Two New Privacy Lawsuits Filed — Part One, Facebook

Within the last few weeks, two major companies have been sued for alleged violations of privacy laws – one filed before the Federal Trade Commission seeking an investigation into Facebook’s privacy settings and the other filed in federal court, styled as a class action against Netflix. (The Netflix suit will be analyzed separately, in Part 2 of this topic.)

Facebook Complaint

On December 17, 2009, privacy advocates filed a complaint with the Federal Trade Commission, requesting that “the FTC open an investigation into Facebook’s revised privacy settings.” In the Matter of Facebook, Inc., Docket Number —- (FTC); see also EPIC’s Press Release, “EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission,” Dec. 17, 2009.

Facebook announced its privacy policy revisions in a December 9 Press Release, “Facebook Asks More Than 350 Million Users Around the World To Personalize Their Privacy; Service Gives Users New Tools to Control Their Information” – which suggested that the changes would actually benefit users, and help them protect their information. In fact, however, these changes potentially undo the restrictive settings that users may have applied to keep their profiles closely guarded and viewable only by “friends.”

A copy of the Complaint, Request for Investigation, Injunction and Other Relief can be found on EPIC’s site, but EPIC is not the only plaintiff. Nine other consumer protection organizations have joined, namely the American Library Association (see also their privacy resources), The Center for Digital Democracy (see also a Dec. 17 blog post that explains CDD’s reasons for joining the complaint), Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights (see also their Dec. 11 criticism of Facebook’s privacy policy changes and their Feb. 18 analysis of the Complaint Almost Filed Against Facebook), Privacy Activism, Privacy Rights Now Coalition, The Privacy Rights Clearinghouse and the U.S. Bill of Rights Foundation. (If the organization name is not hyperlinked, it’s because I could not find an updated web site for the organization. If you find one, please post it in the Comments section below.)

Other Information about Facebook’s Privacy Policies

* EPIC has also developed an “In Re Facebook” page, on which it summarizes all of the actions it has taken to date relating to privacy issues faced by Facebook participants, provides a background to the debate, and chronicles various articles that have been written about the complaint. (Last updated on Dec. 30, although it appears to be kept current, so keep checking back.)

* The Electronic Frontier Foundation (EFF) has also posted (Dec. 21) an interesting article on its Deep Links Blog entitled, “Who Knows Who Your Facebook Friends Are?”, discussing how Facebook’s changes to its privacy policies have exposed users’ list of friends – thus causing real problems for political activists operating under oppressive regimes. Another EFF article worth reviewing in detail is “Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly” (Dec. 9).

* The New York Times’s Brad Stone blogged about the lawsuit in an article entitled “Privacy Group Files Complaint on Facebook Changes,” (Dec. 17) which has been updated to include Facebook’s response to the Complaint. The response notes that Facebook “discussed” the revisions to its privacy policies with regulators, including the FTC.

Why You Should Read a Web Site’s Terms of Service Before Posting

All Internet users should be aware that many of the sites that they visit on a regular basis provide some guidelines about the use that may be made of the site. These guidelines generally cover copyright notices, whether you can copy or share the site’s original content with others, and what rights you retain when you post comments or contributions to their community resources, such as blogs, chats or photo/video share functions. If the site provides content such as podcasts, video clips or streaming content, the Terms of Use will generally outline the limitations to your use and further dissemination of such materials.

For instance, if you visit an online newspaper, such as The New York Times or The Wall Street Journal, the Terms of Service/Use will remind you that the newspaper retains copyright rights in the materials and that by using the site, you agree not to “modify, publish, transmit, participate in the transfer or sale of, reproduce . . ., create new works from, distribute, perform, display or in any way exploit” the newspaper’s original content. NY Times Terms of Service ¶¶ 2.2; see also WSJ’s Subscriber Agreement ¶ 6(b) (users “may not sell, publish, distribute, retransmit or otherwise provide access to the Content received through the Services to anyone, including, if applicable, your fellow students or employees”).

Most of these policies also expressly prohibit using their information for commercial purposes, stressing that their services may be used for “personal use only.” See The Wall Street Journal ¶ 6(b)(iii) (“you may not use such an archive to develop or operate an automated trading system or for data or text mining”).

In addition, if you visit a medical site, the Terms of Use may disclaim any liability for any injuries that you receive by not getting medical treatment for your issues and for your decision to rely on the educational information provided by the site in lieu of seeking treatment. See WebMD. These sites also will disclaim that they provide any medical advice, and will advise you to always follow your doctor’s instructions and obtain proper medical treatment when you need to.

