LinkedIn’s expanded and more intelligible privacy policy

LinkedIn recently announced an update to its privacy policy and user agreement in a blog post titled Updating LinkedIn’s Privacy Policy. Although LinkedIn updated the user agreement too, the emphasis was more on updates to its privacy policy. The new policy expands on a number of issues and reinforces the extent to which users need to take responsibility for their actions when using the service.

Updated user agreement

The user agreement remained substantially the same as the previous version. The big change is more about layout and accessibility improvements. The new version makes use of summaries in a side panel which highlight the key points in the somewhat denser text in the main body of the document.

Other helpful features of the new version are a reminder about the contractually binding nature of the user agreement as well as a summary of the changes to this version (LinkedIn published a changes summary with its previous version in October 2012).

Updated privacy policy

The privacy policy received the same visual overhaul as the user agreement. An appealing change to the privacy policy which wasn’t applied to the user agreement is the use of a series of icons that remind me of the Mozilla-originated Privacy Icons project which was established to bring more clarity to privacy policies using descriptive icons. Although the icons in the LinkedIn privacy policy don’t go quite in the same direction or as far as the Privacy Icons project, they are helpful in ascertaining, at a glance, what the various sections are about.

One of the fundamental clauses in the privacy policy is the clause titled “Consent to LinkedIn Processing Information About You” which reminds users about the effect of the policy:

The personal information you provide to us may reveal or allow others to identify aspects of your life that are not expressly stated on your profile (for example, your picture or your name may reveal your gender). By providing personal information to us when you create or update your account and profile, you are expressly and voluntarily accepting the terms and conditions of LinkedIn’s User Agreement and freely accepting and agreeing to our processing of your personal information in ways set out by this Privacy Policy. Supplying information to us, including any information deemed “sensitive” by applicable law, is entirely voluntary on your part. You have the right to withdraw or modify your consent to LinkedIn’s collection and processing of the information you provide at any time, in accordance with the terms of this Privacy Policy and the User Agreement, by changing your Settings or by closing your account.

The new privacy policy goes into quite a bit more detail about what personal information it collects from you and what it does with that personal information. For example, in the 2012 version, the privacy policy says the following about registration information:

When you register an account to become a LinkedIn user (“User”), such as your name, e-mail, employer, country, and a password.

In the new privacy policy, LinkedIn uses a more detailed clause:

To create an account on LinkedIn, you must provide us with at least your name, email address, and a password. You can choose to provide further information about yourself during the registration process (for example, your gender and location). We use this additional information to provide you with more customized services like language-specific profile pages and updates, more relevant ads, and more valuable career opportunities, and it may appear on your LinkedIn profile that is viewable by others. You understand that, by creating an account, LinkedIn and others will be able to identify you by your LinkedIn profile, and you allow LinkedIn to use this information in accordance with this Privacy Policy and our User Agreement. We may also ask for your credit card details if you purchase certain LinkedIn services.

Some clauses are entirely new and relate to LinkedIn’s expanded service offering. The clause dealing with “Address book, LinkedIn Contacts, and other services that sync with LinkedIn” deals largely with LinkedIn’s contacts import feature and its new LinkedIn Contacts app which combines contacts on your device with interactions on LinkedIn and select 3rd party services like Evernote and Tripit. This functionality introduces an interesting challenge, especially given LinkedIn’s professional focus. Users can add their contacts’ contact details and that information potentially has considerable value (imagine the value of, say, Richard Branson’s mobile number if you are fortunate to have it?).

LinkedIn allows users to remove data they have introduced to LinkedIn, to a degree. The following clause is part of the Address book clause:

Any information that you upload or sync with LinkedIn is covered by the User Agreement and this Privacy Policy. You can remove your information at your convenience using the features LinkedIn makes available or in accordance with Section 3. We collect information when you sync non-LinkedIn content—like your email address book, mobile device contacts, or calendar—with your account. We use this information to improve your experience. You can remove your address book and any other synced information at any time.

