Much Ado About Nothing

How does Shakespeare portend social media in the 21st century? I would submit that one only need look at Much Ado About Nothing to see how it should all play out. As with all Shakespeare’s plays there is quite a bit going on but the play centers around the action and dialogue of Benedick and Beatrice who go after each other in a manner which shames modern NBA trash-talkers. Apparently everyone else in the play understands the two are meant for each other so they engage in a very social media style of communication to put the two together. Of course, as this is a comedy, everyone ends up married so Beatrice and Benedick, prompted by their friends’ interference, finally, and publicly, confess their love for each other.

Yesterday I wrote about ways to think through using social media in your Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. Today I want to explore how one company and one Chief Compliance Officer (CCO) actively use social media to make the company’s compliance regime more effective. The company is the venerable Dun & Bradstreet (D&B) and its CCO is Louis Sapirman, with whom I visited about his company’s integration of social media into compliance.

Initially Sapirman emphasized the tech savvy nature of the company’s work force. It is not simply about having a younger work force. If your company is in the services business it probably means an employee base using technological tools to deliver solutions. He also pointed to the data driven nature of the D&B business so using technological tools to deliver products and solutions is something the company has been doing for quite a while. This use of technological tools led the company to consider how such techniques could be used internally in disciplines which may not have incorporated them into their repertories previously.

Not surprisingly, with most any successful corporate initiative, Sapirman said it began at the top of the organization, literally with the company’s Chief Executive Officer (CEO), Robert Carrigan. Sapirman noted that the CEO saw the advantage of using social media internally and challenged many in his organization to take a new look at the manner in which their functions were using social media. From there Sapirman and his team saw the advantages of using social media for facilitating a two-way communication. Moreover, Sapirman comprehended the possibility for use of social media for compliance with those external to the company as well.

Internally Sapirman pointed to a tool called Chatter, which he uses similarly to those on Twitter engaging in a Tweet-up. He has created an internal company brand in the compliance space, using the moniker #dotherightthing, which trends in the company’s Chatter environment. He also uses this hashtag when he facilitates a Chatter Jam, which is a real-time social media discussion. He puts his compliance team into the event and they hold it at various times during the day so it can be accessed by D&B employees anywhere in the world.

He said that he ‘seeds’ Chatter Jam so that employees are aware of the expectations and to engage in the discussion respectfully of others. When they began these sessions he also reminded employees that if they had specific or individual concerns they should bring them to Sapirman directly or through the hotline. However he does not have to make this admonition any more, as everyone seems to understand the ground rules. Now this seeding only relates to the topics that each Chatter Jam begins with going forward.

One of the concerns lawyers tend to have about the use of social media is with general and specific topics coming up on social media and the ill it may cause the organization. Sapirman believes that while such untoward situations can arise, if you make clear the ground rules about such discussions, these types of issues do not usually arise. That has certainly been the D&B experience.

Each employee uses their own name during these Chatter Jams so there is employee accountability and transparency as well. Sapirman said they further define each communication through a hashtag so that it can not only immediately be defined but also searched in the archives going forward. He provided the examples of specific regulatory issues and privacy. This branding also enhances the process going forward.

I asked Sapirman if he could point to any specific compliance initiatives that arose during or from these Chatter Jams. Sapirman emphasized that these events allow employees the opportunity to express their opinions about the compliance function and what compliance means to them in their organization. One of these discussions was around the company’s Code of Conduct. He said that employees wanted to see the words “Do The Right Thing” as the name of the Code of Conduct.

I inquired about D&B’s use of social media in connection with their third parties. Sapirman said that the company allows some of them access to its internal Chatter tools to facilitate direct communications. Further, these external contractors can connect with both Sapirman and the company through Twitter. He said that he is consistently communicating to the greater body of customers about the compliance initiatives or compliance reminders on what the D&B compliance function is doing and how it is going about doing them. He believes it is an important communications tool to make sure that he and his team are getting their compliance messages out there.

Sapirman also described using Chatter in a manner that sounded almost like Facebook and its new live video function. He said they can deliver short video vignettes about compliance to employees. The compliance function or the employee base can develop these.