Many of these sites will typically provide guidelines for what material (text, photos, video) can be posted and what may be deemed “offensive” to the applicable community. If you violate the terms of the particular site with respect to “offensive” or “restricted content,” your ability to access the sites or continue a membership with them may be blocked or discontinued.

These Terms of Service – coupled with the site’s posted Privacy Policies (see the prior post, Recommended Reading: Privacy Policies for Web Sites You Visit) – should inform your choices about the behavior that you should use on each site, as well as giving you advanced warning if the site will re-use your information later, perhaps without your express consent.

What Happens to Information You Post – Can the Site Re-Use It?

This really raises questions about who owns the copyright to content that you write. Under U.S. copyright law, an author automatically obtains copyright rights in his or her “original works of authorship” (books, paintings, drawings, photos, sculptures, songs, portions of web sites, etc.) once they are “fixed in any tangible medium of expression.” 17 U.S.C. § 102(a).

You should read the terms of service for any web site on which you plan to post original content, such as comments to news articles, status updates on social networking sites, tweets on Twitter, photos uploaded to a photo sharing web site, or even videos shared on YouTube. Each of these sites has different policies in place regarding what they do with your original content, and in some respects, may limit what you can do with that content later. Here are some examples:

Facebook, Statement of Rights and Responsbilities, ¶ 2: “You own all of the content and information you post on Facebook, and you can control how we share your content through your privacy and application settings. In order for us to use certain types of content and provide you with Facebook, you agree to the following: . . . 1. For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”). This IP License ends when you delete your IP content or your account (except to the extent your content has been shared with others, and they have not deleted it).”
— This version of Facebook’s terms (dated May 1, 2009) suggests that once you delete your original content – or cancel your account – their limited rights to use it will expire. They also note, however, that if you have shared information with others and if they have not deleted it, Facebook’s ability to access to this material will not

Shutterfly, Terms & Conditions ¶ 3: With respect to content you upload, “you will retain ownership of such Submissions, and you hereby grant us and our designees a worldwide, non-exclusive, sublicenseable (through multiple tiers), assignable, royalty-free, fully paid-up, perpetual, irrevocable right to use, reproduce, distribute (through multiple tiers), create derivative works of, and publicly display and perform (publicly or otherwise) such Submissions, solely in connection with the Service (including without limitation for purposes of promoting the Service).”
Note that you also consent to allow Shutterfly to use your likeness for purposes of (among others) promoting or marketing Shutterfly to others: “(iii) you hereby consent to the use of your likeness, and you have obtained the written consent, release, and/or permission of every identifiable individual who appears in a Submission to use such individual’s likeness, for purposes of using and otherwise exploiting the Submission in the manner contemplated by these Terms (including for purposes of promoting the Service), or, if any such identifiable individual is under the age of eighteen (18), you have obtained such written consent, release and/or permission from such individual’s parent or guardian (and you agree to provide to Shutterfly a copy of any such consents, releases and/or permissions upon Shutterfly’s request).”
— Shutterfly reserves the right to re-use your photos or videos to create derivative works for purposes of promoting or marketing their service – and provides that your use of the service constitutes your consent to use your likeness in their marketing efforts.

Snapfish, Terms & Conditions ¶ VII(A): “In order for Snapfish to make your photos available to you and your invitees, as well as to use images to offer you a special variety of online services, Snapfish needs the rights to make use of all Content on the Service, in accordance with and subject to these Terms. Accordingly, as a condition to your Membership, you hereby grant Snapfish a perpetual, universal, non-exclusive, royalty-free right to copy, display, modify, transmit, make derivative works of, and distribute your Content, solely for providing or improving the Service.”
— Snapfish claims to limit its use of your material to anything required to “provide or improve” their service to you.

Twitter, Terms of Service, General Conditions: “The Twitter service makes it possible to post images and text hosted on Twitter to outside websites. This use is accepted (and even encouraged!). However, pages on other websites which display data hosted on must provide a link back to Twitter. . . . We claim no intellectual property rights over the material you provide to the Twitter service. Your profile and materials uploaded remain yours.”
— Twitter appears to claim no rights in any of your original content.