The user agreement’s relevance is largely that it contains license provisions which apply to content users submit to LinkedIn (for example, an image of Richard Branson’s business card submitted with LinkedIn’s CardMunch app). These provisions state the following (I highlighted some of the more interesting words and phrases):

You own the information you provide LinkedIn under this Agreement, and may request its deletion at any time, unless you have shared information or content with others and they have not deleted it, or it was copied or stored by other users. Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss. By providing information to us, you represent and warrant that you are entitled to submit the information and that the information is accurate, not confidential, and not in violation of any contractual restrictions or other third party rights. It is your responsibility to keep your LinkedIn profile information accurate and updated.

Submitting information to LinkedIn requires users to take responsibility for what they are submitting. Bearing in mind that LinkedIn has extended its platform to 3rd party websites and services in a manner that is not all that different to Facebook’s Platform extensions (although Facebook seems to have taken more care to give its users options for removing information they submit to Facebook), sharing sensitive information with LinkedIn can have problematic consequences.

This is especially important bearing in mind LinkedIn’s “Indemnification” clause in the user agreement which provides as follows:

You agree to indemnify us and hold us harmless for all damages, losses and costs (including, but not limited to, reasonable attorneys’ fees and costs) related to all third party claims, charges, and investigations, caused by (1) your failure to comply with this Agreement, including, without limitation, your submission of content that violates third party rights or applicable laws, (2) any content you submit to the Services, and (3) any activity in which you engage on or through LinkedIn.

Although LinkedIn references your ability to close your account and remove your data from the service repeatedly, it may not be quite so simple. LinkedIn reserves the right to retain data after you have closed your account. This is not unusual but you should factor this into your planning when you share information:

We retain the personal information you provide while your account is active or as needed to provide you services. LinkedIn may retain your personal information even after you have closed your account if retention is reasonably necessary to comply with our legal obligations, meet regulatory requirements, resolve disputes between Members, prevent fraud and abuse, or enforce this Privacy Policy and our User Agreement. We may retain personal information, for a limited period of time, if requested by law enforcement. LinkedIn Customer Service may retain information for as long as is necessary to provide support-related reporting and trend analysis only, but we generally delete closed account data consistent with Section 3.A., except in the case of our plugin impression data, which we de-personalize after 12 months unless you opt out.

This policy operates on the basis of consents users give to LinkedIn through the privacy policy itself. As this warning, below, points out, you agree to the user agreement and privacy policy (and subsequent changes) when you use the service. It is your responsibility to read the user agreement and privacy policy carefully and make sure you both understand the documents and are comfortable that your intended use of the service falls within the scope of that governing contractual framework and your comfort levels.

LinkedIn’s privacy policy changes underscore a larger threat to users

LinkedIn has caused quite a fuss in the last few days with its changes to its privacy policy on 16 June 2011 enabling it to make use of users’ profile photos and names in what it terms “social advertising”, among other things. What is more interesting is how it gave itself the right to do this. The clause in the privacy policy dealing with this is 2(K) which states the following:

Advertising and Endorsements on LinkedIn

In order to deliver relevant and valuable ads to you and your network, LinkedIn may use your name and profile photo in connection with social advertising based on content shared on LinkedIn. This advertising may include the fact that you have recommended or endorsed a product or service on LinkedIn, followed a company, joined Groups or conversations, established or added content to your profile, etc., and will only be displayed to your LinkedIn network. You can opt-out of allowing your name and/or profile photo to be used in social ads here.

The mechanism LinkedIn uses to make changes to its privacy policy is set out in clause 5(C) which states the following:

Changes to this Privacy Policy

We may update this Privacy Policy at any time, with or without advance notice. In the event there are significant changes in the way we treat your personally identifiable information, or in the Privacy Policy document itself, we will display a notice on the LinkedIn website or send you an email, so that you may review the changed terms prior to continuing to use the site. As always, if you object to any of the changes to our terms, and you no longer wish to use LinkedIn, you may close your account. Unless stated otherwise, our current Privacy Policy applies to all information that LinkedIn has about you and your account.

Using the LinkedIn Services after a notice of changes has been sent to you or published on our site shall constitute consent to the changed terms or practices.

