The world of social media moves quickly.
In July 2012, for example, Netflix CEO Reed Hastings posted a statement on his Facebook page that the online video company had reached one billion hours of viewing. The company and Hastings subsequently received a Wells notice from the Securities and Exchange Commission (SEC), warning that the agency might bring a civil action for violating Regulation FD, which requires public companies to make full and fair public disclosure of material non-public information.
Fast forward less than a year to April 2013. The SEC issues a report in which it takes no enforcement action against Hastings or Netflix. Further, the Commission says companies can make announcements over social media, including Facebook and Twitter, by providing relevant web addresses through notifications on their company websites and press releases. “We appreciate the value and prevalence of social media channels in contemporary market communications, and the Commission supports companies seeking new ways to communicate and engage with shareholders and the market,” the SEC says.1
Netflix and the SEC are not alone in embracing the power of social media networks. Fortune 500 companies are “bullish” on social media, with 77 percent having active Twitter accounts and 70 percent now on Facebook, according to a recent study by the Center for Marketing Research at the University of Massachusetts.2 The survey found that companies were also experimenting with platforms like Google+, Foursquare and Instagram. The Fortune 500, the study concluded, “now seems comfortable and even excited with its newfound ability to engage its vendors, partners, customers and others in ways that could not have been imagined when most of their corporations began.”
For ethics and compliance professionals around the globe, this wide-scale and rapid adoption of social media means increasing attention must be paid to how new technologies are being incorporated more broadly into the fabric of an enterprise. Only a few years ago, a principal compliance worry was whether a company’s reputation and its business could be damaged by employee posts on Facebook. While that remains a legitimate concern, the ethics and compliance spotlight must necessarily focus on a broader range of activities.
Privacy is one critical concern, as a wide variety of social media and mobile applications enable companies or their third-party service providers to gather personally identifiable information (PII), location data and other confidential customer information.
For example, in July 2013, the U.S. Federal Trade Commission’s (FTC’s) revised Children’s Online Privacy Protection Act (COPPA) Rule took effect, prohibiting certain websites and online services from collecting, using or disclosing personal information of children under 13 without first notifying parents and obtaining consent.3 The modified rule also widens the definition of children’s personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos and audio recordings. (Proposed legislation expanding those protections to children ages 13 to 15 has been introduced in the U.S. Senate and House.4)
State legislatures are also focusing on social media privacy concerns, with California enacting several key laws in 2013. One measure requires that any website or mobile application disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about their online activities.5 Another piece of California legislation—the so-called “eraser” law—requires website operators to honor requests made by minors who are registered users to remove content the minor posted on the site.6
International regulation of social media varies greatly. The draft European Union Data Protection Regulation,7 which could be approved this year, contains a controversial feature giving consumers the right to be forgotten—now being called the “right to erasure”—that would entitle anyone to contact an Internet firm and have it delete personal data from their services. Third parties hosting the data would be required to remove it as well. The draft regulation includes stronger safeguards for data transfers to non-EU countries and substantial fines for non-compliance—up to 100 million Euros or up to 5 percent of a company’s annual worldwide income, whichever is greater.
Ethics and compliance professionals should ensure that they’re communicating with their own marketing and advertising teams and, importantly, understanding the role of third-party providers in application development. Increasingly, regulations and guidelines are tailored to industry specifics. For example:
- The U.S. Food and Drug Administration issued new guidance for mobile medical apps in 2013, citing research showing that 500 million smartphone users worldwide will be using a health care application by 2015; by 2018, an estimated 50 percent of the more than 3.4 billion smartphone and tablet users will have downloaded mobile health applications.8
- Retailers who provide WiFi coverage in their stores and engage in mobile tracking of customers—an increasingly popular practice—are the focus of a Mobile Locations Code of Conduct developed by the Future of Privacy Forum, a privacy think tank.9
- The Better Business Bureau’s Online Interest-Based Advertising Accountability Program has issued its first-ever “compliance warning” under which websites are now expected to ensure that consumers receive “enhanced notice” regarding data collected for “behavioral” advertising and cannot simply rely on third parties, such as ad networks, to bring the websites into compliance.10
Spreading the Word
Word of mouth lies at the heart of social media (in fact, the industry has a Word of Mouth Marketing Association), and marketers increasingly look to “advocates” to help boost sales and reputation through Facebook “likes,” online reviews and comments. However, FTC Endorsement Guides state that if there is a connection between the endorser and the marketer of a product that would affect how people evaluate the endorsement, it should be disclosed; in 2013, the FTC released new guidance for mobile and other online advertisers that explains how to make disclosures clear and conspicuous to avoid deception.11
In September 2013, New York Attorney General Eric T. Schneiderman announced that 19 companies had agreed to cease the practice of writing fake online reviews for businesses and to pay more than $350,000 in penalties.12 The Attorney General’s investigation found that search engine optimization companies were using advanced “IP spoofing” techniques to hide their identities, as well as setting up hundreds of bogus online profiles on consumer review websites to post the reviews. The practice—called “astroturfing”—“is the 21st century’s version of false advertising, and prosecutors have many tools at their disposal to put an end to it,” Mr. Schneiderman said.