All of the initiatives Sapirman described drove home to me three key insights. The first is how compliance, like society, is evolving, in many ways ever faster. As more millennials move into the workforce, the more your employee base will have used social media all their lives. Once upon a time, email was a revelatory innovation. Now if you are not communicating, you are falling behind the 8-ball. Employees expect their employers to act like and treat them as if this is the present day, not 1994 or even 2004.

The second is that these tools can go a long way towards enhancing your compliance program going forward. Recall the declination to prosecute that Morgan Stanley received from the Department of Justice (DOJ), back in 2012, when one of its Managing Directors had engaged in FCPA violations? One of the reasons cited by the DOJ was 35 email compliance reminders sent over 7 years, which served to bolster the annual FCPA training the recalcitrant Managing Director received. You can use your archived social media communications as evidence that you have continually communicated your company’s expectations around compliance. It is equally important that these expectations are documented (Read – Document, Document, and Document).

Finally, never forget the social part of social media. Social media is a two-way communication. Not only are you setting out expectations but also these tools allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. You can also see that if you have several concerns expressed it could alert you earlier to begin some detection and move towards prevention in your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Henry V

Most people remember the St. Crispin’s Day speech in Henry V as one of the greatest speeches in all of Shakespeare. However many people do not focus on what led to that speech, which was that Henry went out among his troops, disguised as a commoner, to ask them what they thought and to hear what they had to say about the upcoming battle with the French. One of the most important things that Henry learns is that his men, while willing to do their duty, believe they will all die the next day in battle, most particularly because of the overwhelming size differential in the two armies. Henry takes this information and incorporates those fears, together with English patriotism, into the rousing speech he gave before he led his men to victory.

I am a huge fan of using social media in your compliance function. I often point to Louis Sapirman, the Vice President (VP), Associate General Counsel (AGC) and Chief Compliance Officer (CCO) at Dun & Bradstreet, as an example of a company and CCO that has embraced the use of social media to advance their best practices compliance program.

CCOs and compliance practitioners often ask me how they could begin to get their arms around how to structure such a program for their company. In an article in the MIT Sloan Management Review, entitled “Finding the Right Role for Social Media in Innovation”, Deborah Roberts and Frank Piller reviewed companies that were not deriving significant benefit from their customer facing social media efforts. I found their discussion of potential remedies to be a useful tool to help CCOs design an internal company wide social media campaign.

After acknowledging that social media focuses on the social aspects of the communication, I think the most important thing to remember is that communication in social media is two-way; both inbound and outbound. It can help to bring your employee base together in an efficient manner to create an environment conducive to compliance for your organization. It also has the benefit of continued engagement. It is more than putting on training or even a Compliance Week set of initiatives; you can continue the conversation and enthusiasm about compliance going forward.

The authors break this down further into three parts that emphasize (1) the need to listen to and learn from user-generated content; (2) the need to engage and facilitate dialogue with employee innovators; and (3) the need to find an audience of early adopters to create excitement and collect feedback. No doubt inspired by some fond childhood memories, the authors monikered these three concepts as (a) Camp Explore, (b) Camp Cocreate and (c) Camp Communicate.

Camp Explore

This is the method the authors suggest of how to generate employee insights into your compliance program “where activities are designed to extend the breadth and depth of how organizations search for innovations” even in the compliance arena. The key is that the compliance function must be listening and listening in a manner which they may not have used previously. The authors write that you will need to “learn to read the signals from large, diverse, disconnected, and unstructured pools of data generated by users. In addition, they will learn to analyze and convert blog posts, tweets, and user-generated content into valuable insights for new products.”

Compliance professionals will need the skills of both a social scientist and a data scientist at Camp Explore. This is because compliance practitioners will need to “assimilate, combine, and utilize data from many different sources” across the globe. The authors noted, “they will need to acquire skills in computational techniques to unveil trends and patterns within and between the various data sets.” The overall award from Camp Explore “is to sharpen their business acumen and teach them how to communicate the findings to those involved in [compliance] projects.”

