Regulatory and Self-Regulatory Regimes For Social Media — Beyond The FTC

Originally prepared as a paper presented by William T. McGrath at the  Social Media in Law Conference on November 10, 2010.  For more information on the seminar, please visit www.lawseminars.com

Introduction

We used to think of the Internet as a vast, unregulated network – a kind of Wild West of advertising, self-promotion, and unilateral communication of information.  In fact, the Internet is not as unregulated as it may seem.  With the advent of Web 2.0 and a host of new types of social media, greater attention has been devoted to various methods of regulating conduct of companies and individuals using the Internet and social media as a mode of public communication.

This paper will address some of the regulation and self-regulation that corporations need to be aware of.  Some of the regulation is new regulation specifically aimed at the novel issues raised by social media.  Some is simply an application of old regulatory schemes to the new media.  Some of the self-regulatory efforts are measures designed to avoid or deter more restrictive or burdensome governmental regulation.

One major source of social media regulation is the FTC.  This paper however addresses only regulation and self-regulation outside the FTC.

The regulatory regimes that may affect social media are diverse and often industry specific.  They address both the dissemination of information and the collection of information.  Depending on one’s definition of “regulation,” there are innumerable regulatory regimes, from internal corporate policies to the Rules of Professional Conduct for lawyers; from the Lanham Act and Copyright Act to legislative efforts to curb cyber-bullying.  Even the criminal laws can be used to respond to social media abuse, as we have seen in the recent events such as the suicide of a Rutgers student.

There are, however, several more direct regulatory frameworks addressing the use of social media.  If there is a common theme to this regulation, it is that the regulation is primarily focused on protection of consumers.   Among the many regulatory initiatives in place or under discussion, are the following:

• A self-regulatory program for online behavioral advertising developed by the Interactive Advertising Bureau (IAB) together with other advertising and business groups
• A self-regulatory program for children’s advertising, issued by the Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus.
• “Guidance on Blogs and Social Media Web Sites,” issued by the Financial Industry Regulatory Authority (FINRA)
• Social media regulation by the Food & Drug Administration (FDA)

Behavioral Advertising

Behavioral advertising, sometimes known as targeted advertising, is pervasive, whether you realize it or not.  Initially, as applied to websites, it used information collected from an individual’s web-browsing behavior (e.g., pages visited, searches made) to select which advertising to display to that individual.  In the Web 2.0 context, the use and effectiveness is greatly expanded because consumers are now offering a much larger digital footprint, offering a wealth of information about friends, interests, locations, and affiliations.

Because it impinges on important privacy interests, behavioral marketing is controversial.  Advertisers love it since it is far more effective than un-targeted Internet advertising.  They argue that behavioral advertising is what allows users to have free access to many of our favorite websites.  Consumers, however, don’t really like behavioral advertising, and the more they know about it, the less they like it.  A 2009 survey conducted by professors at the University of Pennsylvania and the University of California at Berkeley found that 66% of U.S. adults do not want marketers to tailor advertisements to their interests.  The disapproval rate is even higher — between 73 percent and 86 percent — when Americans are informed of three common ways that marketers track their activities online and offline.  The problem is complicated by the fact that the only present ways to avoid behavioral advertising is for the consumer to take affirmative steps to opt-out, as opposed to a system that would only enable behavioral advertising to consumers who opt-in.  In light of the consumers’ lack of awareness, and since there is little transparency or disclosure on many of the sites where behavioral advertising occurs, opt-out procedures would appear to have little effect.

Among the concerns about collection of personal information for use in behavioral marketing is that many people don’t realize it is occurring.  Another survey about behavioral advertising, conducted in 2010, showed that only 51% of the participants recognized that this was something that “happens a lot right now.”

For these reasons, the FTC is interested in this practice.  In 2009, the FTC issued a set of recommended practices for companies engaged in online behavioral advertising.  The FTC encouraged industry self-regulation on this increasingly ubiquitous online practice.  The FTC’s implicit, if not explicit, message to the online advertising industry was that if you don’t regulate yourselves in this area, we’ll do it for you.  The industry responded promptly.

Several months after the FTC issued its principles for online advertising, a coalition of online advertising industry groups issued its own set of guidelines, similar to those enunciated by the FTC.  The industry guidelines, entitled “Self-Regulatory Principles for Online Behavioral Advertising” (the “Principles”), issued in July, 2009, can be found at www.iab.net/media/file/ven-principles-07-01-09.pdf.

The Principles identity seven general principles to guide companies engaged in online behavioral advertising.  Behavioral advertising is defined in the document as “the collection of data online from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web-sites for the purpose of using such data to predict use preferences or interests to deliver advertising to that computer or device based on preferences or interests inferred from such Web viewing behaviors.”

The principles are:

1)         The Education Principle, encouraging efforts to educate consumers and businesses about online behavioral advertising.

2)         The Transparency Principle, requiring mechanisms for clearly informing consumers about data collection and use practices.

3)         The Consumer Control Principle, enabling users to choose whether data is collected and used.

4)         The Data Security Principle, requiring advertisers to provide security for data collected and limiting the retention of such data.

