Enforcement Action by Federal Trade Commission Highlights Importance of Social Media Guidelines for Employees

Employees who post reviews of their employer’s products and services on social media sites, without disclosing their corporate affiliation, can land their employer in an FTC enforcement action. The FTC’s second enforcement action for violation of the agency’s endorsement guidelines, announced on August 26, makes this point.

According to the FTC, Reverb Communications, an on-line public relations firm, sought to boost sales of its clients’ gaming applications by having its employees post positive reviews on iTunes. Over the course of nine months, Reverb employees, posing as disinterested users, gave clients’ games a rating of 4 or 5 and posted comments, such as “Amazing new game,” “ONE of the BEST,” and “Really Cool Game.” According to the FTC, these reviews were misleading because they did not, as suggested, come from independent, ordinary consumers, but from Reverb employees who had a financial incentive to provide a positive endorsement.

In the agreement resolving the FTC’s complaint, Reverb agreed, among other things, (a) not to permit its employees to endorse any product without conspicuously disclosing the employee’s connection to Reverb and/or the manufacturer or advertiser of the product; (b) to take reasonable steps to remove the endorsements that were posted without full disclosure; (c) to maintain for five years all documents related to the company’s compliance with the agreement; and (d) to obtain for five years all current and future employees’ acknowledgement of receipt of the company’s agreement with the FTC.

New Background Check Mobile Web Application May Jeopardize FCRA Compliance Obligations

“BeenVerified” is a new mobile Web application that allows users to conduct background checks on any individual by merely entering the name or email address of the individual. Users get three free background checks monthly and unlimited checks for a monthly fee of only $8. BeenVerified has been a smashing success, with more than one million checks run to date.

HR professionals, recruiters, managers, and co-workers may find BeenVerified hard to resist. According to the application, users can check an individual’s “Criminal History, Property Records, Current Contact Info, Relatives, Neighbors, and more,” merely by entering an individual’s name. By entering an email address, the user can find out about the individual’s social networking activities and view “their online photos, websites, blog posts, and entire online presence.” All of the data is compiled into a concise report.

Despite its ease of use and apparent low cost, the BeenVerified app may expose employers to liability under the federal Fair Credit Reporting Act (FCRA) and analogous state laws. These laws prohibit background checks for employment purposes without providing notice and obtaining the subject’s prior, written authorization. The FCRA permits recovery of compensatory damages, including statutory damages for willful violations, and a fee award.

Although BeenVerified states that information obtained “should not be used for employment, tenant screening, or any FCRA related purposes,” the potential for abuse exists. HR professionals, recruiters, managers, and co-workers now have the ability to review financial, criminal, and other personal information about subordinates, co-workers, and applicants without any safeguards to protect against violations of federal and state background check laws. As a result, employers should consider implementing a policy that prohibits employees from using the application to obtain information about any other employee unless the user has complied with the FCRA’s notice and authorization requirements.

This entry was written by Philip L. Gordon and Jennifer L. Mora.

Caveat Employer: Let the Employer Beware of Employee Endorsements on Social Media Websites

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”), which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce, to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

Firestorm Over Change in Facebook's Privacy Settings Has Important Implications for Employers

This past week, Facebook asked each of its 350 million users whether they wanted to change their privacy settings to new settings offered by Facebook. The request ignited a firestorm among privacy advocates who believed that the changes meant less privacy for users. At the same time, the request forced users to consider their old settings and whether to change them to the new ones. The Financial Times reported that, according to Facebook, before this week’s rollout of the new settings, only 15% to 20% of users had changed their default privacy settings, but in response to the inquiry about changing their privacy settings, 50% of users — approximately 175 million users — had made changes.

The Legal Perils of Social Media & Social Networking: Questions & Answers

On September 29, 2009, Littler Mendelson presented a webinar, hosted by HR.com, entitled, “Legal Perils of Social Media & Social Networking: What Every Employer Needs to Know.” Several of the attendees submitted questions by e-mail that could not be answered during the time allotted for the webinar. The answers to those questions are below.