Camp Cocreate

If a company has matured past Camp Explore, the next step the authors suggest is Camp Cocreate for companies that “know they actively want to engage and involve [employees] in the innovation process” around compliance. The overall goal is to be more collaborative to allow employees to be more involved in the design process. As a CCO or compliance professional you will “learn how to engage, identify, and select the right participants and develop the right incentives to encourage their participation. Creativity is both an input and an output of the cocreation process. Managers will also develop skills in relationship building and gain experience in the art of conversation and dialogue, a key aspect of collaboration. Managers will learn how to become better facilitators and community managers.”

One of the important factors is to visit with “unconventional users” to help facilitate the creative process. Here social media itself can be a powerful tool, facilitating a two-way communication street to allow the compliance function to hear and even see what business and other types in the field may see and hear. The model of involving employees for in-house innovation has always been useful to help build buy-in and acceptance but the authors also found that more diverse participation in the creation process can provide a richer developed process. 

Camp Communicate

This learning camp focuses on the most obvious uses of social media, to communicate and tell a story. The authors write, “As social media becomes an ever more integral part of people’s work and social lives, people have come to expect communication about products and brands via social media channels.” Social media can also afford the compliance function the opportunity to interact more directly with its customer base, the company’s employees, in a manner that is far more engaging than the old command and control approach.

If your goal in the compliance function is to create awareness and publicize your compliance program and initiatives, social media can be a powerful tool for you. Indeed the authors believe it should be a “core activity.” Through the use of social media tools, your compliance function can not only tell the story of compliance but also communicate expectations and even train. Yet once again it is simply more than a one-way tool as using social media facilitates a two-way communication. Just as employees are more apt to tell you about a concern immediately or soon after they have been trained on that issue, they may well communicate directly with you after having received a social media communication on subjects such as managing of third party relationships.

The authors end their article on a cautionary note. They believe many companies are approaching social media in the same manner as they approached the dot-com boom of the 1990s. Companies are embracing the technologies but simply following the herd, “In the case of social media, they embrace whatever social media sites and strategies are in vogue without developing a coherent strategy for tying their social media activity to new product development. Having a Facebook page, creating a brand community, or having a social media page dedicated to a new [compliance] launch will not, on its own, improve a company’s [compliance] performance.”

CCOs and compliance practitioners need to develop a dedicated compliance strategy around social media, in the context of your corporate objectives. Just as Henry V gave one of the most rousing speeches in all of Shakespeare, basing it on the input he received from his men, you can take the input from your employee base and create a compliance experience that your employees will embrace.


© Thomas R. Fox, 2016

Social Media 2

I continue my exploration of the use of social media as a tool of doing compliance by looking at some concepts around the sharing of information. In a recent podcast on Social Media Examiner, entitled “Sharing: The Art and Science of Social Sharing”, podcast host Michael Stelzner interviewed Bryan Kramer, a social strategist and author of the book “Shareology: How Sharing is Powering the Human Economy”. Kramer talked about several concepts that I found particularly useful for a Chief Compliance Officer (CCO) or compliance practitioner to think through when considering the use of a social media strategy in a best practices anti-corruption compliance program, under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other compliance regime.

Kramer’s book Shareology is a study of how, what, where, when and why people and brands share. For this book, Kramer conducted more than 250 interviews with executives, marketers and social media people, as well as professors of linguistics, psychology, sociology and so on, with the question “why people share” in mind.

The answer came down to one thing: connection. He found that “People all have the desire to reach out and connect with other people, whether it’s through sharing content and having someone reply back or by sharing other people’s content and helping them out.” From this research, Kramer identified six types of people who share:

  • Altruist: Someone who shares something specific about one topic all the time.
  • Careerist: Someone who wants to become a thought leader in their own industry, so they can see their career grow.
  • Hipster: Someone who likes to try things for the first time and share it faster than everyone else.
  • Boomerang: Someone who asks a question so they can receive a comment only to reply.
  • Connector: Someone who likes to connect one or more persons to each other.
  • Selective: This is the observer.

