Written by Jake Romero

Facebook announced last week that it now has upwards of 1 billion active users. That same week, over 10 million Twitter messages were sent during the U.S. presidential debate. With the number and use of social media websites rapidly expanding, your privacy rights with respect to your tweets, “likes” and status updates, even the ones about being hungry and/or sleepy, are the focus of new legislation enacted in California.

Assembly Bill No. 1844 prohibits an employer from “requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.” AB-1844 also prohibits retaliation by the employer against any employee or applicant for not complying with employer demands that violate this prohibition. A companion bill that was also enacted last week, Senate Bill No. 1349, prohibits similar requests and requirements made by certain colleges of their students.

The greater likelihood is that in your hiring and retention practices, you are not specifically requiring employees and prospective employees to hand over their user names and passwords.  However, AB-1844 defines “social media” as “an electronic service or account, or electronic content, including, but not limited to, video, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.”  This definition is quite broad, and can potentially be applied to a large swath of digital content that is not traditionally thought of as “social media.”  As a result, we recommend that you consider the following steps to ensure that you do not inadvertently violate AB-1844 or lose control of or access to your business’s social media presence:

  • Your business should have a comprehensive, easy to understand Internet usage policy in place (sometimes referred to as an “acceptable use policy”).  A strong Internet usage policy will help you manage and track where your employees keep and retain company information and can set boundaries regarding the use of personal social media sites during work hours and using work devices.  We recommend that each of your employees and, as of their start date, all new hires, receive a copy of the policy and sign an acknowledgment of having read it.  All of your employees should have access to your Internet usage policy on an ongoing basis.
  • Review any agreements you have in place with employees who develop, manage or contribute to social media content on behalf of your business or as part of the services they provide.  AB-1844 applies only to “personal” social media accounts but there is no guidance regarding what constitutes a personal account.  Your agreements with any employee who creates or manages social media content on behalf of your business should explicitly provide that that account or content is not personal to the employee and is the property of the employer.
  • Consider the manner in which your social media presence is managed and updated.  AB-1844 explicitly provides that nothing in AB-1844 “precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.”  If, however, you have a “bring your own device” policy that allows employees who manage your social media presence to do so from a device that is owned by that employee and also used for personal activities, distinguishing an employee’s personal account from your business’s data may become increasingly difficult.

Of course, if you are reading this and your company does not have a comprehensive Internet usage policy or social media policy at all, you might want to consider calling a member of the Mintz Levin Privacy and Data Security team.


If you’ve missed this development of late, the word on the street is that prospective employers are not just using Google to search for whatever may be available on the Internet — they are asking applicants to provide their Facebook passwords to allow the prospective employer to peruse their Facebook page.

Our colleagues over at the Mintz Employment Matters blog have written about this and the potential risks.    Check it out before you interview that next candidate.

Following on the heels of Facebook’s landmark settlement with the Federal Trade Commission, a bipartisan group of members of the House of Representatives has apparently read the “new and improved” Facebook privacy policy and was not impressed.

Reps. Cliff Stearns (R-FL), Ed Markey (D-MA), Joe Barton (R-TX), and Diana DeGette (D-CO) sent a letter to Facebook CEO Mark Zuckerberg, wondering why the site’s new Data Use Policy was longer than the U.S. Constitution.

“Many of these actions [in the FTC settlement] have long since been rectified by Facebook in response to user concerns, but both the practices and user information collected by those practices give rise to questions nonetheless,” the letter said.

The letter pointed out that Facebook’s current privacy policy is almost six times as long as it was in 2005, longer than other social networks’ policies and the Constitution, not including the amendments. The representatives asked Zuckerberg to give them data regarding the percentage of Facebook users who read the full policy.  “We are concerned … that long, complex privacy policy statements make it difficult for consumers to understand how their information is being used,” the letter said.

