On Wednesday, I had the opportunity to attend American Lawyer Media’s Social Media: Risks & Rewards conference as an ILN Marketing Partner. As evidence of the popularity of the conference’s content, the room was almost standing room only by the end of the morning. (For tweets from the conference, see the #LSMC hashtag results.)
The first two sessions focused more on the "risks" portion of the conference, discussing a lot of concerns about social media. The first speaker was Joel Reidenberg, Professor of Law and Director of the Center on Law and Information Policy at Fordham University School of Law. His presentation was "Beyond Terms of Use: From Handcuffs to Handshake?"
Professor Reidenberg began by saying that it’s important to think about Terms of Service as an effort by social media sites to bring some certainty to their own environment where the law is lacking and vague. Terms of Service typically consist of two sets of documents:
- Basic user agreement
- Privacy Policy, which is normally incorporated by reference, so the two work hand in hand.
Reidenberg did an informal survey of the room to find out how many people were on LinkedIn. Almost everyone in the room raised their hands, but when he asked how many people had read the user agreement, it was only about five. Only three of those had read the Privacy Policy.
Next, he asked about Twitter – about 20% of the room said they were on Twitter. Reidenberg pointed out that Twitter requires you to agree to the User Agreement before signing up, but not even half of those in the room had read it.
For Facebook, about half the room raised their hands to indicate that they have a profile. Reidenberg asked how many had read the Terms of Service in the last week, pointing out that Facebook changes them frequently. Only one person in the room could answer how information is shared by Facebook with third parties, and Reidenberg said he wasn’t entirely correct in his answer.
He said that the point of his questions was that even in a roomful of lawyers, most of them aren’t reading these documents, which is a major problem. His perspective is from a consumer advocate point of view, and he looks at these Terms of Service as being at the fault line of consumer service.
Reidenberg said there are two forms of agreement consent:
- Scroll down to read the terms
- Click wrap
Illusion of Consent
In both forms, we’re dealing with an illusion of consent as far as the consumer is concerned, because most consumers don’t look at them at all. Those who do, and try to parse them out, find them very difficult to understand. When they think they understand, chances are that they’re wrong. The social media site itself may not know if they’re accurately depicting what’s being put on their site because of the sheer complexity of these services.
Reidenberg pointed out that Facebook itself may not even realize what information is being passed on to third parties. And if they don’t, it’s impossible for lawyers to write terms of service that explain this and provide informed terms of service going forward.
It is possible to force users to recognize that the company is trying to make a contractual agreement of the collection of information on their site. Tools like pop-up windows can do this. On some sites, if you pass to a third party application, there is a pop-up window that warns you of this. This alerts users to the business relationship.
There are technical ways to signal users that some change is taking place with the relationships that the users have with the website, but most of these haven’t been successfully employed because the incentives aren’t there. The law doesn’t require it, so there isn’t the motivation to invest in developing that type of architecture.
Reidenberg said that the architecture of these sites is driven by advertising, because that’s how they’re paid for. As a result, the notion of full transparency warnings is antithetical to the advertising-based model.
Another reason that these can be problematic is that the technical mediation doesn’t work as a legal proposition. Reidenberg talked about a Carnegie Mellon study which reviewed 30,000 websites that had the architecture to disclose to visitors how their information would be used on the site. It basically created a handshake deal. About 30% of those sites that were purporting to do this were wrong, and in many cases, they were actively misleading, so it’s clear this is a challenging problem.
Substantive Fairness of Terms
Courts are increasingly exploring the substantive fairness of the terms found in these agreements, and many terms of service include arbitration clauses. They often put down California, because that’s where most social media companies are headquartered. But in Europe, this can be problematic because European law favors the location where the consumer is located.
Reidenberg asked the question whether people believe that if a site has a privacy policy, it means that they won’t share information with third parties. 78% of the public doesn’t realize that this isn’t true. He observed that an overwhelming majority of the public has a misunderstanding of these common terms of service, and said that almost no terms of service for a social media company say it won’t disclose information, since they’re based on advertising models. The public misunderstands what they do, and they think it’s lawful.
Reidenberg talked about changes in terms of service, saying that it’s typical for companies to reserve the right to make changes prospectively. He added that Facebook also reserved the right to make changes retroactively. He asked whether the audience thought there was notice of these changes to the users, and answered his own question, saying that most policies instruct the user to come back.
From a consumer advocate point of view, this engenders mistrust. Since there is direct access, like in the form of a pop-up, it’s easy to properly inform users. But instead, companies bury it, which raises significant legal risk. He said there are instances where the FTC may say that it’s not a good practice. This opens the door for many challenges.
