• School discipline. The California legislature has passed a law that, if signed by Gov. Jerry Brown (or not vetoed by him before the end of September), would significantly expand privacy protections for students from kindergarten through high school. In particular, among other things, the law would limit education technology companies used by K-12 schools from knowingly engaging in targeted advertising to students or their parents and guardians; using certain student-related information to create a profile regarding a K-12 student; or selling or otherwise disclosing such student-related information. Will other states follow California’s lead?
  • Taxi wars. The upstart P2P ride-sharing service Uber and its allies – including the D.C.-based trade group the Internet Association – have begun a public relations campaign to “brand” traditional taxicabs in a negative light and to enhance the public image of ride-sharing apps. Their online campaign, known as “Taxi Facts,” refers to “Big Taxi” as if it were “Big Oil” or “Big Steel,” and states the public deserves to know the truth about the industry. Not to be outdone, the traditional taxi industry has launched a campaign that refers to the new entrants as simply “unregulated taxicabs.”
  • This Bud’s for you. Anheuser-Busch and Facebook have teamed up on a new promotion in which people will be able to go onto the social network and buy their friends beers for their birthdays, to be redeemed at a nearby bar or restaurant. The giver simply enters credit card information, and the recipient redeems an online voucher – as long as he or she is of legal age to drink. “The program was born of A-B’s desire to remain relevant with millennial consumers of legal drinking age – and strengthen our position as the perfect beer for connecting with friends around any occasion,” said Anheuser-Busch’s VP of consumer connections.
  • In-tweet purchases. Twitter is testing the ability for its users to make purchases directly from tweets. The popular social network is working with a number of sellers, nonprofits and artists—as well as a small handful of social shopping and e-commerce platforms—to test “in-tweet purchases,” which will enable users to hit the “Buy” button straight from a tweet and compete a purchase in a few taps. This new functionality is only available to a small percentage of Twitter users for now, but availability is expected to broaden over time.
  • What’s the password? Back in 2012, we reported on then-new section 980 of the California Labor Code, which restricts employer access to “personal social media” (including usernames and passwords) of employees and applicants for employment. SFGate reports that, regardless of section 980, many state law enforcement agencies still require the disclosure of social media passwords, taking the position that the law only applies to private employers. Some California lawmakers are trying to close this apparent loophole through new legislation.
  • Get me one of those Trapper Keepers! It’s that time of year again, when kids head back to school and parents head to the stores for school clothes, school supplies, and much more. The National Retail Federation estimates that spending on back-to-school shopping will reach nearly $75 billion this year—and according to Crowdtap, a remarkable 64 percent of shoppers say that social media will play a role in their decisions on what to buy, with nearly 40 percent of those shoppers looking to Pinterest for deals and discounts.

The latest issue of our Socially Aware newsletter is now available here.

Welcome to a special privacy issue of Socially Aware, focusing on recent privacy law developments relating to social media and the Internet. In this issue, we analyze a controversial European ruling that strengthens the right to be forgotten; we examine a recent California Attorney General report regarding best practices for compliance with the updated California Online Privacy Protection Act; we summarize the FTC’s recent settlement with Snapchat and its broader implications for mobile app developers; we report on a case filed by a French consumer association accusing three major social networking sites of using confusing and unlawful online privacy policies and terms of use; and we highlight the growing popularity of anonymous social apps and the security risks that they pose.

All this–plus a collection of thought-provoking statistics about online privacy…

The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we analyze a groundbreaking FTC complaint alleging deceptive practices online that could turn website Terms of Use into federal law; we summarize a U.S. Supreme Court copyright case that could impact existing technologies and future technological innovation; we discuss a ruling from Europe’s highest court that will aid copyright owners in the fight against illegal streaming sites; we report on new SEC guidance on social media use by investment advisers as it relates to testimonials; we take a look at the development of the Internet of Things and the many regulatory, privacy and security issues that go along with it; and we highlight a recent class action decision that potentially impacts any company that hosts videos on its website.