Question: Because of the sketchy and inconsistent nature of HR policy around this topic, it seems reasonable for employees to ask for definition from their employers regarding use of social media to avoid being surprised should there be a potential issue. Would you agree?

Response: I would agree. The intersection of social networking sites and work is so new that accepted etiquette, custom, or norms have not yet developed. Employers can address this problem by establishing a policy that provides easily understood guidelines for employees’ social media activities whether authorized by the employer or not. Training also is very important in this area. Employers need to train managers and employees on how to respond to and handle the many complicated issues raised by the intersection of work and social media activity.

To Recommend or Not To Recommend: The LinkedIn Conundrum

Several employment lawyers recently have debated whether employers should permit their employees to “recommend” a former employee on LinkedIn. The debate began after a National Law Journal article quoted two management-side attorneys who counseled against permitting such recommendations. According to these lawyers, a positive recommendation arguably could provide evidence of pretext in a discrimination lawsuit if the former employee who is the subject of the recommendation had been terminated for poor performance. The contrarians in the debate contend that this scenario is unlikely to occur and even if it did, the LinkedIn recommendation would not be particularly persuasive evidence of pretext.

Both sides have their points, but, in my view, neither side has the answer. Experienced employment litigators know that in the “wrong case” a positive LinkedIn recommendation could result in the denial of summary judgment — or worse, an adverse jury verdict — and accompanying recriminations for not having advised the defendant to prohibit such recommendations. At the same time, implementing a policy to avoid the unusual case where a manager is willing to make positive public proclamations about a litigious poor performer denies the employer the benefit of whatever good will might result from these LinkedIn recommendations.

Verdict Against Houston's Restaurant Demonstrates Risks of Accessing Employee's Restricted Social Networking Sites

Ranting on the Internet about one’s employer has become commonplace. When these rants appear on publicly accessible Internet pages, employers can access them, and, except in limited circumstances, can take adverse action based on the posting’s contents. As a recent adverse jury verdict demonstrates, employers who access a restricted social networking site without proper authorization can face liability under federal and state laws intended to protect personal privacy. The risk will increase as employees use increasingly sophisticated privacy settings to limit access to their personal social networking pages.

For a detailed discussion of this development, see Littler's ASAP "Verdict Against Houston's Restaurant Demonstrates Risks of Accessing Employee's Restricted Social Networking Sites" by Philip L. Gordon.

For more background on this case, see our prior blog post.

Minnesota Appellate Court Rules that Temporary Posting of Medical Information on MySpace.Com Supports a Privacy Breach Claim Even if Seen by Only a Few

Even a brief posting of private information on an Internet site amounts to “publicity per se” sufficient to support a civil action for invasion of privacy, according to a three judge panel of the Minnesota Court of Appeals in Yath v. Fairview Clinics, filed June 23, 2009. Candace Yath was a patient at the defendant clinic, where she sought testing for sexually transmitted diseases because she had a new sex partner. She was observed there by a clinic employee, Tek, who was an acquaintance. Tek later (and in violation of clinic policy) accessed Yath’s medical file, learning of Yath’s new sex partner (Yath was at the time married but estranged from her husband) and that Yath had been diagnosed with a sexually transmitted disease. Tek informed a second person, also an acquaintance (and relative) of Yath about the medical file information. Word soon spread to a group of people, including Yath’s husband.

One month later a web page appeared at MySpace.com bearing the title “Rotten Candy,” and including a photo of Yath and the contents of her medical file. The MySpace page asserted that “Rotten Candy” has a sexually transmitted disease, had recently cheated on her husband and was addicted to plastic surgery. After learning about the Internet posting, the clinic manager investigated. When the manager first accessed the webpage, it listed only six “friends,” indicating that at least six persons had accessed the page. When the manager tried again to access the web page, one or two days later, the webpage had been removed.

Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

A "Friend" Indeed? Attorneys' Use of Third Parties to Gain Access to Social Networking Sites Could Result in Discipline

The explosive growth in Facebook and MySpace pages has created a fertile ground for evidence-gathering by trial lawyers. However, these websites enable users to establish privacy settings, and to serve as “gatekeepers,” to control who can gain access to their posted material. One privacy setting limits access to those whom the user has accepted as a “friend.” An attorney who is not on the user’s “friends list,” in theory, could effectively circumvent the user’s gatekeeping by asking a third party to send a friend request to the user. Many social networking users are not particularly selective when it comes to making “friends.”

The Philadelphia Bar Association’s Professional Guidance Committee recently addressed the ethics of this stratagem, cautioning that it is unethical for an attorney to use a third party to “friend” a Facebook user who is a litigation witness for purposes of obtaining information that the attorney might use to impeach the witness.

The Committee’s advisory opinion found that an attorney violates rules of professional conduct by gaining access to a private (“invitation only”) social network site by way of deception. Specifically, the opinion explains that by not disclosing to the potential witness the third party’s affiliation with the attorney, the attorney has omitted a “highly material fact” and has “purposefully conceal[ed] that fact from the witness for the purpose of inducing the witness to allow access.” Presumably, had the witness known the “whole story” and the true motivation behind the third party’s friend request, the witness would not have permitted access to his or her social network profile.

Houston's Case Might Shed Light on How Far Employers Can Go to Access Employees' Restricted Social Networking Profiles

How far can employers go to access an employee’s restricted social networking profile? A case scheduled for trial next month in New Jersey’s federal district court may give employers and employees alike a better understanding of what it means to engage in “private” on-line social networking.

In March 2006, Brian Pietrylo, an employee at Houston’s Restaurant in Hackensack, New Jersey, created a discussion group about his workplace on his personal MySpace web page. He flagged the group as private and described its purpose as follows: to “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.” The group was accessible only by invitation. Those who accepted the invitation became members and could log on at any time.

One group member, a Houston’s hostess named Karen St. Jean, showed the discussion group to a manager during a dinner party. The circumstances underlying upper management’s access to the group are disputed, but all parties agree that another restaurant manager soon became aware of the group and asked St. Jean for her sign-in information, which she provided. Houston’s management found sexual comments about employees and customers, disparaging jokes about company practices, references to drugs and violence, as well as a copy of an employee wine test. Because of their findings, the restaurant terminated the employment of Pietrylo and another contributing employee, Doreen Marino.

No Invasion of Privacy for Publication of MySpace Posting

A California appellate court rejected the invasion of privacy claims of a UC Berkeley student whose online rant against her hometown resulted in a firestorm of negative publicity and fierce reaction from local residents. Cynthia Moreno wrote “An Ode to Coalinga” and posted it on her online journal on her MySpace page. In the ode to her hometown located in central California, Moreno ranted against the town and its inhabitants. The local newspaper published the ode after the town’s high school principal sent the newspaper a copy printed off the internet. Unfortunately for Moreno and her family, the town’s residents reacted violently and forced Moreno’s family to shut down their business and move out of town.

In Moreno v. Hanford Sentinel, Inc., et al., the California court of appeal held that Moreno cannot state a claim for invasion of privacy because her MySpace posting was available to the public. This was the case even though she had intended the posting only for her MySpace friends, removed the posting after six days, and the posting did not include her last name. The court found that once the ode was posted on MySpace, it was available to the public; and her MySpace page included her identity and her picture. Therefore, the court held that she could not have had a reasonable expectation of privacy. Nor could her family state a privacy claim because the right of privacy is purely personal. The appellate court did, however, send the case back to the lower court to decide Moreno’s claim for intentional infliction of emotional distress.

