Apparently, while I was spending several months in a courtroom and away from this blog (although not from Twitter!) the state of California officially became ambivalent about social media and the Internet Age more generally.   Of course, as is usually the case, California’s discomfort may create rules for the rest of us.

Allow me to explain.

This next paragraph represents a completely simplistic and borderline inaccurate description of our government, but is important to understand why California has such an out-sized impact in our country: In the United States, we like to think of ourselves as having a federalist system: the individual states make most of the rules unless there’s a law or regulatory scheme at the Federal level.  But implicit in all of this is that the laws of one state don’t have much of an impact on the laws of another state — that’s why, for example, states can’t collect the sales tax spent on companies with no presence in their borders, permitting Amazon and Zappos to thrive and local merchants to seethe with anger.

But some states are more important than others.  It doesn’t behoove companies to have 50 different approaches to their customers, so they often craft their policies to fit the states with the most customers, or the most significant risks.  Thus, a single state can often impact how the rest of us interact with our consumer experience.

California is often that state.  And now, in two separate bills, California’s legislature is trying to get out in front of the national debate on Internet privacy by creating rules that will, in all likelihood (and for better or worse) affect us all.

The first bill, SB242, would force social networking sites to let users set their privacy settings when they register, rather than after they’ve already joined (and often never will).  The bill would also force those same sites to default to certain privacy settings to keep more information private.   Of course, the social media sites are opposed, saying that all of this limits consumer choice, but the legislators who introduced the bill are not impressed, and a $10,000 fine per violation could easily add up to real money for even the largest sites.

The other bill, SB761, would create the “do not track” rules that privacy advocates have hoped for on the Federal level for some time.  The bill, which is far reaching in its scope, would effectively prevent websites from tracking their users.

At all.

In other words, you can effectively opt out of any of the benefits that companies get from interacting with you, even as you interact with them.  This goes quite a bit further than, say, Jay Rockefeller’s proposal in the U.S. Senate introduced this week, a bill that does include exceptions that industry believes to be necessary for modern e-commerce.

Now will these California proposals become law? Probably not in their current forms, but in this atmosphere of paranoia about Internet privacy it is not at all a bad bet that something will pass.  And if it does, social media sites (and, in fact, almost everyone who does business on the ‘net) will have to decide how far they can go in carving out California customers for special treatment, and whether they will simply have to give America the rules that California has chosen.

I have repeatedly warned everyone to consider the value of having a social media policy.   You need to think about what your employees and colleagues are saying in your name.  You have to consider what type of social media engagement they(and you!) are permitted to engage in on the job.  You need to think about your brand, about content.  

Whew — you’re thinking – that’s a lot.  And it is.  But that shouldn’t stop you from doing it, and not because some law or regulation requires it.  Rather, you need to think about how the world engages with you through social media, and how you intend to engage with the world.  It’s a fairly broad proposition, and it has frozen the collective consciousness of folks around the world who have refrained, en masse, from actually creating social media policies (as opposed to talking about them, of course!)

So — taking a page from some of the big players that have taken the big step and crafted a social media policy – let’s think about (a non-exhaustive list!) of some of the things that you should consider when creating a social media policy.