5)         The Material Changes Principle, requiring user consent before changing collection and use policies to be less restrictive

6)         The Sensitive Data Principle, applying heightened protection for certain data collected, such as children’s data and various financial and medical information.

7)         The Accountability Principle, creating mechanisms for ensuring meaningful compliance.

Of course, principles are not worth the paper they are written on unless they are actually implemented.  Last month, the industry launched a program to actually implement the Principles.  On October 4, 2010, the industry coalition put into effect a program to implement the Principles.  See, www.iab.net/self-reg.

The cornerstone of the implementation program is the deployment of a new icon, which we will all be seeing much of in the future:

Those participating in the program will display the icon in or near advertisements where data is collected and used for behavioral advertising.  The icon not only identifies such advertising but also allows the user to link to a disclosure statement and an opt-out mechanism.  Other opt-out mechanisms and information about behavioral advertising will also be accessible.

The program also implements some enforcement mechanisms.  Beginning in 2011, the Council of Better Business Bureaus (CBBB) and the Direct Marketing Association will began to monitor and enforce compliance of companies that participate in the program.  The CBBB will also identify companies that are not following the program.

Children’s Advertising

A similar earlier model of advertising industry self-regulation is seen in the “Self-Regulatory Program for Children’s Advertising” issued by the Children’s Advertising Review Unit (CARU) of the CBBB.  It can be found at www.caru.org/guidelines/index.aspx.  This program sets standards to ensure that advertising to children is not “deceptive, unfair or inappropriate” for children, taking into account their “susceptibility to being misled or unduly influenced” and their “lack of cognitive skills needed to evaluate the credibility of advertising.”  It deals with advertising directed to children under 12 or 13 years of age.

While not focused solely on social media, some of CARU’s guidelines address advertising through emerging technologies.  Online data collection and other privacy related practices by website operators come within its scope.  It has guidelines specifically dealing with online data collection from children that are consistent with the Children’s Online Privacy Protection Act (COPPA).  Its guidelines involve issues such as deception, product claims, material disclosures, endorsements, and blurring of advertising and editorial content.

CARU can initiate complaints and when it finds violations it seeks changes through voluntary compliance.  It also publishes case reports.

Food and Drug Administration

An article on the Huffington Post by author Riva Greenberg suggests that doctors are losing their relevance due to social media health sites.  As healthcare costs rise, patients are turning to social media to get information and to share information, experiences, treatments, and support.  Social media health sites are growing rapidly.

Where social media is thriving, advertising will no doubt be part of the action.  But manufacturers of medical products such as drugs and medical devices must tread this terrain carefully because advertising and product information in the field is highly regulated by the Food and Drug Administration (FDA).  FDA regulations require promotional messages to be truthful, not misleading, and fairly balanced between the benefits and risks associated with a particular product.

The FDA has shown a particular interest in the area, though it has not yet issued a policy.  It held a public hearing in November, 2009, and solicited written comments after the hearing.  Among the issues that need to be addressed are the problems created by the space constraints.  We’ve all heard the long, sometimes frightening, and usually disgusting lists of side effects of drugs on television commercials.  That kind of disclosure is hard to accomplish in a tweet.

The FDA has taken two regulatory actions involving the Internet and social media.  In 2009 it issued notices of violations to 14 companies that had paid for sponsored links for pharmaceutical products on Internet search engines.  The ads mentioned the drugs without immediate information about the risks.  In 2010, the FDA issued a notice of violation to a pharmaceutical company,  Novartis, because the Facebook “sharing” feature of the social widget on the company’s website for a certain drug generated communications that violated the Food, Drug, and Cosmetic Act and FDA implementing regulations.

Securities Regulation

Firms that sell securities and financial instruments are also subject to federal regulations concerning communications to the public.  The Financial Industry Regulatory Industry (FINRA) (formerly the National Associations of Securities Dealers, an independent regulator for all securities firms in the U.S.) has been active in this arena.  It first addressed the questions of interactive electronic communications over a decade ago when it stated that a registered representative’s participation in an Internet chat room is subject to the same requirements as a presentation in person before a group of investors.  It has also issued a “Guide to the Internet for Registered Representatives.”  And in January, 2010, it issued a Regulatory Notice entitled “Social Media Web Sites — Guidance on Blogs and Social Networking Web Sites.”  It can be found at www.finra.org/industry/regulation/notices/2010/p120760.

Among other things, the Notice clarifies that firms subject to the securities laws must retain records of communications made through social media sites, and they must ensure that the technology for such record retention is in place.  If a firm recommends a security through social media, it must comply with NASD rules requiring the broker-dealer to determine that the security is suitable for every investor to whom it is made.  Firms must also comply with regulations requiring certain supervisory procedures where employees are engaged in interactive electronic communications on social media sites.  Complex issues can arise as to whether a securities firm can be held responsible for third-party posts on a social media site established by the firm.  If the firm was involved in the preparation of the content or explicitly or implicitly endorsed or approved the content, it can be responsible for it.

The SEC has also issued an interpretive release providing guidance on federal securities law issues raised by the use of social media by public companies.  See “Commission Guidance on the Use of Company Web Sites” at www.sec.gov/rules/interp/2008/34-58288.pdf.