I find all of these categories to be relevant to a CCO or compliance practitioner in considering the use of social media in their compliance program. All of these can describe not only the reasons to use social media but they can also help you to identify who in your organization might be inclined to use social media and how it can facilitate your compliance program going forward.

The Altruist, Hipster and Careerist speak to how a CCO or compliance practitioner can be seen in getting out the message of compliance throughout your organization. Whichever category you might fall into, it is still about the message or content going forward. I find nothing negative in being seen as one or the other if your message is useful. Even if you are my age, there is nothing wrong with incorporating a little Hipster into your communication skills. As my daughter often reminds me, Dad you are so uncool that you are retro, but that is cool too. Applying that maxim to your compliance regime, if you can communicate in a manner your workforce sees as interesting or even hip, it may well help facilitate incorporation of that message into their corporate DNA.

I found the Boomerang, Connector and Selective categories as good ways to think about how your customer base in compliance (i.e. your employees) might well use social media tools to communicate with the compliance function. The use of social media is certainly a two-way street and you, as the compliance practitioner, need to be ready to accept those communications back to you. Indeed some comments by your customer base could be the most important interactions that you have with employees as their comments or questions could lead you to uncovering issues which may have arisen before they become Code of Conduct or FCPA violations. More importantly, it could allow you to introduce a proscriptive solution which moves your program beyond even the prevent phase.

Kramer also has some insights about the substance of your social media message. Adapting his insights to the compliance field, I found a key message to be that the problem is that companies do not write the way they speak, and don’t speak the language of their employee base. In many ways, compliance is a brand and Kramer believes that “brands and the people representing those brands need to change their language. If they focus on the title and the quality of the content, among other things, it’ll resonate more with their audience.” He also advocates using the social media tools and apps available to you. He specifically mentions Meerkat and Periscope, Snapchat, memes and/or videos to raise the value of the content. He was quoted as saying, “If you have a blog and there are no visuals, you might as well shut it down.”

It would seem the thesis of Kramer’s work is that sharing is a primary method to communicate and connect. In any far-flung international corporation this is always a challenge, particularly for a discipline which can be viewed as home office overhead at best; the Land of No populated by Dr. No at worst. Kramer says that you should work to hone your message through social media. Part of this is based on experimenting on what message to send and how to send it. Yet another aspect was based upon the Wave (of all things) where he discussed its development and coming to fruition in the early 1980s. It took some time for it to become popular but once it was communicated to enough disparate communities, it took off, literally. Kramer noted, “It’s the same thing with social media. On social media, we think something will go viral because the art is beautiful or the science is full of deep analytics, but at the end of the day it really takes time to build the community.”

This means that you will need to work to hone your message but also continue to plug away to send that message out. I think the Morgan Stanley Declination will always be instructional, as one of the stated reasons the Department of Justice (DOJ) did not prosecute the company was that it sent out 35 compliance reminders to its workforce, over 7 years. Social media can be used in the same cost effective way, to not only get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

Once again please remember that I am compiling a list of questions that you would like to be explored or answered on the use of social media in your compliance program. So if you have any questions email them to me, at tfox@tfoxlaw.com, and I will answer them within the next couple of weeks in my next Mailbag Episode on my podcast, The FCPA Compliance and Ethics Report.


© Thomas R. Fox, 2015

Ed. Note-today we have a post from our colleague, Michelle Sherman, a frequent commentator on social media issues.

If you cannot do it offline, you probably cannot do it online.  This is a good way to think about social media and legal ethics. We know that attorneys are not allowed to communicate with a represented party on the other side of a legal action, so it should not be surprising that trying to “friend” a party on Facebook in order to see all of their Facebook activity is not allowed by the ABA or the assorted state bar rules of professional responsibility. Cal. Rules of Professional Conduct, Rule 2-100. It is also unethical to direct someone to “friend” the other party. Some state bars have also extended this rule to unrepresented parties and witnesses. Namely, it is fine to look at their public social media presence, but attorneys cannot “friend” them or arrange for it to be done on their behalf.

