Princeton's CU Boulder's Paul Ohm writes about Netflix's insane new plan to release millions of customers' personal information — ZIP code, gender, year of birth — as a sequel to its Netflix Challenge. Latanya Sweeney's famous study on de-anonymizing data has shown that date (not just year) of birth, gender and ZIP are sufficient to personally identify 87% of Americans. In other words, Netflix is about to put the behavioral data about viewing choices for millions of Americans into the public domain, despite its legal duty to keep this information private.
Because of this, if it releases the data, Netflix might be breaking the law. The Video Privacy Protection Act (VPPA), 18 USC 2710 prohibits a "video tape service provider" (a broadly defined term) from revealing "personally identifiable information" about its customers. Aggrieved customers can sue providers under the VPPA and courts can order "not less than $2500" in damages for each violation. If somebody brings a class action lawsuit under this statute, Netflix might face millions of dollars in damages.