Header graphic for print

Socially Aware Blog

The Law and Business of Social Media

Click-Accept Arbitration: Enforcing Arbitration Provisions in Online Terms of Service

By David Kiferbaum and Sherman Khan on Posted in Arbitration, Supreme Court

Companies that provide services to consumers have often sought to reduce the risk of class action lawsuits by requiring that their customers agree to arbitrate any disputes.  Such arbitration agreements may require customers to arbitrate on an individual basis only, with customers being obligated to waive any rights they might otherwise have to pursue claims through class actions.  In recent years, many such arbitration provisions, particularly those that included class action waivers, had been held unenforceable under state law contract doctrine.  In April 2011, however, the U.S. Supreme Court held in AT&T Mobility v. Concepcion that the Federal Arbitration Act preempts most state law challenges to class action waivers. 

How broadly lower courts will interpret the AT&T decision remains to be seen.  For example, on February 1, 2012, the Second Circuit held in In re American Express Merchants’ Litigation that the AT&T decision did not preclude invalidation of an arbitration waiver where the practical effect of enforcement would impede a plaintiff’s ability to vindicate his or her federal statutory rights. 

Nonetheless, in the wake of AT&T, many companies that provide online products or services to consumers are exploring whether to include an arbitration clause and class action waiver in their online Terms of Service.  For those companies that decide to adopt an arbitration provision, whether with or without a class action waiver, it is important to ensure that such arbitration provision will not be invalidated on the ground that no contract was formed with the consumer.

Courts have enforced the arbitration provision in an online Terms of Service agreement where the consumer clearly assents to – or “click-accepts” – the terms and conditions of such agreement, e.g., by checking a box stating “I agree” to such terms and conditions.  For example, in Blau v. AT&T Mobility, decided in December 2011, the plaintiff consumers, who were arguing that AT&T Mobility’s network was not sufficiently robust to provide the promised level of service, had specifically assented to AT&T Mobility’s Terms of Service, which included an arbitration clause.  One of the plaintiffs was bound by an e-signature collected by AT&T Mobility at a retail store.  He asserted that he was not bound because another user of his account had provided the signature.  The court rejected this argument because the user who signed was an authorized user of the plaintiff’s account.  A second co-plaintiff had accepted the Terms of Service by pressing a button on his mobile phone’s keypad; the court held that this acceptance was valid even though the co-plaintiff could not recall whether he had seen the AT&T Mobility Terms of Service.

The enforceability of an arbitration provision becomes more problematic where there is evidence that the consumer did not affirmatively assent to the agreement containing such provision.  In Kwan v. Clearwire Corp., decided in January 2012, the Western District of Washington denied the defendant’s motion to compel arbitration in a putative class action against Clearwire, an Internet service provider, under a variety of state and federal consumer protection statutes in connection with allegedly poorly performing modems.  Clearwire sought to compel arbitration based on an arbitration provision in its online Terms of Service.  Two named plaintiffs, Brown and Reasonover, argued that they could not be bound by the arbitration provision because they had never agreed to the Terms of Service.  The court held that an evidentiary hearing would be required to determine whether an arbitration agreement had been formed with respect to Brown after she introduced evidence that a Clearwire technician who installed her modem, and not Brown, had click-accepted the Clearwire Terms of Service.  Likewise, an evidentiary hearing was required as to Reasonover because Clearwire could not produce a record of a click-acceptance for Reasonover, who testified that she had “abandoned” the Clearwire website without click-accepting the Terms of Service.

What lessons can be drawn from the Blau and Kwan decisions?  First, for an arbitration provision contained in an online Terms of Service agreement to be enforceable against a consumer, there should be clear consent by the consumer to be bound by the agreement.  If the arbitration provision is contained in a passive “browsewrap” Terms of Service, requiring no affirmative consent from the consumer, this may be insufficient – absent other factors – to bind the consumer with respect to arbitration.  In addition, an online Terms of Service containing an arbitration provision should be presented to customers in a reasonably conspicuous manner before the consumer click-accepts the Terms of Service; the agreement should not be “submerged” within a series of links, placed on a part of the screen not visible before the consumer reaches the “I accept” button or buried in small print at the footer of a long email message.  

Second, robust records documenting individual consumers’ “click-acceptances” of an online Terms of Service agreement incorporating an arbitration provision will substantially improve the likelihood that such agreement (and the incorporated arbitration provision) will be enforced.  A click-accept record that is linked to the individual who actually click-accepted the agreement is best.  Moreover, the Terms of Service agreement should be drafted to make clear that it applies not only to the individual who originally click-accepted such agreement, but also to other users to whom the individual provides access to his or her account.

District Court Considers Value of Twitter Account

By Anelia V. Delcheva on Posted in Employment Law, IP, Terms of Use

“Man, what do I write here? And what’s it going to be valued at?” So read Noah Kravitz’s Twitter profile soon after Magistrate Judge Maria-Elena James of the Northern District of California denied Kravitz’s motion to dismiss a number of claims brought against him by his former employer related to the Twitter account. While Kravitz continues to control the @noahkravitz Twitter account currently, the case raises questions as to whether he will retain control of the account and how the account should be valued.

October 15, 2010 was Kravitz’s last day at PhoneDog, an “interactive mobile news and reviews web resource.” After about four and a half years of providing product review and video blogging services for PhoneDog, Kravitz moved on to work at a competing website called TechnoBuffalo. While at PhoneDog, Kravitz used the Twitter account @PhoneDog_Noah to publish content related to mobile products and services. During the course of Kravitz’s employment at PhoneDog, the @PhoneDog_Noah account accumulated approximately 17,000 Twitter followers.

