Social media is a cultural phenomenon and its popularity is staggering. According to the most recent reports, as of June 2011, Facebook had well over 600 million users worldwide.1 The Twitter ‘bug’ is also growing. It took Twitter nearly 3 years to reach 1 billion tweets; now Twitter users send 1 billion tweets per week.2 YouTube’s popularity and appeal are also growing. On its website, YouTube boasts that it streams over 2 billion videos every day.3 The pervasiveness of social media is evidence that society has developed an intimate and long-lasting relationship with it. It’s a new world where the product owner can target specific consumers while promoting brand awareness and creating consumer loyalty. The relationship between brand owners and the public is not just one sided. Advertisers and consumers alike are using social media to connect with one another and to establish more intimate relationships than the vehicles and media used in the past allowed.
(a) Collecting Customer Information Legally on Social Media Sites
The Personal Information Protection and Electronic Documents Act (“PIPEDA”)4 is the legislation responsible for overseeing and regulating the collection, use and disclosure of personal information by private organizations in Canada. British Columbia, Alberta and Quebec have substantially similar privacy legislation regulating the private sector. As a result, PIPEDA does not apply in these provinces.
PIPEDA and the other substantially similar privacy legislation in Canada provide that private organizations may only collect, use or disclose personal information for purposes that are reasonable, and only to the extent necessary to fulfil those purposes. Further, an organization may only collect, use and disclose personal information when it has notified the individual of the purposes for the collection and with the consent of the individual whose information is being collected, used or disclosed (unless one of the exceptions applies and consent is not necessary). This consent must be informed, meaning the organization has informed the individual of the reason the information is being collected, how it is going to be used, and to whom it may ultimately be disclosed. In some instances, the individual must also have the ability to "opt out" of having his or her information in the organization’s hands, which may mean the organization is not able to service that individual as a customer. As a result, the key to collecting information legally on social media sites is to ensure: (1) that knowledge and consent have been obtained; (2) that the personal information gathered is only for the purposes identified; (3) that the personal information collected is only used or disclosed as is necessary; (4) that any collection, use and disclosure of information is reasonably needed to carry out the purposes required; and (5) that there is a privacy compliance program in the organization to address the collection and use of personal information in social media administered promotions.
Recent strides have also been taken by the Privacy Commissioner of Canada (“Commissioner”) to address the issue of “behavioural advertising”. The Commissioner has defined behavioural advertising as, “tracking consumers’ online activities over time in order to deliver advertisements that are targeted to their inferred interests…and use this data to build user profiles, determine user interest categories and show ads based on demographics and assumptions about user interests.5” In May 2011, the Commissioner released a report on Online Tracking, Profiling and Targeting and Cloud Computing6 which aims to address how behavioural advertising collects personal information. The report suggests that the Commissioner will not decide whether the information collected by behavioural advertising constitutes “personal information” without an investigation. Although the report is not binding, it does make it clear that behavioural advertising in Canada is an area that will be investigated further. As a result, to avoid any related liability it is important to stay current on this topic.
(b) Database and Customer Relationship Management7 (“CRM”) Leverage and Management
Due to social media’s borderless potential, it has become a major component of CRM as a point of interaction. The vast amount of information that can be collected and kept in CRM databases enables an organization to better target and increase the effectiveness of their marketing campaigns and better manage the organization’s interaction with the customer, creating a better experience. However, the accumulation of personal information increases the risks and impact of unauthorized access to the information, whether through security or data breaches.
To reduce liability, organizations must use reasonable safeguards to protect personal information from theft, modification, unauthorized access, collection, use, disclosure and destruction. Safeguards should be appropriate to the sensitivity of the information.
Moreover, organizations may only keep customers’ personal information for as long as reasonable. In considering whether the retention is reasonable, it is appropriate to take into account the nature and extent of the personal information involved, any applicable legal requirements (such as statutory limitation periods for civil lawsuits) and the business purposes relating to retention of the personal information.
(c) Management of Consumer Database in a Co-Promotion
Co-promotion is a partnership between two or more companies in which the companies jointly market each other’s products. It often involves a company using a third party’s sales force or distribution channels, in addition to its own, to promote their brands.
PIPEDA requires an organization to provide a “comparable level of protection” when personal information is being processed by a third party through “contractual or other means”. As such, if an organization transfers personal information to third parties, the transfer must also be “reasonable” for the purposes for which the information was being collected or used.8
However, reasonableness is fact-specific and is not defined under privacy legislation. In determining whether the transfer of personal information is reasonable, the following factors should be considered: (1) if there were reasonable security arrangements in place; (2) the sensitivity of the personal information at stake; (3) the foreseeability of a privacy breach and of resulting harm; (4) generally accepted common practices in a particular sector or kind of activity; (5) the medium and format of the record containing the personal information; (6) the prospect of criminal activity or other intentional wrongdoing; and (7) the cost of security measures.
In order to reduce liability when conducting any co-promotions, organizations should ensure that third parties who have access to the personal information collected have a “comparable level of protection”. This should ideally be addressed in a co-promotion agreement.
It becomes more complicated when personal information is transferred to foreign third parties. The Commissioner has noted that where personal information is transferred to a foreign third party, that information is subject to the laws of the foreign country and no contract or contractual provision can override those laws. Thus, the Commissioner has stated that, at the very least, an organization in Canada that transfers personal information to a foreign third party should notify its customers, depending on the sensitivity of the personal information, that their information may be stored or accessed outside of Canada and of the potential impact this may have on their privacy rights.9
Tips for Businesses
Organizations should consider the following when using social media:
- Only collect, use, and disclose the amount and type of information reasonably necessary to carry out the purposes;
- Take reasonable steps to ensure that the information is accurate, complete to the extent necessary, and not misleading;
- Only keep information as long as reasonably necessary to carry out the business or legal purpose;
- Where third parties are involved, ensure that any third party that has access to the personal information has a “comparable level of protection”; and
- A company that outsources or transfers to foreign third parties should disclose this to its customers.
A final pearl of wisdom, in addition to the above, is the importance of having a moderator or knowing how to contact the operator of the social media site when conducting a promotion. This will help reduce any liability associated with offensive or otherwise problematic postings. Having the ability to remove or edit the offensive material, or to request that a moderator do so, is key to proper social media management.