February 2013

Here at Socially Aware, we report regularly on the difficulties inherent in applying long-established laws to new technologies like social media. An interesting example of this is unfolding in Japan: it concerns a decades-old law that has been interpreted to prohibit candidates, parties, and even the voting public from engaging in most campaign-related activities on the Internet during the run-up to any given election. But this may be about to change.

The law at issue is called the Public Offices Election Law or Koushoku Senkyo Hou (POEL). As Professor Matthew Wilson describes in his 2011 article, “E-Elections: Time for Japan to Embrace Online Campaigning,” the POEL, enacted in 1950, strictly regulates which campaign activities can be conducted in Japan during the so-called “official campaign period”—a period that immediately precedes each national, prefectural and municipal parliamentary election and that generally lasts from two to three weeks—and precisely how those activities can be conducted. As Professor Wilson summarizes neatly, “Essentially [the POEL] is a collection of ‘thou shall Nots’ or barriers involving the time, place, manner, and methods associated with elections and campaigning.”

Given that the law was enacted over sixty years ago, needless to say, it does not explicitly address modern, computer-mediated communications, let alone social networking. But Article 142 of the POEL does prohibit, among many other specific restrictions, the dissemination of “documents and drawings” during the official campaign period for electioneering purposes, other than the distribution of a limited number of postcards and leaflets as otherwise specifically permitted by the law. And importantly, the Japanese government has consistently interpreted this “documents and drawings” limitation to apply to online activities, including email and social media, such as Twitter feeds. Reportedly, Japan’s Ministry of Internal Affairs and Communications continues to hold the view that Internet-based electioneering activities are governed by the POEL.

The upshot is that, even though Japanese political parties and candidates routinely use blogs, Twitter profiles, Facebook pages and email for general political purposes, those same parties and candidates typically freeze their existing blogs, websites and online presences, refrain from creating new ones, and suspend other campaign-related online communications during the brief periods immediately preceding elections—periods many would consider to be the most crucial times to engage the voting public. And not only does the law apply to political parties and candidates, but it also restricts the general public from engaging in campaign-related activities online.

In any case, the POEL’s prohibitions on Internet and social media electioneering may be nearing a makeover. According to a report in the Japan Times, on February 13, 2013, all eleven major political parties in Japan’s National Diet tentatively agreed to relax this long-time ban on Internet-based electioneering, in time for the House of Councillors election in the summer of 2013.

Glimmers of this news have been on the horizon for some time. In December 2012, Prime Minister Shinzo Abe announced his view that Japan’s strict prohibition on Internet campaigning should be lifted. (Prime Minister Abe is active in social media—witness his Facebook page, with over 230,000 followers, and his Twitter feed, with over 70,000 followers as of the date of this entry.) Other major political figures in Japan have expressed similar views, including Goshi Hosono, Secretary-General for the Democratic Party of Japan (DPJ), and in December 2012, Toru Hashimoto, Mayor of Osaka and co-leader of the Japan Restoration Party, reportedly took to Twitter itself to challenge the logic of the POEL’s restrictions on Internet campaigning.

Japan’s ruling and opposition political parties continue to disagree on the details of how to liberalize the POEL. For example, as the Yomiuri Shimbun reported in early February 2013, the then-current proposal by Japan’s recently elected Liberal Democratic Party (LDP) would have permitted candidates to send campaign-related emails during the official campaign period only to people who had agreed to receive such emails in advance (an “opt-in” approach), while the DPJ’s proposal would have permitted sending unsolicited emails to an unspecified number of people, but not to those who declined to receive such emails (presumably, an “opt-out” approach). The parties have continued to differ on other points as well, including whether only political parties, or both the parties and their respective candidates, should be able to engage in paid web advertising, and whether the right to send campaign emails during the official campaign period should be limited only to political parties and candidates or should extend to the general public. As of February 21, 2013, Japan’s two ruling political parties—the LDP and New Komeito—reportedly have decided to break off discussions with opposition parties and instead propose their draft bill to the Diet directly.

This isn’t the first time that Japan’s political realm has called for a relaxation of the POEL’s restrictions on online campaigning. As several sources point out, in late May 2010, preceding the summer House of Councillors election, ruling and opposition politicians collaboratively drew up a bill to amend the POEL to permit candidates and parties to update websites and blogs during the official campaign period (but not to permit electioneering emails or, at least explicitly, the use of Twitter). However, the Diet was unable to turn those proposed changes into law in time for the election.

