Navigating Privacy And Spam Compliance In Social Media Advertising

STIKEMAN ELLIOTT LLP www.stikeman.com

Navigating Privacy and Spam

Compliance in Social Media

Advertising

David ElderStikeman ElliottSeptember 20, 2011

What is Social Media?

■ Variety of sites, applications and platforms that allow for participating, talking and networking online, including the ability to share information and resources

■ Allow networks of connections to be established

■ Allow users to create, upload and disseminate original written and audio/video content

Navigating Privacy and Spam Compliance

Types of Social Media

■ Blogs – e.g. Wordpress, Blogger

■ Wikis – e.g. Wikipedia

■ Social Bookmarking – e.g. Delicious, Digg

■ Social Network Sites – e.g. Facebook, LinkedIn

■ Status Update Services – e.g. Twitter

■ Virtual Worlds – e.g. Second Life

■ Media Sharing Sites – e.g. YouTube, Flickr


Why Social Media Advertising & Promotion?

■ Large and growing number of users

■ Large portion of online time

■ Facilitates “word of mouth” on massive scale

■ Leverages consumer’s trusted relationships

■ Creates brand loyalty, strong engagement

■ Rich data sets allow for more precise targeting

■ Deep analytics


Online Advertising Options

■ Display advertising

– Minimal targeting – nature of site

■ Contextual advertising

– Targeting based on current visit to single site search query

■ Behavioural advertising

– Targeting based on profile developed based on history of sites visiting, on-site activity – inferred interests and demographics

■ Social advertising

– Targeted based on context and interaction with site, real interests and demographics, activities of connections

– Leverages social connections as examples, endorsements


Social Media Advertising & Promotion

■ Display ads

■ Targeted ads

■ Fan pages

■ Events, groups,

■ Applications – contests, quizzes, games

■ User reviews and discussion fora

■ Social ads, Promoted tweets

■ Like, +1, retweet, etc.

■ Almost any on-net activity can be shared with user networks


Applicable Privacy Requirements

■ Knowledge & consent required for collection, use & disclosure ofpersonal information

■ Sensitivity of information and reasonable expectations of individual relevant to acceptable form of consent

■ Purposes must be identified at or before collection

■ Can’t require consent as condition of supply or product or service, unless required for legitimate core purposes

■ Collection to be limited to what reasonably required to fulfil purposes

■ Personal information to be retained only as long as reasonably necessary to fulfil purposes

■ Personal information to be accurate and up-to-date

■ Individual right of access

■ Protected by reasonable security safeguards


Application – So far...

■ OPC has taken expansive view of what constitutes personal information.

■ Can include:

– cookies

– IP addresses

– Online tracking and behavioural data?

– Particular concern re mobile data/devices

■ Although may appear in public domain, doesn’t mean it can be used for any purpose


The Facebook Decision

■ Noted advertising was a legitimate primary purpose for collection of personal information

■ Therefore, opt-out consent OK

■ But social ads “more intrusive”, require enhanced explanations to users

■ App developers access to personal information too open-ended, more specific consents required

■ Opt-out insufficient


Data Protection & Security

■ Rich and personalized data from social nets and apps are very valuable to identity thieves, fraudsters

■ Hacking is now about organized crime, targeted and well-mobilized

■ Protect user data accordingly

■ Keep only what you need, de-personalize if possible – try to avoid ID theft “keys”

■ Consider https connections, encryption for both stored and transmitted data


Privacy Concerns

■ 45% of Cdn social network users are concerned about associated privacy risks

■ 83% believe companies should ask permission to track online behaviour and Internet usage

■ 90% showed widespread concern about businesses that request too much personal information, don’t keep it secure, sell it to others, or use it to send spam

■ Majority of social network users feel explanations of use of personal information were vague

2011 Canadians and Privacy Survey


Children & Privacy

■ No COPPA in Canada, but:

■ PIPEDA requires “knowledge and consent” – higher hurdle for children?

■ Was amendment in C-29 which would have bolstered consent standard:

“…reasonable to expect that the individual understands the nature,purpose and consequences of the collection, use and disclosure of the personal information to which they are consenting.”

