Commercial analysis: LinkedIn's well known 'I'd like to add you to my social network' email marketing vehicle has landed them in hot water in a recent case in the US.
WHAT WAS AT THE HEART OF THIS LAWSUIT?
Social network, LinkedIn is reported to have agreed to pay $13m to users in the US to settle a class action lawsuit claiming that LinkedIn sent them unsolicited emails (see Perkins et al v LinkedIn Corporation).
The lawsuit claimed that during the period 17 September 2011 to 31 October 2014, LinkedIn used its 'Add Connections' service to grow its member base by inviting existing members of LinkedIn to import contacts from their external email accounts in order to generate automated email invitations to one or more of those contacts inviting them to connect on LinkedIn.
If no response was made to such an invitation request LinkedIn automatically generated two more 'chasers'.
The lawsuit alleged that even though LinkedIn members willingly opted-in to the 'Add Connection' service, at no time did they consent impliedly or expressly to their contacts receiving further unsolicited 'chaser' emails. In the 'Add Connections' service not only did the invitation emails openly come from the LinkedIn member to his or her contacts, but also included that LinkedIn members' profile photograph.
As a result, the lawsuit stated:
'Despite the appearance of the endorsement emails, the users do not compose the message, they do not consent to LinkedIn sending multiple messages on their behalf, and they are not compensated for the use of their name or likeness in the advertising or promotion of LinkedIn.'
Although LinkedIn rejected the claims made in the lawsuit, they have agreed the $13m compensation in order to avoid further issues.
WHAT LESSONS SHOULD BUSINESSES, PARTICULARLY SOCIAL MEDIA AND BUSINESSES THAT USE EMAIL MARKETING, TAKE FROM THIS CLAIM?
The lessons that can be learned from this settlement are that in relation to personal information or personal data, while individuals may impliedly or expressly consent to their personal data being used for purposes in respect of which they have had unambiguous and transparent notice, there is little possibility that they can consent to the use of their information for purposes other than which they originally consented. More importantly, third parties such as the contacts of LinkedIn members, as in this case, have a right to object to their information being shared since they have not had an opportunity to consent at all.
As with Facebook 'Likes' and this LinkedIn 'Add Connections', businesses must remember that the data privacy laws of most countries require transparency with data subjects as regards the current and future use of any personal data that may be processed about them--even with their consent--and must not collect and process data without permission. In particular, if that personal data is sensitive data and/or is going to be shared with further third parties and/or transferred from one jurisdiction to another in breach of data transfer restrictions.
COULD A SIMILAR ACTION BE BROUGHT IN THE COURTS IN ENGLAND AND WALES?
While class actions are not usual in England and Wales--or indeed in other EU member states--there would be nothing to stop an individual bringing a similar complaint direct to the relevant data protection authority since the 'Add Connection' was all about collecting personal data.
LinkedIn is headquartered in Ireland in respect of its EU operations and is therefore subject to Irish data protection law and of course recently the Irish Data Protection Commissioner has been very much in the news as a result of the decision from the European Court of Justice (ECJ) in the case of Maximillian Schrems v Data Protection Commissioner: C-362/14, also known as the safe harbor case.
ARE THERE ANY TRENDS EMERGING IN THIS AREA?
The recent decision of the ECJ that Safe Harbor, as a mechanism for transferring personal data from the EU to the US is now invalid, has an impact on many social media companies and indeed on LinkedIn.
LinkedIn also relies on Safe Harbor. EU data protection laws apply to any business or individual that processes personal data and is either based in the EU or uses equipment for the purposes of processing personal data in the EU. In respect of many users of LinkedIn, they are processing personal data using the LinkedIn service in their personal or domestic capacity. However, LinkedIn more than most social media services, is aimed at professionals and is used for professional purposes.
Arguably, the domestic exemption does not apply to individuals who are using LinkedIn and the question now arises as to whether those individuals are data controllers in their own right in respect of their LinkedIn activities and as such, should consider registration with the relevant data protection authority and more importantly, not be using LinkedIn until such time as LinkedIn provides an alternative solution to 'Safe Harbor' for the purposes of data being shared across its entire network, including the US.
The ubiquitous nature of communications and communication devices is such that the division between work and home or business and personal life is blurred. That blurring also distorts the liabilities and responsibilities of business professionals who use social media accounts in their own names for both personal as well as business purposes.
It will be interesting to see how the regulators focus on these issues, both in the US as well as in Europe.
Originally published in LexisNexis, 14 October 2015 in an interview with Fran Benson.