Facebook aside, the fact is that privacy policies are getting longer, more complex and more difficult for users to comprehend as websites attempt to put every possible way that they may or “might” use information, now or in the future, into the policies. The congressional inquiry may help to put a check on the “kitchen sink” approach to drafting.

Other questions that interest the lawmakers include questions that site operators (and their advisors) should be asking with every privacy policy: how the site tracks users’ browsing habits, including what information it collects, whether the information can be used to identify an individual, and whether users can opt out of tracking, specifically asking: “How is Facebook making it easier for users to understand their ability to opt out?” The lawmakers requested that Zuckerberg respond to the questions by Jan. 3.

Stearns and DeGette are the chairman and ranking member, respectively, of the House Energy and Commerce Committee’s subcommittee on oversight and investigations. Barton and Markey are co-chairmen of the Congressional Bipartisan Privacy Caucus.

So, when’s the last time you reviewed your company’s privacy policy?

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users” —  Federal Trade Commission Chairman Jon Leibowitz

The Federal Trade Commission (FTC) has announced the long-rumored proposed consent decree with Facebook, settling allegations in a complaint that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices.  The settlement comes ahead of Facebook’s planned IPO this spring and carries no financial penalties.  Importantly for Facebook, the settlement does not force Facebook to revert back to its system prior to December, 2009.  Early Facebook users will remember that in those days, users could keep things and people they “liked” completely private.

Let’s take a look at what the settlement does provide.  It imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information.  Surprisingly, it appears that Facebook did not have such a program.

The settlement also requires that Facebook (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; and (iii) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree.


Update:  Post from Daily Online Examiner blog.

If you’re a power Facebook user, you are likely tired of the constant changes to privacy settings.  At last count, the most recent change was the 13th.    This report may make your day.

The Wall Street Journal reports this afternoon (registration required) that Facebook is finalizing a proposed settlement with the Federal Trade Commission over charges that FB engaged in “deceptive behavior” when making those changes to its privacy settings. The article quotes people familiar with the situation:

The proposed settlement – which is awaiting final approval from agency commissioners – would require Facebook to obtain “express affirmative consent” if Facebook makes “material retroactive changes,” some of the people said.

Written by Stu Eaton

The United States District Court for the Northern District of California has dismissed the claims of the plaintiffs against Facebook in the case of In re: Facebook Privacy Litigation. Plaintiffs’ claims were based on Facebook’s admitted disclosure of their personal information to its advertisers in its “Referrer Headers,” which are created when a user clicks on an advertisement and then sent to the corresponding advertiser. Plaintiffs alleged that the Referrer Header, which contained the webpage address the user was viewing prior to clicking on the advertisement, revealed personally identifiable information, such as the user’s name, gender, picture and other personal information without that user’s knowledge or consent. Plaintiffs sought damages under the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510, et seq., and California’s Unfair Competition Law, Business and Professions Code §§ 17200, et seq.

A.         No Violation of the Electronic Communications Privacy Act

The ECPA is composed of two distinct subsections, the Wiretap Act and the Stored Communications Act (“SCA”), both of which prohibit a communications service from disclosing the contents of any communication to parties who are not the “addressee or intended recipient.” See 18 U.S.C. §§ 2510(a), 2702(b). The SCA contains a specific exception allowing disclosure with the “lawful consent of the originator.” 18 U.S.C. § 2702(b). Plaintiffs alleged that they did not know of or consent to Facebook’s disclosure of their personal information to its advertisers, and that such disclosure violated both subsections of the ECPA.

The Northern District noted that when a user clicks on an advertisement, the result is either: (1) a communication between the user and Facebook, which is then passed on to the advertiser; or (2) a communication between the user and the advertiser sent through Facebook.  The Court held that Plaintiffs failed to state a claim under the SCA because, under either interpretation, Facebook was entitled to pass on the information at issue.  If the communication was sent to Facebook, then it was an “addressee or intended recipient” and thus permitted to disclose the communication to advertisers with the “lawful consent” of the  users.  The Court held that the act of clicking on the advertisement amounted to such “lawful consent.”   Alternatively, if the communication was sent to an advertiser, then no violation occurred because the advertiser was the addressee or intended recipient, and “Defendant was permitted to divulge the communications to  it.”  Applying the same analysis, the Court also denied Plaintiffs’ wiretap claims.

