Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea.  Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement.  The Federal Trade Commission’s November 2011 consent decree with Facebook user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings.  The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice.  The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy.  For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent.  Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS.  This creates a baseline user expectation about consent for precise location targeting.”  (emphasis added) Continue reading

For businesses, is there an obligation in the United States to do anything more than simply have a privacy policy?  The answer is not much of an obligation at all.

Put another way, is it simply a question of disclosure – so long as a business tells users what it intends to do with their personal information, can the business pretty much do anything it wants with personal information?  This would be the privacy law equivalent of the “as long as I signal, I am allowed to cut anyone off” theory of driving.

Much high-profile enforcement (via the Federal Trade Commission and State Attorneys General) has definitely focused on breaches by businesses of their own privacy statements.  Plus, state laws in California and elsewhere either require that companies have privacy policies or require what types of disclosures must be in those policies, but again focus on disclosure rather than mandating specific substantive actions that businesses must or must not take when using personal information.

As The Economist recently noted in its Schumpeter blog, “Europeans have long relied on governments to set policies to protect their privacy on the internet.  America has taken a different tack, shunning detailed prescriptions for how companies should handle people’s data online and letting industries regulate themselves.”   This structural (or lack of structural) approach to privacy regulation in the United States can also been seen – vividly – in legal and business commentary that met Google’s recent privacy overhaul.  Despite howls of displeasure and the concerted voices of dozens of State Attorneys General, none of the complaints relied on any particular violations of law.  Rather, arguments (by the AGs) are made about consumer expectations in advance of consumer advocacy, as in “[C]onsumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.”

Again, there’s little reliance on codified law because, for better or worse, there is no relevant codified law to rely upon.  Google, Twitter and Facebook have been famously the subjects of enforcement actions by the states and the Federal Trade Commission, and accordingly Google has been careful in its privacy rollout to provide extensive advance disclosures of its intentions.

As The Economist also reported, industry trade groups have stepped in with self-regulatory “best practices” for online advertising, search and data collection, as well as “do not track” initiatives including browser tools, while the Obama Administration last month announced a privacy “bill of rights” that it hopes to move in the current or, more realistically, a future Congress.

This also should not ignore common law rights of privacy invasion, such as the type of criminal charges successfully brought in New Jersey against the Rutgers student spying on his roommate.   These rights are not new and for the time being remain the main source of consumer recourse for privacy violations in the absence of meaningful contract remedies (for breaches of privacy policies) and legislative remedies targeted to online transactions.

More to come on this topic shortly.

“RTs do not = endorsements.” We’ve all seen it on Twitter bios, usually bios belonging to members of the media.

These kinds of disclaimers, disassociating the tweets from the people who retweet them, are common. The Twitter bio belonging to Brian Stelter of the New York Times (@brianstelter) notes, “RT & links aren’t endorsements.”

A Social Media Policy Addressing RTs and Linking

But for some, those disclaimers are not enough.  Last fall, the Associated Press introduced an updated social media policy for its reporters and editors.  As recently reported in Yahoo! News, the AP memo advised reporters and editors that “Retweets, like tweets, should not be written in a way that looks like you’re expressing a personal opinion on the issues of the day. A retweet with no comment of your own can easily be seen as a sign of approval of what you’re relaying.” The guidelines note, “[W]e can judiciously retweet opinionated material if we make clear we’re simply reporting it.”

Continue reading

It is a task often relegated to the office interns: posting promotional content to outside social media sites.

Despite the fact that this practice is officially frowned upon in the Federal Trade Commission’s 2009 endorsement guidelines, companies will often engage paid individuals – either employees on the payroll or outside bloggers who receive compensation in the form of a free sample – to post positive reviews online, including to places like Twitter, personal blogs, or online public forums without identifying the connection between the commenter and the product being commented on.

The FTC’s endorsement guidelines seek (among other things) to ensure that unbiased positive reviews online can be considered credible, while also ensuring that positive reviews that are partially the result of some sort of compensation be acknowledged as such. Continue reading

Much has been made lately of tension between Twitter and its outside developers.  The issues stoking the fire are less legal issues than business issues brought to front-burner by two particular factors:

(1) The maturity of Twitter as a development platform, or in the words of Ryan Sarver of Twitter, “In the early days, all the clients except Twitter.com were built out by ecosystem companies, mainly because Twitter was so focused on keeping the lights on.  But we learned that in order for us to really grow, we had to start taking over that core experience.” (quoted in the NY Times, 7/17/11).