1. EMPLOYEE USE: YES OR NO? Do you want your employees and colleagues using social media at work?  This is, obviously, quite controversial.  There are some who believe that the only proper approach to social media in the workplace is to ban it.  Others think that companies are shooting themselves in the foot bycutting off their personnel from valuable communication tools.  In truth, the answer is likely to vary from company to company, and perhaps even within companies.  Rather than assume a  “one size fits all” solution, you need to work with counsel to determine what, if any, restrictions are appropriate.  Are you in the securities industry? FINRA may have some guidance for you, and the optimal policy will differ from, say, that of Zynga.
2. WHAT ARE YOUR EMPLOYEES AND COLLEGUES ALLOWED TO SAY? An obvious follow-up to the question of employee use is what, exactly, they are allowed to say, and whether the company should take a position on what they do on their spare time in their own name.
3. WHAT SHOULD THE COMPANY “DO” WITH THINGS IT LEARNS THROUGH SOCIAL MEDIA?  This is a bigger problem than it may initially appear — so much so that I will also discuss this at a later date in greater detail.  But think about it: You and your colleagues are going to learn all sorts of things from social media: you may learn about product defects.  You may learn about dangerous drug interactions.  You may learn that one of your colleagues is a racist.  You may learn that one of your colleagues is engaging in price fixing.  You may learn that one of your subordinates is pregnant.  You may discover that one of your products needs to be recalled.  The list is endless — and can create almost endless forms of liability.  Again, there is no universal solution to a complex problem — but the problem calls for some serious soul searching in order to determine how far this should actually be pushed.
4. WHAT ARE THE RULES FOR USING CONTENT ON YOUR SITE? If your social media presence is worth even a fraction of the time it will take to do it right, there will be content.  Hopefuly, valuable content.  Who owns it?  Do you have the rights to it?  What type of process do you have in place? Do you need?
5. IS THERE REGULATED ACTIVITY ON MY SITE? Are there sweepstakes or contests as part of my social media strategy? Coupons? Rebates? Financing offers? Am I marketing to minors? Am I marketing to folks in other countries?  Just because you’re on the Internet doesn’t mean that the law stops applying to your activities — and in some cases that regulation becomes more complicated than it would have been if you simply had a store.

Of course, this is just a taste, but should inspire you to consider whether your failure to have a social media policy is also a lost opportunity for valuable self-reflection.  A social media policy is not merely something to have so that some random regulator will be happy.  Instead, it is a critical tool for understanding how you can and should interact with a powerful new medium of expression.

It goes without saying that you should have a privacy policy if you are accepting personally identifiable information through your web presence or social media initiative.  The Federal Trade Commission, by the way, agrees — and trust me, you don’t want the FTC taking an interest in you or your business.

But ironically, all of that time, money and brainpower you spent on crafting a best-of-breed privacy policy may result in a document read by…no one.  Go ahead — check your analytics — see how often someone takes a look at your privacy policy, or even your terms and conditions.  Not a big source of hits, is it?  That one person who looked at your privacy policy last week?  That was me. 

And even when consumers have independent access to information about privacy, they don’t seem to be paying attention.  According to one recent study, even on Facebook (the subject of endless media focus on privacy) 25% of users don’t use privacy controls.  So if users don’t care, why should you?  Believe it or not, I get this question all the time: “Can’t I just copy a privacy policy from someone and then just paste it into a link?”

Yet even if no one (and I mean literally no one) looks at your privacy policy, if you accept personally identifiable information you need one.   A good one.  One customized for you and you alone.  Beyond the regulators-will-get-exceptionally-angry explanation (and you should not underestimate the power of an irritated regulator), there is another, self-interested reason for this – and it is both aspirational and practical. 

If you do not have a policy, your organization will have no sense of its limits.  Putting one together forces you 9and your team) to decide what it wants to be doing, and why.  It forces you to weigh the benefits against the risks.  In other words, it forces you to have a strategy. 

That normative function is great — but having a privacy policy also forces you to do an empirical analysis of what you’re doing right now.  A good privacy policy describes your activity with clear-eyed accuracy.  The process of drafting a privacy policy forces you to engage in a review of your marketing practices that allows you to get your arms around what is actually happening in your organization.  I can assure you that even sophisticated folks are often surprised by what they find.

So do people read your privacy policy?  Probably not.  Should you have one? In the immortal words of my eleven year-old son: duh!

…or 10 years old.  Given that commercial interaction with both minors and children under the age of 13 is both regulated and difficult to control, that simple fact should give all businesses pause for thought.   “But Legally Social Guy,” you say, a tear running across your downy cheek.  “I sell heavy machinery.  Or consulting services.  Or cars.  I don’t have to worry about such things!”  Oh yes you do! 

I have been fascinated to watch the Internet activities of my son and his friends, curious to see how parents view use of the Internet and whether there are any real controls on their online behavior.  As one might imagine, the situation is somewhat mixed: some parents are quite watchful, and others are shockingly laissez faire.  But regardless of parental involvement, you can be sure that children are looking at your web site.  Why?  It’s because of what I call ”search habits.”