The Wall Street Journal, Subscriber Agreement ¶ 7(b)(iii): “You agree that upon uploading, posting or submitting information on the Services, you grant Dow Jones, and our respective affiliates and successors a non-exclusive, transferable, worldwide, fully paid-up, royalty-free, perpetual, irrevocable right and license to use, distribute, publicly perform, display, reproduce, and create derivative works from your User Content in any and all media, in any manner, in whole or part, without any duty to compensate you.”
— This means that they can re-use what you post, (sometimes) authorize others to re-use it and they are not required to pay you anything for it, or obtain your prior permission.

WebMD, Terms & Conditions, User Submissions: “If you submit any business information, idea, concept or invention to WebMD by email, you agree such submission is non-confidential for all purposes. . . . If you make any submission to a Public Area or if you submit any business information, idea, concept or invention to WebMD by email, you automatically grant-or warrant that the owner of such content or intellectual property has expressly granted-WebMD a royalty-free, perpetual, irrevocable, world-wide nonexclusive license to use, reproduce, create derivative works from, modify, publish, edit, translate, distribute, perform, and display the communication or content in any media or medium, or any form, format, or forum now known or hereafter developed. WebMD may sublicense its rights through multiple tiers of sublicenses. If you wish to keep any business information, ideas, concepts or inventions private or proprietary, do not submit them to the Public Areas or to WebMD by email.” (Emphasis in original).
— Essentially, WebMD acknowledges that they plan to commercialize any good idea that you provide to them without your permission if you ignore this warning.

YouTube, Terms of Service ¶ 6(C): “For clarity, you retain all of your ownership rights in your User Submissions. However, by submitting User Submissions to YouTube, you hereby grant YouTube a worldwide, non-exclusive, royalty-free, sublicenseable and transferable license to use, reproduce, distribute, prepare derivative works of, display, and perform the User Submissions in connection with the YouTube Website and YouTube’s (and its successors’ and affiliates’) business, including without limitation for promoting and redistributing part or all of the YouTube Website (and derivative works thereof) in any media formats and through any media channels.”
— YouTube acknowledges that it might use your content to promote their services.

When Can You Forward the Web Site’s Original Content to Your Friends?

In addition to being concerned about a site’s proposed use of your original writings (whether through comments, posts, blogs, updates on social networking sites, etc.), you should be aware that the Terms of Use policies will govern your ability to forward their original content to others.

As explained above, you should assume that as an initial matter, the web site on which you find an interesting article is probably the owner of the copyright in that material. Under copyright law, copyright owners have the exclusive right to create derivative works (which your comment forwarding their content might be) and to publish or distribute their works as they see fit. 17 U.S.C. § 106. Anyone who engages in this conduct without their consent or approval could engaging in copyright infringement, which carries statutory damages (per instance) of between $750 and $30,000. Id. § 504 (c). In addition, if a court determines that your actions were “willful” justifying an enhanced damages award, this amount per instance can increase up to $150,000. Id. As a result, you should always review the site’s terms of service to see what the limits are to your use of their original content.

Many sites will provide guidelines for downloading from their service or sharing their original content. They may provide limited licenses to permit downloading as long as you include all copyright notices, a reference to the original source of the material and/or use the material for personal use only. See NY Times Terms of Service ¶¶ 2.2, 2.3.

If they provide tools to share their materials on certain social networking sites (like Facebook, Yahoo Buzz, LinkedIn and others), the sites might give more leeway to the number of times that you can share their materials. See The Wall Street Journal ¶ 6(b)(iii) (“While you may download, store and create an archive of articles from the Service for your personal use, you may not otherwise provide access to such an archive to more than a few individuals on an occasional basis. The foregoing does not apply to any sharing functionality we provide through the Service that expressly allows you to share articles or links to articles with others.”)

Forwarding original content without the consent of the owner can be copyright infringement if you don’t fit into a defense to the allegation, such as fair use or parody. The case law that defines when conduct is “fair use” or that the resulting communication is a “parody” is detailed and voluminous – too large to try to summarize here. Suffice it to say that it’s a very fact-intensive analysis and one cannot assume that just because someone believes their own conduct is “fair” does not mean that the law will recognize it as qualifying for the “fair use” defense.

** Note: By linking the terms of use provided by the web sites identified above, I am not endorsing them or making any representations about the value of the goods or services provided by them. They were chosen somewhat randomly and are intended to serve as examples to show various terms of service about which Internet users should be aware.

Recommended Reading: Privacy Policies for Web Sites You Visit

Most web sites have privacy policies that generally identify what the site does with your personal information once it is submitted to them. Depending on the purpose of the web site, these policies can be very involved (on sites that collect and retain your credit card information and/or Social Security Numbers) to very simple (on sites that collect very little of your personal data).

