Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act

facebook3.jpgblockbuster-video.gif

The news has been buzzing lately about Facebook’s Beacon, where participating websites share personal information with Facebook. Beacon originally had a poor notice and opt-out policy, but after significant public criticism, Facebook changed to an opt-in policy. Even under the new opt-in policy, however, the participating companies are still turning data over to Facebook, and that spells potential trouble for at least one of the 40 companies in the Beacon program — Blockbuster Video.

Over at Laboratorium, Professor James Grimmelmann (NY Law School) has an excellent post arguing that Blockbuster’s participation in Facebook’s Beacon violates the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. James writes:

The VPPA states:

A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable….

18 U.S.C. § 2710(b)(1). The important first question is who’s a “video tape service provider.” That’s defined in paragraph (a)(4):

[T]he term “video tape service provider” means any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials. . . .

Blockbuster clearly qualifies as a video tape service provider. To the extent it transmits information to Facebook about a customer’s video purchases — no matter what Facebook ultimately does with that data (i.e. regardless of whether it appears in a person’s profile, is stored by Facebook in a database, or is deleted), Blockbuster could be liable under VPPA. The statute is an opt-in statute, requiring that the customer provide “informed written consent . . . at the time the disclosure is sought” in order for the disclosure to be permissible.

James also analyzes whether Facebook could be liable as well:

There’s the joint enterprise theory; since Facebook and Blockbuster acted together, and Blockbuster is liable, so too is Facebook. There’s a split in the VPPA caselaw as to whether liability runs only against the video tape service provider, or can run also against the person who induced the disclosure.

James concludes:

Put this all together, and the legal situation looks a bit bleak for Facebook and Blockbuster. The VPPA provides damages of $2,500 per violation, plus punitive damages and attorneys’ fees. I have no idea how many movies wound up in people’s news feeds, but it doesn’t have to be too many for the total to hurt. Class action lawyers, start your engines.

You may also like...

6 Responses

  1. Bruce Boyden says:

    Very interesting. There is also a marketing exception, which James doesn’t discuss — 18 U.S.C. 2710(b)(2)(D) — which allows the video rental company to disclose information:

    (D) to any person if the disclosure is solely of the names and addresses of consumers and if—

    (i) the video tape service provider has provided the consumer with the opportunity, in a clear and conspicuous manner, to prohibit such disclosure; and

    (ii) the disclosure does not identify the title, description, or subject matter of any video tapes or other audio visual material; however, the subject matter of such materials may be disclosed if the disclosure is for the exclusive use of marketing goods and services directly to the consumer;

    If I had to speculate, I would guess that this might have gotten boiled down in video providers’ heads as: “Disclosure to marketing partners is OK with an opt out.” And that might have made sense in 1988 — who else except the consumer would marketers be targeting with such specific information? Unfortunately, Facebook found someone. Simple rules, foiled again by the advance of technology.

  2. Bruce — the provision you cite is limited to subject matter areas of videos, so it applies when Blockbuster might disclose that Customer X bought videos in the action or comedy movie genre. Also note that the provision only allows for the disclosure when it is “for the exclusive use of marketing goods and services directly to the consumer.”

    I am perplexed at what Blockbuster’s privacy counsel must have been thinking. I would assume that participation in Beacon was run by the attorneys at Blockbuster, who obviously must know the VPPA quite well. It would be interesting to learn what theory they had in mind for why participating in Beacon complied with VPPA.

  3. Eric Goldman says:

    I’d have to trace through the exact implementation, but might 47 USC 230 apply to Facebook? There is a carveout in 230 for ECPA violations; could the VPPA fit into that? Eric.

  4. Eric — I don’t quite understand how 230 might apply to Facebook in connection with Beacon. The potential liability of Facebook might not just be for the disclosure of the information on people’s profiles, but for the receipt of the information that was disclosed to Facebook improperly under VPPA. Merely being the accidental recipient of information disclosed in violation of VPPA wouldn’t make one liable; but inducing or encouraging such disclosure might create liability. I don’t see how 230 would apply.

  5. Jens says:

    And this is why class actions and punitive damages suck …

    Btw, did you know that punitive damages are in certain cases incompatible with German ordre public?

  6. Bruce Boyden says:

    Dan, I had intended to bold exactly the language you quote, but forgot. I’m not saying Blockbuster can claim that exception; quite the opposite. My point was that previously, marketing efforts using information about a specific user’s rentals would have only targeted that individual, so the latter part of the exception might have seemed superfluous. You’re right, however, that even there the exception is limited to the general subject matter of the rentals.

    As for what Blockbuster’s attorneys were thinking, I would throw out as a possibility that they were not thinking about this issue at all, because it may not have ever crossed their desks. Too often privacy decisions at companies are made by the marketing or technology departments, with little or no consultation with lawyers, although hopefully that’s becoming more rare. Particularly dangerous are the seemingly small changes to an existing program that has already received Legal’s approval.

    Re: Eric’s question, whether the VPPA is part of the ECPA, has puzzled me for a while, but I’ve never had an incentive to really look into it. Looking into it now, briefly, I don’t believe it is. It’s codified in Chapter 121 of Title 18 in the middle of provisions from Title II of the ECPA; in fact, Congress specifically added it before Title II’s definitions section, which used to be 2710 and is now 2711. But there’s no reference in the VPPA’s text (P.L. 100-618) to an amendment of the ECPA, just of “Chapter 121”; and the legislative history I could find refers to the ECPA as though it’s a separate statute. So my tentative conclusion is that the VPPA is not excluded under 230(e).