The class action privacy lawsuits faced by Facebook and Zynga should scare every social and mobile app developer and make them question their own legal footing in this rapidly changing digital media entertainment landscape.
The plaintiffs in Graf v. Zynga and Swift v. Zynga and Facebook make some shocking allegations. Regardless of those cases’ merits, they should put every app developer and social media site operator on notice: your users are not afraid to sue you.
Lawsuits will kill your business. Period. Lawsuits are costly to defend and to settle or, if validated in court, to pay out. They can also be a costly PR nightmare. A class action lawsuit over disclosure of user PII (personally identifiable information) to third parties can kill your business, even if your disclosures were unintentional.
Are you scared yet? Good. Now, here are three things you should know to help minimize the risk that you will be sued in a Zynga-like class action lawsuit.
1. Don’t Share Users’ ID Numbers or Other Personally Identifiable Information
Duh! This should be a no-brainer, but it can be trickier to implement in practice. The problem, as recent Wall Street Journal articles and the Graf complaint make clear, is with what are known as “referrer headers.” A referrer header carries the URL of the referring page, which the browser transmits to any website the user clicks through to. In the case of social apps that contain clickable advertisements, the referrer header is part of the information transmitted to an advertiser whenever a user clicks on an ad.
In this context, advertisers are called “third parties” because they are the “third” party, where the user and the app / app developer are the first two. The WSJ and multitudes of other articles have already detailed why this problem arises, so I won’t go into detail about it here. Facebook has said its disclosure of Facebook user names or ID numbers to advertisers, including Google and Yahoo, was “due to the way browsers work” and “unintentional.”
Still, it’s unclear whether Zynga and Facebook will have to pony up for these practices anyway, even if their disclosure of millions of users’ PII was unintentional. The best course of action for a social app or networking site operator is to do everything they can not to share their users’ PII. Facebook itself has published a blog post providing technical tips for addressing the “referrer header” problem.
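How the referrer leak described above arises on an ad click, and which browser referrer policies prevent it, as an added example (not code from this post, Facebook or Zynga). The URLs, the `uid` parameter and the ID value are constructed; the policy names are the standard Referrer-Policy values, which the post itself does not mention.

```javascript
// Added example: which Referer value reaches an advertiser under each policy.
// PAGE, AD and the uid value are constructed sample data.
const PAGE = "https://apps.social.example/game/play?uid=1234567890#lobby";
const AD = "https://ads.thirdparty.example/click?campaign=42";

// Serialize the referring URL the way a browser does: credentials and the
// fragment are never sent; originOnly trims it down to scheme + host.
function serialize(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when none is sent.
// Simplification: "downgrade" here means an https page linking to non-https.
function refererSent(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  const same = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return serialize(pageUrl, false);
    case "origin": return serialize(pageUrl, true);
    case "same-origin": return same ? serialize(pageUrl, false) : null;
    case "strict-origin": return downgrade ? null : serialize(pageUrl, true);
    case "origin-when-cross-origin": return serialize(pageUrl, !same);
    case "no-referrer-when-downgrade":
      return downgrade ? null : serialize(pageUrl, false);
    case "strict-origin-when-cross-origin":
      if (same) return serialize(pageUrl, false);
      return downgrade ? null : serialize(pageUrl, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the Referer would hand the third party one of the identifiers.
function leaksIdentifier(referer, ids) {
  if (referer === null) return false;
  let text = referer;
  try { text = decodeURIComponent(referer); } catch (e) { /* keep raw text */ }
  return ids.some((id) => text.includes(id));
}

// Audit the sample ad click under several policies.
function auditPolicies(policies) {
  return policies.map((policy) => {
    const referer = refererSent(PAGE, AD, policy);
    return { policy, referer, leaks: leaksIdentifier(referer, ["1234567890"]) };
  });
}
console.log(auditPolicies(["no-referrer-when-downgrade", "origin", "no-referrer"]));
```

Keeping user identifiers out of page URLs altogether removes the leak regardless of policy; the policy only limits what the browser forwards.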
2. Control Your Ad Network or At Least Know Your Advertisers
If you’re using a third-party ad network, then you can leverage your relationship with your network to weed out less scrupulous advertisers and put pressure on a questionable advertiser. At the very least, you can get a point of direct contact with an advertiser to work with them if they’re pestering your users with false or misleading advertisements. This will certainly help reduce the risk of incurring a Swift-like lawsuit. There, the plaintiff alleged – among other things – that one of Zynga’s advertisers charged her bank account $165.85 even after she had canceled the advertiser’s “risk free trial” she initially subscribed to in order to earn virtual currency in one of Zynga’s games.
These types of “lead-generation” advertisers may be one way for you to quickly monetise your social app or website, but I think we can all agree they are also a sure-fire way to upset your users and get sued as Zynga and Facebook have been in the Swift case. Control your ad network and exclude these types of “lead gen” advertisers if you can.
3. Use a Double or Triple Opt-In Process to Get Users’ Specific and Informed Consent if You Need to Share Their Information
There may be some social apps or websites that must, as a necessary part of their service, share some of their users’ PII with their advertisers. Let’s say you have a social app that serves advertisers’ coupons that are hyper-targeted to who a user is, what their tastes are and where they are located. Your app therefore needs to send your advertisers some personally identifiable information in order to do so. That’s a perfectly legitimate application that could be very valuable to many users. If disclosure of this information is what is happening on the back-end, then you should get specific and informed consent from your users to do so on the front-end. Spell out exactly what information is being shared and how, when and why that information is being used when they sign up for your social app or Web service.
Use a double opt-in (such as responding to an e-mail) or even a triple opt-in (such as also responding to a text message) process to get consent for all of this. Getting specific and informed user consent helps minimize the risks of lawsuits in the first place, and provides you with defenses against certain federal claims such as those alleged in the Graf case.
The law in this area is not yet settled, and you can bet that there will be innovative, new ways for users to sue social app developers and social media site operators if users feel they’ve been wronged. For example, do users have personal rights or property rights in their personally identifiable information? Many of the leading legal scholars in the area (see Information Privacy in Cyberspace Transactions and It’s Personal But Is It Mine?) and even White House officials seem to think so, but the courts have been slow to recognise these rights. If personal or property rights in PII become the legal norm, then misappropriating and misusing users’ personal information could open developers to class action lawsuits for other claims based on negligence, theft, conversion, trespass or breach of duty, in addition to the claims presented in the Graf and Swift cases.
As innovative, new practices using PII are developed in the social app and social media space, app developers and site operators should review their practices with a legal counsel who is knowledgeable in this area. It’s a very fine line between avoiding these types of lawsuits and playing the game in the “Scamville Social Gaming Ecosystem of Hell.”
This post was contributed by Jason Pu, Business Attorney and Outside General Counsel at Jason J. Pu, Esq. He can be reached at jasonjpu at gmail dot com.