After Kravitz ended his employment with PhoneDog, the company requested that he relinquish use of the Twitter account. Instead, Kravitz kept the account and changed the account handle to “@noahkravitz.” Kravitz’s farewell post, published on the PhoneDog website days after Kravitz left the company, told PhoneDog website visitors that they could continue to follow Kravitz using the new @noahkravitz handle. As of February 2012, the @noahkravitz Twitter account more than 26,900 Twitter followers.

PhoneDog proceeded to file a complaint against Kravitz in the United States District Court for the Northern District of California that asserted a number of claims, including trade secret misappropriation, conversion, and intentional and negligent interference with economic advantage. Kravitz filed a motion to dismiss PhoneDog’s complaint based on, among other things, the argument that PhoneDog could not establish that it had suffered damages over the $75,000 jurisdictional threshold.

The jurisdictional amount-in-controversy issue raises interesting questions regarding the ownership and proper valuation of a Twitter account and its followers. PhoneDog asserted that Kravitz’s continued use of the @noahkravitz Twitter account resulted in at least $340,000 in damages to the company, using a calculation based on the total number of followers, the time during which Kravitz had controlled the account, and a purported industry standard value of $2.50 per follower. Kravitz disputed PhoneDog’s calculations and argued that any value attributed to the account came from his efforts in posting tweets and the followers’ interest in him, not from the account itself. Kravitz also argued that, to the extent a value can be placed on a Twitter account, it cannot be determined simply by multiplying the number of followers by $2.50, but rather requires consideration of a number of factors, such as: (1) the number of followers, (2) the number of tweets, (3) the content of the tweets, (4) the person publishing the tweets, and (5) the person placing the value on the account.

Kravitz also disputed whether PhoneDog had any ownership interest in the Twitter account or its followers at all. Kravitz argued that Twitter’s terms of service state that all Twitter accounts belong to Twitter, not to Twitter users such as PhoneDog. Kravitz also asserted that Twitter followers are “human beings who have the discretion to subscribe and/or unsubscribe” to the account and are not PhoneDog’s property. Finally, Kravitz argued that “[t]o date, the industry precedent has been that absent an agreement prohibiting any employee from doing so, after an employee leaves an employer, they are free to change their Twitter handle.”   

For its part, PhoneDog claimed that it had an ownership interest in the @noahkravitz Twitter account based on the license granted to it by Twitter to use and access the account, and in the content posted to the account. PhoneDog also argued that it had an “intangible property interest” in the Twitter account’s list of followers, which PhoneDog compared to a business customer list. Finally, PhoneDog asserted that, regardless of any ownership interest in the account, it was entitled to damages based on Kravitz’s interference with PhoneDog’s access to and use of the account, which (among other things) affected PhoneDog’s economic relations with its advertisers.

The court determined that the amount-in-controversy issue was intertwined with the factual and legal issues raised by PhoneDog’s claims and, therefore, could not be resolved at the motion-to-dismiss stage. Accordingly, the court denied without prejudice Kravitz’s motion to dismiss for lack of subject matter jurisdiction. The court also denied Kravitz’s motion to dismiss PhoneDog’s trade secret and conversion claims, but granted Kravitz’s motion to dismiss PhoneDog’s interference with prospective economic advantage claims.   

While we wait to learn the final disposition of the @noahkravitz Twitter account, employers should consider explicitly addressing ownership of company-related social media accounts in their agreements with their employees and independent contractors, including providing for transfer of control (including passwords) of such accounts to the company at the end of the employment or independent contractor relationship. In addition, if a social media account is intended to constitute the employer’s property, the account name or handle should refer only to the company and should not include the employee’s name.

Warning Signs: Promotions Using Facebook’s “Like” Feature

By Julie O'Neill on Posted in FTC, NAD, Online Promotions

In a recent case of first impression, the National Advertising Division of the Council of Better Business Bureaus (“NAD”) – an industry forum for resolving disputes among advertisers – addressed an advertiser’s use of Facebook’s “like” feature in connection with an online promotion.  Such promotions – referred to as “like-gated” promotions, typically ask a Facebook user to “like” the advertiser’s Facebook page in order to receive a discount, rebate or other deal.  If the user chooses to “like” such page or content, this information will appear on such user’s Facebook wall and possibly his or her Facebook news feed, where it can be viewed by the user’s Facebook friends.  Moreover, the user’s name and image may be displayed in connection with the “liked” page or content.  As a result, Facebook’s “like” feature can generate invaluable exposure for an advertiser, transforming a user’s interest in the advertiser into a public endorsement of such advertiser’s products and services. 

In the NAD case, Coastal Contacts, Inc., offered a free pair of glasses to each person who “liked” its Facebook page.  A competitor, 1-800 Contacts, Inc., challenged the offer, alleging that Coastal Contacts had failed to adequately disclose the offer’s material terms.  1-800 Contacts also charged that, on account of that failure, the “likes” that Coastal Contacts received were not legitimate, and the company’s use and promotion of such “likes” on the Facebook platform and in press releases were therefore fraudulent.  1-800 Contacts urged the NAD to recommend that Coastal Contacts remove and stop promoting the “likes” that it received via the allegedly misleading promotion, in order to remedy its allegedly unfair social gain.

The NAD agreed with the challenger that Coastal Contacts had failed to clearly and conspicuously disclose the terms of its free offer; however, the NAD did not agree that such failure rendered the resulting “likes” invalid, and it therefore declined to recommend that Coastal Contacts remove or stop promoting those “likes.”  The NAD explained that, although Coastal Contacts’ promotion required modification, there was no evidence showing that participants were denied free pairs of glasses because they failed to understand the offer terms.  In the NAD’s view, because actual consumers “liked” Coastal Contacts’ Facebook page and the consumers who participated in the offer received the benefit of such offer, Coastal Contacts did, in fact, have the general social endorsement that the “likes” conveyed. 

