Author Archive
Limits of Privacy on Facebook
Thursday, December 1st, 2011
Despite Facebook’s “Privacy Settings”, Your Information Might Not Be So Private
By Michael Feldman
With over 800 million users, there is a good chance that you, a family member or a business colleague uses Facebook. Many people assume that their posts and information viewed on Facebook are only available to their “friends.” Such an assumption would be wrong for several reasons.
First, your information is only private to the extent you affirmatively check certain boxes for your Facebook page. If you fail to select the appropriate settings, you will be allowing more than your “friends” to view your personal information. Remember that these settings involve not only limiting what the general public can see, but what advertisers and other websites you visit can see about your Facebook page (even if you are not logged on to Facebook at the time). Therefore, consider adjusting your privacy settings in the category marked “Apps, Games and Websites” and “How people bring your info to apps they use.” To maximize your privacy, turn off all platform apps.
Second, unlike Google+, Facebook does not make it easy to create different categories of “friends”, each of which only has access to limited information. Rather, once you make someone your “friend” – whether that person is a true friend, your boss or co-worker, someone you met last night, or even a celebrity you never met – that “friend” has the same access to your personal information that your best “friend” has. Though the user can block off certain “friends” from certain information, the process to do so is neither obvious nor simple. Such sharing of personal information would never occur outside of online social networking sites.
Third, you might never know what personal information Facebook or other social networking sites actually share. As you may have heard, Facebook just settled a Complaint by the Federal Trade Commission (“FTC”), which alleged that Facebook deceived consumers by asserting that their information would be private, then making it public. Pursuant to the settlement, Facebook must now be honest in what it tells users, provide users with notice before changing its privacy settings (assuming the user actually reads these) and will undergo privacy audits every 2 years for the next 20 years. The settlement is far from perfect from a consumer viewpoint. The settlement is unclear about whether Facebook can share your information with advertisers – the primary source of Facebook’s revenue. In addition, though Facebook has to disclose its privacy policy to users, there is no requirement that the policies be in language easily understood by its users, as opposed to legalese. Perhaps most disturbing to some is that the settlement keeps Facebook’s users in the dark about the results of the FTC’s investigation. Therefore, the taxpayers who paid for the investigation and the alleged victims – the Facebook users – will not know what privacy violations have already occurred. Thus, Facebook users may never know how their personal information has already been used, sold or distributed.
Fourth, several recent Court decisions have held that your Facebook page is not necessarily private. That is, litigants have obtained access to Facebook pages (among other social networking sites like MySpace) to prove their case. For example, in one case, a plaintiff claimed she was injured and unable to participate in activities she previously enjoyed. Against her objection, her adversary obtained access to her Facebook and MySpace pages to prove that the plaintiff was lying. The defendant was even able to gain access to “deleted” information from those pages. Similarly, other Courts have held that you have no “right to privacy” in your Facebook or MySpace pages because those companies do not guarantee complete privacy. As a result, employees have been terminated for information they posted online.
Fifth, your “friends” can share your information without your permission. Unauthorized sharing has also occurred as a result of viruses or hackers, both of which are rampant.
Sixth, never assume that what you delete is truly deleted. It is not. “Deleted” information is usually stored for an extended period of time with or without your knowledge.
The bottom line is that you should be very careful when you post information on a social networking site such as Facebook. You should assume that despite your privacy settings, the information may potentially be seen, shared or obtained by people other than your “friends” without your explicit permission or knowledge. Nevertheless, it is also critical that you take advantage of the privacy settings available and be familiar with the privacy policy of your social networking site to maximize your privacy. You would not allow strangers to wander your house or office, so do not let them wander your Facebook page.
ZIP Code Collection – An Invasion of Privacy?
Thursday, September 22nd, 2011
Zip Codes Can Reveal Customer Information, Leading To Privacy Concerns
By Michael Feldman
A February 2011 ruling against Williams-Sonoma by the California Supreme Court held that a consumer’s ZIP code was “personal identification information” that merchants are not permitted to demand from customers under a California consumer privacy law. The result was a rash of lawsuits against businesses such as Wal-Mart Stores Inc., Bed Bath & Beyond Inc., Crate & Barrel and Victoria’s Secret. Though some stores claim to use the ZIP code information to protect against credit card fraud (i.e., if the card was stolen, the user is less likely to know the ZIP code of the true owner), most businesses use the information for marketing purposes. Ultimately, the California Supreme Court held that merchants can still collect customers’ ZIP codes under limited circumstances such as gas station pumps where the information is requested for security reasons, and in transactions involving shipping. Retailers may also ask customers to produce a valid driver’s license for security reasons, but may not record the personal information contained on the license.
The California Supreme Court’s decision was premised upon California’s strict consumer privacy laws. However, the theory of ZIP codes representing personal or protected information has now spread to New Jersey. Superior Court Judge Stephan Hansbury refused to dismiss a lawsuit against Harmon Stores, Inc. for collecting ZIP code information from its credit card customers. The Court held that New Jersey’s Truth in Consumer Contract, Warranty and Notice Act allowed the plaintiffs to assert a claim for violation of N.J.S.A. 56:11-17, which provides:
No person which accepts a credit card for a consumer transaction shall require the credit card holder, as a condition of using a credit card in completing the consumer transaction, to provide for recordation on the credit card transaction form or any other form, any personal identification information that is not required by the issuer to complete the credit card transaction, including, but not limited to, the credit card holder’s address or telephone number, or both; provided, however, that the credit card holder’s telephone number may be required on a credit card transaction form if the credit card transaction is one for which the credit card issuer does not require authorization. (emphasis added)
It appears that the New Jersey Superior Court, like the California Supreme Court, considers ZIP code information to represent protected “personal identification information.” As a general matter, the ZIP code information is not required by the credit card company. As the New Jersey case is in its infancy, we do not yet know the results or full repercussions.
