Did Blockbuster, Facebook break video privacy law with Beacon?
A 1988 law restricts the sharing of someone's video choices
Computerworld - Did Facebook and Beacon partner Blockbuster violate a 1988 video privacy protection law when movie choices that Facebook members made on the latter's Web site were made available to other members of the social network?
According to a professor at the New York Law School, the answer is a definite "yes" -- at least for Blockbuster -- and "quite possibly so" for Facebook.
"The case against Blockbuster is quite straightforward," said James Grimmelmann, associate professor at the New York Law School. "I'm surprised that there haven't been lawsuits already in terms of Blockbuster. The one against Facebook requires a couple more steps. It's one of those interesting issues" that can be viewed in multiple ways legally.
The law in question is the Video Privacy Protection Act (VPPA) of 1988. It basically prohibits movie rental companies such as Blockbuster from disclosing personally identifiable rental records of the people who rent or buy movies from them to others -- unless the customer consents to the practice in writing.
The rarely invoked law was passed after Supreme Court nominee Robert Bork's video rental records were published in a newspaper. It "stands as one of the strongest protections of consumer privacy against a specific form of data collection," according to a description of the law on the Electronic Privacy Information Center (EPIC) Web site.
Civil remedies under the law include fines of at least $2,500 for each violation. In the few situations where the law has been invoked, the cases involved the disclosure of customer movie rental records to law enforcement authorities by rental companies. The law has never been tested in an online situation such as the one involving Blockbuster and Facebook, and could raise interesting issues, according to Grimmelmann.
Facebook's Beacon ad service was released in early November as a part of the Facebook Ads platform. It is ostensibly designed to track the activities of Facebook users on more than 44 participating Web sites and to report those activities to the users' Facebook friends, unless specifically told not to do so. The idea is to give participating online companies a way to monitor the activities of Facebook users on their Web sites and to use that information to then deliver targeted messages to Facebook friends.
The problem with that arrangement, at least for Blockbuster, is that such information sharing put it in violation of VPPA before Facebook changed its privacy policies following an outcry over Beacon, Grimmelmann said. The mere fact that Blockbuster passed on movie choice information to Facebook friends without user consent is a violation of VPPA, he said. That information exchange between Blockbuster and Facebook took place in the background without the Facebook user's knowledge, even though the user's consent might have been needed for it to have been shared with other Facebook members, he said.
It is less clear what, if any, culpability Facebook might have, he said. Under tort law, it could be argued that this was a joint enterprise and since Blockbuster is liable, Facebook is, too, Grimmelmann said. Even so, Facebook has a "much better argument" than Blockbuster, he said.
Blockbuster did not respond immediately to a request for comment on Grimmelmann's assertions. A spokesman for Facebook said the company "does not have a comment here."
Grimmelmann wrote about the issue in his blog earlier this week.
Read more about Privacy in Computerworld's Privacy Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts