A business idea on the edge of the law: an example of why you should pay more attention to the legal side of a project
There are many services on the RuNet that offer site owners identification of the VKontakte profiles of their site's visitors. As a result, the owner of a third-party site can obtain information about users who visited the site while logged in to the VKontakte social network.
Many users, however, do not like it when, after visiting yet another online store, they start receiving personal messages on VK from its managers.
The question arises: is such activity legal at all? Moreover, this question should be asked not only by the disgruntled user, but also by the owner of the site that sends such messages and, even more so, by the owner of the service that kindly supplies the social-network IDs of visitors.
Among the sites offering such services that I was able to examine, a couple gave separate attention to the legality of the service's operating scheme. In both cases the argument was similar in meaning; I will quote from one of the sites (the system name has been removed): “System X identifies only users who have profiles in the social network. According to the Federal Law, these data are classified as PUBLICLY ACCESSIBLE, therefore a person cannot bring legal claims over their use. Our colleagues received written confirmation of this fact from Roskomnadzor.”
Indeed, publicly available personal data can be processed without the consent of the user to whom they belong (hence the "written confirmation of this fact" from Roskomnadzor: protecting citizens' personal data is within its competence). However, with personal data posted on VK the situation is not as obvious as one would like. First, the profile can be protected by privacy settings, which means that you will have to take the word of whoever passes on the user's information as to how publicly accessible it is. Second, the user has the right to withdraw public access to his personal data at any time and hide it: from that moment the user's personal data cannot be processed in any way without his consent (it cannot even be stored). In practice, though, hardly anyone will track changes to the current privacy settings of a user profile that the system has already identified.
In any case, the owners of the service make a significant logical error: from the fact that the Federal Law “On Personal Data” is not violated, they conclude that the user can have no legally valid claims. A rather obvious thing is overlooked here: the Federal Law “On Personal Data” is not the only law that must be followed in one's work.
So, the scheme of sending messages to VK users considered here may well lead to a violation of, for example, the Federal Law “On Advertising”, for which a legal entity is fined 100-500 thousand rubles for each violation. Liability, by the way, is borne by the advertising distributor, that is, not the one who provides the VK user identification service, but the one who uses it and sends advertising to potential customers. The provider of such services, however, will incur at least reputational costs, especially if he has misled the client about the legality of such activities.
What exactly can constitute a violation of the law on advertising? The point is that advertising may be distributed over the Internet only with the prior consent of the addressee. Proving that such consent exists naturally falls to whoever distributes the advertising. The law does not define a specific form of consent, but the Supreme Arbitration Court of the Russian Federation once stated that such consent should make it possible to:
identify the addressee;
confirm his will.
There should be no problems with the first: the system used by the site owner is aimed at identifying users (verification is carried out with the help of VK, since the system detects authorized users who have entered a login and password). Problems may arise with confirming the user's will. First, many sites do not bother to obtain this kind of consent from the user at all. Second, as judicial practice shows, such consent must be deliberate and explicit. That is, simply inserting a new line into the site's User Agreement may not be sufficient, since courts in such cases take a negative view when the site owner cannot prove that the user was made aware of those rules. So you need to make sure that the user cannot "pass by" the conditions for giving consent to receive advertising messages. The following can serve this purpose, for example:
a pop-up window with a link to the consent (or with its text); the same window should contain a clause stating that starting to use the site is considered the user's giving of the corresponding consent;
a corresponding line with a checkbox on the registration page for a new account, if consent is given during registration (but remember that consent must precede advertising, and not vice versa).
And do not forget that the site should function in such a way that evidence of a specific user's actions can be exported and shown to the court and, if necessary, to an expert who may be tasked with verifying the authenticity of the data provided or decrypting it.
But even having the user's consent to an advertising mailing does not mean that compliance with the legislation on advertising can be forgotten entirely. For example, the law prohibits the automatic distribution of advertising messages. At the same time, a number of services offer, in addition to identifying users on VK, software tools for creating message templates and sending them to users automatically. As a result, using such functionality in itself creates a risk of administrative liability.
In conclusion, I would recommend paying closer attention to the legal component of your work, whether it is extending the functionality of an existing service, creating a new one, or something else. You can always run into restrictions that you did not know about or that you lost sight of.