Risks arising from the use of social media in the United States


Financier Worldwide Magazine

August 2015 Issue

August 2015 Issue

Social media is a critical business tool creating unprecedented opportunities for direct consumer interaction, brand awareness, checking the pulse of key constituents and so much more. This incredible opportunity is not risk-free, however, and in the US is the subject of new laws, application of old laws to new situations, and a significant amount of murkiness. Below is a discussion of some of the risks every business may wish to consider to better benefit from its social media presence.

Social media developer rules and terms of use

Many businesses have a ‘page’ or other presence on a social network or may download social media widgets, plug-ins or log-in credentials for use on the website of the business. The page on the social network will at least be subject to the terms of use and privacy policy for the social network but might also be subject to additional rules for business users such as ‘social developer rules’.

It is a risk to fail to read and comply with those rules and terms. For example, a 2015 Facebook rule says Facebook “can analyse your app, content, and data for any purpose, including commercial”. An older version is more explicit: Facebook “can analyse your app, content, and data for any purpose, including commercial (such as for targeting the delivery of ads on and off Facebook and indexing content for search)”. The Facebook rules also require the business to make certain disclosures in the business’ privacy policy.

Failure to abide by the rules can have consequences even if the social media site does nothing to enforce them. In the Matter of Jerk LLC, the US Federal Trade Commission (FTC) alleged that Jerk.com engaged in deception by creating fake profiles of persons as “jerks” or “not jerks” and then offering a paid service to have the profile changed. Part of the basis for the FTC’s charge of deception was Jerk.com’s “improper collection of Facebook data in violation of Facebook’s agreed policies”.

Copyrights in content or data?

Many businesses would like to use ‘user-generated content’ that is posted on their social network pages or is offered by third party vendors from social network sources, such as photos of happy customers using a product of the business. Those pictures are a great way to promote the business’ brand, but are they free for the taking? No. The person creating the content typically owns the copyright and merely posting a photo on a social network or on the business’ page does not, by itself, transfer the copyright or create a licence for re-posting or use in ads, etc. That needs to be done by contract. Privacy policies and other laws (such as the rights of publicity of persons pictured) also impact the ability to use user-generated content.

To illustrate, the Instagram contract for use of its APIs says that the business shall: “remember, Instagram doesn’t own User Content – Instagram users do. Although the Instagram APIs can be used to provide you with access to User Content, neither Instagram’s provision of the Instagram APIs to you nor your use of the Instagram APIs override User Content owners’ requirements and restrictions, which may include ‘all rights reserved’ notices (attached to User Content by default when uploaded to Instagram), Creative Commons licenses or other terms and conditions that may be agreed upon between you and the owners”.

Similarly, the Twitter ad policies say: “Do not include another person’s content in Twitter Ads without the person’s permission. Create your own Tweets, or get permission from the authors of the Tweets and Retweets you use”. Both examples are another way of saying that businesses need to do their own copyright and publicity rights compliance legwork.

Data privacy and security concerns

In the US, the FTC may bring enforcement actions to prevent unfair acts or deceptive practices. Between the FTC, other federal and state regulators, sector-specific laws, trade organisation codes and contracts, privacy and data security rules can heavily impact social media activities (such as Big Data, behavioural advertising and mobile apps) and data types (such as geolocation information, IP addresses and device identifiers). Children under 13 have special protections under the federal Children’s Online Privacy Protection Act (COPPA). That Act applies to online services not only when they are directed to children, but also when any online site or service has actual knowledge that online information was collected from a child. Consider an ‘all-ages’ fan website that accepts a self-posted video of and from four pre-teen concert fans – actual knowledge? Social developer rules say things like “don’t knowingly share information with us that you [the business] have collected from children under the age of 13”, i.e., the social network does not want that information and neither should the business (absent COPPA compliance).

Protecting trademarks, intellectual property, ‘new’ property and reputation

Most businesses understand they should take steps to protect their trademarks and other intellectual property rights. There are emerging types of property or rights that also need protection, e.g., a popular Twitter handle, a group of loyal ‘followers’, and those employee blogs about the business or its products. Litigation has begun regarding who owns or controls those kinds of ‘assets’, such as in cases where the employee blogger quits or is fired.