B.         Personal Information Is Not The Same As Money

Relying on the theory that a user’s personal information can be equated with money or property, Plaintiffs also sought damages under California’s Unfair Competition Law (“UCL”). The Court held that personally identifiable information does not constitute property under the UCL. It also went one step further, expressly limiting its prior ruling in Does 1 v. AOL, Inc., 719 F. Supp. 2d 1102 (N.D. Cal. 2010), which held that AOL’s disclosure of users’ personal information was not something users bargained for when they “signed up and paid fees” to use AOL’s service. The Northern District Court held that AOL did not stand for the broad proposition that personal information equals property, but rather that “a plaintiff who is a consumer of certain services . . . may state a claim under . . . California Consumer Protection statutes when a company, in violation of its own policies, discloses personal information about its consumers to the public.” Because Facebook is a free service, the Court held that Plaintiffs cannot state a claim under the UCL.

Editor’s Note:  Congratulations to Stu Eaton, author of this post, who just received his CIPP certification!

As a follow-on to yesterday’s posts regarding the public face of the Facebook privacy brouhaha, at this hour Facebook is holding an “all-hands” meeting to discuss the company’s overall privacy strategy. PC World suggests that perhaps today’s company meeting is the beginning of Facebook’s effort to improve user guidance on issues of sharing and privacy, or maybe the company is considering a roll back of new features. Stay tuned.

Related links:

GigaOM » Facebook Needs to Find Its Voice on Privacy
Facebook’s Eroding Privacy Policy: A Timeline Electronic Frontier Foundation

Whether the terse discussions in the public arena over Facebook’s privacy “changes” demonstrate that the world’s largest social network is playing fast and loose with the truth about its internal controls on user privacy, or whether it is just an example of poor corporate communication of policies to end users is still a matter of debate. See Glitch Brings New Worries About Facebook’s Privacy – NYTimes.com.

Last week, the author of the Times’ technology blog Bits invited readers to submit questions for Facebook’s vice president for public policy, Elliot Schrage. She probably got more than she (or Schrage) expected – in fact, over 300 of them. Schrage’s response is published in today’s blog entry: Facebook Executive Answers Reader Questions – Bits Blog – NYTimes.com.

For a completely different view of Mr. Schrage’s comments, I found Catharine Taylor’s post at Social Media Insider to raise some important questions.

The Most Wonderful Time of the Year — It’s time for the annual “top ten” lists. Information Security Resources has posted an article that is eye-opening reading with respect to data breaches in 2009. Ten Most Damaging Data Breaches of 2009

U.S. to Join Fingerprint Sharing — CBC News – Canada reports that the U.S. will join Canada, Australia and Britain in sharing fingerprints and other data to help authorities discern people’s true identities in cracking down on asylum shopping and unlawful immigration.

Another site thinks “Privacy Matters”
website, IAB Privacy Matters, the IAB describes how marketers collect and use information about users’ Web activities. IAB Senior Vice President David Doty said the site describes “in plain English” how online advertising works and includes guidance on how users can adjust their settings to control their information. The site is part of a broader effort among ad industry trade groups to head off potential regulation, the report states.

Facebook Changing — Again — Facebook will roll out new privacy controls in the coming weeks, reports it’s news. The new options will let users control who sees their posts on a per-post basis. In an open letter to users, CEO Mark Zuckerberg said: “We’re adding something that many of you have asked for–the ability to control who sees each individual piece of content you create or upload.” The company will also roll out a simplified privacy settings page with a “walk-through” option where users can get recommendations from Facebook. In addition, the company will shutter its regional networks.