Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act

You may also like...

6 Responses

  1. Bruce Boyden says:

    Very interesting. There is also a marketing exception, which James doesn’t discuss — 18 U.S.C. 2710(b)(2)(D) — which allows the video rental company to disclose information:

    (D) to any person if the disclosure is solely of the names and addresses of consumers and if—

    (i) the video tape service provider has provided the consumer with the opportunity, in a clear and conspicuous manner, to prohibit such disclosure; and

    (ii) the disclosure does not identify the title, description, or subject matter of any video tapes or other audio visual material; however, the subject matter of such materials may be disclosed if the disclosure is for the exclusive use of marketing goods and services directly to the consumer;

    If I had to speculate, I would guess that this might have gotten boiled down in video providers’ heads as: “Disclosure to marketing partners is OK with an opt out.” And that might have made sense in 1988 — who else except the consumer would marketers be targeting with such specific information? Unfortunately, Facebook found someone. Simple rules, foiled again by the advance of technology.

  2. Bruce — the provision you cite is limited to subject matter areas of videos, so it applies when Blockbuster might disclose that Customer X bought videos in the action or comedy movie genre. Also note that the provision only allows for the disclosure when it is “for the exclusive use of marketing goods and services directly to the consumer.”

    I am perplexed at what Blockbuster’s privacy counsel must have been thinking. I would assume that participation in Beacon was run by the attorneys at Blockbuster, who obviously must know the VPPA quite well. It would be interesting to learn what theory they had in mind for why participating in Beacon complied with VPPA.

  3. Eric Goldman says:

    I’d have to trace through the exact implementation, but might 47 USC 230 apply to Facebook? There is a carveout in 230 for ECPA violations; could the VPPA fit into that? Eric.

  4. Eric — I don’t quite understand how 230 might apply to Facebook in connection with Beacon. The potential liability of Facebook might not just be for the disclosure of the information on people’s profiles, but for the receipt of the information that was disclosed to Facebook improperly under VPPA. Merely being the accidental recipient of information disclosed in violation of VPPA wouldn’t make one liable; but inducing or encouraging such disclosure might create liability. I don’t see how 230 would apply.

  5. Jens says:

    And this is why class actions and punitive damages suck …

    Btw, did you know that punitive damages are in certain cases incompatible with German ordre public?

  6. Bruce Boyden says:

    Dan, I had intended to bold exactly the language you quote, but forgot. I’m not saying Blockbuster can claim that exception; quite the opposite. My point was that previously, marketing efforts using information about a specific user’s rentals would have only targeted that individual, so the latter part of the exception might have seemed superfluous. You’re right, however, that even there the exception is limited to the general subject matter of the rentals.

    As for what Blockbuster’s attorneys were thinking, I would throw out as a possibility that they were not thinking about this issue at all, because it may not have ever crossed their desks. Too often privacy decisions at companies are made by the marketing or technology departments, with little or no consultation with lawyers, although hopefully that’s becoming more rare. Particularly dangerous are the seemingly small changes to an existing program that has already received Legal’s approval.

    Re: Eric’s question, whether the VPPA is part of the ECPA, has puzzled me for a while, but I’ve never had an incentive to really look into it. Looking into it now, briefly, I don’t believe it is. It’s codified in Chapter 121 of Title 18 in the middle of provisions from Title II of the ECPA; in fact, Congress specifically added it before Title II’s definitions section, which used to be 2710 and is now 2711. But there’s no reference in the VPPA’s text (P.L. 100-618) to an amendment of the ECPA, just of “Chapter 121”; and the legislative history I could find refers to the ECPA as though it’s a separate statute. So my tentative conclusion is that the VPPA is not excluded under 230(e).