Various objections have been raised against easing the POEL’s current restrictions. For example, many are concerned that relaxing the existing restrictions could lead to more harassment and libelous activity, particularly given the quasi-anonymity of Internet communications and the ability to pose as others on social media and “spoof” communications to mask their real origins. These concerns are not without cause: on June 4, 2010, promptly after the selection of Naoto Kan as Japan’s Prime Minister, someone—not Prime Minister Kan—registered a Twitter profile bearing the name “kann_naoto” and displaying Prime Minister Kan’s photograph, and posted a single tweet that translated as, “Using this chance, I have started Twitter.” The account was eventually removed, but only after it had attracted more than 10,000 followers. And then-Prime Minister Kan isn’t the only Japanese politician to have received the fake-profile treatment on Twitter. (Any final proposal to modify the POEL may call for stiffer penalties for using the Internet to defame candidates or spread false information during the official campaign period.)

Objections like these are balanced against the potential benefits of liberalizing the POEL, including the possibility that freeing up the use of social media during the official campaign period will not only help level the campaign playing field cost-wise and give the voting public a chance to hear from their candidates when needed most, but that it will help increase voter turnout among young voters who use social media for … well, practically everything else.

The use of social media by politicians in Japan has exploded over the past few years: according to tracking site Politter, over 560 current and former Japanese politicians are actively tweeting. In view of this, changes to Japan’s Public Offices Election Law could have a major impact on the Japanese electioneering landscape.

Europe is currently undergoing a significant reform of its privacy regime. Under the current European Union (EU) Privacy Directive, individuals already have broad rights curtailing companies’ ability to process their personal data. The proposed EU Privacy Regulation seeks to broaden these rights even further. In particular, the proposed “right to be forgotten” may ultimately impose substantial new burdens on companies, especially social media and Internet businesses.

European privacy laws restrict the information that companies can process regarding individuals, and grant to individuals several rights with respect to their personal data (e.g., access and correction rights). The current EU Privacy Directive came into force in 1995 and has continued to apply ever since with various updates in the intervening years. The Europeans, however, are currently discussing a proposed EU Privacy Regulation that would further strengthen the protection of personal data of individuals by, among other things, introducing new rights. Among the new rights being proposed is the “right to be forgotten.” Essentially, under this proposed new right, individuals would be able to request—under certain circumstances—that companies erase all information in their systems and databases regarding such individuals. Companies receiving such requests would be obligated to comply.

The right to request removal from a company’s records is not new. Under the current EU Privacy Directive, an individual can request that a company remove his or her data from its system under certain circumstances, for example, because there is no legal basis for the company having such data in the first place or because the individual no longer has a relationship with that company (e.g., if a customer switches mobile phone carriers). However, this current right of removal is not absolute and can take a backseat to other interests, such as a company’s duty to maintain books and records of its business.

The new right to be forgotten would strengthen and expand the current right of removal. In particular, the new right would require a company to not only erase the applicable information and cease any further dissemination of the information but also take all reasonable steps necessary to inform third parties to whom the company has made the data available and to request that such third parties also remove the data from their systems. In other words, the new right would require a complete cleanup of the data originating from the company. A phone company receiving the request would therefore have to not only remove the data from its systems, but also inform, for example, its collections agencies, advertising and marketing agencies and outsourcing providers (such as installation services companies) that the request was made and that they should also remove the applicable data from their systems (as currently drafted, the company would only have to pass along the request, and would not be required to verify compliance with such request by other companies).

The right to be forgotten has been conceived in particular to address social media companies and other online businesses. Regarding such providers, the European legislatures find it of paramount importance that individuals be able to control what information is online about them (even when they have put the information online themselves), especially with respect to minors under the age of 18. While the rationale for this approach may be understandable, the way that the right is currently drafted, a social media site that receives a request to be forgotten could be obligated to inform third parties about the request, including other users of the social media site, other social media sites to which the data has been linked (e.g., via Twitter feeds or integration), search engines and any other website that the social media site knows has received the data. Given the expansive scope of the right as currently drafted, this right could potentially create burdensome and costly compliance obligations for social media sites and other online services, once the proposed EU Privacy Regulation is in force.

The proposed reform is currently being discussed in the European Parliament and is not expected to be finalized until 2014 at the earliest, after which there will be another two years before it would take effect. The proposals in the Regulation may still change pending ongoing debate, although it is expected that many of the new rights and requirements, including the right to be forgotten, will be maintained in some form.

Please join Socially Aware editor John Delaney as he chairs Practising Law Institute’s (PLI) “Social Media 2013: Addressing Corporate Risks.” Issues to be addressed at the conference include the following:

  • Social media: How it works, and why it is transforming the business world
  • Drafting and updating social media policies
  • User-generated content and related IP concerns
  • Ensuring protection under the CDA’s Safe Harbor
  • Minimizing risks relating to mobile apps
  • Online marketing: New opportunities, new risks
  • Privacy law considerations
  • Practical tips for handling real-world issues

Representatives from Tumblr, Gilt Groupe, Google and other companies will be speaking at the event in New York City on Wednesday, February 27th. Please join Morrison & Foerster and Socially Aware for a reception immediately following the conference.