What About the Endorsement Guides?

The case raises an issue that the NAD did not address:  Should an advertiser be required to disclose that the Facebook “likes” received through a like-gated promotion were received in exchange for consideration?  Under the Federal Trade Commission’s (“FTC”) Endorsement Guides, an advertiser is required to disclose any material connection between itself and a consumer who endorses its business.  So, should a “like” given in exchange for a discount or other deal be accompanied by a disclosure of the connection?  Is such a disclosure even possible? 

To our knowledge, the FTC has not publicly addressed this issue, but we think that it could challenge an advertiser’s failure to disclose the consideration received in exchange for an endorsement conveyed by a “like.”  Any disclosure that the FTC would seek to prescribe in connection with “likes” displayed within the Facebook platform would most likely have to be built into Facebook’s “like” feature itself – something that is not within advertisers’ direct control.  This does not rule out an FTC action, as the FTC could take the position that advertisers should not use like-gated promotions if they are unable to make the disclosures required under the Endorsement Guides.  The FTC may also assert that corporate Facebook users have the power to impress upon Facebook the need to modify the “like” feature to allow for necessary disclosures. 

An advertiser considering a like-gated Facebook promotion should keep these issues in mind (and keep an eye out for further developments).  It should also ensure compliance with the FTC’s Endorsement Guides to the extent possible (i.e., where it can make required disclosures), such as on its own Facebook page and in other online and offline media in which it promotes the “likes” that it has received as a result of any promotion.

Don’t Forget the Facebook Promotions Guidelines.

When structuring a contest, sweepstakes or similar promotion using Facebook, an advertiser must also comply with the Facebook Promotions Guidelines, which Facebook revises from time to time.  Among other things, the Guidelines set limits on a promotion sponsor’s use of Facebook’s “like” feature.  For instance, while “liking” a sponsor’s own Facebook page is a permissible requirement under the Guidelines for a user’s participation in a promotion, the act of “liking” such a page cannot function to automatically register the user for the promotion.  Further, if a sponsor does condition participation on “liking” the sponsor’s Facebook page, the sponsor must extend eligibility for the promotion to users who previously “liked” the page, as well as to users who “like” the page from the first time in connection with the promotion. 

Sponsors of promotions are also prohibited under Facebook’s Guidelines from requiring prospective participants to take any action using any Facebook features or functionality other than either “liking” the sponsor’s own Facebook page, checking into a particular location or connecting to the sponsor’s Facebook app.  Nor may a sponsor require prospective participants to “like” any content other than the sponsor’s own Facebook page – for example, a sponsor may not condition a user’s participation on “liking” a specific wall post or any other particular piece of content.  The Guidelines do not explain the reason for this distinction; however, it may be that the “News Feed” and other posts that result when a user “likes” particular content (as opposed to a Facebook page generally) may often constitute “unauthorized commercial communications,” which are prohibited by Facebook’s Statement of Rights and Responsibilities

All this serves as an important reminder that running a successful and legally compliant promotion requires the promotion’s sponsor to be familiar with applicable laws, the social media platform provider’s various guidelines and contractual terms, and emerging best practices.

Editor’s Predictions for 2012

By John Delaney, Gabriel Meister and Aaron Rubin on Posted in Employment Law, IP, Privacy, Terms of Use

To ring in the New Year, the Socially Aware editors provide their predictions regarding social media law and business developments in the coming year (please keep in mind that, if we were good at this prediction thing, we wouldn’t be practicing law for a living) . . .

Watch for an explosion of employment law disputes involving social media in 2012.  It’s coming.  Get ready. You heard it here first.

We’re going out on a limb here, but we believe that the Second Circuit may reverse and remand the lower court’s decision in the widely-followed Viacom v. YouTube litigation, potentially creating turbulence for online companies that rely on user-generated content to attract traffic and boost revenues.  Although the case raises some of the most important copyright issues of the digital era, the lower court’s decision, favoring YouTube, did not dig into the details and nuances of the parties’ respective arguments, and our sense is that the Second Circuit may ultimately reverse that decision and send the case back to the lower court for further proceedings.

With the rise of social media platforms, we are seeing more and more companies — even Fortune 500 companies — entering into extremely one-sided “clickwrap” agreements with platform providers. Although clickwrap agreements are generally enforceable under U.S. law, we expect to see more challenges on public policy and other grounds to particular provisions in these agreements.

Speaking of clickwraps, we often comment on how social media platforms’ terms of service (TOS) are typically long and intricate, branching off into various rules, policies, guidelines and “best practices” that change over time (and not necessarily all at the same time!).  As business users invest more and more time and money in creating and cultivating their social media presences, and as consumers increasingly turn to social media as the way to interact with their favorite brands, we anticipate a resurgence of interest in what these TOS say… not just what they say today, but what they said last week, last month and last year.  We foresee more services adopting Twitter’s practice of maintaining an archive of earlier TOS versions, and perhaps even the institution of a well-stocked third-party clearinghouse, along the lines of TOSback.org, dedicated to tracking social media TOS changes over time. 

Even with Facebook’s recent settlement with the FTC in connection with Facebook’s data collection practices, we anticipate still further privacy law headaches for social media companies in the coming year.  Global privacy laws get tougher and more burdensome each year, and yet many social media providers, anxious to justify astronomical valuations, are undoubtedly feeling pressure to make more aggressive use of the personal information that they have collected from their customers.  Watch for the first skirmishes in 2012 to be initiated by European regulators. 