The search habits of kids today are quite different than what adults experienced all those years ago.  Because information is presumed to be at your fingertips at all times, questions are meant to be answered, not left for another day.  Today, every time a child thinks a strange thought, or overhears a phrase that he or she does not perfectly understand, the first idea that crosses their mind is “I should go look that up on the Internet!”  On their phone.  Right now. 

Did your child just see a cool car?  She wants to look at every site that talks about that model.  Did your child see a bulldozer or a crane?  That will be his next search term.  Was there a billboard on the highway?  A commercial on television?  A pharmaceutical ad?  Kids look these things up — the idea that your site is “not attractive to children” has been, as they used to say in college theory classes, problemitized. 

What does that mean?  It means that instead of just considering whether you are intending, explicitly, to sell your wares or services to minors, you need to consider (a) whether there are scenarios that might attract children or minors to your site, and (b) what types of activity might actually take place there.  The details will, of course, vary significantly depending on your site and the manner in which you use it for your own marketing efforts, but do not assume that your site will never be viewed or accessed or used by folks without the ability to contract with you, and without the consent of parents.  Instead, consider the real world, and whether it has any impact on your obligations under the law.

It comes as no surprise to see that new polls show that folks are using social media sites at work at an ever increasing rate.  In fact, if any poll had shown otherwise I would have suspected it was wrong. 

But is this large-scale use of social media a good thing, or a bad thing, when done by employees at work, while on the clock.  As it is with most things in law, the answer is: it depends.

Are you the type of business where having your employees build social networks is a critical part of their job?  For example, trying to keep sales and marketing staff off of social media, for many businesses, would be tantamount to corporate suicide.  Connecting with people is what sales and marketing folks are supposedto do, and allowing them to do their job through electronic means is, in many cases, necessary.  That said, does every member of the administrative staff need access to Facebook?  Perhaps (depending on the type of business) but in many other cases perhaps not. 

The better question, however, is this: What are you trying to accomplishby permitting access?  Does the employee at issue do their job better if they are connected?  Is the employee happier because of it?  Will it distract them from their job, or help them do their job more effectively?  Are you working in a regulated industry (like the securities industry) where social media use could present a whole bushel of additional problems?  Or are you an entrepreneurial start-up where you need everyone on staff to be reaching out at all times to everyone they know?

These are the types of questions you should ask yourself regularly, becuase while there is no right answer applicable to every business, the wrong answer defnitively involves never asking the question in the first place.

Following up on yesterday’s post about German regulators growing impatience with Facebook’s privacy policies, we now have news of a Canadian class action.  According to the the most recent report:

The suit contends that Facebook subjected [the Plaintiff] to a breach of privacy and the misappropriation of his personal information. It also alleges that Facebook intentionally used his information for commercial purposes, calling the company’s actions “malicious, deliberate, and oppressive.”

Actually, Malicious, Deliberate and Oppressive LLP would make an excellent name for a law firm, perhaps as co-counsel with Poor, Nasty, Brutish and Short LLP.  You see — I can never stop thinking about branding!

In any event, beyond the merits of this case (and Facebook, as might be expected, believes the case to be frivolous), these recent developments raise an interesting question: are lawsuits relating to social media privacy practices simply inevitable?

The answer, unfortunately, is almost certainly yes.  Consumer protection statutes in many states, and in a variety of other nations, are intentionally composed to capture a broad range of malevolent behavior.  As we all know, one of the real values in social media is in capturing information about the public.  The capture and use of data can often be spun (whether legitimately or not) as somehow predatory or deceptive.  Thus, the inevitability of lawsuits. 

That does not mean, however, that social media should be off the table.  In fact, the correct response is almost exactly in opposition to that view.  There is no way to completely eliminate risk in any activity that does not involve sitting alone in a padded room.  Social media engagement involves a significant potential opportunity, despite the risks.  Rather than run away, we should recognize that the risks are not large and, more importantly, are manageable.  When we systematically approach the ways in which we use and interact with social media, it becomes quite easy to identify the risks we are taking.  By modifying our behavior or pricing in the risk to the cost of our effort, we can easily manage whatever additional risks we have tkane upon ourselves. 

Moreover, as part of the equation, we must also consider the risk we take by doing nothing — for not engaging with social media may present an even larger risk than anything we might do on our Facebook page.