In the modern, digital world, each of us is asked to read and accept hundreds of pages of terms and conditions that govern the way we use our products and services.
While no one could be expected to read every term (especially for entertainment or other “low risk” services), as a specialist in reading and drafting such documents, a lawyer can offer insight into just how they operate (and which rights the average user winds up signing away).
In our “A Lawyer Reads…” series, we’ll take a deeper dive into a few of those little-read contracts, terms, and conditions in an effort to provide just a bit of that insight.
This week, Facebook CEO Mark Zuckerberg testified before the United States Congress on matters ranging from data privacy to Facebook’s culpability in the fomenting of foreign genocides.
One strand of questioning that persisted throughout the entirety of his marathon interrogation, however, was whether an ordinary user of Facebook’s services could understand the company’s terms and conditions document. In answering that he didn’t believe that most users read through such “click through” terms, Zuckerberg opened himself up to a series of additional challenges.
But how “bad” are the Facebook terms really?
The current version of the Facebook Terms of Service (the “Terms”), the document that covers a user’s relationship with Facebook, can be found HERE.
Let’s start from the top.
This Statement of Rights and Responsibilities (“Statement,” “Terms,” or “SRR”) derives from the Facebook Principles, and is our terms of service that governs our relationship with users and others who interact with Facebook, as well as Facebook brands, products and services, which we call the “Facebook Services” or “Services”. By using or accessing the Facebook Services, you agree to this Statement, as updated from time to time in accordance with Section 13 below. Additionally, you will find resources at the end of this document that help you understand how Facebook works.
So right off the bat, we have two links out to separate documents: the “Facebook Principles” and a Facebook Help Center post on “What are Facebook Products?”.
The first of these is not really an issue. It is an aspirational “Bill of Rights” type document in which Facebook states things like “People should own their information” and “People should have the freedom to build trust and reputation through their identity and connections.” While nice (and designed to give users warm feelings about the company and its services), it is important to note that the “Facebook Principles” are not written in a way to be legally operative. No one (including Facebook) is *bound* to do anything (or not do anything) by the way such document is written. The “principles” are stated to have informed the company’s reasoning behind its Terms document, but little else.
The second is a bigger problem. The Help Center page linked to is not a legal document. Further, it only refers to a list of services which the term Facebook Products is intended to “include” (things like the mobile app, the in-app browser, Messenger, Instagram, etc.). Importantly, the list is not claimed to be exhaustive, and in fact states that “Facebook Products does not include some Facebook-offered products or services that have their own separate privacy policies and terms of service”. So not a lot of clarity there.
Creating further ambiguity, the term “Facebook Services” is actually defined in Section 17.1 of the Terms document itself:
By “Facebook” or “Facebook Services” we mean the features and services we make available, including through (a) our website at http://www.facebook.com and any other Facebook branded or co-branded websites (including sub-domains, international versions, widgets, and mobile versions); (b) our Platform; (c) social plugins such as the Like button, the Share button and other similar offerings; and (d) other media, brands, products, services, software (such as a toolbar), devices, or networks now existing or later developed. Facebook reserves the right to designate, in its sole discretion, that certain of our brands, products, or services are governed by separate terms and not this SRR.
So, everything the company makes available is covered…except when they say it’s not. This is…okay, but the link earlier in the document is unnecessary and creates unneeded ambiguity.
Because Facebook provides a wide range of Services, we may ask you to review and accept supplemental terms that apply to your interaction with a specific app, product, or service. To the extent those supplemental terms conflict with this SRR, the supplemental terms associated with the app, product, or service govern with respect to your use of such app, product or service to the extent of the conflict.
So, each product may have separate terms and conditions (and per the definition above, such terms may state that the Terms document itself does not apply to such product). If there are separate terms provided, and they conflict with the Terms document, then the separate terms will control over the baseline Terms document.
In other words, the terms of service “closest” to the application being used is the one that controls your use of that application. That makes sense, but it does mean that a user is responsible for reading every separate terms document that Facebook provides for its various services.
On to Section 1!
The Big Kahuna. Let’s see what Facebook has to say about keeping your data private.
Your privacy is very important to us. We designed our Data Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Data Policy, and to use it to help you make informed decisions.
Ok, well it’s good that privacy is very important to Facebook. That’s not a legally operative statement, but it’s nice to hear. Also not legally operative, however, are the other statements in the section about why they designed their data policy or that users should read it. That’s odd. Ordinarily, we would expect a statement like “You agree to be bound by the Data Policy” or similar.
Oh! Here it is, in an unnumbered section at the bottom of the Terms document:
By using or accessing Facebook Services, you agree that we can collect and use such content and information in accordance with the Data Policy as amended from time to time.
It is exceedingly weird that such a statement is not made in the privacy section up at the top of the document (which, as presently written, effectively contains ZERO legally operative statements), but at least they put it in bold, right? Snide commentary aside, this is a legally operative statement and causes the entirety of their linked Data Policy to apply to Facebook users.
So, let’s (start to) take a look at that.
Data Policy (Part 1)
As many legislators pointed out this week, the Facebook Data Policy is a long (2,600+ word) document with multiple links out to help pages, marketing brochures, other policies and procedures, etc. It is not an easy read even for a lawyer, and most certainly not for the average user of Facebook’s services.
The policy itself can be found HERE. It is broken up into a series of questions that are then answered by the company in a FAQ document style.