Online behavioral advertising is a subject that attracts strong bipartisan opposition, even in the current bitterly divided Congress.  Watch for 2011’s call for greater regulation of OBA to grow louder over the coming year, resulting in new legislation or regulations.

We will see even the largest, most conservative Fortune 500 companies adopting internal, company-wide social media platforms of the type offered by Jive, NewsGator and SocialText.  And, in 2013 and beyond, we’ll be seeing a new generation of privacy, employment, defamation and other legal claims arising out of these enterprise social platforms.

We will likely continue to see courts struggle with the limits of the safe harbors provided by Section 230 of the Communications Decency Act.  Ever since the landmark 1997 case Zeran v. America Online, courts have fairly consistently held that Section 230 provides online service providers broad immunity for defamatory or otherwise actionable information posted by users.  But we have also seen courts occasionally impose some limits on the scope of Section 230 — e.g., in the 2008 case Fair Housing Council v. Roommates.com and the more recent Hill v. StubHub case.  And other courts, such as the California Supreme Court in Barrett v. Rosenthal, have expressed discomfort with the broad sweep of Section 230 even while upholding it.  Watch for more Section 230 cases in 2012 as courts continue to explore the outer boundaries of this critically important but controversial statute. 

You don’t need a crystal ball to see that mobile apps will continue to generate much of the growth in social network use and Internet use in general in 2012.  Perhaps more interesting is the question of what form those apps will take and where users will get them. Various app stores and marketplaces, large and small, will continue to offer consumers many choices to shop for apps for different mobile platforms. And the emergence of HTML5-based apps as an alternative to native apps adds another dimension to the issue.  We will likely see continued volatility in this area in 2012, but, if we were going to make a prediction — and that’s what we’re doing here, right? — our money is on HTML5-based apps to start taking market share from native apps in the coming year.

As the major global social media platforms vie for local eyeballs, we foresee more announcements like Twitter’s recently-reported arrangement withMixi,Japan’s long-time favorite social media platform, to collaborate on new products and services. Partnerships like this, coupled with geographic expansion (Twitter opened an office inTokyo in early 2011), could help the leading U.S. social media providers to establish brand recognition and ultimately market share in countries that are still ruled by homegrown incumbents.

Running Contests and Sweepstakes on Facebook, Google+ and Twitter: How the Rules Stack Up

By Seth Graham on Posted in Online Promotions, Terms of Use

Over the past two years, Socially Aware has revisited Facebook’s Promotions Guidelines from time to time — even as recently as August 2011 — to help keep our readers up-to-date on how popular social media platforms seek to regulate contests, sweepstakes and other promotions.

Online promotions are as popular as ever, and given that two-thirds of American adults now use some type of social media platform, we decided to take a broader, comparative look at the promotions guidelines of three major social networks — Facebook, Google+ and Twitter — to give our readers a sense of how these guidelines stack up.

A social network’s terms and conditions governing promotions are typically a mix of rules, restrictions and best-practices suggestions that can be difficult to navigate.  Equally tough to digest are the dozens of “how to” websites that purport to instruct social media users how to conduct successful (and legal) promotions online, and the numerous companion sites that advertise social media promotions to anyone who wishes to join.  What’s more, social media services’ promotions policies are updated and amended frequently, as we have noted previously, and they typically incorporate or are incorporated into other, far more general rules and restrictions that both protect the respective service providers and give those providers considerable latitude in accepting, rejecting, suspending or terminating promotions on their platforms.

Here’s a quick look at where Facebook’s, Google+’s and Twitter’s promotions guidelines stand today:

1.  Google+.  Let’s start with Google+, the newest social network on our list.  Google+ recently published its policies for contests and promotions.  Simply put, Google+ users are not permitted to run contests, sweepstakes, offers, coupons or other such promotions directly on their Google+ Pages; however, users are permitted to post links on their Google+ Pages to such users’ promotions on other sites, as long as they agree to be solely responsible for such promotions and for compliance with all applicable laws, rules and regulations.  (In a sense, this approach mirrors Facebook’s rule, discussed in our August 2011 issue, on communicating about promotions:  “If you use Facebook to communicate about . . . a promotion, you are responsible for the lawful operation of that promotion.”)  Some have noted that Google+’s restrictive promotions policies are somewhat counterintuitive in light of Google+’s recent launch of “Brand Pages,” which finally enable brands, products, companies, businesses, places, groups, and everyone else to establish branded presences on the fledgling service.

User promotions that are linked from users’ Google+ Pages are required to adhere to a variety of other Google+ terms and conditions, including the Google+ Pages Additional Terms of Service.  Those terms incorporate by reference even more Google+ terms and conditions, such as the Google+ User Content and Conduct Policy.  Google retains the right both to remove a user’s “Promotion content” from the user’s Google+ Page for any reason and to block or remove Pages that violate Google+’s Pages terms (and even, in the case of repeat violations of the Pages terms, to suspend the user’s Google+ account).

One other interesting point:  For now, according to the Google+ Pages Additional Terms of Service, “[e]xcept as otherwise required by the Google+ Pages Terms, you may not include terms, conditions or non-Google provided technical restrictions on Google+ Pages.”  This implies that, even though a user is permitted to link to the user’s promotion from his or her Google+ Page, the user is not permitted to include on the Page any “terms” or “conditions” governing the promotion — let alone the promotion’s “Official Rules.”