For more information or to register, please visit PLI’s website here.

If you want to use those pictures you found on Twitter, beware. A federal judge in New York recently held that taking photos from Twitter to use for a commercial purpose infringes the photographer’s copyrights. On January 14, 2013, Judge Alison Nathan ruled that Agence France Presse (AFP), which provides subscribers with access to photos through an international wire and databank, and the Washington Post (“the Post”) infringed Daniel Morel’s copyrights to photos he posted on Twitter.

In January 2010, freelance photographer Daniel Morel uploaded to his TwitPic account a number of photos he took in Haiti in the immediate aftermath of the earthquake. An individual named Lisandro Suero took those photos from Morel’s Twitter account, reposted them to his own Twitter account, and tweeted that he had exclusive photos of the earthquake. AFP got the photos from Suero’s Twitter page, attributed the photos to Suero, and began distributing them to users of its wire and databank services. Getty Images (“Getty”) received the photos through AFP’s wire service. The Post received the photos from Getty. Getty and the Post published the photos on their websites, with captions that attributed them to Suero.

When Morel’s exclusive agent found out that AFP, Getty and the Post were using his photos, his agent complained. While at least some efforts were made by AFP, Getty and the Post to address Morel’s agent’s complaint, those efforts in most respects fell far short of what is required under the law.

In March 2010, AFP sought a declaratory judgment that it did not infringe Morel’s copyrights, and Morel counterclaimed for copyright infringement against AFP, Getty and the Post. During the course of the case, Morel moved for summary judgment on his copyright infringement counterclaim. In response, the defendants argued that pursuant to the Twitter Terms of Service (TOS), Morel provided them a license to use the photos by his very act of tweeting the photos.

Judge Nathan disagreed. Judge Nathan found that the Twitter TOS provide that users generally retain their rights to the content they post—with the exception of the license granted to Twitter and its partners. Twitter’s “Guidelines for Third Party Use of Tweets in Broadcast or Other Offline Media” further underscored that, while the Twitter TOS permit users to retweet posts, the Twitter TOS were not intended to let the “world-at-large” remove content from Twitter and commercially distribute it. Rebroadcasting tweets in their entirety is now a news program staple and actively encouraged by Twitter. Twitter’s TOS, however, do not permit media outlets to rip copyrighted material out of tweets and use it for some other purpose. Because AFP and the Post put forward no defense other than their license defense, Judge Nathan granted Morel’s motion for summary judgment and found them both liable for copyright infringement.

Unlike AFP and the Post, Getty argued that it was entitled to the benefit of the safe-harbor provisions of the Digital Millennium Copyright Act (DMCA) that protect service providers from liability for copyright infringement. Judge Nathan held, however, that genuine issues of fact existed as to whether Getty could take advantage of the DMCA safe harbor, noting that companies like Getty that are in the business of selling copyrighted material may not be shielded from copyright liability under the DMCA’s safe harbor. Thus, it remains to be seen whether Getty will also be found liable for copyright infringement.

In one bright spot for AFP and Getty, Judge Nathan granted summary judgment in their favor on the proper method for calculating statutory damages under the Copyright Act, which can result in awards of up to $150,000 per work infringed. Morel claimed that he was entitled to a statutory damage award “in the tens or hundreds of millions of dollars” against AFP and Getty. Morel argued that, because AFP and Getty distributed the photos to many of their subscribers, each downstream infringement by one of their subscribers would entitle him to an additional statutory damages award. Judge Nathan disagreed and held that any award of statutory damages against AFP and Getty could not be multiplied based on the number of infringers with whom they may be jointly and severally liable.

This decision clarifies that Twitter users do not lose ownership rights to their content by posting it to Twitter. Although you may have the right to retweet or publish tweets in their entirety, you don’t have the right to take someone else’s content and use it for commercial gain.

The Federal Trade Commission (FTC) announced a potentially groundbreaking settlement with the social networking app Path and released an important new staff report on Mobile Privacy Disclosures late last week.

The FTC’s Settlement with Path suggests a new standard may be on the near-term horizon: out-of-policy, just-in-time notice and express consent for the collection of data that is not obvious to consumers in context. The FTC has long encouraged heightened notice and consent prior to the collection and use of sensitive data, such as health and financial information. This settlement, however, requires such notice and consent for the collection and use of information that is not inherently sensitive, but that, from the Commission’s perspective, at least, might surprise consumers based on the context of the collection. Only time will tell, but historically Order provisions like this have tended to become cemented as FTC common law. Moreover, although the Children’s Online Privacy Protection Act (COPPA) portions of the settlement do not break new ground, they do serve as a potent—and expensive—reminder that the FTC is highly focused on kids’ privacy online, particularly in the mobile space.

