Instagram And The Pitfalls In Changing How Personal Data Is Used

If you are interested in privacy issues, you could hardly have missed the storm that surrounded Instagram's attempt to change its terms of use mid-December to enable it to further exploit user content. Whilst there are a number of potential angles to take on the proposed changes, given Instagram's nature as a photo-sharing app the privacy angle was obvious and quickly rose to the fore. We look at two simple lessons to take away.

Firstly and most importantly, how much damage has been done to the Instagram brand?

If your organisation is lucky enough to be in the media and public spotlight, the biggest lesson from Instagram’s experience is unquestionably that changes to terms of use should not be undertaken lightly, need to be well thought-through, and backed up with an appropriate customer/user campaign to manage expectations.

This approach is key to ensuring your reputation is protected as far as possible. Even then, you might misread the mood of commentators and your customers/users (this may have been the case with Instagram), but at least you will be well-prepared.

Secondly, were Instagram transparent enough?

This issue divides up into a couple of separate points: transparency in the actual changes made, and transparency about the fact that changes are being made.

Instagram were pulled up in part because their revisions were not clear, and could be argued to be very broad indeed, prompting user concerns. They backed away from such wide interpretations quite quickly, but the damage had been done. The lesson here is unquestionably that clarity is the best policy. If you want broad rights, write them in, but expect users to think the worst; otherwise be specific and explicit about what you want to be able to do with personal data, and then set about managing expectations around why you want to be able to use the data in that way. One trend in the latter area is to talk about how "free" or cheap services are sustained; there is growing chatter (and acceptance?) in the world of the web that "free" just means "no charges" and does not actually mean completely free, and you may wish to consider adding your voice to this movement.

There are also key decisions to be made in how you flag up changes. If you are an EU-based organisation, technically you need customer/user consent to any such change where new or materially changed usage of personal data is envisaged. How are you going to get this consent? Just via changed T&Cs and implied consent from further usage? This was the method Instagram tried, backed up with some blog entries, but it arguably came over as a flimsy approach. A better solution might be to use temporary calls to action, notices etc. on your site and a short email campaign so that you look like you are being very transparent. Transparency encourages positive brand perception, and can come to your aid even if the actual change is unpopular; you don't want to get caught out with a change that looks like a sneaky, back-door exercise.

If you are an EU-based organisation, and the personal data you collect is sensitive, the position is more difficult still. Consent to such change in use has to be "explicit" (e.g. tick-box consent), with a fall-back position for those who do not consent. How would this be managed? (Note that the draft EU General Data Protection Regulation will make this position the default one if it becomes law.)

Overall, it is worth keeping Instagram in mind going forward as an example of the potential pitfalls that exist when approaching a change in personal data usage.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.