2.  Twitter.  In contrast to Google+’s prohibitive policies, Twitter specifically permits users to operate promotions on its platform.  In fact, Twitter’s Guidelines for Contests on Twitter (the “Twitter Guidelines,” which despite their name, govern both contests and sweepstakes) take a different approach from other platforms’ promotions terms, as they read more like a set of suggestions that promotions operators are encouraged to follow in order to generally enhance the Twitter user experience and to steer entrants clear of violating other Twitter rules.  (Unlike the promotions guidelines for Google+ and Facebook, the Twitter Guidelines do not distinguish between promotions “run on” Twitter and those merely advertised on or promoted using Twitter; the guidelines simply govern any contests and sweepstakes “on Twitter,” for example, offering prizes for Tweeting updates, following a particular user or posting updates with a specific hashtag.)

As an example, the Twitter Guidelines admonish users to discourage the creation of multiple accounts (which could lead to account suspension under “The Twitter Rules”) by “be[ing] sure to” impose a rule that users will be ineligible if they create multiple accounts to enter a promotion more than once.  The Twitter Guidelines also note that users “might want to set a clear contest rule” that multiple entries from a given entrant in a single day will not be accepted, in order to help discourage posting of the same Tweet repeatedly (e.g., “whoever re-Tweets the most wins”).

3.  Facebook.  While Google+’s promotions guidelines flatly prohibit onsite promotions and instead focus on how users can communicate about their offsite promotions, and Twitter’s guidelines do not distinguish clearly between operating and communicating about promotions on Twitter, Facebook’s Promotions Guidelines squarely address both communicating about and operating promotions on Facebook.

Facebook’s Promotions Guidelines get into plenty of detail on how promotion operators can and cannot use Facebook and its many features to operate promotions.  A few highlights:

  • Promotions operated on Facebook must be administered using Apps on Facebook, Facebook’s development tools for app builders, both to ensure interoperability with Facebook’s platform and to enable Facebook to advertise to users of the app.
  • Promotions operators are required to make certain mandatory disclosures, including (i) a complete release of Facebook by each entrant, (ii) an acknowledgement that the promotion is not sponsored, endorsed or administered by Facebook, and (iii) that the entrant is providing information to the promotions operator only and not to Facebook.  (Neither Google+ nor Twitter requires disclosures such as these, although Google+’s promotions terms include broad language releasing Google from liability for users’ promotions and requiring users to indemnify Google from claims and losses arising from such promotions, and Twitter’s general terms simply disclaim any liability for Twitter’s use of content provided by Twitter users.)
  • Facebook features and functionality cannot be used (i) as a way to register for or enter a promotion (e.g., “Liking” a Facebook Page cannot constitute an entry in a promotion), (ii) as a prerequisite to participating in a promotion (although promotion operators are permitted to require users to Like a Page, check into a Place, or connect to the operator’s page in order to enter a promotion), (iii) as a promotion voting mechanism, or (iv) to notify promotion winners (e.g., through messages, chat, or posts on profiles or pages).  This is an interesting contrast to the Twitter Guidelines, which imply that Twitter is comfortable with the use of a wide range of Twitter features in connection with Twitter-based promotions.

Conclusions.  The promotions guidelines promulgated by Facebook, Google and Twitter reveal a few common threads.  Each service seems to be concerned with protecting its community members, for example, by restricting the creation of false accounts, by prohibiting the publication of misleading or false information or by limiting the collection and use of personal information by promotions operators for purposes other than the promotion itself.  Similarly, each service’s guidelines require promotion operators to take certain actions to ensure that their promotions do not interfere with, and are otherwise compatible with, the general functioning of the service.  Finally, each provider has put measures in place to shield itself from the legal complications arising from operating or communicating about promotions on its service — in at least one case (Google+), by prohibiting the operation of promotions outright.

Moreover, keep in mind that a social media site’s promotions guidelines are only part — typically, a very small part — of the universe of terms and conditions that bind promotions operators.  Each service described in this article requires compliance with various other sites-pecific policies, terms and conditions, which often further restrict how promotions can be run or advertised.  Google+’s promotions guidelines link to three other Google+ policies, each of which links to several other policies that impose additional restrictions, for example, the Google+ Pages Additional Terms of Service’s prohibition on posting content that violates third-party rights or content that is considered inappropriate under yet another policy, the Google+ User Content and Conduct Policy.  Similarly, Twitter requires all promotions operators to comply with The Twitter Rules and Twitter’s search best practices before commencing a promotion, and Facebook supplements its Promotions Guidelines by requiring promoters to comply with Facebook’s Statement of Rights and Responsibilities (which, as we have noted previously, incorporate many other Facebook policies), its Ad Guidelines, and its Platform Policies.  And bear in mind that all of these policies, rules and guidelines change over time.

The complexity of social media services’ various promotions guidelines, rules and best practices means that any would-be promotions operator needs to carefully review — and monitor over time — each service’s terms, particularly when a promotion is designed to leverage multiple social media services simultaneously.  First-time social media promotions operators in particular may want to seek legal guidance, both in understanding each target service’s terms and in helping to craft a set of “Official Rules” that can help the operator manage risk and maximize the chances of running a successful social media promotion.