The FTC’s Report reinforces this sentiment by encouraging all the major players in the mobile ecosystem—including app developers, ad networks, and trade associations—to increase the transparency of the mobile ecosystem through clear, accessible disclosures about information collection and sharing at appropriate times.


Handing a victory to online retailers, on February 4, 2013, the California Supreme Court held in a split decision that online transactions involving electronically downloadable products fall outside the scope of the Song-Beverly Credit Card Act (Apple v. Superior Court (Krescent), S199384). Despite acknowledging the unique fraud issues present in online transactions, the Court refused to decide the broader issue of whether the Act applies to online transactions that do not involve electronically downloadable products or to any other “card not present” transactions that do not involve in-person, face-to-face interaction between the purchasing customer and the retailer. That said, given the Court’s analysis, it is hard to imagine a different outcome for online transactions as a whole.

This opinion comes nearly two years after the California Supreme Court’s February 2011 decision in Pineda v. Williams-Sonoma Stores, Inc., which held that for purposes of the Song-Beverly Act, ZIP codes constitute “personal identification information” (PII). The Pineda decision opened a floodgate for lawsuits based on retailers’ collection of ZIP codes, resulting in hundreds of cases against brick-and-mortar retailers. Some online retailers were swept up in the post-Pineda litigation frenzy as well and, since then, online retailers and others involved in e-commerce have been waiting to see if the Act, which prohibits businesses from requesting and recording customers’ PII during credit card transactions, applies to online transactions. Although the majority explicitly limited its holding to online purchases of electronically downloadable products, the Court’s 4-3 decision is consistent with the trend in California trial courts (state and federal), which have concluded that online transactions are exempt from the Act.

The “electronically downloadable” transactions at issue in this case involved digital media, i.e., audio and video files customers can purchase and download from the Internet onto their personal computers. The Court held that “this type of transaction does not fit within the statutory scheme,” reasoning that the Legislature did not “intend[] to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products—and the novel challenges for privacy protection and fraud prevention that such commerce presents—within the coverage of the [Act].” The Court supported this reasoning through an extensive examination of the Act’s text, purpose, and history.

Initially, the Court found that the text was not decisive of the issue. Turning to the history and purpose of the Act, the Court explained that “while the Legislature indeed sought to protect consumer privacy, it did not intend to do so at the cost of creating an undue risk of credit card fraud.” For example, the Court focused on the safeguards against fraud provided by Section 1747.08(d) of the Act, which allows retailers to require customers to provide positive identification as a condition of accepting a credit card as payment. Section 1747.08(d) also permits retailers to record certain PII (the customer’s driver’s license number) in “card not present” transactions, which are transactions in which the customer does not make the credit card available for verification. These safeguards evidence the “Legislature’s concern that there be some mechanism by which retailers can verify that a person using a credit card is authorized to do so.” Because application of the Act to electronically downloadable products would provide no mechanism for online retailers to protect against fraud, the Court concluded that the Legislature could not have intended the Act to apply to such products.

The Court also rejected arguments that the 2011 amendment to the Act, which created an exception allowing gasoline retailers to collect ZIP codes in “pay-at-the-pump” transactions, somehow shows that the Act applies to online transactions. In particular, the Court rejected the notion that the narrow exception would be unnecessary surplusage if the Act was not intended to apply to remote (or “card not present”) transactions in the first place. Here, the Court focused on the specific problem the Legislature intended to address by amending the Act: to provide relief to gasoline retailers who had been collecting ZIP codes pre-Pineda for fraud prevention purposes. Finding the plaintiff’s view—that the Legislature would have created a fraud prevention exception for gasoline retailers while leaving online retailers unprotected—counterintuitive, the Court observed that online retailers “have at least as much if not more need for an exemption to protect themselves and consumers from fraud.”

Although online purchases of electronically delivered goods are unquestionably outside the scope of Song-Beverly, the Court declined to close the door—at least in this decision—to online transactions in general. The Court’s concerns about credit card fraud, however, are hardly unique to electronically downloadable products; the same analysis applies with equal force to online transactions generally (as well as other “card not present” transactions). While the logic of the decision suggests that these transactions should also be outside the scope of the Act, we expect that some enterprising plaintiff’s lawyer may take up the issue left undecided and pursue claims either against catalog merchants, telephone order companies, or even online retailers selling tangible goods. We think retailers have the stronger argument.