In the Workplace
Social media increasingly plays a role in just about all stages of the employment process—and at each stage, there are compliance risks.
Many companies, for example, regularly look up job applicants online as part of the hiring process. But according to a 2013 study by researchers at Carnegie Mellon University, many may also use what they find to discriminate.13 In an online experiment, the researchers tested responses of over 4,000 U.S. employers to a Muslim candidate relative to a Christian candidate, and to a gay candidate relative to a straight candidate. They found that “survey subjects with hiring experience are significantly less likely to say they would interview the Muslim candidate than the Christian candidate.” (However, researchers found no evidence of discrimination against the gay candidate relative to the straight candidate.)
If your company is contemplating asking employees to turn over the passwords for their Facebook or Twitter accounts, exercise extreme caution—and question whether you’ll get the results you want. While access to personal accounts might seem like a good way to protect proprietary information or trade secrets, it could also represent an invasion of employee privacy. According to the National Conference of State Legislatures, laws to prevent employers from requesting passwords to personal Internet accounts have been passed in 10 states (Arkansas, Colorado, Illinois, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont and Washington), and legislation has been introduced or is pending in at least 36 states.14
Every company should have a social media policy. An effective policy should be simple, consistent and tightly aligned with a company’s code of conduct; whatever the company code for in-person encounters and whatever the rules for general good behavior, they apply in the online world as well. Potential penalties for violations, including dismissal, should be made clear.
Consider, for example, the Social Computing Guidelines issued by IBM: “Be thoughtful about how you present yourself in online social networks. The lines between public and private, personal and professional are blurred in online social networks. By virtue of identifying yourself as an IBMer within a social network, you are now connected to your colleagues, managers and even IBM’s clients. You should ensure that content associated with you is consistent with your work at IBM.”15
In the U.S., the National Labor Relations Board (NLRB) has focused considerable energy on social media issues, with a series of rulings emphasizing that corporate guidelines must not violate Section 7 of the National Labor Relations Act (NLRA) by disciplining or firing an employee because the employee was using social media to engage in “protected concerted activity,” which occurs when two or more employees act together to protest or complain about wages, benefits or other terms and conditions of employment.
The Bright Side
As social networks continue to grow—soon to become more popular than voice or text communications, by some estimates—large enterprises need to acknowledge their emerging importance in virtually all aspects of business. Technology, marketing, communications, human resources and legal departments should coordinate and communicate on a regular basis. Corporate boards should be briefed regularly on the potential rewards and risks of these new media platforms.
In fact, Facebook-like social networks within companies—often called “enterprise social networks”—are increasingly being deployed to foster better communication and productivity. The Gartner research firm predicts that by 2016, 50 percent of large organizations will have such internal networks, and that 30 percent of these “will be considered as essential as email and telephones are today.”16
For companies to achieve maximum benefits of these social networks, however, Gartner advises that businesses focus on leadership and relationships over content and technology. “Successful social business initiatives require leadership and behavioral changes,” Gartner says. “Just sponsoring a social project is not enough—managers need to demonstrate their commitment to a more open, transparent work style by their actions.”
The full LRN Risk Forecast Report can be accessed at: http://pages.lrn.com/risk-forecast-report-2014