OPINION – A dissection of social networks’ privacy policies


9 Jun 2012

Lisa Jackson, ICT solicitor with Leman Solicitors

On Thursday, LinkedIn became the latest in a stream of social networking companies, including Google+, Facebook and Twitter, to announce an update to its privacy policy. If you are still reading this then it is likely you have already read more of this article than any social network’s policy on privacy. Where they are so easily ignored by members, does this mean they are just tick-box exercises with no real value?

These privacy policies are intended to help organisations comply with data protection law by informing users how personal information is collected, stored and used. That is the theory, but the recent amendments by major social networks highlight how uninformed social network users are in reality about what networks do with personal information.

Since Facebook opened itself to the public in 2006, a level of comfort has emerged among social media members with sharing personal details of their lives with friends, family and the world at large. Obviously, where members post content publicly they accept it is freely available for anyone to access. But where content is uploaded with the intention that it should remain private or semi-private, what should be the limits on the use of that content by that social network?

This question has been increasingly asked by regulatory bodies and the media. The Irish Data Protection Commissioner’s audit of Facebook last year attracted widespread media attention and pushed privacy issues into the headlines.  

The reaction from social networks has been to update their privacy policies. The link to these policies is usually tucked away at the bottom of a website or in the settings of a mobile app and it is up to a member to seek it out. It is worth reviewing some of the main privacy policy changes.

Google

At the start of March, Google harmonised the profiles of users across all of its services, including YouTube, Gmail, Google Search and Google+. This harmonisation brought all of Google’s services under the one privacy policy and pooled the personal information of users from all services. Google said this information is used to tailor content, including search results and adverts.

This explanation has not satisfied regulators who believe Google remains secretive about how it uses members’ data. France’s independent authority for privacy, the CNIL, has examined Google’s privacy policy closely. Two questionnaires on the new policy have been sent to the multinational since March. The deadline for replies on the second round was yesterday.

On its website, the CNIL notes it considers it “impossible to know Google’s processing of personal data, as well as the links between collected data, purposes and recipients”.

Where Google has such a wealth of information on its users it should be under an increased obligation to provide details of how this information is collected, stored and used. Its existing privacy policy appears to fall short of this obligation.

Facebook

Facebook calls its privacy policy a ‘Data Use Policy’. This policy, along with the Statement of Rights and Responsibilities (SRR), aims to inform members of how Facebook uses their personal information. Following the audit of Facebook by the Irish Data Protection Commissioner, Facebook amended both policies.

In a blog post on 11 May, the Facebook Site Governance set out changes to the Data Use Policy. This included changes to the data retention provisions of the policy to allow members’ information collected by advertisers to be kept for longer than the previous time limit of 180 days. Also, Facebook clarified that it may show any kind of advertising to members who are off-site.

A second blog post was posted on 31 May by the Facebook Site Governance. It outlined administrative amendments to the SRR to reflect new features on the Facebook site, including the Facebook Timeline. Facebook has asked members to vote on the changes and will announce the result today.

These blog posts are wordy and do not provide a clear picture of the changes that Facebook intends to make to its privacy policy and SRR. The comments by members on the Facebook Site Governance page under its post last Tuesday reflect this and also highlight that the vote was not widely publicised.

Twitter

In mid-May, Twitter followed Google and Facebook and published an updated privacy policy on its website. It included a clearer explanation of the situations where Twitter will share user information with others.

The updates include a new section on how Twitter tailors content and specify that Twitter can use members’ contact information to help third-party services, client applications and others find Twitter accounts.

The policy also sets out that Twitter supports the ‘Do Not Track’ browser settings, which prevent the collection of information used to tailor Twitter suggestions based on a user’s browsing of sites that have integrated Twitter buttons or widgets.

The changes were set out in a clear email to members that highlighted the main changes to the policy. It also linked to a larger section explaining the new tailored suggestion feature that clearly shows users how to opt-out. The changes appear to reflect a genuine effort to inform members of how their personal data is used.

LinkedIn

In a blog post on 1 June, LinkedIn announced plans to update its privacy policy from last Thursday onwards. The revisions will shorten the length of time that personal information collected through off-site advertising and plug-ins is stored to 24 hours. The privacy controls that allow access to LinkedIn information by third parties and search engines have also been increased.

LinkedIn hit the headlines last week for its mobile calendar feature. This opt-in feature syncs LinkedIn with a smartphone’s calendar to gather information about event entries and send these to LinkedIn’s servers. This caused confusion among members and forced LinkedIn to write a blog post explaining what the feature actually does.

It is unacceptable that explanations of how member information is collected and used are provided in such a reactionary way. If users cannot understand how LinkedIn is collecting, storing and using their personal information then its privacy policy is not adequate.

It seems some of the above privacy policy changes are mainly cosmetic and are aimed more at appeasing regulators than providing a true account to users of how their data is collected, stored and used. One welcome outcome is the fact that online privacy issues have now come to the public’s attention.

Also, some social networking platforms, particularly Twitter, should be applauded for making changes without a direct regulatory push. The fact that notice of its updated policy was communicated so clearly to members shows a commitment to member privacy.

Hopefully, other social networks take note of Twitter’s approach. If they plan to be truly socially responsible when it comes to user privacy their policies should be communicated to members through more easily digestible methods, like videos or infographics, rather than wordy amendment documents or blog posts.

By Lisa Jackson

Lisa Jackson is an ICT solicitor with Leman Solicitors.