Topic: Social media
Who: Committee of Advertising Practice (“CAP”) / Information Commissioner’s Office (“ICO”)
When: June 2013
Where: United Kingdom
Law stated as at: 10 July 2013
What happened:
CAP and the ICO have both recently published new guidance which may be useful to marketers using social media.
ICO guidance: Social networking sites and online forums
The new ICO guidance focuses on the application of the Data Protection Act 1998 (“DPA”) to social networking websites and online forums.
The guidance clarifies that organisations that use social networking sites and online fora must comply with the requirements of the DPA when processing personal data. This also applies to individuals if they are processing such data for non-personal reasons.
Whether an individual is processing data for non-personal reasons will depend on the facts, as indicated in the guidance. For example, a sole trader using social networking sites and online fora for business purposes and processing personal data in doing so would clearly be processing data for non-personal reasons. The ICO guidance provides a lot of detail on the personal purposes exception, such as when it will apply to groups of individuals, including clubs and societies.
Organisations and individuals processing data for non-personal reasons have responsibilities under the DPA when they post personal data on their own or a third party website or download and use personal data from a third party website. If they are running an online forum or social networking site they will also be subject to the DPA when processing contact information or other personal data about its users or subscribers.
Responsibility for third party content
Whether those running online forums or social networking sites have obligations in relation to personal data posted on their sites by third parties has traditionally been less clear cut. Where they take an active role moderating content before it is posted, they would clearly be considered a data controller. However, the new ICO guidance suggests that they will also be considered a data controller if they only allow posts subject to terms and conditions which cover acceptable content, and if they can remove posts when these policies are breached, as they will still, to some extent, be determining the purposes and manner in which the personal data is processed.
One upshot of being considered data controller in this context is that there is consequently a duty on the site owner to take reasonable steps to check the accuracy of any personal data that is posted on the site by third parties and is presented as a “matter of fact”.
The ICO recognises that what constitutes reasonable steps will depend on the circumstances, such as the nature of the site and the extent to which the person or organisation running the site moderates content.
For example, the ICO indicates that it would not expect a large social networking site to check all posts for accuracy, but would expect it to (a) have clear and prominent policies for users about acceptable and non-acceptable posts, (b) have clear and easy to find procedures in place for data subjects to dispute the accuracy of posts and ask for them to be removed, and (c) respond to disputes about accuracy quickly and have procedures to remove or suspend access to content, at least until such time as the dispute has been settled.
You can read the full ICO guidance here.
CAP guidance: The rules of social engagement
CAP recently provided some helpful tips on marketing via social media too.
An important recommendation in CAP’s guidance is that advertisers should make sure user generated content is appropriate if it is incorporated into their advertising. It needs to be responsible, accurate and not misleading, harmful or offensive. For example, where an advertiser is positively inviting a conversation, for example through a promotional question such as “How have you used our service today?” then CAP would expect the advertiser to monitor the user generated responses on pages under their control accordingly to ensure that advertising rules were not being breached.
Another key point is that advertisers must make it easy for the average consumer to be able to judge whether or not they are seeing an ad. In the event that an advertiser gets a celebrity to endorse their brand, then they too have to adhere to this rule. On Twitter, CAP has suggested that advertisers use #spon or #ad to make this obvious.
The guidance also advises that advertisers should take care to target their ads suitably when using social media and consider whether the content of an ad is appropriate given where it will be displayed and who it will be seen by. The CAP Code obviously places much emphasis on protecting children, for example. CAP also suggests that advertisers should be careful when running competitions on social media website and take the same precautions as they would offline, e.g. by providing terms and conditions upfront.
The full CAP guidance note is available at: http://www.cap.org.uk/News-reports/Media-Centre/2013/The-rules-of-social-engagement.aspx.
Why this matters:
Social media is becoming an ever more important tool for brands looking to market their products and services, offering an excellent opportunity to interact with an audience, often for relatively little financial outlay.
However, the ICO and CAP guidance clearly demonstrates that marketers should approach social media campaigns with the same diligence that they would when preparing other ads, as the usual advertising and data protection laws will still apply.
Mark Smith
Osborne Clarke