Similarly, new ways of clearing intellectual property rights are emerging and should be considered. Taking months to clear rights while a movie is being made is significantly different from clearing rights in a real-time social media campaign during halftime at a major football game.

Liability for things users might do

Users do things they are not supposed to do, innocently or otherwise, such as posting copyrighted works (without permission) or defamation. Steps can be taken to mitigate these risks such as prohibiting conduct in terms of use, qualifying for and following the federal Digital Millennium Copyright Act’s ‘takedown’ provisions, and removing comments under protections afforded by the federal Communication Decency Act. The later Act generally says that providers of an interactive computer service are not liable for content provided by another content provider. There are ways to fail to qualify for or lose these protections, so relevant procedures and disclosures are advisable.

Social media technologies

Currently on appeal to a US Court of Appeals is a case called Nickelodeon Consumer Privacy Litigation. When a video watcher pressed the Google ‘thumbs up’ button, the user’s IP address was passed by the Nickelodeon website to Google. The claim is that this violated the federal Video Privacy Protection Act which precludes providing personally identifying information (as defined in the VPPA) about who watched what videos. The trial court said the IP address was not PII; appellants argue it was PII, claiming that even if the data actually sent by Nickelodeon was not PII, Nickelodeon knew that Google could easily convert it to PII because of the social data Google already has. The claimed concept has the potential to be too unbounded, but illustrates that use of social media technologies that share data with social networks may create special concerns.

Contests and sweepstakes

Social media can make sweepstakes and contests easy to create, but those activities remain subject to a panoply of state and federal of laws. In addition, each of the social networks has its own set of rules (found in the social developer rules).

Testimonials and endorsements

User or celebrity endorsements or testimonials can be great for a brand, but they are governed by specific rules. There is FTC guidance on endorsements and testimonials generally and as used in social media and blogging. The FTC recently updated its Frequently Asked Questions regarding this issue. Failure to comply can sting – in 2011, a company that advertised its products through online affiliate marketers posing as ordinary consumers paid $250,000 to settle with the FTC. Regulatory action today tends to focus on situations in which ‘consumers’ look like they are recommending a business’ product simply because they love it, but there is actually a material connection between them and the business that would affect how others evaluate the endorsement (e.g., the endorser is receiving free merchandise from the business). That connection must be disclosed.


Some businesses believe ‘social’ means that the business gets a free pass to do things online that it cannot do offline. A good example of this would be a stockbroker ‘tweeting’ information he is forbidden to disclose in a formal setting. Free passes do not exist, and most regulators have issued sector specific guidance about how businesses must operate in social media. Accurate records can be required or helpful to prove compliance.


What about a sole proprietor that has valuable data on a social media page? At death, will executors and heirs have the passwords they need to get at that data? Some US states will be considering a new uniform act, the Uniform Fiduciary Access to Digital Assets Act, which is intended to deal with that issue, but which is also the subject of significant debate. Regardless of that outcome, the issue should be considered.


If the business gets sued and needs to respond to discovery requests for information from its social media pages, it will need to be able to impose a ‘litigation hold’ and comply with the ‘Electronically Stored Information’ rules of the Federal Rules of Civil Procedure. That can be harder than one would think (especially when the data is on a third-party site), so advance planning is key.

Why bother?

Why bother with social media if it is complex enough to create a risk list? Bank robbers rob banks because that is where the money is. Businesses increasingly use social media because that is where society is. While there are risks, they can be managed.


Holly K. Towle is a partner and Kendra Nickel-Nguy is an associate at K&L Gates LLP. Ms Towle can be contacted on +1 (206) 370 8834 or by email: holly.towle@klgates.com. Ms Nickel-Nguy can be contacted on +1 (206) 370 8015 or by email: kendra.nickel-nguy@klgates.com.

© Financier Worldwide

©2001-2016 Financier Worldwide Ltd. All rights reserved.