All this—plus a collection of thought-provoking statistics about digital music…

Earlier this year, the French consumer association UFC-Que Choisir initiated proceedings before the Paris District Court against Google Inc., Facebook Inc. and Twitter Inc., accusing these companies of using confusing and unlawful online privacy policies and terms of use agreements in the French versions of their social media platforms; in particular, the consumer association argued that these online policies and agreements provide the companies with too much leeway to collect and share user data.

In a press release published (in French) on its website, UFC-Que Choisir explains that the three Internet companies ignored a letter that the group had delivered to them in June 2013, containing recommendations on how to modify their online policies and agreements. The group sought to press the companies to modify their practices as part of a consumer campaign entitled “Je garde la main sur mes données” (or, in English, “I keep my hand on my data”).

According to the press release, the companies’ refusal to address UFC-Que Choisir’s concerns prompted it to initiate court proceedings. The group has requested that the court suppress or modify a “myriad of contentious clauses,” and alleged that one company had included 180 such “contentious clauses” in its user agreement.

The group has also invited French consumers to sign a petition calling for rapid adoption of the EU Data Protection Reform that will replace the current Directive on data protection with a Regulation with direct effects on the 28 EU Member States. UFC-Que Choisir published two possibly NSFW videos depicting a man and a woman being stripped bare while posting to their Google Plus, Facebook and Twitter accounts. A message associated with each video states: “Sur les réseaux sociaux, vous êtes vite à poil” (or, in English, “On social networks, you will be quickly stripped bare”). Continue Reading French Consumer Association Takes on Internet Giants

The Federal Trade Commission’s (FTC) announcement that it had filed a complaint against Jerk, LLC and its websites like “jerk.com” (“Jerk”) looks at first glance like a run-of-the-mill FTC Section 5 enforcement action involving allegedly deceptive practices online. But hidden in the facts of Jerk’s alleged misbehavior is a potentially significant expansion of the FTC’s use of its deception authority.

According to the FTC’s complaint, Jerk allegedly led consumers to believe that the profiles on its websites were created by other users of the website. The company also allegedly sold “memberships” for $30 a month that supposedly included features that would enable consumers to alter or delete their profiles, or to dispute false information in the profiles. Jerk also charged consumers a $25 fee to email Jerk’s customer service department, according to the FTC’s complaint.

The FTC alleges that Jerk created between 73.4 million and 81.6 million unique consumer profiles primarily using information such as names and photos pulled from Facebook through application programming interfaces, or APIs. The complaint states that “[d]evelopers that use the Facebook platform must agree to Facebook’s policies,” such as obtaining users’ explicit consent to share certain Facebook data and deleting information obtained from Facebook upon a consumer’s request. Continue Reading Jerked Around? Did the FTC’s “Jerk.com” Complaint Just Turn API Terms Into Federal Law?

Cisco estimates that 25 billion devices will be connected in the Internet of Things (IoT) by 2015, and 50 billion by 2020. Analyst firm IDC makes an even bolder prediction: 212 billion connected devices by 2020. This massive increase in connectedness will drive a wave of innovation and could generate up to $19 trillion in savings over the next decade, according to Cisco’s estimates. 

In the first part of this two-part post, we examined the development of, and practical challenges facing businesses implementing, IoT solutions. In this second part, we will look at the likely legal and regulatory issues associated with the IoT, especially from an EU and U.S. perspective.

The Issues

In the new world of the IoT, the problem is, in many cases, the old problem squared. Contractually, the explosion of devices and platforms will create the need for a web of inter-dependent providers and alliances, with consequent issues such as liability, intellectual property ownership and compliance with consumer protection regulations. Continue Reading The Internet of Things Part 2: The Old Problem Squared

A 2013 CareerBuilder survey of hiring managers and human resource professionals reports that more than two in five companies use social networking sites to research job candidates. This interest in social networking does not end when the candidate is hired: to the contrary, companies are seeking to leverage the personal social media networks of their existing employees, as well as to inspect personal social media in workplace investigations.

As employer social media practices continue to evolve, individuals and privacy advocacy groups have grown increasingly concerned about employers intruding upon applicants’ or employees’ privacy by viewing restricted access social media accounts. A dozen states already have passed special laws restricting employer access to personal social media accounts of applicants and employees (“state social media laws”), and similar legislation is pending in at least 28 states. Federal legislation is also under discussion.

