Facebook's Beacon was illegal as well as dumb

James sez, "Everyone knows that Facebook's Beacon application was a privacy disaster. But it was also probably illegal. I've written up an analysis of Beacon under a 1988 law that flatly prohibits video stores from telling people what their customers rented. Every time Blockbuster spammed your friends list with an announcement about your latest online video purchase, it was violating that law. At a minimum $2,500 fine per violation, this could be a pretty serious legal problem for Blockbuster and Facebook."
There are two possible sources of VPPA trouble here. First, in step (4) when Facebook found out that Ethan had purchased The Producers, that might have been a disclosure either by Ethan or by Blockbuster. Second, in step (6) when Ethan's friends found out that he'd bought it, that might have been a disclosure by Ethan or by Facebook.

Let's start with the disclosure to Facebook (step (4)). Blockbuster looks like it has a strong argument here that Ethan was the discloser, not it. After all, it was Ethan's browser that told Facebook what he'd rented, not Blockbuster's web site. Since Ethan isn't a video tape service provider, that's the end of the story.

I don't think that argument works, though, because Ethan's disclosure to Facebook is pretty much a textbook example of an involuntary act.

Link (Thanks, James!)


  1. Could this law have repercussions for Netflix? Though they do allow you to prevent people from seeing certain movies in your queue and your recently returned/rated lists, the default is to allow all of this information to be viewable to those that you have specified as “friends.”

  2. I think that depends on the definition of “personally identifiable information.” Facebook uses actual names that can be connected to actual people; usernames can be people’s actual names (which should count as an “opt-in,” IMO) but they can also be a layer of abstraction so that when someone sees “BooBooKitty42” they don’t automatically think “Jane Smith, 42 Adams Lane” or whatever. Also, it’s not a bait-and-switch thing; sharing queues and recommendations is a part of the service, not a piece of advertising software that latches on to all of your purchases and notifies your friends. At least, that’s how I see it.

  3. I was wondering about the Netflix thing too. I can see my friends’ rentals on Netflix, and I don’t think that’s illegal or dumb.

    I might be missing something with Facebook as I don’t use it, but is this something anyone can access, or just someone’s friend on Facebook?

  4. With Netflix, you actively decide to connect with people for purposes of sharing movie recommendations within the Netflix environment.

    Blockbuster + Facebook, on the other hand, involved no decision on the part of the user, no user intent or consent to share, and was far outside the Blockbuster environment.

  5. You get very minimal information on anyone if you are not someone’s friend. I made an account just to test this; all you get is a (very small) picture, and possibly a list of their friends who you cannot get any more information out of (accounts can also opt to not publicly show friends as well). However, I have no idea what this Beacon thing is.

    Also, I think with Netflix and eMusic (where you can see all of someone’s downloads), the difference is that neither of those sites is soliciting your list of music/movies you may have purchased. I think sending emails to your friends is a different story. I don’t know, maybe Cory can clarify.

  6. Probably the most important difference is that Netflix tells you upfront that the goal of having ‘friends’ is to share your movie preferences, and asks you specifically if it’s okay. You pretty much have to opt in. This would conform to the requirements of the VPPA by requiring explicit consent in an appropriate form.

  7. I can’t believe the amount of drama about Beacon. Tres yawn.

    However, this post motivated me to add the Netflix app to my facebook account! Sweet!

  8. Oh but by the way, the Netflix RSS feed probably violates this law. It’s (I believe) on by default, and if you know someone’s RSS feed URI you can totally stalk their movie-watching preferences. They’re public, just secure through obscurity.