This mechanism is not unique to LinkedIn. It is common in virtually all website terms and conditions and privacy policies and is fairly essential for the ongoing maintenance of a site and its continued evolution. In South Africa this sort of change is permissible where the provider notifies users of the change in the service’s terms and conditions and gives users an opportunity to stop using the service.

What is problematic about this particular matter and how LinkedIn words its legal documents is the extent to which the terms and conditions and privacy policy go. I wrote about this in February 2009 and, at the time, argued that as bad as Facebook’s terms and conditions were at the time, LinkedIn’s are potentially far worse. At the time I first wrote about LinkedIn’s terms and conditions, I focused on the license provisions in its User Agreement which remain in the current version of the User Agreement. I wrote the following:

As I mentioned above, the license LinkedIn takes from its users is very broad and it bears repeating:

… a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, and use and commercialize, in any way now known or in the future discovered, anything that you submit to us, without any further consent, notice and/or compensation to you or to any third parties …

The license covers anything users submit to LinkedIn. This obviously includes biographical information but it also includes the valuable knowledge users share with each other in LinkedIn’s fora and Q&A service. These services include shared knowledge across a number of industries from users who are, themselves, frequently experts in their fields. All of this knowledge falls under the scope of this license and can be exploited commercially without any regard to its users’ wishes. They have, after all, agreed to these terms. Just to be clear, LinkedIn does not appear to claim ownership of this knowledge or information (in fact, given its position in the OpenSocial community and its association with organisations like Plaxo which advocate user control over their data, I suspect LinkedIn would deny any suggestion that it claims ownership of user content and knowledge) but its license is so broad as to parallel ownership rights. The only thing it seems not to claim is what is known as bare dominium which is the last vestige of ownership the user retains, along with his or her rights to exploit his or her own content and knowledge.

The license applies not just to content you may contribute directly to the service (for example, that biographical data Amanda referred to in her post) but also to “any User generated content, ideas, concepts, techniques and data” you submit to LinkedIn. In addition to the knowledge users submit through the Q&A service daily, consider the number of applications that are available to LinkedIn users and which enable users to “submit” slideshows from Slideshare, blog posts, travel data, uploaded files and business ideas and tips in its groups. If you contribute any information and knowledge through those or other tools, consider whether you are comfortable having that information and knowledge exploited for profit by the service that you perhaps expected to play the role of a facilitator and platform, rather than your competitor.

This controversy points to a larger threat to LinkedIn users and serves as a caution to people who use other services. The underlying changes to LinkedIn’s terms and conditions have occurred largely unseen (were you aware of the changes in June?) and even where they do bubble up to the surface, few users read the terms and conditions and the proposed changes until after they have been effected and the controversy hits the media. As LinkedIn’s current terms and conditions stand, LinkedIn stands to benefit considerably from users’ contributions to the service, and inordinately so. The social advertising issue is just icing on the cake. If you use LinkedIn extensively (at least, more than just maintaining a profile), it is a good idea to carefully consider whether you are comfortable with LinkedIn having the rights it has over your content and your profile data.

As users we have little cause for complaint if we fail to exercise basic due diligence and satisfy ourselves that we are comfortable with the rights our social services take in respect of our profiles and content.

Update: One of my contacts on Google+ pointed out this post on the LinkedIn blog which went up yesterday and which addresses the social ads issue fairly well:

Our core guiding value is Members First. And, with regards to the social ads we’ve been testing, we’re listening to our members. We could have communicated our intentions — to provide more value and relevancy to our members — more clearly.

Most importantly, what we’ve learned now, is that, even though our members are happy to have their actions, such as recommendations, be viewable by their network as a public action, some of those same members may not be comfortable with the use of their names and photos associated with those actions used in ads served to their network.

So, we will be changing how these types of social ads look, from this:

Before: Social Ads

To this:

After: Social Ads

Trust is the foundation upon which the LinkedIn platform is built. We’ll continue to work hard to earn and maintain your trust, while delivering the most valuable and relevant experience we can.