There are no hard-and-fast rules for what must be included in a privacy policy, and there is no minimum list of terms that must be included. In certain industries, however, federal law imposes disclosure requirements that require certain types of businesses to identify what they do with your personal information. For instance, financial institutions may be governed by the Gramm-Leach-Bliley Act (GLB), which generally places restrictions on the use of personal financial information, such as credit cards. Similarly, health care providers may be governed by Health Insurance Portability Accountability Act (HIPAA), which provides very detailed rules about the use of personal medical information. Web sites that are directed to children or could reasonably foresee a younger audience are required to comply with the Childrens’ Online Privacy Protection Act (COPPA), which significantly limits what personal information web site operators are permitted to collect and/or retain.

If an organization covered by federal laws such as these also provides a web site, their treatment of your personal information should be described in the privacy policy associated with the web site (or in the case of health care providers, they may hand you a hard-copy Notice of Privacy Practices when you visit their offices for treatment, which has a different purpose than online privacy policies).

In addition, the Federal Trade Commission (FTC) recently updated its guidelines identifying best practices for online advertising – which includes statements made in online privacy policies. FTC Staff Revises Online Behavioral Advertising Principles (2/2/09). It also provides a summary of best practices to be considered by web site operators. Privacy Policies: Say What You Mean and Mean What You Say (2/08). Among these guidelines is a simple instruction: if a web site posts a privacy policy, it must not violate the terms.

Violations of privacy policies have resulted in investigations initiated by the FTC, sometimes resulting in fines against the company for saying one thing in its privacy policy and then doing something completely different. See, for example, these summaries about FTC investigations and settlements: Sony BMG Music Settles Charges Its Music Fan Websites Violated the Children’s Online Privacy Protection Act (12/11/08); Online Apparel Retailer Settles FTC Charges That It Failed to Safeguard Consumers’ Sensitive Information, in Violation of Federal Law (1/17/08). In essence, privacy policies are considered to be a form of advertising, and therefore, must be truthful.

Evaluating Privacy Policies

You should understand that in some circumstances, the moment you visit a web site information about you (although perhaps not personally identifiable) can be collected automatically by the web site, including your computer’s IP address, the date and time of your visit, the number of times you have visited this particular site, and (sometimes) where else on the Internet you have visited. Then, you may be in a position to submit personal information to the site – perhaps your credit card in order to complete an online purchase, a home phone number, a mailing address, a birth date, updates to a wishlist or baby gift registry, etc.

At the very least, when you are faced with sending personal information about yourself to a web site, take a few minutes to find the privacy policy associated with that site and read it to find out what they will be doing with the information that you are about to give them. If you cannot understand the policy, or if you do not like what you are reading, perhaps reconsider whether you should give them your personal information. In an age where identity theft is common, it pays to be careful with such information.

You can also check to see whether the privacy policy has an “opt out” procedure that you can invoke if you do not want to permit that particular use of your information.

Selected Privacy Policies for Comparison*

Citibank; Republic First Bank; TD Bank; Wachovia Bank; WellsFargo

DRUG STORES (Prescriptions, Rebates)
CVS; Duane Reade; Rite Aid; Safeway

Federal Trade Commission (FTC); Internal Revenue System (IRS); The White House; US Department of Commerce; US Department of Justice; US Patent & Trademark Office

Johns Hopkins Medicine; LabCorp; Mayo Clinic; Quest Diagnostics; WebMD

ABC News; CNN; Fox News; MSNBC; NY Times; Wall Street Journal; Washington Post

SEARCH ENGINES; Bing; Google; Yahoo

Amazon; Barnes & Noble; LL Bean; Sears; Starbucks; Target; Wal-mart (a new policy will go into effect Aug. 23, 2009 – the link points to a series of privacy policies available through Wal-mart)

Facebook; LinkedIn; MySpace; Twitter

Kodak EasyShare; Shutterfly; Snapfish; YouTube; Zazzle

FOREIGN SITES (with different legal requirements)
Agence-France Presse; BBC (see also Targeted Advertising Update (for users outside the UK only); The Economist; The Financial Times; World Intellectual Property Organization

* Note: By posting links to the privacy policies of the web sites identified above, I am not making any representations or endorsements about the value of the products or services provided by these sites or about the validity or enforceability of their privacy policies. These links were chosen somewhat randomly and are intended to serve as examples to show various ways to explain a site’s treatment of data collected from its visitors.