With the explosive growth of social media, consumers increasingly expect to be able to interact online with the companies from which they buy goods and services. As a result, financial institutions have begun to explore the use of social media, both to strengthen relationships with existing customers and to attract new ones. Financial institutions, however, have proceeded with extreme caution in using social media, in large part due to uncertainty as to the application of financial laws and regulations to social media and, to the extent they are applicable, how a financial institution can comply.

In response to industry requests for guidance on the use of social media, on January 23, 2013, the Federal Financial Institutions Examination Council (FFIEC) requested public comment on proposed guidance (“Proposed Guidance”) for financial institutions relating to the use of social media. The Proposed Guidance is intended to help financial institutions understand potential risks associated with the use of social media and to communicate the expectations of the agencies that make up the FFIEC for how financial institutions should manage these risks. The Proposed Guidance, however, largely does not address how a financial institution may comply with any particular requirement when using social media.

The following provides an overview of the Proposed Guidance, which may be found here. Comments on the Proposed Guidance must be submitted to the FFIEC by March 25, 2013.

Background on the FFIEC

The FFIEC is a formal interagency body that is authorized to prescribe uniform principles, standards and report forms for the examination of financial institutions by the federal banking agencies, the National Credit Union Administration (NCUA) and the Bureau of Consumer Financial Protection (CFPB) (collectively, the “Agencies”). Historically, banks were the main type of financial institutions to be the focus of FFIEC supervisory guidance; however, the Dodd-Frank Act expanded the membership of the FFIEC to include not only the federal banking agencies and the NCUA, but also the CFPB. As a result, FFIEC guidance now extends to any person supervised by the CFPB, including many types of non-bank financial institutions, such as mortgage brokers, payday lenders, consumer reporting agencies and debt collectors.

The Proposed Guidance

The Proposed Guidance is intended to help financial institutions understand potential risks associated with their use of social media, including compliance, reputation and operational risks, and to communicate the Agencies’ expectations for how financial institutions should manage these risks. Although the Proposed Guidance clarifies that, if finalized, it would not impose additional obligations on financial institutions, the Agencies each intend to issue any final guidance as supervisory guidance to the institutions that they supervise. As a result, financial institutions subject to the Agencies’ supervisory authority will be expected to use the guidance in their efforts to ensure that their risk management practices adequately address the risks associated with their use of social media, including those outlined in the finalized guidance.

“Social Media” Defined

The Proposed Guidance casts a wide net in defining “social media” as any “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” From the Agencies’ perspective, it is social media’s interactive nature that distinguishes it from other online media. The Proposed Guidance includes the following non-exhaustive examples of media that the Agencies believe to fall within the definition:

  • micro-blogging sites (e.g., Facebook and Twitter);
  • forums, blogs, customer review websites and bulletin boards (e.g., Yelp);
  • photo and video sites (e.g., Flickr and YouTube);
  • professional networking sites (e.g., LinkedIn);
  • virtual worlds (e.g., Second Life); and
  • social games (e.g., FarmVille).

Risk Management Programs

A cornerstone of the Proposed Guidance is the expectation that a financial institution will maintain a risk management program through which it identifies, measures, monitors and controls risks related to its use of social media. The Proposed Guidance provides that a financial institution’s risk management program should include the following seven components:

  • A governance structure with clear roles and responsibilities whereby the institution’s board or senior management directs how the use of social media contributes to the institution’s strategic goals and that establishes controls and ongoing risk assessments.
  • Policies and procedures regarding the use and monitoring of social media and compliance with applicable consumer protection laws.
  • An employee training program regarding the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
  • An oversight process for monitoring information posted to proprietary social media sites administered by, or on behalf of, the financial institution.
  • A due diligence process for selecting and managing third-party service provider relationships in connection with social media.
  • Audit and compliance functions to ensure ongoing compliance with internal policies and applicable law.
  • Parameters for reporting to the institution’s board or senior management that will enable periodic evaluations of the social media program.

As in other areas of financial law and regulation, the expectation would be that the size and complexity of a financial institution’s risk management program would be commensurate with the breadth of the institution’s involvement in social media. For example, a financial institution that relies heavily on social media should have a more detailed program than a financial institution that uses social media only in a limited manner. Nonetheless, the Proposed Guidance indicates that a financial institution that does not use social media should still be prepared to address the potential for negative comments or complaints related to the institution that may arise within social media and also to provide guidance for employee use of social media.