Your website terms and conditions may contain prohibited terms

I’m working on a particularly interesting challenge at the moment which was introduced by proposed regulations to the Consumer Protection Act which goes fully into force in a couple months. First a little background. The Consumer Protection Act will have a fairly radical impact on consumer rights in South Africa. One of the better publicized influences (and probably one of the more understated and yet more important ones) is the requirement that contracts be written in plain language. This requirement, alone, should have a dramatic benefit for consumers who have been confused by legal jargon for far too long. This is particularly important as contracts become increasingly complex to accommodate new legislation like the Consumer Protection Act, ironically.

The Consumer Protection Act prohibits a number of practices and this includes certain types of contractual terms. Section 48 of the Act deals with “Unfair, unreasonable or unjust contract terms” and section 48(1)(a) has the following to say:

48. (1) A supplier must not—

(a) offer to supply, supply, or enter into an agreement to supply, any goods or services—

(i) at a price that is unfair, unreasonable or unjust; or
(ii) on terms that are unfair, unreasonable or unjust;

The Act, itself, doesn’t give too many specific examples of which terms would be considered “unfair, unreasonable or unjust” although it does mention that terms which are “excessively one-sided in favour of any person other than the consumer or other person to whom goods or services are to be supplied” would be considered problematic.

The Trade and Industry Minister published draft regulations to the Consumer Protection Act for comment in November and one of the provisions in these draft regulations caught my eye. The draft regulations deal with a number of issues (the draft regulations run to about 96 pages) and right at the very end is section 56 which gives some substance to the Consumer Protection Act’s prohibition on contractual terms which are considered to be unfair and unreasonable. Section 56(o), in particular, proposes deeming the following types of clauses to be unfair:

enabling the supplier to unilaterally alter the terms of the agreement including the characteristics of the product or service

This seems fair, suppliers should be able to change contract terms and conditions that consumers have reviewed and agree to. Well, they seem fair until you consider that website terms and conditions are contracts with the website’s users and visitors and they generally contain a clause which allows the website owner to change the terms and conditions unilaterally. This common clause in website terms and conditions has an important, practical function. It allows the website owner to make what may be important changes to its contract with its users which may be necessary for the website’s proper functioning and operation without the need to negotiate the changes with each and every user and visitor individually. Ordinarily, parties would be required to negotiate amendments to their contracts and agree on them for them to be of any force and effect. In the context of a contract between a consumer and a supplier in the ordinary course, requiring that the parties negotiate and agree on changes to their agreement is beneficial to the consumer because it means the consumer won’t find herself subject to terms she didn’t agree to when buying the product or requesting the service.

The problem is that this requirement doesn’t scale very well, certainly not with the sorts of numbers of consumers (aka, users and visitors) who frequent popular websites. In fact, requiring website owners to negotiate changes with users and visitors (casual visitors can probably be handled a little differently to ongoing users, I think) would likely result in multiple versions of the terms and conditions, each containing variations particular to each consumer’s negotiations with the website owner. The complexity and variation of the terms and conditions would only increase in time and managing these contracts would become practically impossible. The only way to circumvent this is a clause in the contract (aka, the website terms and conditions) which enables the website owner to change terms and conditions unilaterally. Unfortunately, this could become a prohibited practice if this line item remains in the published regulations.

This presents a challenge to website owners who may soon find that this often understated clause could well become an unfair or unreasonable term and, effectively, prohibited. I have a couple of ideas for how to deal with this, but the one risk is implementing a solution which itself amounts to another prohibited practice under the Act, for example a term which has as its general purpose or effect defeating the purposes or policy of the Consumer Protection Act (section 51(1)(a)(i)). It is an interesting challenge and, short of a workable contractual mechanism or legislative relief, this may be something for a court to address in years to come.

On a related note, it is also worth bearing in mind that this is not the only respect in which the Consumer Protection Act impacts on website terms and conditions. The Consumer Protection Act includes a host of requirements which necessitate a number of changes to website terms and conditions, particularly those dealing with liability limitation mechanisms, so be sure to have your website terms and conditions reviewed and amended.