What kinds of information does Facebook collect?
Depending on which Services you use, we collect different kinds of information from or about you.
Sure. They collect lots of different kinds of information depending on what the user is doing. Not a great deal of insight there, but makes sense.
Things you do and information you provide.
We collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others. This can include information in or about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our Services, such as the types of content you view or engage with or the frequency and duration of your activities.
So, they collect the “content and other information” provided when someone shares something on their service. The use of the term “other information” here is important as it is an oblique reference to collecting data that a user may not otherwise assume they are providing when they, say, share a picture of their family at Chuck E. Cheese.
That picture can contain additional data, “metadata”, such as location and date (or even photographer) which the user might not otherwise be aware that they are sharing, but Facebook *can* collect it.
Facebook also acknowledges that it collects analytics data on user activity, such as time on the site and what a user engages with. This is normal and to be expected, but again, not something the average user may be considering when they send a message to Mom.
Things others do and information they provide.
We also collect content and information that other people provide when they use our Services, including information about you, such as when they share a photo of you, send a message to you, or upload, sync or import your contact information.
Facebook is also able to gather information about a user based on what *others* provide regarding that user. If Grandma tags you in a photo, Facebook may correlate your location or other information based on that tag, even if you did not originally provide it yourself. That’s also probably a surprise to most.
Your networks and connections.
We collect information about the people and groups you are connected to and how you interact with them, such as the people you communicate with the most or the groups you like to share with. We also collect contact information you provide if you upload, sync or import this information (such as an address book) from a device.
Similar to the other categories, Facebook is capable of collecting data about how you interact with others on their services both formally (in designated groups) and informally. Importantly, Facebook states that it can collect all contact information a user elects to provide through its syncing feature. Ostensibly, the use of this information is limited in certain ways, but we’ll get to that later in the Data Policy.
Information about payments.
If you use our Services for purchases or financial transactions (like when you buy something on Facebook, make a purchase in a game, or make a donation), we collect information about the purchase or transaction. This includes your payment information, such as your credit or debit card number and other card information, and other account and authentication information, as well as billing, shipping and contact details.
Facebook collects payment information in order to process payments. This is normal as there is really no way that Facebook could offer this feature without collecting this data.
We collect information from or about the computers, phones, or other devices where you install or access our Services, depending on the permissions you’ve granted. We may associate the information we collect from your different devices, which helps us provide consistent Services across your devices. Here are some examples of the device information we collect:
- Attributes such as the operating system, hardware version, device settings, file and software names and types, battery and signal strength, and device identifiers.
- Device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals.
- Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.
Now here’s another area of information that the average user probably doesn’t expect Facebook to be collecting. Facebook has the capability to collect data on phone/laptop type, operating system, location, mobile phone number, and IP address.
The company states that they collect this information to help “provide consistent Services across your devices”. But if you have Facebook on your mobile phone, Facebook can collect your phone number, your location, and potentially even more (“file and software names and types” seems particularly thorny), before correlating it with your ownership of that laptop, your work environment, or more.
This is an important piece of how Facebook develops its understanding of its various users.
Information from websites and apps that use our Services.
We collect information when you visit or use third-party websites and apps that use our Services (like when they offer our Like button or Facebook Log In or use our measurement and advertising services). This includes information about the websites and apps you visit, your use of our Services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us.
If a third party site offers a “like” button or uses Facebook measurement or advertising, Facebook may collect information on you, the websites you visit, and how you use those websites. Written this way, the provision is obviously too broad. If I have never used Facebook in my life, but find myself on a third party site contracted with Facebook for advertising, I have not consented to the Facebook Terms or this Data Policy. This provision should not apply in such a circumstance.
That said, in most cases, the provision *will* likely apply solely by virtue of a user “logging in” to such a site through Facebook or otherwise finding the site through their own Facebook portal. At that point, the user should assume that Facebook can (and will) collect data on such user’s activities.
Information from third-party partners.
We receive information about you and your activities on and off Facebook from third-party partners, such as information from a partner when we jointly offer services or from an advertiser about your experiences or interactions with them.
Facebook can contract with third parties to get information on you. This is to be expected, and presumably such contracts relate to data collected validly by such third parties. But again, that advertisement you see on Facebook that you can’t believe exactly matches the search you did for Hawaiian vacations from your work computer 6 hours ago? It’s not magic, it’s contract. And Facebook is collecting (and contracting for) that data constantly. It’s their value proposition.
We receive information about you from companies that are owned or operated by Facebook, in accordance with their terms and policies. Learn more about these companies and their privacy policies.
Another link. In this one, Facebook acknowledges ownership of 8 additional companies including Oculus and WhatsApp. Importantly, the privacy policies of each such named company will control a user’s interaction with that company, *but* all such companies may share the information they gather with the other companies in the Facebook “family”. So foreign users of WhatsApp can have their information analyzed and correlated by Facebook proper before being sent to Oculus for advertising opportunities, etc.
Without diving into every such company’s own data protection policies, the average user can’t know just how such information will be treated once it is placed in one of the other company’s hands.
And that’s more than enough terms and conditions reading for today’s post. Please join us next week as we dive into Facebook’s answers to “How do we use your information?”, “How is your information shared?”, “How can I manage or delete my information?” and (hopefully) more of the actual Terms of Service document.