While it is likely that the Harmon Stores case will be appealed at some point (if it does not settle), its very existence creates new uncertainty amongst New Jersey consumers and merchants alike. For consumers, Judge Hansbury’s opinion suggests that the consumer can refuse to provide his or her ZIP code information when engaging in a live transaction (as opposed to online transactions or, like in California, when using an automated machine to charge a transaction). Of course, it is also possible that refusing to provide ZIP code information could simply result in the merchant demanding that you produce a driver’s license.
Merchants, on the other hand, should be sure to have a valid justification for seeking a customer’s ZIP code information in connection with any credit card transaction. Merely seeking it for marketing purposes will not suffice. Alternatively, merchants can be clear in seeking the ZIP code information that providing the information is completely voluntary. However, engaging in such a practice presents its own pitfalls and could create new confusion or a public relations nightmare.
As privacy-related litigation and consumers’ concerns about their privacy rights increase, one thing is becoming abundantly clear: now is the time for businesses to proactively use consumer privacy protection as a marketing tool to distinguish the business from its competitors.
Putting Privacy First
Thursday, August 18th, 2011
“Putting Privacy First” was originally published in the August 2011 edition of TechNews.
By: Michael J. Feldman
Many businesses view legal compliance as a necessary evil and an obstacle to profits. Thus, compliance is often made a mere formality. Dealing with the complex privacy and data protection rules and regulations is often viewed no differently – be it industry-specific rules such as HIPAA (healthcare), age-specific rules such as COPPA (online marketing to minors), agency-specific rules (i.e., SEC or FTC rules), the rules and regulations of each individual state, or even the various foreign laws such as the Data Protection Act (applies to businesses which conduct any business with many European nations). However counterintuitive it may be for some, forward-thinking businesses do not view privacy and data protection compliance as a necessary drag on revenue, but instead, they use it as a marketing tool to distinguish themselves from the competition and grab an increased market share.
As privacy and data breach issues continue to make front page news on a near-daily basis, and with the U.S. Congress working on sweeping new privacy laws, such compliance concerns are increasing in magnitude and importance. The reality is that whether you are aware or not, the various privacy and data protection laws impact and govern the operations of almost all businesses. For example, if you can answer “Yes” to any of these questions, there are privacy and data protection laws that govern your operations: Do you accept credit cards for payment? Do you gather any personal information about your customers, patients, employees, members or vendors? Do you electronically store any data on your computers or servers? Do you sell or market on the Internet? Do you conduct any business with, or market your business to, any person or entity located in another country? Are you in the financial industry? Do you seek to conduct any credit checks on potential employees or customers? The above only addresses a tiny fraction of the activities which subject you to regulation.
So what can and should a business do to not only survive, but actually thrive in this ever-changing regulatory environment? The answer is quite simple – be compliant and market the advantages of your privacy policies.
As acknowledged by the Washington Post on July 18 in “Tech IPO’s Grapple With Privacy,” Google did not have to deal with online privacy in 2004 as such a concept did not exist. Times have certainly changed. On the same day as the Washington Post article, the New York Times reported in an article entitled “Privacy Isn’t Dead. Just Ask Google+” that “Rather than focus on new snazzy features — although it does offer several — Google has chosen to learn from its own mistakes, and Facebook’s. Google decided to make privacy the No. 1 feature of its new service.” Google+ represents a significant attempt by Google to break Facebook’s near stranglehold on social media. Given Google’s past success, it is no surprise that Google has attacked privacy concerns head-on, and turned consumers’ concern for privacy into a marketing bonanza. Such a strategy has been used successfully in the automobile industry for years by companies such as Volvo, Subaru and Mercedes; each of whom turned consumer concern about automobile safety into a marketing opportunity to distinguish themselves from the competition by marketing their superior safety features.
The obvious next question is how does a business use consumers’ privacy concerns as a marketing tool? The answer is to acknowledge your customers’ concerns, explain how and why your business cares about the customer more than your competitors do, and that you will keep them safe. To accomplish this goal, you must first determine which regulatory scheme(s) govern the operation of your business. Second, you must determine the best method for compliance with the applicable law, and whether it makes business sense to implement privacy and data security policies which go beyond the minimum required by law. Third, you should examine how, if at all, your competitors address and promote their privacy obligations. Fourth, you must develop a strategic plan to promote to your customers the superiority of your privacy and data security policies. Importantly, you must not only inform your customers of what your privacy and data security policies are, but how such policies help and protect your customers. For example, Mercedes realized that people were scared of getting injured in car crashes, so their advertisements often explained how Mercedes technology would help avoid accidents (e.g., anti-lock brakes) and how they would protect you if you did crash (e.g., airbags and crumple zones). The same applies to privacy and data protection concerns. In the end, by carefully planning out and implementing each of the above four steps, you will avoid regulatory problems while simultaneously gaining a leg up on the competition.
