When the Sky’s the Limit, Don’t Forget the Basics: Social Media, the Internet and Your Business

The National Law Review recently published an article by Charles H. Gardner of Much Shelist, P.C. regarding Social Media and Businesses:

In today’s diverse marketplace, social media sites, as opposed to a company’s own branded website, are poised to become a primary and potentially first point of contact with current and future generations of consumers. Techrevel.com recently reported that 56% of consumers who use Facebook, as an example, say that they are more likely to recommend a brand after becoming a “fan.” With the number of Facebook users approaching one billion, a strong social media presence has become a de facto mandate for businesses.

In response, start up and established businesses are growing more reliant on the Internet, and social media in particular, for marketing and sales. According to a recent Forrester Research study cited on Statistica.com, social media marketing expenditure is expected to grow to $5 billion in 2016, up from approximately $1.6 billion in 2011.

In this context, you may be exploring the possibility of making your company website more interactive. From a business perspective, creating a user experience on your branded website that is simpatico with social media reanimates the end user’s experience and revitalizes your brand. From a legal perspective, however, you may wonder how to enter (or expand your presence in) this pioneer media. How do you balance the advantages of interactivity with the added burdens of creating, maintaining and updating essential privacy, data security and other policies?

You can start by asking―and answering―the following questions:

Does your website have a privacy policy that is compliant with all federal, state and territorial laws?

Federal law (and several state laws) mandates that companies inform their users about the personally identifiable information (PII) they collect, how the company uses it, with whom the company may share it, and how users may “opt-out” of having their PII collected and shared. PII includes information such as name, social security number, biometric records, etc., that alone or when combined with other information such as date and place of birth, mother’s maiden name, etc., can be used to trace an individual’s identity. Because many states have regulations that are more restrictive than federal regulations, you should seek to comply with the laws of the most restrictive states. These laws may apply not only to information that you collect from your own company website, but also from your company social media pages.

Every company with a presence on the internet should have a privacy policy that is compliant, proactive and forward thinking. If you have a strong international presence, it should address issues of global compliance as well.

If your company website is interactive or likely to become interactive, are you following proper procedures to shield the company from liability?

Consumers are likely to continue their use of third-party social media sites, including Facebook, as an interactive first point of contact with a company. However, as branded company sites begin to mirror the functionality of traditional social media sites, company sites are including interactive features from blogs and community chat rooms to video sharing  and personalized profile pages that allow the posting of user-generated content (UGC). If your website includes these or similar features, then you are, in fact, also an interactive website.

There are two important legal protections for operators of interactive computer services. The Communications Decency Act (CDA) provides safe harbor (immunity from liability) for Internet Service Providers (ISPs). This shields an ISP from liability arising out of civil causes of action such as defamation, invasion of privacy, trade libel, etc. As a very general rule, as long as the provider is not a publisher of the content (importantly, they merely provide a place to post the content; they do NOT contribute to or edit it), they will not be held liable for the original posting of the offending UGC. While the term ISP is traditionally applied to services such as Yahoo!, Google, and AOL, recent case law suggests that if you operate an interactive computer service, you should, for the practical purpose of maintaining safe harbor protection, consider yourself a sort of ISP.

The Digital Millennium Copyright Act (DMCA) also contains important safe harbor provisions. Under the DMCA, “an operator of interactive computer services” is immune from liability for intellectual property (primarily copyright) infringement by a third party using the service provided that the provider follows certain registration, compliance and procedural guidelines.

Do you post and require users to agree to your company website’s terms of use?

One of the most valuable policies for a website owner is a terms of use policy (sometimes called “house rules” or a “user agreement”). Your terms of use tell your users what they can reasonably expect when using your site. For example, you may prohibit certain activities, such as hate speech, personal attacks, posting materials to which the user does not have the requisite legal rights, etc. By setting the ground rules of what you will allow on your site, you can monitor UGC for violations of the policy and remove or refuse to post such material objectively based upon your site’s posted terms and preserve your safe harbor protection. Remember, if an ISP edits or modifies content, it is treated as a publisher of content and can lose safe harbor protection. However, if an ISP removes content in its entirety for violating a documented policy, the ISP is not considered a publisher and is protected under the CDA for example.

A well-crafted terms of use policy, if correctly written and agreed to, also forms a “contract” between the end user and the website operator. For example, arbitration clauses can minimize the likelihood of class action lawsuits and the potentially negative publicity of high-profile trials. A transparent policy can also set reasonable expectations, engender goodwill and protect the company website owner.

Do you have internal procedures and policies in place to address data security, data breaches and personnel practices?

As soon as reasonably possible, before or after your site goes live, you should discuss data security with your attorney and a qualified information technology (IT) representative. Like privacy policies, data security policies should comply with federal law and regulations, as well as the laws of the most restrictive U.S. state or territory. It is wise to have written procedures for data protection and breaches, which should be provided to any personnel who will be dealing with the company’s electronically stored information (ESI), particularly to the extent that the ESI contains end users’ PII.

You should also have a separate personnel policy that educates your employees and contractors about the use of company technology, social media and the Internet, and that protects your company without unreasonably or illegally restricting your employees’ activities.

As a practical matter, social media is no longer merely an optional business tool. It is a primary source of communication, information and advertising. Developing sound social media and technology policies as early as possible can reduce your liability and exposure and allow your company room to grow in this new online world.

© 2012 Much Shelist, P.C.