Legal Permeability for Terms of Service
Reidenberg had suggested earlier that terms of service are at a fault line. Companies are in a tough position because consumers are expecting one thing and are not clear on how the existing rules might apply. So companies are trying to come up with ways of insulating themselves from liability.
Sites give users the right to use their service in exchange for personal information. Reidenberg mentioned limited liability for providers; indemnification by users (if information is provided by property rights, the user doesn’t have the right to post it); and perpetual use, saying that all of these things are there and they become permeable.
Reidenberg suggested that if those in the audience hadn’t read a social media site’s terms of service yet, they should read one after today’s session and ask themselves if a normal person without seven years of university education and passing the bar would be able to understand what these policies say. Uniformly, the answer would be no.
These terms and policies are subject to significant risks and challenges, particularly challenges by the FTC as unfair and deceptive practices, so Reidenberg expects to see wide scale class action suits going forward.
He said that efforts to limit liability become hard because these companies also are targets as intermediaries. He gave the example of a model who alleged she was being defamed on a blog, where the blogger was using a pseudonym. The model wanted to unmask the blogger, and Google found itself in the middle of a lawsuit.
Reidenberg said that the more social media sites are at the forefront of "social dynamics," the more they’re putting themselves in the middle of disputes between other third parties. Terms of service tries to deflect this as much as possible, but it’s dubious. He added that Google will be unlikely to collect anything from the indemnification clause with regard to that particular blogger.
Intellectual property pressures will also be challenging. One of the issues that has been cropping up is the use of trademarks as user IDs. People set up accounts and use celebrity names or a trademark as part of an ID. Reidenberg likened this to domain name disputes from a decade ago, and said it would be hard for user agreements to be an effective tool.
Reliance on consent as the model, where consent is almost fictitious in many of these cases, won’t be a terribly good defense against the class actions that we’re beginning to see, Reidenberg observed, citing the Google Buzz case.
He said he’s seeing new kinds of statutory claims being brought and predicts that Facebook will be the subject of a class action suit under the Fair Credit Reporting Act. He mentioned that it’s public knowledge that social media sites are being used to screen employees, which raises the question of whether these sites are consumer reporting agencies, such that these statutes apply.
Reidenberg said that litigators are looking for ways to make new law and grasping for statutes to use. Consent is a basis under the FCRA to disclose information, but under jurisprudence, it has to be clear that that’s what it’s for. None of the sites talk about the use of their sites for this purpose, so it won’t be sufficiently conspicuous to work under the FCRA.
Lessons
Reidenberg’s takeaway is that we’re in an important period of legal flux to use the terms of service to satisfy the needs. His lessons to the audience are:
- If you’re advising clients, advise them to be as transparent as possible. Really push the transparency envelope and push using the technology tools to make transparency work for consumers. It’s challenging because if you say you’ll be transparent, and you’re not fully transparent, you’re opening yourself up. But the reverse is even riskier. Scandals erupt and can cause bad law.
- Focus on substantive fairness. Could you describe the terms of service to your grandmother and not be ashamed? Reidenberg said it’s amazing that some sites are willing to do some of the activities that they say they’re going to do. The public is upset with the use of personal information on social media sites. When asked "What consequences should there be if a company violated the terms of service or breached privacy?" (this was asked of those who thought they had privacy rights, but didn’t), one third of respondents thought the executives of these companies should go to jail, and most thought they should be fined. Therefore, substantive fairness is critically important.
- Technology tools will be essential to make this work, and this goes back to making transparency acceptable. Be able to show what’s happening. Reidenberg mentioned when a user no longer wants to have a profile on a social media site and deletes it – what happens? Does the site still keep it? That should be transparent, and if they’re keeping it in an archive, the user should be able to see what’s being kept. Under the FCRA, you can get your credit report. But there’s no legal obligation on social media sites for that kind of practice. However, technologically, it can be enabled and it goes a long way towards ameliorating the risks.
- Think about public education – this is critical. Lawyers have an extremely important role to play. They engage with their clients about what to do, and should be encouraging them to engage with the public about this and informing them about their terms of service. He asked the audience to begin to think about how we educate children, young adults, more senior adults in the social media space, and how this can work economically. Reidenberg commented that Facebook is hugely valuable across the world because people want to be connected. But they don’t like the risks and they don’t understand them.
His closing point was that there will be increasing regulation of this space as societal expectations and business models fail to converge.
Question & Answer
There were several audience questions, which Reidenberg answered:
Question: If consumers don’t read policies, and they’re not all that effective, they bring exposure. So why not just not have a policy? Who will notice and who will care?