(2) A reported Federal Trade Commission inquiry into the relationship by the , which has (in some views) caused Twitter to re-think its liberal open-door policy when it came to permitting outside development on its platform.

An excellent story and accompanying podcast on this subject appeared in the NY Times last week, written by Claire Cain Miller.

Bottom line: Twitter is seeking to control the applications that control access to Twitter, meaning desktop and mobile, and leaving the field open to enterprise applications, usability applications, analysis and similar applications.

Certainly the business reasons seem pretty clear, in that Twitter seeks to control core functionality – and the development of that core functionality – of the mother ship.  Although it is not terribly surprising that that strikes some critics as cynical, see for example here (“Twitter, just be honest: ‘The only way we can figure out how to make money is same ol’ display ads and we need to own the client for that.’”)

There are legal issues here, namely the ability of the platform to restrict access to its API.  As Claire Miller and others have noted, part of the problem for Twitter is that developer expectations may have been artificially inflated.  But there is more.  The FTC hint of antitrust scrutiny may be causing Twitter some heartburn about its historical open-ness.  Some analogy from two unrelated contexts: In trademark law, the concept “use in commerce” requires confirmation of continued public use of a registered trademark every 5 years or so.  In real property law, a property owner’s failure to restrict public access to property – and thus demonstrate its private claim – can, under some circumstances, support a court’s granting a permanent public right of way.

Quoting Rob Diana from Regular Geek, “Twitter also now owns the platform as a whole and must be as reliable as a utility company.  They must provide all of the capabilities that consumers need in the clients.” (emphasis added) A danger for a “public utility” of the information superhighway is creeping expectation of the duties and obligations of public purpose: Loss of commercial freedom, permanent regulatory scrutiny and public stakeholder claims.  It may very well be that Twitter is acting much like New York’s Rockefeller Center, which closes public access to traffic one day a year as a legal “fiction” in order to continue to assert private ownership rights.

Twitter rolled out its new API TOS (“Developer Rules of the Road”) in March of this year.  Rob Diana noted at that time that the announcement may have been – or perhaps should have been – anticlimactic, in that “A basic Twitter client is a terrible idea in today’s ecosystem.”  Wrote Diana:

Unless there is major functionality outside of the existing solutions, a new client is a losing idea. There is a high barrier to entry when we already have third-party clients like Tweetdeck, Seesmic, HootSuite and PeopleBrowser. This does not include some of the other applications that focus on team or brand management. So, by saying not to develop a new client, Twitter has saved us and investors a lot of time and money.

A privacy policy?  Who needs a privacy policy?  Privacy is a mess.  You’re building an online business, and you figure you have to have a privacy policy.  But why?  Is “because everyone else has one” a good enough reason?  Ever wonder what you really need to know about privacy law?  I mean … what you have to comply with as a business operating in an online environment?

Here, then, the first of several Frequently Asked Questions about privacy policies.  Or to be more precise, here now some practical answers on privacy practices:

FAQ #1: Can I simply post a privacy policy and forget about it?  Short Answer: No.  Longer Answer: No, because as between posted statements and actual compliance, actual compliance is what’s required.   Continue reading

Podcast #1: December 30, 2010

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

In today’s podcast, we discuss the Federal Trade Commission’s recently issued privacy proposals. My guest is Karen Neuman, a founding partner of St. Ledger-Roty Neuman & Olson LLP, a Washington, DC law firm that focuses on regulation of information technologies and communications law, including privacy & data security, mobile communications, the Internet, media, telecommunications and related transactional matters.

At the core of the new privacy proposal is the idea that the current system of self-regulation does not provide enough consumer protection.  Basically, from the FTC’s perspective, people do not pay enough attention to the data-collecting activities of websites and not enough companies are up-front about the data they do collect from visitors to their sites.  The FTC says that while many companies detail their data collection through privacy policies, consumers bear too much of a burden in having to sort through such long, legalistic documents.

Among other proposals, the FTC’s new framework would require a “Do Not Track” option, much like the one we currently have to avoid telemarketers.  “Do Not Track” would essentially prevent companies from tracking things like your browsing history and buying habits, making it much more difficult for them to target consumers with personalized ads.  The proposal also aims to have companies incorporate more consumer protection into their business practices through simpler, more transparent options and by allowing consumers more access to the data being collected about them.  The FTC issued its proposed rules just last week, and requested public comment from both businesses and the public.

Please click play on the audio player below to hear the podcast.

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.