These state social media laws restrict an employer’s ability to access personal social media accounts of applicants or employees, to ask an employee to “friend” a supervisor or other employer representative and to inspect employees’ personal social media. They also have broader implications for common practices such as applicant screening and workplace investigations, as discussed below. Continue Reading Employer Access to Employee Social Media: Applicant Screening, ‘Friend’ Requests and Workplace Investigations

Our global privacy + data security group’s Data Protection Masterclass Webinar series is turning the spotlight on social media marketing and policies in January.

Please join Socially Aware contributors Christine Lyon and Karin Retzer, along with Ann Bevitt in our London office for a webinar that will examine the laws and regulations in the United States and Europe relating to consumer-facing issues that arise from the use of social media in advertising and marketing. This presentation will also address the challenges that employers and employees face resulting from the use of social media in the workplace and in the recruitment process.

Topics Will Include:

  • Privacy issues for social media advertising, blogging and tweeting
  • Data sharing in relation to social plug-ins
  • Data protection requirements for social media market research
  • Targeting and analytics
  • Social media policies
  • Monitoring of social media use, including misuse of social media by employees
  • Use of social media in the application process

Date & Time:

Tuesday, January 21, 2014

4:30 p.m. – 6:00 p.m. GMT
11:30 a.m. – 1:00 p.m. EST
8:30 a.m. – 10:00 a.m. PST

Speakers:

Registration:

To register for this webinar, please click here.

For more information, please contact Kay Burgess at kburgess@mofo.com or +44 20 7920 4067.

In November 2013, the Berlin District Court ruled that all of the 25 provisions in Google’s online terms of use and privacy policy that had been challenged by the German Federation of Consumer Associations (VZBV) are unenforceable.  In reaching its decision, the court found that German law applies to terms of use and privacy policies to the extent they are directed to German consumers.

Under German unfair contract terms legislation, clauses that contradict main elements of German law and unfairly disadvantage consumers are invalid.  In this respect, the court found that the German Federal Data Protection Act and the Telemedia Act constituted key elements of law to be considered in relation to standard terms, and hence considered these statutes irrespective of the fact that these statutes only apply to organizations established in Germany or using equipment in Germany.  Google has announced that it will appeal the decision, but, if the judgment is upheld, any online terms of use or privacy policy applicable to German consumers could be challenged under German law and in a German forum.

In the case, Google claimed that the unfair contract terms legislation was not applicable because its terms of use and privacy policy do not constitute contracts and the related Google services had been provided free of charge.  The court disagreed, observing that users were required to consent to these terms upon registration or use, and the services were not for “free” because of the commercial value of the personal data collected by Google and subsequently used for marketing purposes.

Among other clauses, the court found the following provisions in the terms of use to be invalid, many of which are relatively standard provisions in U.S. terms of use:

  • Google’s right to unilaterally terminate its services in the case of any breach of its terms of use or policies without prior notice that would allow users to remedy the breach;
  • Google’s right to monitor content for compliance with its policies;
  • Google’s right to alter its services at its discretion;
  • Google’s right to amend its terms of use without further notice or consent; and
  • The (mutual) liability limitation for bodily harm and life, or statutory product liabilities.

The court also found that Google had not obtained valid consent for the collection, use and sharing of personal data via its consent box (“I agree to the use terms and I have read the privacy policy.”).  German law requires that users be informed as to the specific data to be collected and how such data will be used and shared.  Google’s privacy policy, however, provided insufficient detail and relied on blanket statements to describe its rights, for example:

  • Google’s right to collect information (including device-type information) and location data “relating to the services”;
  • Google’s right to share data with organizations that “Google reasonably believes to have a need to know”;
  • Google’s right to share data in the context of a merger;
  • Google’s right to record phone calls without any specific notice;
  • Google’s right to merge data from different platforms without further notice or consent;
  • Google’s limitations on users’ rights to access data provided to Google; and
  • Google’s right to share data with law enforcement agencies without further notice or consent.

The court also objected to the privacy policy’s broad cookie language, including Google’s statement that only “cookies and other anonymous data” are collected by Google.  Cookie IDs and other tracking information were considered by the court to be personal data in this context.

The court’s judgment can be found (in German) here.