Reidenberg: From the surveys that have been done, it’s clear that consumers do care. The problem comes in the futility of looking at boilerplate contracts. If you put something in the policy, it might be enforced against you. So there’s a disincentive to have long legalese policies for that reason. He used the Sears case as an example. A point was buried in their terms of service, and was considered to be an FTC violation. But without disclosures, you’re not transparent and that’s a bigger risk.
He said that lawyers on behalf of their clients have to be thinking of ways to draft meaningful statements that aren’t twenty pages of legal terminology that users can’t understand if there’s a plain language explanation.
Question: Are you taking the position that any change to terms of service requires notice to users?
Reidenberg: He answered that he’d go with materiality. He said suppose a change is the PO Box number where notices are to be sent – this is a small change, so because of the cumbersomeness and annoyance factor to the consumer, notification probably isn’t justified. The difficulty comes in determining whether or not it’s material.
Reidenberg said it’s tough for companies not to have a myopic view of what is material, so it behooves organizations to set up an external advisory board. It would be the notion that the company might want some kind of vetting board to break out of an internal myopia for how the changes in policies that they’re adopting will be perceived by users. He said that some companies may want to use focus groups, but it’s not the same as getting external advice on structuring the services that they’re providing. This can help them to avoid finding themselves on the wrong side of a headline.
Follow-up Question: What about companies that are operating in many foreign countries, particularly with regard to children’s privacy?
Reidenberg: It’s not just children’s privacy that is a concern, as Europe has more comprehensive privacy laws for everyone. What constitutes consent and informed consent is different in Europe than it is in the United States, and even varies among European countries. Reidenberg said that if you’re operating websites in foreign languages targeting users with foreign language advertisements, you’ll be stuck under their rules. He added that some sites will try to deny that by putting in a governing law, but it won’t work in many jurisdictions where there’s active targeting and the site is aware that users are in those countries.
He said that during a recent session with global data commissioners, they discussed this issue. They used to look at consent as the be all and end all, but there’s a notion that that’s not going to work anymore. In some kinds of data processing, consent will have to be implicit because of the function for social media.
His short answer to the question was "comply with local law." This is why technology tools are essential. He said that if it’s not possible to work with one law, the company will have to make arrangements on the back end to filter out those users.
Question: Has anyone put privacy policies in simple English? Would that establish informed consent?
Reidenberg: Some have tried, but they haven’t gotten very far. Is it possible to do? Yes. In order to sign up for many sites, it’s necessary for the user to click "I agree" and often, there will be a box with the policy in there. This isn’t very user friendly. Suppose companies did improve the usability, would this improve the situation? Absolutely. It would make the practices and the rules, the terms that the site wants to impose for use much more explicit for users.
Would it provide fully informed consent? That would depend. Courts and regulation agencies will be able to look over companies’ shoulders to decide whether it’s substantively fair. There will always be that type of backstop no matter what the informed consent turns out to be.
Question: The demographics in the audience are more those people who advertise on the Facebooks of this world. What are the implications for advertisers if there is a policy, if there isn’t, if it’s broken? Are there issues that involve them?
Reidenberg: The advertiser can be caught in the middle. The first line of the lawsuit will be the social media site, because they’re the conduit of information for the site. The advertiser might be getting information, like metrics, and it depends on how the ad networks are established and what the relationship is between the network and the site. If the ad network is aware that the social media site is violating its policy by sharing information, it’s going to be liable.
Question: The audience member had recently seen a mention of future LinkedIn advertising and asked about information being provided to advertisers.
Reidenberg: The question will be, if you can see some aspect of what’s being shared, and there’s a whole bunch of information that you can’t see, does that open up a deception claim?
Question: Is there clear law on the targeting of advertisements?
Reidenberg: No, but we will see more attempts to find theories to hold the advertisers responsible because they’re driving the industry right now. He doesn’t believe that purely advertising-supported sites will be around five years from now. The challenges for privacy will be very significant, so Reidenberg is skeptical that there will be a lot of success in generating enough income to pay for the services this way. He sees the internet going the same way as print newspapers and believes that we’re in a transitional phase.
Question: The audience member said that they work for a company that’s highly regulated and was glad to see that there were more audience members from the pharmaceutical area in attendance, since they are struggling in this space. She asked for Reidenberg’s thoughts on liability as a page owner on a third party site, where you have content but can only post limited terms of use as a page owner.
Reidenberg: You’re going to have risk. If you have a page on someone else’s service, the main service provider dictates what you can say and do in terms of rules with respect to your clients. Right now, it’s an open field, determined by the terms of service provisions.
There were no additional questions, so the session was ended.