Risk Areas Generally

The majority of the Proposed Guidance focuses on identifying potential risks related to a financial institution’s use of social media, including risk of harm to consumers. In particular, the Proposed Guidance identifies potential risks within three broad categories: (1) compliance and legal risk; (2) reputational risk; and (3) operational risk. While the Proposed Guidance catalogs the many risks presented by the use of social media, the focus is on the risks associated with compliance with consumer protection requirements. Nonetheless, the lengthy identification of risk areas would put financial institutions on notice of the broad scope of their responsibilities with respect to the use of social media.

Compliance and Legal Risk Areas

Compliance and legal risk relates to the risks associated with the failure to comply with laws, rules, regulations, prescribed practices, internal policies and procedures, and ethical standards and the related exposure to enforcement actions and/or private rights of action. The Proposed Guidance cautions that these risks are “particularly pertinent” for an emerging medium like social media where a financial institution’s policies and procedures may not have kept pace with changes in the marketplace.

Although a financial institution would be expected to ensure that it periodically evaluates and controls its use of social media to ensure compliance with all applicable legal obligations, the Proposed Guidance identifies examples of more than 15 federal laws where a financial institution may be exposed to compliance and legal risk. These examples are broken down into five general categories: (1) privacy; (2) deposit and lending products; (3) payment systems; (4) anti-money laundering; and (5) community reinvestment. Of note, none of these includes any exception regarding the use of social media. As a result, the Proposed Guidance cautions that, to the extent a financial institution uses social media to engage in covered activity (e.g., advertising a credit product), it would be required to comply with any applicable legal requirement that may relate to that covered activity.

We highlight below certain compliance risks identified in the Proposed Guidance that may be relevant to many financial institutions:

Privacy

  • A financial institution using social media should clearly disclose its privacy policies where required by the Gramm-Leach-Bliley Act.
  • A financial institution maintaining its own social media site should ensure that it maintains and follows policies restricting access to the site to users 13 or older in a manner consistent with the Children’s Online Privacy Protection Act.
  • A financial institution should consider whether any unsolicited communication sent to consumers via social media complies with the limitations of the CAN-SPAM Act and the Telephone Consumer Protection Act.

Deposit and Lending Products

  • A lender should ensure that its use of social media does not violate the Equal Credit Opportunity Act prohibition on making statements in advertising that would discourage, on a prohibited basis, a reasonable person from applying for credit.
  • A lender that advertises credit products in any form of social media communication should ensure that it does so in a manner that complies with Regulation Z’s advertising requirements.
  • A debt collector must comply with Fair Debt Collection Practices Act limitations when conducting covered activities through social media, including, for example, being cognizant that any social media communication does not disclose the existence of a debt or harass or embarrass consumers about their debts (e.g., a debt collector writing about a debt on a Facebook wall).

Payment Systems

  • A financial institution using social media to facilitate an electronic fund transfer for a consumer should consider whether it is required by Regulation E to, for example, provide any required disclosures to the consumer.

Anti-Money Laundering

  • Financial institutions should be aware of emerging areas of Bank Secrecy Act and anti-money laundering risk in connection with social media, including, for example, the fact that virtual world Internet games and digital currencies present a high risk for money laundering and terrorist financing and should be monitored accordingly.

Community Reinvestment

  • A depository institution subject to the Community Reinvestment Act should ensure that its policies and procedures for its own social media properties address the appropriate monitoring of public comments.

Reputational Risk Areas

For purposes of the Proposed Guidance, reputational risk relates to the risks arising from negative public opinion. A financial institution engaged in social media activities would be expected to be sensitive to and properly manage the reputational risks that may arise from its social media activities. The Proposed Guidance provides a number of considerations for financial institutions related to reputational risk in the context of social media use, including that a financial institution should:

  • have appropriate policies in place to monitor and address in a timely manner the fraudulent use of its brand, such as through phishing or spoofing attacks;
  • have procedures to address risks associated with members of the public posting confidential or sensitive information (e.g., an account number) on the institution’s social media page or site;
  • weigh the risks and the benefits of using a third party to conduct social media activities, including, for example, the ability of a financial institution to control content on a site owned or administered by a third party; and
  • consider the feasibility of monitoring question and complaint forums on social media sites to ensure that customer inquiries, complaints or comments are addressed in a timely and appropriate manner.

Operational Risk Areas

For purposes of the Proposed Guidance, operational risk relates to the risk of loss resulting from inadequate or failed processes, people or systems. These include the risks posed by a financial institution’s use of information technology, including social media. In light of the vulnerability of social media platforms, the Proposed Guidance indicates that a financial institution should ensure that its internal controls designed to protect its information technology systems and to safeguard customer information from malicious software adequately address social media usage. And, in a related point, a financial institution’s incident response program should extend to security incidents involving social media.