Proposed Facebook Settlement Underscores the FTC’s Privacy Priorities

By Julie O'Neill on Posted in FTC, Privacy

On November 29, 2011, the Federal Trade Commission (“FTC”) announced a proposed order against Facebook that builds upon both the FTC’s recommendations from its 2010 draft privacy report and precedents set in the order that it recently imposed on Google.  Any business that collects personal information from consumers should pay close attention to this action because it makes clear that:

  • The FTC will continue to remain vigilant in holding companies to their privacy-related promises to consumers.  The FTC will pay particular attention when those promises involve consumers’ choices regarding their personal information, and it will continue to look for and prosecute companies who have certified their compliance with the U.S./EU Safe Harbor (allowing personal information collected in the EU to be transferred to the US) yet fail to abide by the principles underlying the Safe Harbor;
  • The FTC will continue to require opt-in consent for material changes to a company’s privacy practices.  This is not a new development, but it is worth repeating that the FTC has not backed away from its assertion that, when a company changes its privacy practices in a material way, it must obtain consumers’ opt-in consent to those changes before applying them retroactively (i.e., to information already collected);
  • The FTC has a robust new template for privacy orders.  The FTC will continue to impose onerous injunctive relief on companies that do not abide by their own privacy promises, including the obligation — even where there has been no alleged data breach — to obtain an independent privacy audit every other year for 20 years; and
  • The FTC will continue to require companies subject to a privacy order to implement and maintain a comprehensive “privacy by design” program and, in fact, may begin to expect this from all companies.  In its 2010 draft privacy report, the FTC proposed that businesses make privacy and data security a routine consideration by adopting a “privacy by design” approach.  The report has not yet been finalized, but that has not stopped the FTC from moving this proposal closer toward becoming a legal requirement by way of its enforcement actions against Google and Facebook (the FTC often expresses its “expectations” of industry through settlement agreements).  We take the inclusion of a “privacy by design” requirement in both orders to mean that the FTC thinks that all businesses should adopt such procedures and that, eventually, the FTC is likely to view a failure to adopt such procedures as deceptive or unfair, in violation of the FTC Act.

The proposed order would settle charges that a variety of Facebook’s information practices were deceptive or unfair.  Highlights of the complaint and proposed order are summarized below.  The proposed order was open for public comment until December 30, 2011; that period having closed, the FTC will now determine whether to make its order final or to modify its requirements.

The FTC’s Complaint

The FTC’s complaint against Facebook contains eight counts, each of which underscores the theme repeated in the FTC’s privacy enforcement actions over the years:  Businesses must comply with the privacy-related promises that they make to their customers.  Here, the FTC alleged that Facebook failed to comply with promises made to its users in a variety of contexts over time.  Specifically:

  • Facebook’s privacy settings:
    Access to personal information.      Facebook promised its users that, through the choices that they made in their Profile Privacy Pages, they could limit the categories of people who could access their personal information.  According to the FTC, however, users’ choices were meaningless because Facebook permitted third-party applications used by a user’s Facebook friends to access the user’s personal information — including marital status, birthday, town, schools, jobs, photos, and videos — regardless of the privacy settings chosen by the user.  The FTC has therefore alleged that the company’s representations were deceptive.
  • Facebook’s privacy settings:
    Overriding user choice.      Two counts in the FTC’s complaint address privacy policy changes that Facebook made in December 2009 — changes that Facebook claimed would not only give users more control over their personal information but also allow them to keep their existing privacy settings.  According to the FTC, contrary to those promises, some information designated by users as private (such as a friend list) was actually made public under the new policy.  The FTC has charged that this was deceptive because Facebook overrode users’ existing privacy choices without adequate disclosure. The FTC has further charged that the change constituted an unfair practice because Facebook retroactively applied material changes to personal information it had already collected from users without first obtaining their consent.  In the FTC’s view, the practice met the standard for unfairness because it “has caused or has been likely to cause substantial injury to consumers, was not outweighed by countervailing benefits to consumers or to competition, and was not reasonably avoidable by consumers.”
  • Scope of applications’ access to user information.  The FTC has alleged that, for more than three years from the debut of applications on the Facebook platform, Facebook deceived its users about the scope of the profile information accessible to apps.  Specifically, Facebook told users that an app would have access to only the information “that it requires to work.”  The FTC has charged that this promise was deceptive because, in many instances, Facebook gave apps unrestricted access to user profile information, including information that such apps often did not need to operate.
  • Advertisers’ receipt of user information.  According to the FTC’s complaint, Facebook represented to users numerous times that it would not share their information with advertisers without the users’ consent.  For instance, in its Statement of Rights and Responsibilities, Facebook promised:  “We don’t share your information with advertisers unless you tell us to. . . Any assertion to the contrary is false. Period . . . we never provide the advertiser any names or other information about the people who are shown, or even who click on, the ads.”  The FTC has alleged that this representation and others like it were deceptive because, from at least September 2008 until the end of May 2010, Facebook’s site was designed and operated such that the User ID of a user who clicked on an advertisement was, in many cases, shared with the advertiser.
  • Facebook’s “Verified Apps” program.  Facebook promised its users that, under its “Verified App” program, Facebook reviewed apps so as to “offer extra assurances to help users identify applications they can trust — applications that are secure, respectful and transparent, and have demonstrated commitment to compliance with [Facebook] policies.”  According to the FTC, however, because Facebook did not take any steps to verify an app in any of these ways, its promise was deceptive.
  • Photo and video deletion.  Facebook told users that, when they deactivated or deleted their accounts, their photos and videos would be inaccessible to others.  The FTC has alleged, however, that Facebook continued to make available the photos and videos of both deactivated and deleted accounts to third parties, and, accordingly, the company’s promises were deceptive.
  • Compliance with the U.S.-EU Safe Harbor Framework.  The FTC has alleged that Facebook misrepresented its compliance with its Safe Harbor certification because — as described above — it failed to give its users notice and choice before using their information for a purpose different from that for which it was collected, in violation of the “Notice” and “Choice” principles required of Safe Harbor certified companies.  Because Facebook’s Safe Harbor certification represented to consumers that Facebook was compliant with the principles, the FTC has charged that its failure to comply with them was unfair or deceptive.

The Proposed Settlement Agreement

No Privacy or Security Misrepresentations.  Like all FTC orders settling charges of deception, the proposed order would prohibit Facebook from future misrepresentations. Specifically, the order would enjoin Facebook from express and implied misrepresentations about how it maintains the privacy or security of users’ information, including:  (1) the extent to which a user can control the privacy of his or her information; (2) the extent to which Facebook makes user information available to third parties; and (3) the extent to which Facebook makes information accessible to third parties after a user has terminated his or her account.