A. Maintain The Confidentiality Of Your Client Communications.

Another bright line is that attorneys cannot disclose confidential information about their clients on social media. Cal. Rules of Professional Conduct, Rule 3-100. In fact, many companies prefer for their outside counsel not to publicize their courtroom wins for their clients out of concern that it will invite similar actions to be filed against the company. Companies have media relations departments to tell their story for them so attorneys should coordinate any press releases of their own with their clients. This is something to keep in mind when an attorney writes her LinkedIn profile, or posts about her work day on Facebook or Twitter.

Preserving the confidentiality of attorney-client communications, and not waiving the attorney work product protection means attorneys need to think carefully about how they post status updates on LinkedIn, and the “conversations” they are having on LinkedIn discussion groups, or on listservs. Even if a listserv is treated as a private forum for qualifying members to confer about legal issues, it does not mean that a court will treat those discussions as privileged or confidential. A plaintiff’s attorney in an employment discrimination case learned this the hard way when he was trying to quash a document subpoena seeking his writings on a listserv. In Muniz v. United Parcel Service, Inc., CV 09-1987 (N.D. Cal.), the plaintiff’s attorney allegedly made posts on the listserv in which he accused the judge of being “defense-biased”, and described the defense counsel as aggressively defending the case to the point of absurdity. Professor Georgene M. Vairo, a professor at Loyola Law School, was reported in a January 18, 2011 Los Angeles Daily Journal article, as saying that the fact that the attorney’s writings appeared on a confidential listserv does not mean work product privilege applies to them. “Given the way social media is, even when you try to keep things private, can you really have an expectation of privacy?” Vairo said.

B. Make Social Media Part Of Your Litigation Strategy.

Yet, attorneys may fall short of their duty to zealously represent their clients if they ignore social media entirely. It is a rich resource for discovery about the other side, witnesses and even prospective jurors. In Johnson v. McCullough, the Missouri Supreme Court discussed how trial attorneys should take advantage of technological advances and research prospective jurors, thereby hopefully avoiding the need for a motion for new trial because it is discovered much later that a juror was deliberately concealing his bias on voir dire in order to remain on the jury.

However, this research and monitoring of jurors during the case comes with some bright line rules as well.

1. Do Not Have “Contact” With Jurors Through Social Media.

Again, offline rules provide a bright line for social media contact with jurors. A study done by Reuters Legal using data from Westlaw online found that tweets from people describing themselves as prospective or sitting jurors appeared at the rate of one nearly every three minutes. Increasingly, parties are filing motions for new trials or to overturn a verdict based on juror misconduct on the Internet. In a criminal case in Camarillo, California, a juror posted a cell phone picture of the murder weapon on the Internet, and invited people on his blog to ask him questions about the case.

Thus, attorneys and courts have good reason to be concerned about what jurors are saying on social media. Courts are tackling the problem by instructing the jury not to discuss the case anywhere including on social media. However, just as jurors still talk about pending trials with their friends and family despite the court’s admonitions, jurors are sometimes ignoring (or forgetting) the court’s admonitions and posting on social media. Consequently, attorneys should have someone monitoring the jury during voir dire, trial and deliberations.

This monitoring needs to be done so it does not result in “contact” with the jurors. Cal. Rules of Professional Conduct, Rule 5-320. Friending jurors, or following them on Twitter, is taking it too far. On the other hand, attorneys can monitor the public posts of jurors on Facebook and Twitter without jurors realizing it.

2. Bring Jury Misconduct To The Court’s Attention.

Now assume the plaintiff’s attorney learns from social media that a juror intentionally failed to disclose she was prejudiced against the defendant manufacturer in the case, because the juror had been a victim of a similar industrial accident. The juror is someone that the attorney thought was sympathetic to his client’s case and the last thing he wants to do is lose the juror. This is the ethical question that is likely to come up for attorneys, and the answer is the same as other offline misconduct of jurors. As an officer of the court, the attorney is required to bring it to the attention of the court.

