It has often been said that the digital profile we create of ourselves online “takes on a life of its own”—a type of digital avatar of our real-life selves. Of course, unlike the real "you," your digital self can’t be harmed with sticks and stones. But your reputation online can certainly suffer when you are cast in a negative light because of words posted by others, or if negative or exploitative photographs of you are posted by third-party individuals or companies. And, of course, when your online reputation suffers, you do too.

Here is an overview of some of the rules of the road and the contours of the “right to privacy” for a general user of the Internet or, more specifically, a social media user.

The Rise of Privacy Policies

The Constitution does not speak of a right to privacy directly, but it does protect citizens from unreasonable searches and seizures, and this protection nurtured the broader concept of a right to privacy made famous in a 1890 law journal article co-authored by future U.S. Supreme Court Justice, Louis Brandeis. Needless to say, before 1890, major companies did not issue “privacy policies” for their users (nor related policies governing their use of consumer data).

The right to privacy can have different meanings depending on whether you stand to be searched for contraband by the government in your home, bodily scanned at the airport for security purposes, or if you're using the Internet at home / on your phone. The dimensions of a right to privacy on the Internet first started coming into focus in the late 1990s. In 2000, Businessweek compiled data showing that the percentage of online shoppers who reported being “somewhat” or “very” concerned that websites would “use your personal information to send you unwanted information” had grown from 65% in February 1998 to 78% in March 2000.

In the absence of pervasive federal regulation, since the late 1990s, most consumer-facing websites have adopted privacy policies as a matter of self-regulation. One influential company in this regard is TRUSTe, which provides “trustmarks” to over 5,000 companies that self-certify as complying with the site's own privacy statement and TRUSTe’s program requirements.

There is no single federal law that mandates that website operators adopt privacy policies, save for those sites that collect data regarding, or targeted at, children under the age of 13; such websites are subject to the Children’s Online Privacy Protection Act (COPPA). COPPA dictates that websites targeting users in this age group must post a privacy policy and adhere to enumerated information-sharing restrictions.

The FTC does have jurisdiction over deceptive or misleading privacy policy practices, and state attorneys general have independent jurisdiction to take action against companies that implement false or misleading privacy policies.

A typical privacy policy will tell the user both how the company will gather data from the visitor, as well as the circumstances under which the site will use any data that the website does gather during the course of the visitor’s visit. Companies frequently choose either a model of allowing the user to affirmatively “opt in” to receive future solicitations from the site or to agree to third-party usage of their data, or to “opt out” of either use of their contact information.

Commercial Email

The federal government does actively regulate the content of permissible commercial emails to consumers via the CAN-SPAM Act. Any company sending a commercial email initiating a communication with another party (as opposed to responding to an email inquiry, or to an email in a thread) must avoid using false or misleading header information; avoid using deceptive subject lines; identify the message as an advertisement; tell the recipient the sender’s location; tell recipients how to opt out of future messages; and honor opt-out requests promptly. Companies that send emails in violation of the law are liable for penalties of up to $16,000 per email.

Right to Be Forgotten

Although several columnists have proposed that each Internet or social media user should be deemed to bear an inalienable “right to be forgotten”—to expunge the online world of mentions of one’s name, to the extent a person chooses this option—the concept has not gathered steam legislatively, and the only currently available recourse available to a person is to delete one’s own social media profiles.

LinkedIn class action

There have been court cases in which consumers have alleged that major social networking sites have engaged in practices that infringed their privacy rights. In Perkins v. Linkedin Corp. (E.D. Cal. 2014), the plaintiff alleged that LinkedIn would customarily send two “reminder” emails in the name of existing LinkedIn users to the user’s contacts, without the user’s awareness. The result, according to the Perkins plaintiffs, was unwanted spam in the LinkedIn users’ contacts’ inboxes. The District Court for the Eastern District of California certified a class of LinkedIn users under these allegations, and the case settled for $13 million in 2015.

Defamation and False Light

If someone knowingly spreads false information about you via a Facebook post (or elsewhere online), you can pursue a defamation claim against the person who disseminated the false information. Typically, it is much more difficult to hold the site that provided the speaker with a forum to spread the false information (such as Facebook, or even a gripe forum such as Yelp or GlassDoor.com) liable for defamation.

A similar, related cause of action is available for “false light”—when a person knowingly publishes your name in a context likely to mislead the reader concerning your association with the subject matter. Thus, if someone you vaguely knew created an overtly racist Facebook post and “tagged” your name in connection with the post—but without you having any actual connection to the subject matter—you may have a viable claim under the doctrine of false light against the poster.

Exploitation for Commercial Gain

The flip side of the “right to privacy” is the “right of publicity.” This right protects against the unauthorized publication of your name or image by a third party for commercial gain. Thus, if you walk out of a Starbucks, Starbucks is not permitted to snap a photo of you and print an ad that says, "Buy Starbucks coffee because it will make you cool just like John/Jane Reader." To run such an advertisement and not run afoul of your right of publicity, Starbucks would have to obtain your written consent. And because Starbucks appears to think your name and/or image has value, that means—guess what? You should monetize your consent and ask Starbucks to pay you real money before consenting to their using your image to create a profit for their company.

Not surprisingly (given its ubiquity), Facebook has been at the center of a number of the more well-known lawsuits filed to date involving online privacy protection issues, including a case involving a claim of right of publicity infringement: Fraley v. Facebook, Inc., no. 11-CV-01726 (N.D. Cal. 2011). In Fraley, the court found that a putative class of users, who had alleged that Facebook misappropriated Facebook users’ names and likenesses in advertisements called “Sponsored Stories,” had standing to pursue their claims. The case subsequently settled and Facebook agreed to create mechanisms whereby users can discover if they appear in Sponsored Stories, and also prevent their future appearance in advertisements by that advertiser.

***
The above information is neither legal advice nor a substitute for reference to applicable state law, and instead provides general information.