Opt-In Consent for New Disclosures.  The proposed settlement agreement would require Facebook to obtain users’ opt-in consent before sharing their information with a third party in a way that materially exceeds the restrictions imposed by the users’ privacy settings.  This obligation ratifies a requirement that the FTC first imposed against Gateway Learning in 2004 and which it has repeated numerous times since then:  A company that makes a material change to its privacy practice must obtain affected individuals’ opt-in consent to that change before applying it retroactively (i.e., to information already collected).  The proposed order specifies the way in which Facebook must obtain such consent.  It must:  (1) clearly and conspicuously disclose to the user, separate and apart from any privacy policy or similar document, (a) the categories of information that will be disclosed, (b) the identity or categories of the recipients, and (c) the fact that such sharing exceed the restrictions imposed by the user’s privacy settings; and (2) obtain the user’s affirmative express consent to the disclosure.

Deletion of “Deleted” Content.  The proposed settlement would require Facebook to implement procedures reasonably designed to ensure that the information of a user who has deleted his or her information or deleted or terminated his or her account is not accessible by any third party.

Privacy by Design.  Like the FTC’s order against Google, the proposed Facebook order includes a “privacy by design” provision that would require Facebook to implement and maintain a comprehensive privacy program that (1) addresses the privacy risks related to the development and management of both new and existing products and services and (2) protects the privacy of user information.  Specifically, Facebook would have to:

  • designate one or more responsible employees;
  • identify reasonably foreseeable material risks that could result in the unauthorized collection, use or disclosure of user information;
  • design and implement reasonable controls and procedures to address identified risks and regularly test them;
  • develop and implement reasonable steps to select service providers that will adequately protect user privacy and contractually require them to maintain appropriate protections; and
  • evaluate and adjust the privacy program in light of the testing required by it, any material change to Facebook’s operations, or any other circumstances that may have a material impact on the program’s effectiveness.

In its 2010 draft privacy report, the FTC proposed that businesses make privacy and data security a routine consideration by adopting a privacy by design approach.  Although it has not yet finalized the report, the FTC has moved this proposal closer to becoming a legal requirement through both its proposed order and its recent order against Google.  The FTC often expresses its expectations of industry through a settlement agreement.  For this reason, we take the inclusion of a privacy by design requirement in both orders to mean that the FTC thinks that all businesses should adopt such procedures and that, eventually, the FTC is likely to view a failure to have them as deceptive and/or unfair, in violation of the FTC Act.

Biannual Audits for 20 Years.  The proposed settlement agreement would require Facebook to obtain an independent privacy audit every other year for 20 years.  In light of the fact that this is the second time that the FTC has imposed such relief this year (after the Google matter), we expect that the 20-year audit requirement along with the privacy by design provision, will become a staple of FTC privacy settlements.

Safe Harbor Provisions.  The proposed settlement marks the second time that the FTC has held a company accountable for its alleged failure to comply with substantive privacy provisions of the US/EU Safe Harbor framework.  (The first was in the Google action.)  The charges serve as an important reminder that Safe Harbor certification constitutes a representation to consumers that, if false, is actionable.  The proposed order would bar Facebook from misrepresenting its compliance with the Safe Harbor or any other privacy or security compliance program.

Key Take Aways

The FTC’s complaint and proposed order against Facebook are noteworthy because they reinforce the precedents that the FTC set in its action against Google, thereby sending the following unmistakable signals to the market:

  • The FTC will continue to hold companies to their privacy promises and apply strong injunctive relief where it finds that the promises are false;
  • The FTC continues to believe that a company must obtain affected consumers’ affirmative consent to new privacy practices applied retroactively;
  • The FTC will continue to look for and prosecute companies’ failures to abide by the principles underlying their US/ EU Safe Harbor certifications;
  • The FTC has a new template for privacy settlement agreements — one that requires a privacy by design approach to business, as well as independent biannual audits for 20 years; and
  • The FTC is beginning to consider privacy by design as a requirement under Section 5 of the FTC Act, which prohibits unfair and deceptive acts and practices.

Standard for Discovery of Anonymous Internet Users’ Identities Remains in Flux

By Sunni Yuen on Posted in Discovery, Litigation, Privacy

Plenty of press attention has been given to social media sites’ views on whether their users can use “handles” or pseudonyms instead of their real names.  But much of the Internet’s social conversation remains dependent upon that dot-com staple, the anonymous message board.  In the recent case of Varrenti v. Gannett Co., Inc., a New York trial court had an opportunity to opine on the standard for compelling an online service provider (OSP) to disclose the identities of anonymous Internet posters in view of competing First Amendment considerations.  However, the court punted on that issue, instead basing its decision on the far narrower question of whether plaintiffs stated a prima facie cause of action against the anonymous defendants — and leaving the standard for discovery of anonymous Internet users’ real identities unsettled in New York, just as it is nationwide.

A variety of tests for compelling the disclosure of the identity of an anonymous Internet user have emerged over the past decade.  One approach is the five-factor balancing test established by a New York federal court in Sony Music Entertainment Inc. v. Does 1-40.  Under the Sony Music test, a court is required to weigh the following five factors in order to assess the need to disclose an anonymous Internet user’s identity:

  • Is there a concrete showing of a prima facie claim of actionable harm?
  • Is the discovery request sufficiently specific to lead to identifying information?
  • Is there an absence of alternative means to obtain the subpoenaed information?
  • Is there a central need for the subpoenaed information to advance the claim?
  • Does the anonymous Internet user have a reasonable expectation of privacy?

