http://bit.ly/Hus9r). As emerging technologies continue to challenge societal expectations of privacy, new methods for collecting, storing, aggregating and sharing information continue to push the boundaries of our legal frameworks. As a result, we are now seeing:

  • Major data breaches reported almost daily;
  • An up-swell in class actions related to privacy violations, along with new damage theories;
  • Significant increases in Federal Trade Commission (FTC) scrutiny and fines, and increased scrutiny and fines imposed by other watchdog agencies; and
  • An increased focus of public and political attention on data-privacy and security issues.

These issues and events create significant risks for any company caught unprepared in the social-mobile data frenzy.

Tip of the Iceberg

As companies increase their efforts to collect, use and share social-mobile data, they should expect legal challenges to increase.

Last year, The Wall Street Journal examined 101 popular smartphone applications and found that more than half transmitted a phone's unique identifier to third parties without users' permission, and 47 sent the phone's location to third parties. Five apps went further, sending users' gender, age and other personal data to third parties. Negative publicity and several lawsuits against the companies publishing these apps have heightened awareness, but the problem hasn't abated. A recent patent application filed by Apple describes a framework for deploying and pricing ads based on information derived from consumers' browsing and searching activities, and the contents of their media library. It also describes using the contents of friends' media libraries to better target ads, and explains how Apple could tap “known connections on one or more social networking websites” to accomplish this. Given the intent to leverage what many consider personal and private information, the company would be well advised to develop a well-thought-out legal and compliance strategy regarding the collection and use of this data before deploying the technology.

If these examples seem extreme, consider that IBM recently announced a new retail technology that enables stores to offer targeted third-party products and services to consumers at checkout. The solution allows shoppers who use mobile devices to scan orders, redeem digital coupons, access loyalty points and pay for orders at self-service pay stations. The related compliance issues are significant for retail establishments large and small.

Complicating the issues is the pervasive legal ambiguity and inconsistency as to what information is protected and subject to regulation among jurisdictions. There has also been an expansion in the definition of protected private information. For example, the California Supreme Court, in Pineda v. Williams Sonoma, 51 Cal. 4th 524 (2011) (http://bit.ly/uJiNtf), recently held that customer ZIP codes are private information subject to protection under a state law governing what information can be collected as part of face-to-face credit-card transactions. Federally, Congress and the Supreme Court have shown an ever-increasing interest in defining geospatial reference data on smart phones and IP addresses as private information.

Unfortunately, most companies still view social-mobile data as marketing information, not as private, protected records. But along with the ability to tie this data to specific individuals comes the need to treat it as other private information is treated. This is especially true when the data is used for purposes unrelated to those for which it was originally collected.

Best Practices: Seven Privacy and Risk Priorities

To avoid privacy-related lawsuits targeting the use of social-mobile data, it's vital that companies have a clear plan about:

  • What they are collecting;
  • How they are collecting social-mobile data;
  • How they are storing the data;
  • With whom the data is being shared;
  • What level and type of consent they have to use the data; and
  • How long the information will be kept.

Seven best practices for counsel to keep in mind follow.

1. Visit your own websites and social-media pages, and download and use your company's apps. Give as much attention to what is on your public website and how your company is using customer apps, especially the app license and use agreement, as you do to the internal policies for records management, records training and legal-holds training.

2. Pay special attention to “digital safes” and other tools that store personal and private customer information. How is this data managed and what practices, processes and controls are in place to properly manage and protect it? It is especially important to consider what is implied by your brand (are you a security company, for instance?) or explicitly found in your marketing materials.

3. Have a conversation with your CMO soon. Just as you engaged with IT a few years ago, you now need to engage the marketing department. What are its business goals? What is it doing and what is it planning for next year, especially in the area of customer engagement and social-mobile apps?

4. Revisit your privacy policy, based on what your company is actually doing. Then “operationalize” your policies: Design them for execution rather than aspiration; that is, engage with the lines of business and those in the IT organization that will be enforcing the policies.

5. Modernize your records-and-retention program. Provide meaningful, actionable guidance on what information to retain, how to retain it, how long to retain it and where to retain it. Provide procedures, not just policies, on what can and cannot be done with information during retention.

6. Understand the sources and atomic structure of today's highly complex information. Where does it originate? What form does it take? Who has access to it over its life? How is it assembled and aggregated? How is it used and reused? Is it sold, bartered or shared with third parties? How can it be dismantled for disposition?

7. Work with the Chief Information Officer to design governance and disposal into IT systems, instead of trying to apply it after the fact.

While today's privacy environment is highly complex and dynamic, a well-conceived plan and thoughtful dialogue with everyone who is, or could be, involved and concerned can help you on your journey.


David White is a partner in the commercial litigation department of Seyfarth Shaw in Los Angeles. His practice focuses on issues regarding electronic discovery and information governance. He is a contributing member of the Sedona Conference, an organization dedicated to the development of best legal practices in a range of areas, including e-discovery, and records-retention. He can be reached at [email protected].