■ OPC has voiced concern, sees as vulnerable group; focusing on outreach, education

■ Proceed with extreme caution


Appropriation of Personality

■ Relevant to social ads that use name, likeness of someone in network in association with endorsement, sale

■ Canadian law recognizes tort of misappropriation of personality, but only “old media” cases

■ Similar claims being made in other jurisdictions re social media ads, implied endorsements

■ Important to have clear and unambiguous consent

■ May still be liability if claims relate to fake profiles


Canada’s Anti-Spam Legislation: Summary

■ Prohibits sending commercial electronic messages without express consent (some exceptions)

■ Creates identification, contact and unsubscribe obligations

■ Prohibits the installation of a computer program without express consent (some exceptions)

■ Prohibits the alteration of transmission data or rerouting of messages without express consent

■ Creates detailed disclosure requirements to obtain consent

■ Creates significant monetary penalties for non-compliance

■ Creates private right of action for damages stemming from


Core Anti-Spam Requirement

■ prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless:

■ Have the express or implied consent of the recipient

■ Message is in the prescribed form:

– identifies sender/person on whose behalf sent

– contact info for sender/person on whose behalf sent

■ No cost, easy unsubscribe mechanism:

– Same means as message sent, or other electronic means

– Gives Electronic address/web link for unsubscribe

– Effective “without delay”, no later than 10 business days


Key Definitions I

■ “electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message.

■ “electronic address” means an address used in connection with the transmission of an electronic message to

a) an electronic mail account;

b) an instant messaging account;

c) a telephone account; or

d) any similar account.


Key Definitions II

1(2) For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including an electronic message that

a) offers to purchase, sell, barter or lease a product, goods, a service, land or an interest or right in land;

b) offers to provide a business, investment or gaming opportunity;

c) advertises or promotes anything referred to in paragraph (a) or (b); or

d) promotes a person, including the public image of a person, as being a person who does anything referred to in any of paragraphs (a) to (c), or who intends to do so.


Key Definitions III

6. (1) It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless

a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied; and

b) the message complies with subsection (2) [requirements as to sender ID, contact info, unsubscribe]

…

(5) This section does not apply to a commercial electronic message

a) that is sent by or on behalf of an individual to another individual with whom they have a personal or family relationship, as defined in the regulations;

…

9. It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.


Not Just for eMail

■ Applies to broad array of electronic messages: instant messaging, SMS, social media

■ Broad application to commercial activity – not just outright sales pitch

■ Generally require express consent to send

■ Could be liable if seen to induce social net user to send commercial message to another without consent


Anti-Spam Issues for Social Ads

■ Proposed regs define “personal relationship” narrowly

■ Issue with “forward-to-a-friend” – suggesting or enabling forward could attract liability

■ Identification requirements exhaustive, could be particularly challenging in social media space

■ Twitter just announced will be introducing some ads into user’s timelines – can’t opt out


Best Practices - Privacy

■ Don’t leave it to social net operator or ad aggregator/server

■ Stay on top of Canadian and international laws and trends re privacy, spam

■ Assume the worst; law of unintended consequences --test and test again

■ Transparency re collection, use and disclosure practices

■ Prominent, easy to understand, access – FAQs, layers

■ Get best consent you can – scroll and click

■ Keep records – onus on you to prove


More Best Practices - Privacy

■ Choose partners carefully

■ Caution re third party sharing

■ Great caution re aggregation with off-net info

■ Extra caution re location information

■ Monitor User Generated Content

■ Robust security – firewall, encryption, limit retention

■ Be aware of perceptions, reasonable expectations


Best Practices - Spam

■ Don’t spam – and tell users not to

■ Review/modify practices for obtaining/developing target lists, choose vendors/partners carefully

■ Review/modify formats for electronic marketing

■ Ensure effective and timely unsubscribe

■ Review/modify program installations, associated disclosures and consent

■ Ensure consent records are retained and retrievable

■ Engagement of marketing, brand, technical resources to detect issues, ensure compliance


STIKEMAN ELLIOTT LLP www.stikeman.com

David [email protected]

For further information

SLIDE 24 STIKEMAN ELLIOTT LLP

Documents

Navigating Privacy And Spam Compliance In Social Media Advertising