An OSP’s terms of service agreement can play into the fifth prong of the Sony Music test.  In Sony Music, for example, the OSP’s terms of service specifically reserved the right to disclose any information necessary to satisfy any law.  Because the same terms also expressly prohibited users from transmitting material in violation of copyright law, the court found that the anonymous defendants had little expectation of privacy when using the service to download and distribute over peer-to-peer networks, sound recordings owned by third parties without permission of the copyright holders. Such a limited expectation of privacy, in conjunction with the plaintiff’s strong prima facie claim of copyright infringement and the plaintiff’s demonstrated need for the identifying information to advance its claim, outweighed any limited First Amendment protections that the service users might otherwise have.

Another test for whether the disclosure of an anonymous Internet user’s identity can be compelled, is the four-factor test invoked by the Appellate Division of the New Jersey Superior Court in Dendrite International, Inc. v. Doe No. 3.  In the lower court, Dendrite had sought to discover the identity of an anonymous poster on a Yahoo! Internet message board devoted to a discussion of Dendrite’s stock performance.  Dendrite alleged that the poster defamed the company and misappropriated trade secrets by making false statements about Dendrite having changed its revenue recognition policy, Dendrite’s contracts being structured to defer income and Dendrite’s lack of competitiveness, as well as by alleging that Dendrite’s president was secretly and unsuccessfully “shopping” the company.  The lower court judge found that the plaintiff was not entitled to discovery of the anonymous poster’s identity because it had failed to show harm caused by the anonymous postings — a required element for stating a prima facie case of defamation.

On review, the Appellate Division adopted, with modifications, a four-factor test that had been applied by the federal district court in the Northern District of California in Columbia Insurance Company v. Seescandy.com.  Under this test, a trial court is permitted to order the disclosure of an anonymous Internet user’s identity if:

  • The plaintiff makes efforts to notify the user that he or she is the subject of a subpoena, and affords the user a reasonable opportunity to file and serve opposition;
  • The plaintiff identifies and sets forth the exact statements purportedly made by the anonymous user that allegedly constitute actionable speech;
  • The plaintiff has asserted a prima facie cause of action against the defendant and produced sufficient evidence to support each element of the action; and
  • The strength of the prima facie case presented, and the need for the disclosure of the defendant’s identity, outweigh his or her First Amendment right of anonymous free speech.

The fourth prong of this Dendrite test is intended to be a “flexible, non-technical, fact-sensitive mechanism” that gives courts ample discretion to evaluate whether disclosure of the anonymous user’s identity is necessary.  Therefore, even though the lower court judge in Dendrite may have taken a stricter approach than normal to the “harm” element of the test (particularly when applying motion-to-dismiss standards), the Appellate Division determined that the judge’s analysis of the claim was still consistent with that element of the test — and after determining that the record supported the lower court’s finding that there was no nexus between the anonymous postings and fluctuations in Dendrite’s stock prices, it affirmed the finding and refused to permit discovery of the anonymous poster’s identity.

At least one court has found that the nature of the speech involved should be the driving force in selecting the test for discovering the identity of an anonymous Internet user.  The Ninth Circuit has held that a stricter test for unmasking “John Doe” Internet publishers is appropriate when the speech at issue is non-commercial.

Under this test, originally established by the Delaware Supreme Court in Doe v. Cahill, a plaintiff may discover an anonymous speaker’s identity by both giving or attempting to give notice to the speaker, and presenting a prima facie case that can survive a hypothetical motion for summary judgment.  As reported in our August 2010 issue, the trial court in Quixtar, Inc. v. Signature Management TEAM, LLC, used this test to order the disclosure of the identities of anonymous speakers who had made allegedly false and disparaging statements about the plaintiff company on third-party blogs and in online videos.  On appeal, the Ninth Circuit found that the district court’s application of the Cahill test was not appropriate because the speech involved related to a non-compete provision in a contract, which was not express political speech entitled to greater protection.  However, because the trial court’s decision to apply the Cahill test did not constitute clear error, the Ninth Circuit nonetheless refused to vacate the trial court’s order.  It is unclear whether courts in other jurisdictions have adopted the approach of choosing a test based on whether the speech at issue is commercial or non-commercial. 

The recent Varrenti decision reminds us that the assertion of a prima facie cause of action remains a key factor in determining whether the identities of anonymous Internet users are discoverable, no matter which test reigns.  In Varrenti, members of the Village of Brockport Police Department brought a defamation action against the Democrat & Chronicle, a local newspaper publisher in Rochester, New York, and four Internet users who posted anonymous comments on the newspaper’s website about the plaintiffs’ competence, integrity and actions.  The plaintiffs argued that the Sony Music test should apply, while the defendant argued that the Dendrite test should apply.  The New York Supreme Court elected not to address the issue of which test applied, instead focusing on the common factor from both tests — that is, whether the plaintiffs had stated a prima facie cause of action for defamation.  Because the tone and objective of the anonymous statements were critical of the plaintiffs and the comments were published in a web forum that invited newsreaders to share opinions, the court found as a threshold matter that the comments were protected expression that could not form the basis of a defamation claim, and that, therefore, no prima facie case had been stated.

In basing its decision solely on the context in which the comments were made, the Varrenti court avoided addressing other test factors, bringing no further clarity on which standard for discovering the identity of anonymous Internet users should apply.  Until the various standards for discovery of anonymous Internet users’ identity converge, then, the question of whether an OSP can be compelled to disclose an Internet user’s identity rests largely on the plaintiff’s ability to state a prima facie claim of actionable harm — worth keeping in mind for companies pursuing a claim against a user of a message board or other social media service.