Wednesday, April 15, 2009

Social Media, Banking and the Communications Decency Act

Social media is dependent upon communal participation. Members of a social media community such as Facebook, MySpace, Twitter, etc, share everything from names, professions and scholastic and corporate affiliations to names and photos of family and friends as well as up-to-the-minute updates on current events. Little is too personal on social media, and the greater the extent of the sharing the greater the reward for all involved. That's why it's called "social" media.

As in the non-Internet world, users of social media often do and say things that are not always appropriate - whether intentional or not. Examples include the posting of a piece of confidential or inappropriate information about oneself, one's company or an acquaintance (have you seen the latest Domino's video?). Such communication can take the form of a written comment, photo, video or other form of communication. These actions can result in claims of defamation, incorrect statements of fact, harassment, etc. And in Domino's case, a temporary loss of revenue and a ding on the company's brand.

Unfortunately for social media operators, including banks that host their own social media platforms (e.g., Bank of America's Small Business Online Community), those adversely affected tend to include social media operators (in the context of this article, banks that host a social media site). Fortunately for social media operators operating in the U.S., there exists some form of protection against these claims.


Section 230 of the Communications Decency Act ("CDA") of 1996 is a landmark piece of Internet legislation. Section 230(c)(1) of the CDA provides immunity from liability to providers and users of an "interactive computer service" that publishes information provided by others (user-generated content). Courts generally apply the following three-prong test to determine whether a defendant is subject to the protections afforded by Section 230.
  1. The defendant must be a "provider or user" of an "interactive computer service;"

  2. The cause of action asserted by the plaintiff must treat the defendant as a "publisher or speaker" of the harmful information at issue; and,
  3. The information must be "provided by another information content provider," (i.e., the defendant must not be the information content provider of the harmful information at issue).

This section of the CDA was enacted to enhance free speech by making it unnecessary for Internet service providers and other service providers to unduly restrict customers' actions for fear of being found legally liable for customers' conduct. This law effectively protects social media operators since it covers computer services that involve user-generated content.

As a result of its effective protections, Section 230 is considered quite controversial because courts have interpreted Section 230 as providing complete immunity to Internet service providers and other service providers with regard to torts committed by their users. Critics of Section 230 are primarily concerned with its effectiveness at leaving victims with no hope of relief in instances where the true tortfeasors cannot be identified or are judgment proof.

Courts have upheld Section 230 in a variety of factual contexts and on numerous legal theories, including posting of:

  • Defamatory information;
  • Opinions;
  • Private information;
  • False information;
  • Pornographic information;
  • Harassing commentary; and,
  • Discriminatory and/or illegal advertising.

Section 230, however, is not absolute protection. For example, plaintiffs have successfully argued in a handful of cases that an "interactive computer service" was not entitled to Section 230 immunity because the person or entity in question was an "information content provider" with respect to the information at issue, thereby failing the third test noted above.

Notwithstanding certain plaintiff successes, generally the social media operator is protected against liability for postings made by others so long as the operator does not contribute in whole or in part, in the creation or development of the content and provides a mechanism for detecting objectionable content.

As such, in order for social media operators (e.g., banks) to obtain the maximum protection under Section 230 of the CDA, the operator should strictly adhere to the following:

  • Do not alter any contribution of user-generated content. To the extent that user-generated content is repackaged - no matter how insignificantly, the social media operator potentially voids one of the three tests and risks exposure. Competent legal counsel should opine on the risk to the social media operator to the extent that any user-generated content is repackaged or reformatted.
  • Maintain the ability for users to alert the operator of questionable content. Users should at all times be provided with the ability to report user-generated content that violates the terms of use or is generally considered offensive or specifically offensive. Additionally, users should be provided with the ability to promptly delete user-generated content that is directly posted to their profiles or personal space within the social media platform.
  • Maintain formal policies and procedures for addressing complaints of questionable content. The policies should include both external terms of use policies and internal policies and procedures for the timely management of complaints. Periodic audits and compliance with recommended corrective actions should be performed and well documented to serve as support in the event of legal action.
  • The Terms of Use should explicitly state that the user is fully responsible and liable for any legal action attributed to their user generated content and the TOU should include indemnification language that contractually indemnifies the social media operator as a result of user-generated content. Any subsequent changes to the TOU should require the user to accept the changes prior to permitting the user access to the social media platform.

With more and more banks considering the addition of social media capabilities, such as product review and ratings, banks need to ensure that they implement a set of policies and procedures that ensures ongoing compliance with the CDA. Compliance is not difficult but nonetheless, it must be addressed as part of any implementation process.

Be wary of social media consultants that are not able to connect the dots between the practical implementation and legal compliance with the CDA. Consultants, whether in-house or external, should provide a product that is compliant as well as a set of end user terms that maximize protection.

[This blog is not to be considered legal advice. ]

No comments:

Post a Comment