In today's diverse marketplace, social media sites, as opposed to a company's own branded website, are poised to become a primary and potentially first point of contact with current and future generations of consumers. Techrevel.com recently reported that 56% of consumers who use Facebook, as an example, say that they are more likely to recommend a brand after becoming a "fan." With the number of Facebook users approaching one billion, a strong social media presence has become a de facto mandate for businesses.
In response, start-up and established businesses are growing more reliant on the Internet, and social media in particular, for marketing and sales. According to a recent Forrester Research study cited on Statistica.com, social media marketing expenditure is expected to grow to $5 billion in 2016, up from approximately $1.6 billion in 2011.
In this context, you may be exploring the possibility of making your company website more interactive. From a business perspective, creating a user experience on your branded website that is simpatico with social media reanimates the end user's experience and revitalizes your brand. From a legal perspective, however, you may wonder how to enter (or expand your presence in) this pioneer media. How do you balance the advantages of interactivity with the added burdens of creating, maintaining and updating essential privacy, data security and other policies?
You can start by asking, and answering, the following questions:
Federal law (and several state laws) mandates that companies inform their users about the personally identifiable information (PII) they collect, how the company uses it, with whom the company may share it, and how users may "opt-out" of having their PII collected and shared. PII includes information such as name, social security number, biometric records, etc., that alone or when combined with other information such as date and place of birth, mother's maiden name, etc., can be used to trace an individual's identity. Because many states have regulations that are more restrictive than federal regulations, you should seek to comply with the laws of the most restrictive states. These laws may apply not only to information that you collect from your own company website, but also from your company social media pages.
If your company website is interactive or likely to become interactive, are you following proper procedures to shield the company from liability?
Consumers are likely to continue their use of third-party social media sites, including Facebook, as an interactive first point of contact with a company. However, as branded company sites begin to mirror the functionality of traditional social media sites, company sites are including interactive features, from blogs and community chat rooms to video sharing and personalized profile pages, that allow the posting of user-generated content (UGC). If your website includes these or similar features, then you are, in fact, also an interactive website.
There are two important legal protections for operators of interactive computer services. The Communications Decency Act (CDA) provides safe harbor (immunity from liability) for Internet Service Providers (ISPs). This shields an ISP from liability arising out of civil causes of action such as defamation, invasion of privacy, trade libel, etc. As a very general rule, as long as the provider is not a publisher of the content (importantly, they merely provide a place to post the content; they do NOT contribute to or edit it), they will not be held liable for the original posting of the offending UGC. While the term ISP is traditionally applied to services such as Yahoo!, Google, and AOL, recent case law suggests that if you operate an interactive computer service, you should, for the practical purpose of maintaining safe harbor protection, consider yourself a sort of ISP.
The Digital Millennium Copyright Act (DMCA) also contains important safe harbor provisions. Under the DMCA, "an operator of interactive computer services" is immune from liability for intellectual property (primarily copyright) infringement by a third party using the service provided that the provider follows certain registration, compliance and procedural guidelines.
Do you have internal procedures and policies in place to address data security, data breaches and personnel practices?
As soon as reasonably possible, before or after your site goes live, you should discuss data security with your attorney and a qualified information technology (IT) representative. Like privacy policies, data security policies should comply with federal law and regulations, as well as the laws of the most restrictive U.S. state or territory. It is wise to have written procedures for data protection and breaches, which should be provided to any personnel who will be dealing with the company's electronically stored information (ESI), particularly to the extent that the ESI contains end users' PII.
You should also have a separate personnel policy that educates your employees and contractors about the use of company technology, social media and the Internet, and that protects your company without unreasonably or illegally restricting your employees' activities.
As a practical matter, social media is no longer merely an optional business tool. It is a primary source of communication, information and advertising. Developing sound social media and technology policies as early as possible can reduce your liability and exposure and allow your company room to grow in this new online world.
© 2013 Much Shelist, P.C.