 *          *          *          *

If the FFIEC finalizes the Proposed Guidance, financial institutions should expect that the Agencies will independently issue the finalized guidance as supervisory guidance to the institutions that they supervise. In such a case, financial institutions will be expected to use the guidance as part of their efforts to address the risks associated with the use of social media and to ensure that their risk management programs provide effective oversight and controls related to the use of social media. Until final guidance is in place, it is important for financial institutions to be cognizant of and consider the extent of their usage of social media and the risks associated with that use and whether existing controls address the types of risks identified in the Proposed Guidance. Finally, financial institutions may also wish to consider whether they will provide comments to the FFIEC on the Proposed Guidance, including, for example, identifying any technological or other impediments to compliance with otherwise applicable law when using social media.

2012 was a momentous year for social media law. We’ve combed through the court decisions, the legislative initiatives, the regulatory actions and the corporate trends to identify what we believe to be the ten most significant social media law developments of the past year–here they are, in no particular order:

Bland v. Roberts – A Facebook “like” is not constitutionally protected speech

Former employees of the Hampton Sheriff’s Office in Virginia, who were fired by Sheriff B.J. Roberts, sued, claiming they were fired for having supported an opposing candidate in a local election. Two of the plaintiffs had “liked” the opposing candidate’s Facebook page, which they claimed was an act of constitutionally protected speech. A federal district court in Virginia, however, ruled that a Facebook “like” “…is insufficient speech to merit constitutional protection”; according to the court, “liking” involves no actual statement, and constitutionally protected speech could not be inferred from “one click of a button.”

This case explored the increasingly important intersection of free speech and social media, with the court finding that a “like” was insufficient to warrant constitutional protection. The decision has provoked much criticism, and it will be interesting to see whether other courts will follow the Bland court’s lead or take a different approach.

New York v. Harris – Twitter required to turn over user’s information and tweets

In early 2012, the New York City District Attorney’s Office subpoenaed Twitter to produce information and tweets related to the account of Malcolm Harris, an Occupy Wall Street protester who was arrested while protesting on the Brooklyn Bridge. Harris first sought to quash the subpoena, but the court denied the motion, finding that Harris had no proprietary interest in the tweets and therefore did not have standing to quash the subpoena. Twitter then filed a motion to quash, but the court also denied its motion, finding that Harris had no reasonable expectation of privacy in his tweets, and that, for the majority of the information sought, no search warrant was required.

This case set an important precedent for production of information related to social media accounts in criminal suits. Under the Harris court’s ruling, in certain circumstances, a criminal defendant has no ability to challenge a subpoena that seeks certain social media account information and posts.

The National Labor Relations Board (NLRB) issued its third guidance document on workplace social media policies

The NLRB issued guidance regarding its interpretation of the National Labor Relations Act (NLRA) and its application to employer social media policies. In its guidance document, the NLRB stated that certain types of provisions should not be included in social media policies, including: prohibitions on disclosure of confidential information where there are no carve-outs for discussion of an employer’s labor policies and its treatment of employees; prohibitions on disclosures of an individual’s personal information via social media where such prohibitions could be construed as limiting an employee’s ability to discuss wages and working conditions; discouragements of “friending” and sending unsolicited messages to one’s co-workers; and prohibitions on comments regarding pending legal matters to the degree such prohibitions might restrict employees from discussing potential claims against their employer.

The NLRB’s third guidance document illustrates the growing importance of social media policies in the workplace. With social media becoming an ever-increasing means of expression, employers must take care to craft social media policies that do not hinder their employees’ rights. If your company has not updated its social media policy in the past year, it is likely to be outdated.

Fteja v. Facebook, Inc. and Twitter, Inc. v. Skootle Corp. – Courts ruled that the forum selection clauses in Facebook’s and Twitter’s terms of service are enforceable

In the Fteja case, a New York federal court held that a forum selection clause contained in Facebook’s Statement of Rights and Responsibilities (its “Terms”) was enforceable. Facebook sought to transfer a suit filed against it from a New York federal court to one in Northern California, citing the forum selection clause in the Terms. The court found that the plaintiff’s clicking of the “I accept” button when registering for Facebook constituted his assent to the Terms even though he may not have actually reviewed the Terms, which were made available via hyperlink during registration.

In the Skootle case, Twitter brought suit in the Northern District of California against various defendants for their spamming activities on Twitter’s service. One defendant, Garland Harris, who was a resident of Florida, brought a motion to dismiss, claiming lack of personal jurisdiction and improper venue. The court denied Harris’s motion, finding that the forum selection clause in Twitter’s terms of service applied. The court, however, specifically noted that it was not finding that forum selection clauses in “clickwrap” agreements are generally enforceable, but rather “only that on the allegations in this case, it is not unreasonable to enforce the clause here.”