C. Avoid The Unintentional Creation Of An Attorney-Client Relationship.

Attorneys are using blogs and social media to try and develop business. A February 2012 survey by ALM Legal Intelligence, “Social Media ROI for Law Firms” found that of the law firms that are using social media and blogs – 85 percent and 70 percent respectively of the responding law firms – almost 50 percent of those firms are receiving leads from their efforts. In doing so, law firms are understandably concerned about not creating an inadvertent attorney-client relationship when someone comments on a blog or tries to engage one of their attorneys about the specifics of their particular legal issue.

These are legitimate legal concerns. In addressing an analogous situation, the State Bar of California issued a formal opinion for attorneys who have call in radio shows on legal issues. The State Bar recommended that the attorney radio host: (1) remind callers that they are speaking on a public forum so nothing they are saying is confidential; and (2) encourage callers to seek advice from an attorney about their specific problem. Formal Opinion No. 2003-164. It is also recommended that the law firm pre-screen comments before they are posted on the blog site to edit posts that may potentially create a problem. Also, do not answer fact specific questions – rephrase the question to a broader legal issue that may be of interest to the broader audience to whom you are writing or speaking. And, finally, keep your responses in the public forum so there is no expectation of a confidential attorney-client relationship.

———————————————————————————————————————————————————————-
Michelle Sherman practices at Slater Hersey & Lieberman LLP. She can be reached at Msherman@slaterhersey.com. Follow Michelle on Twitter: @MShermanEsq

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. 

Ed. Note: There are many forms of compliance convergence. Today we have a guest post from Michelle Sherman, a frequent contributor on compliance and social media issues.

The Federal Trade Commission (“FTC”) is working hard to make sure consumers are not being misled about how websites and social networking sites are using their personal information.  Companies that do not follow their own privacy policies are finding themselves the subject of FTC complaints.  It is therefore even more important for businesses to review and update their “privacy policy,” “terms of use,” and other legal agreements on their websites.  This review should also include any company apps.

1. When Businesses Do Not Comply With The Terms Of Their Website Privacy Policy, Then They May Be In Violation Of Section 5(a) Of The FTC Act

The recent consent decrees that the FTC entered into with Facebook, Google and online advertiser ScanScout highlight the need for businesses to make sure they are acting in accordance with their privacy policies.  Businesses are well advised to take the following actions:

(1) Ensure that the published policies on their websites for terms of use and privacy reflect what information the businesses are collecting from consumers, and that the disclosures are clearly stated without unnecessary and lengthy legalese;

(2) Examine how the businesses are using personal information or anticipate using it, and that these uses are being fully disclosed to consumers; and

(3) Take reasonable measures to safeguard consumer information.  Because of the risks of cyberhacking, it is also worthwhile to conduct an audit on how consumer information is being safeguarded, and what information is being stored and for how long a period.  The FTC settled a complaint against Twitter for its alleged failure to take reasonable safeguards to protect users’ accounts against hackers.

In all of these complaints, the FTC alleged that the respondents made false or misleading representations about their privacy policies in violation of Section 5(a) of the FTC Act.  The FTC Act prohibits unfair or deceptive acts or practices.  15 U.S.C. § 45(a).

The consent decrees entered into by Facebook, Google and ScanScout in order to avoid more costly litigation and possibly stiffer penalties are similar in some key respects, and include some terms that will increase their costs of doing business.  As is sometimes the case with the FTC, the FTC conditioned the settlements on these businesses agreeing to change their business practices in ways that may place them at a competitive disadvantage to their competitors because some of the additional privacy measures they must now take are not required under current law.

2. Lessons To Be Learned From The FTC Settlements With Facebook And Others

It is instructive to know how these businesses allegedly violated the terms of their privacy policies with users because the same may be true for many companies.

(a)  Facebook Complaint

In its complaint against Facebook, the FTC alleged:

(1) Facebook told its users that third-party apps that users installed – such as Farmville by Zynga– would have access only to user information that they needed to operate.  In fact, the apps could access nearly all of the users’ personal data.

