It is hard to believe that social media is less than seven years old. Facebook now claims more than 500 million users and there are no fewer than ten other social networks that claim more than 100 million. The popularity of playing games on social media platforms is also growing at a brisk pace. FarmVille reported reaching 62 million active users in September 2010.
People using social media and playing online games are generally not focusing on data collection and sharing issues. However, the social media platform, as well as the games on that platform, are often paid for by advertising. Those advertisers yearn for detailed data. In these areas, like the Internet generally, the pace of technology far exceeds the law. Specifically, the legal standards around social media, games, privacy, and data security are in flux. Even a fundamental question such as what is personal data is subject to debate. Smart marketers and PR executives are paying an increased amount of attention to just this issue.
This question is well-evidenced by a group of cases filed in the past several months. A group of class action cases filed at the end of 2010 against Facebook and the Facebook platform game company Zynga, the developer of FarmVille, all concern Facebook's User ID ("UID"). Before January 2010, this UID was part of the directory structure shared with advertisers when a Facebook user clicked on an advertising link. Though it was unique to the user, the UID itself did not contain personal information. However, when the UID was extracted from the URL, it could be used by a data-mining company to yield certain information publicly available on Facebook. This two-step process could be used to let marketers know, individually and in the aggregate, exactly who was clicking on advertisements so long as the Facebook user allowed their personal data to be searchable by UID.
This recent round of cases is not Facebook's first encounter with a class action involving a violation of personal data. Facebook was first sued in 2008, in Lane v. Facebook, for alleged violations of the federal Electronic Communications Privacy Act and the federal Computer Fraud and Abuse Act. Lane focused on Facebook's Beacon program, which was the company's first major foray into targeted advertising. The seemingly simple premise of being able to share information on purchases with one's Facebook friends became a fiasco for the social networking giant when some users experienced embarrassing results (such as posting a discount engagement ring purchase on a user's wall). However, Lane differs from the current set of cases because detailed personal information was intentionally used and disclosed in a single step (instead of unintentionally and involving multiple steps). Lane ended in a $9.5 million settlement and termination of the Beacon program.
Platforms beyond Facebook also have the same concerns. On December 23, 2010, the class action cases above were followed by a case against several companies, including game companies and a mobile phone company, alleging similar privacy failings under the same federal statutes. In Freeman v. Apple, the plaintiffs complain that certain applications, including advertising-supported games, pass a unique device identifier (UDID) along whenever a user clicks on an advertisement. However, unlike the earlier or later Facebook cases, the UDID cannot be linked to any personally identifiable information. It is merely an identification number on the mobile device used to access the advertisement. Therefore, this situation should pose significantly less risk for Apple.
Given these cases, communications professionals should be very mindful of any disclosure of personally identifiable information in social media. This is true both of the work PR firms do for their clients and for their own companies. In both instances, the PR agencies need to understand how broadly federal law defines “personally identifiable information” and to ensure they have appropriate disclosures in place.
Michael Lasky is a senior partner at the law firm of Davis & Gilbert LLP, where he heads the PR practice group and co-chairs the litigation department. He can be reached at firstname.lastname@example.org.