
Considerations for your Company’s Privacy and Social Media Policies

Written by: Katheryn A. Andresen

In the United States, companies are still primarily under a "self-regulation" model when it comes to privacy considerations. There are exceptions for regulated entities (e.g. financial institutions subject to the Gramm-Leach-Bliley Act and healthcare providers subject to the Health Information Portability and Accountability Act), which must follow statute-based regulations on the development of privacy and security policies. In particular, the Federal Trade Commission, in its "Protecting Consumer Privacy" framework of 2010, identified four key steps businesses should take to create a "fair information practices" approach:

(1) businesses should provide notice of what information they collect from consumers and how they use it;

(2) consumers should be given choice about how information collected from them may be used;

(3) consumers should have access to data collected about them; and

(4) businesses should take reasonable steps to ensure the security of the information they collect from consumers.

The FTC framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device. It concluded that companies should:

A. Promote consumer privacy throughout the organization at every stage of development

  1. Incorporate protections into their practices (e.g. data security, collection limits, retention practices, and data accuracy)
  2. Maintain data management procedures throughout the business life cycle

B. Simplify consumer choice

  1. Allow for normal business use without requiring a choice
  2. Otherwise offer a choice to permit use at a time and in a context in which the consumer is making a decision about his or her data

C. Increase the transparency of their data practices

  1. Privacy notices should be clearer, shorter, and more standardized
  2. Provide reasonable access to the consumer data they maintain (proportionate to the sensitivity of the data and the nature of its use)
  3. Provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than originally claimed
  4. All stakeholders should work to educate consumers about privacy practices[1]

A social media policy should focus on identifying the risks associated with the company's presence in a social network. It should clarify that: (i) an employee's opinion does not represent the opinion of the employer; (ii) workplace gossip is not tolerated and could lead to reprimand or termination; and (iii) inappropriate language (i.e. racially or sexually offensive language, harassment, indecent comments or pictures, or anything that would reasonably be understood as defamatory or disparaging) associated with the corporate account or referencing the company may also lead to reprimand or termination. Other company policies may need to be reiterated in this policy, for example: (a) an employee's obligation to protect the confidentiality of client or company information, (b) employment-related obligations (e.g. anti-harassment), or (c) security risks to the company.

A 2010 study[2] identified eight factors that should be considered in a social media policy: (i) security concerns, (ii) legal issues (i.e. for a regulated entity), (iii) content that is acceptable versus not acceptable, (iv) employees' use of social networks (especially when referencing the company), (v) employees' access to a company page or account on a social network, (vi) conduct deemed a risk to the company within the social network context that could result in disciplinary action or termination (e.g. violation of HIPAA), (vii) administration considerations for the company's page or account in the social network, and (viii) allowance for citizens' or consumers' use of, or posting to, the social network page (e.g. a company blog).

Both the framework on privacy policy considerations and the considerations for a social media policy should be assessed when developing these company policies. The Federal Trade Commission has used its authority to protect consumers from "unfair business practices" by bringing Section 5 claims against companies. In two social media cases brought by the Federal Trade Commission, both Twitter and Google were ordered to stop practices deemed to violate a consumer's privacy rights, and both companies are now subject to 20 years of audits to confirm compliance with the order. A company should not blindly jump onto the social media bandwagon; at a minimum, a company should consider the risks to its brand, its confidentiality obligations and its interests within a social network.


[1] See the Federal Trade Commission's "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (2010).

[2] "A National Survey of Social Media Use in State Government: Friends, Followers and Feeds," (NASCIO 2010).