(2) Facebook told users that they could restrict sharing of data to limited audiences – for example, with “Friends Only.”  In fact, selecting “Friends Only” did not prevent their information from being shared with the third-party applications their friends used.

(3) Facebook promised users it would not share their personal information with advertisers.  According to the FTC, Facebook did share it.

(4) Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible, when in fact Facebook allowed access to the content according to the FTC.

(5) Facebook also claimed that it complied with the U.S. – EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union, but it did not.

(b)  Google Complaint

Google is also faulted for making use of its users’ data in ways that were contrary to what Google was telling users about the launching of Google’s Buzz social network through its Gmail web-based email product.  The FTC alleged that “Google led Gmail users to believe that they could choose whether or not they wanted to join the [Buzz] network, [but] the options for declining or leaving the social network were ineffective.”  Google was apparently trying to immediately ramp up its social network in order to compete with Facebook.  The Buzz launch ended up being a public relations nightmare for Google, with thousands of consumers reportedly complaining that they were concerned about public disclosures of their email contacts, from which Google tried to create immediate Buzz connections for users.  In some cases, use of the emails disclosed ex-spouses, therapists, employers or competitors.

According to the FTC, Google breached its privacy policy when it launched Buzz, its social networking site, because Google’s policy told Gmail users that “[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information.  If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.”  According to the FTC, Google used Gmail users’ information for a different purpose without telling them by starting a social networking site with the information.

(c)  Online Advertiser ScanScout Complaint

The FTC is not just pursuing these actions against social media behemoths such as Facebook and Google.  In November 2011, the FTC reached a settlement with an online advertiser ScanScout.  ScanScout is an advertising network that places video ads on websites for advertisers.  ScanScout collects information about consumers’ online activities (aka behavioral advertising) in order to post video ads targeted to the people visiting the website.  In ScanScout, the FTC alleged that there was a discrepancy between the online service and their website privacy policy:

“[F]rom at least April 2007 to September 2009, ScanScout’s website privacy policy discussed how it used cookies to track users’ behavior.  The privacy policy stated, ‘You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.’  However, changing browser settings did not remove or block the Flash cookies used by ScanScout….  The claims by ScanScout were deceptive and violated Section 5(a) of the FTC Act.”

In the ScanScout action, the company Tremor Video, Inc. is also subject to the settlement order because ScanScout merged with Tremor Video.  This settlement also highlights the importance of doing an audit of a target company’s social media activity before acquiring or merging with it so your company will have more information concerning the legal risks of the deal.

3. Business Costs Of Not Updating Your Privacy Policy And Following It

In each of these cases, the FTC is making the settling party do some things that are more than they would have been required to do in the normal course of business, thereby making it more challenging and expensive for them to do business.

These consent decrees require the settling party to do the following:

(1) Tell users what information is being collected and for what purpose, with the right to “opt out” of the targeted advertising (ScanScout);

(2) Obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences (Facebook; Google);

(3) Establish and maintain a comprehensive privacy program to address privacy risks associated with new and existing products and services, and protect the privacy and confidentiality of consumers’ information (Facebook; Google); and

(4) Every two years, for the next 20 years, obtain independent, third party audits certifying that the privacy program meets or exceeds the requirements of the FTC order (Facebook; Google).

4. Conclusion

Considering that the vast majority of consumers simply click through the legal agreements to get to the applications on a website, there is no real downside to companies spending a little time and money to ensure that their privacy policy, terms of use and other legal agreements reflect their current practices.  Similarly, updating these agreements should be a routine part of changing how the company is collecting and using information from its users.  It should be coordinated between marketing, IT and legal with each checking off on the updates being accurate.  And, finally, the website should clearly indicate that the privacy policy and/or agreements have been updated so users have the option to review any changes.  If experience is any indicator, virtually all users will continue to visit the website notwithstanding the updated policy or agreements.

 Michelle Sherman is special counsel at Sheppard Mullin Richter & Hampton where she practices business litigation and consults with businesses on legal and regulatory compliance issues relating to social media and the Internet.  Michelle is the editor and contributing author to the law firm’s Social Media Law Update blog.