Applying ‘Old’ Privacy Laws To New Marketing Initiatives
The marketing potential of Social Media is very quickly being recognized and explored by many businesses and organizations. This is understandable given the number of connections and interactions with prospective customers, clients and business associates that can be made and the ease of doing so. Facebook pages are established for networking opportunities allowing comments to be posted and providing updates on activities; tweets are sent out with very brief commentary and information on people and upcoming events; invitations are regularly received to join LinkedIn and be part of one’s professional network; blogs are established to provide a forum for information or opinions about certain topics. These are just to name a few - there are more and, inevitably, there will be more.
The speed at which Social Media is implemented by businesses to take advantage of marketing opportunities is often very quick. Once the opportunity is recognized, businesses want to be seen as progressive and get ahead of their competition. Unfortunately, in an effort to be the ‘first out of the gate’, this sometimes means that some businesses may not fully appreciate all of the implications of adopting Social Media strategies as part of their marketing initiatives. Privacy is one example of the issues that businesses have to consider.
In a presentation to the IAPP (International Association of Privacy Professionals) at the Canadian Privacy Summit, the Office of the Privacy Commission of Canada remarked on some of the privacy risks that are associated with utilizing Social Media and Social Networking platforms. Those risks include organizations which do not fully understand the nature of privacy risks when using or implementing a Social Media strategy. Consider the example of a networking site which prompts you to see if there are any contacts that you could connect with. Does that disclosure of contacts violate applicable privacy laws? The answer depends on whether personal information is disclosed (for example, while business contact information is not considered personal information, e-mail addresses may be, depending on why they are used). Another issue is whether those using these Social Media platforms appreciate the lasting effect of their comments or, perhaps more importantly, the availability of their comments to others (which may have only been made to a select few, but through the magic of the internet, become readily available and distributed).
These examples require businesses to ask themselves a few basic questions: First, is any personal information being disclosed? Second, does the business or the individual who is part of the business understand that disclosure of personal information is being made? Third, if so, is there consent for such disclosure?
If these questions sound familiar - they should. When the Personal Information Protection and Electronic Documents Act (PIPEDA)came into general application in 2004, businesses were forced to address the same basic issues and questions in assessing their personal information management practices. The obligations and requirements under PIPEDA (or any substantially similar legislation enacted by provinces) continue, but now need to be considered in the context of different and evolving applications and media.
At a minimum, when a business is going to adopt, encourage or allow any type of Social Media, it needs to address the privacy issues.
What is personal information? What personal information is being collected and why? Will a customer’s or potential customer's contact information be collected or disclosed? What about buying habits or behavioural information about purchases or frequency of use of the Social Media platform? Are individuals providing consent to the collection or disclosure of their personal information? Regardless of consent, is the collection of personal information reasonable in the circumstances? (This point is important. One of the basic tenets of the federal privacy legislation is that the collection, use and disclosure of personal information must be reasonable.) How long is personal information retained? What safeguards does a business implement to protect personal information? What safeguards does a business need to implement?
For example, consider recent media reports about general access to Facebook pages which were thought to be restricted because of a failure to understand the privacy settings. If Facebook is a tool that is going to be used by a business, not only should appropriate employee policies be implemented to govern what content should or should not be posted, but businesses will need to more thoroughly understand how the platform operates to more appropriately utilize it and comply with applicable privacy laws.
None of these questions or obligations are new. They are all part of the 10 principles of the privacy legislation and, while the privacy legislation may not have contemplated the new and developing Social Media platforms and the rate by which they are being adopted, businesses that wish to take advantage of the opportunity that they present need to turn their minds to complying with the privacy obligations.