Social networking sites must comply with EU privacy laws even if ...
Social networking sites must comply with EU privacy laws even if they're headquartered elsewhere, European data protection chiefs said this week. Site operators should tell users who they are upfront, explain all the purposes personal data will be used for and tread especially carefully when processing information from minors, the Article 29 Data Protection Working Party said.
The operators are deemed to be data controllers under EU law because they provide the means for processing user data and all the basic services related to user management such as registration and account deletion, the panel said. Networking sites also decide whether and how data can be used for advertising and marketing, it said. Companies that provide applications in addition to the ones from a social networking site may also be data controllers, it said.
In most cases, users are data subjects, the panel said. Users who process personal data “in the course of a purely personal or household activity” are exempt from data protection rules, it said. But when those activities go beyond personal or household activities -- as when a user acts on behalf of a company or association, uses the site mainly for commercial, political or charitable goals or has an unusually high number of contacts -- the exemption is lost, it said. When access to profile information extends beyond self-selected contacts, such as when access is open to all members on the Web site or the data is indexable by a search engine, the household exemption doesn’t apply, the panel said. Application of the exemption is also limited by the need to guarantee the rights of third parties who give information to users, it said.
The opinion recommended that operators offer privacy-friendly default settings that allow users freely and specifically to consent to access to their profile’s content beyond their self-selected contacts; sites adequately warn users about privacy risks to themselves and others when they upload information online; users be informed that publishing sensitive personal data requires explicit consent from the data subject; sites ensure that third parties comply with privacy rules by giving users clear information about how their personal data will be used; where a Web site allows users to access and update their information with other applications, such as reading and posting messages to the network from their mobile phone, the site should let users choose an access level for the application providers just sufficient to perform the task; and providers delete personal user registration data as soon as the user or the site deletes the account.
Users have several rights under the directive, the panel said. Networking sites should set up complaint-handling offices to deal with privacy issues raised by members and non-members, it said. Operators should “consider carefully” whether they can justify requiring users to use their real identities, it said.
They should consider the best interest of children in collecting personal data, it said. The opinion recommended a five-pronged approach to protecting minors in the social networking environment that includes awareness-raising, not asking for sensitive data on subscription forms, not aiming direct marketing at youngsters, and requiring parental consent before subscribing. Technologies leading to privacy such as pop-up warnings and age verification should be considered, and providers should adopt codes of practice with effective enforcement measures, the panel said. Legislation may be needed to discourage unfair or deceptive practices, it said.