Fteja and Skootle highlight that potentially burdensome provisions in online agreements may be enforceable even as to consumers; in both cases, a consumer seeking to pursue or defend a claim against a social media platform provider was required to do so in the provider’s forum. Both consumers and businesses need to be mindful of what they are agreeing to when signing up for online services.

Six states passed legislation regarding employers’ access to employee/applicant social media accounts

California, Delaware, Illinois, Maryland, Michigan and New Jersey enacted legislation that prohibits an employer from requesting or requiring an employee or applicant to disclose a user name or password for his or her personal social media account.

Such legislation will likely become more prevalent in 2013; Texas has a similar proposed bill, and California has a proposed bill that would expand its current protections for private employees to also include public employees.

Facebook goes public

Facebook raised over $16 billion in its initial public offering, which was one of the most highly anticipated IPOs in recent history and the largest tech IPO in U.S. history. Facebook’s peak share price during the first day of trading hit $45 per share, but with a rocky first few months fell to approximately $18—sparking shareholder lawsuits. By the end of 2012, however, Facebook had rebounded to over $26 per share.

Facebook’s IPO was not only a big event for Facebook and its investors, but also for other social media services and technology startups generally. Many viewed, and continue to view, Facebook’s success or failure as a bellwether for the viability of social media and technology startup valuations.

Employer-employee litigation over ownership of social media accounts

2012 saw the settlement of one case, and continued litigation in two other cases, all involving the ownership of business-related social media accounts maintained by current or former employees.

In the settled case of PhoneDog LLC v. Noah Kravitz, an employer sued an employee after the employee left the company but retained a Twitter account (and its 17,000 followers) that he had maintained while working for the employer. The terms of the settlement are confidential, but news reports indicated that the settlement allowed the employee to keep the account and its followers.

In two other pending cases, Eagle v. Edcomm and Maremont v. Susan Fredman Design Group LTD, social media accounts originally created by employees were later altered or used by the employer without the employees’ consent.

These cases are reminders that, with the growing prevalence of business-related social media, employers need to create clear policies regarding the treatment of work-related social media accounts.

California’s Attorney General went after companies whose mobile apps allegedly did not have adequate privacy policies

Starting in late October 2012, California’s Attorney General gave notice to developers of approximately 100 mobile apps that they were in violation of California’s Online Privacy Protection Act (OPPA), a law that, among other things, requires developers of mobile apps that collect personally identifiable information to “conspicuously post” a privacy policy. Then, in December 2012, California’s Attorney General filed its first suit under OPPA against Delta, for failing to have a privacy policy that specifically mentioned one of its mobile apps and for failing to have a privacy policy that was sufficiently accessible to consumers of that app.

Privacy policies for mobile applications continue to become more important as the use of apps becomes more widespread. California’s OPPA has led the charge, but other states and the federal government may follow. In September, for instance, Representative Ed Markey of Massachusetts introduced The Mobile Device Privacy Act in the U.S. House of Representatives, which in some ways would have notice requirements similar to those of California’s OPPA.

Changes to Instagram’s online terms of service and privacy policy created user backlash

In mid-December 2012, Instagram released an updated version of its online terms of service and privacy policy (collectively, “Terms”). The updated Terms would have allowed Instagram to use a user’s likeness and photographs in advertisements without compensation. There was a strong backlash from users over the updated Terms, which ultimately led to Instagram apologizing to its users for the advertisement-related changes, and reverting to its previous language regarding advertisements.

Instagram’s changes to its Terms, and subsequent reversal, are reminders of how monetizing social media services is often a difficult balancing act. Although social media services need to figure out how they can be profitable, they also need to pay attention to their users’ concerns.

The defeat of the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA)

Two bills, SOPA and PIPA—which were introduced in the U.S. House of Representatives and U.S. Senate, respectively, in late 2011—would have given additional tools to the U.S. Attorney General and intellectual property rights holders to combat online intellectual property infringement. A strong outcry, however, arose against the bills from various Internet, technology and social media companies. The opponents of the bills, who claimed the proposed legislation threatened free speech and innovation, engaged in various protests that included “blacking out” websites for a day. These protests ultimately resulted in the defeat of these bills in January 2012.

The opposition to and subsequent defeat of SOPA and PIPA demonstrated the power of Internet and social media services to shape the national debate and sway lawmakers. With prominent social media services such as Facebook, YouTube, Twitter, LinkedIn and Tumblr opposed to the bills, significant public and, ultimately, congressional opposition followed. Now that we’ve witnessed the power that these services wield when acting in unison, it will be interesting to see what issues unite them in the future.