The decision confirms that employers can review a prospective or current employee’s online postings that are readily accessible to the public, even if intended for just the author’s friends on a social networking site. Employers do need to tread with more caution, however, before accessing a social networking profile or other on-line forum that is password protected or otherwise restricted. The decision in Moreno would not apply to such sites because access to the MySpace page in that case was unrestricted.

This entry was written by Gregory Iskander, Of Counsel in Littler's Walnut Creek office.

First Federal Court Decision to Uphold "Termination" Based on MySpace Content Rejects First Amendment Claim of the "Drunken Pirate"

Student teacher Stacey Snyder lost her chance to earn a teaching certificate largely because of content that she posted on her MySpace page. The page included a picture of Snyder, captioned “Drunken Pirate,” in which, according to Snyder’s trial testimony, she wore a pirate’s hat, was drinking a “mixed beverage,” and had a “stupid expression on my face . . . giving the peace sign . . . expressing myself at the moment, basically peace, love happiness . . . .” The page also contained a post in which Snyder implied that the teacher who was supervising Snyder’s participation in the student teacher program, Nicole Reinking, was the reason that Snyder would not apply for a job at Conestoga Valley (CV) High School in Pennsylvania after completing the program.

Unfortunately for Snyder, a CV High teacher viewed the picture and the post and gave a copy of both to Reinking. Reinking, who had not been pleased with Snyder’s performance even before receiving the MySpace content, promptly complained to her supervisor who, in turn, brought the MySpace content to the attention of the school’s superintendent. He suspended Snyder from the student teacher program. In her final evaluation from Reinking and from her supervisor at Millersville University — where Snyder was pursuing her teaching certificate — Snyder received an “unsatisfactory” rating for “professionalism.” That rating disqualified Snyder from earning a teaching certificate.

Snyder sued Millersville University in federal district court in Philadelphia, alleging that the university had violated her First Amendment rights by denying the teaching certificate based largely on the MySpace content. In what appears to be the first published decision addressing an adverse action (at least akin to an adverse employment action) based upon content on a social networking site, the court, after a two-day bench trial, rejected Snyder’s First Amendment claim and denied Snyder’s request for an order compelling Millersville University to award her a teaching certificate.

The decision is important for private employers, but not because of its legal underpinnings, which turned largely on legal issues that are irrelevant to the private workplace (i.e., state regulations applicable to student teachers and First Amendment jurisprudence concerning speech by public employees and students at public schools). While the applicable legal framework created substantial obstacles, the more significant problem for Snyder (apparent to any experienced trial lawyer reading between the lines of a carefully crafted opinion) was the unsympathetic posture of her factual position.

What To Do About Corporate "Twitter"?

Some companies, like on-line retailer Zappos.com, are sponsoring corporate twitter sites. What is “twitter”? According to Twitter.com, “Twitter” is “a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?” A review of Zappos’ twitter site suggests the answer to that question rarely is “working.” Are Zappos employees unwittingly creating the justification for terminating their employment, or has Zappos—in an effort to foster unrestrained twittering—assured its employees that their “twittering” would not be used against them in a court of law?

We don’t know the answer to those questions, but we do know that any employer seeking to cater to the “Twitterites” in its workforce should first consider some tough legal issues. How will the company react when an employee twitters that she is “organizing a union” or “complaining to her buddies about all that overtime”? Would a Twitterite ever be so frank or uncool? How does a business respond to a Twitter record that, in fact, does show that an employee seems always to be doing something other than work during working hours? Twitter actually is quite good for identifying slackers because each Twitter post includes the date and time of posting. Yet this begs another question: How will the company extend a “litigation hold” to Twitter after receiving a preservation demand from a sophisticated plaintiff’s lawyer who specifically identifies "Twitter" as one category of information that purportedly must be preserved?

The point of this post is not to provide answers, but rather to highlight that each new generation of “cool corporate communications tools” brings some tough legal issues to the forefront. Those issues should be thoroughly discussed before an employer rushes headlong into an embrace of the next new thing.