This post analyzes a new privacy lawsuit against Facebook. But first, some context: I received an e-mail from a friend this weekend that read, in part:
Subject: Privacy Code Red!
How do I make it so that my Fandango purchases don’t show up on Facebook???? Is it going to happen if I buy a book on Amazon? WTF?!?!!?
My friend is not a technophobe. This anecdote suggests that some users are still experiencing unwanted disclosures as a result of the Facebook Ads system, particularly the Beacon feature, even long after reforms intended to eliminate privacy problems. Beacon, you may remember, transmits information about your purchases and activities on third-party web sites into your Facebook news feed. As originally rolled out, this transmission happened without the user’s explicit permission. Now there is an opt-in for every disclosure, which in my opinion should eliminate serious objection to the program. (In addition, you now can opt out of all Beacon-like messages on Facebook: in the new layout, go to privacy settings, and under “news feed and wall” opt out of everything under “actions on external websites.”)
Naturally, every business wants its customers to tell their friends about the business, hopefully with a recommendation (like this or this). Such “trusted referrals” are extremely valuable advertising. In many cases, this information — what Eric Goldman calls “online word of mouth” — can be highly valuable “wisdom of crowds” material for consumers too. Done right, these information flows are a good thing.
But social networking and other information-sharing features of the web are poised to supercharge the trusted referral by giving marketers the ability to send information to all your identifiable friends about your use of their products or services. This method is called “social marketing.” In translation, it could mean that businesses will tell everybody you know where you browse and what you buy. What is the proper legal response?
My current writing project focuses on the legal dimensions of social marketing. (It will appear in the University of Illinois Law Review next year.) Social marketing causes concerns about both disclosures of personal data and also information quality — for example, messages that look like an endorsement by your friend when in fact that friend hated the product once she received it. But standard legal paradigms for addressing those sorts of concerns, namely traditional privacy law and trademark law, don’t really deal well with social marketing. Privacy law generally focuses only on sensitive information and trademark law only on misleading messages. Social marketing can be problematic even if the messages are neither sensitive nor misleading. Neither paradigm addresses both over-disclosure and information quality. A hybrid approach more similar to rights of publicity or the somewhat neglected tort of appropriation would do a better job, or so I argue.
Last month, a class action lawsuit concerning the Beacon program was filed in federal court in California, but because it sticks with the traditional privacy paradigm I don’t think it will get very far. One noteworthy feature is that it limits its claims to the period before Beacon changed to an opt-in program, so the plaintiffs don’t even allege issues with today’s Facebook. Even so, the claims rely mostly on privacy laws that may not fit very well.
They rely on the Electronic Communications Privacy Act, an anti-eavesdropping measure. But ECPA allows either participant in the communication to record it and share it with others (see subsection 2(d)); one party may be the user but depending on how you look at it the other party is either Facebook or the advertiser. The plaintiffs also depend on federal and state laws aimed at computer hacking, but this seems to be another attempt to stretch the definition of that concept in a harmful way. These strike me as poor claims.
A better claim falls under the federal Video Privacy Protection Act, which prohibits disclosure of video rental records. The complaint alleges that Fandango, Blockbuster, Overstock, and Gamefly violated this law, and Facebook aided and abetted them. Because in this single instance the law has recognized a class of information subject to social marketing as sensitive and deserving special statutory protection, this claim may work. A separate Beacon-related suit like this was filed previously against Blockbuster alone. James Grimmelmann analyzed the issue a while back and thought a claim like this would have merit, at least under the old Beacon. (Again, because the new Beacon asks permission it is probably immune under the VPPA, and rightly so).
Finally, the plaintiffs make a general claim under California consumer protection law. This may be the best bet for broad relief, but it is such a mooshy area (and not my specialty) that I am reluctant to make a prediction, yet. My article will argue for oversight by the Federal Trade Commission and state attorneys general, based on a paradigm of consent similar to that found in publicity rights and the appropriation tort. After all, these institutions already serve as privacy watchdogs, and of course preventing misleading consumer information is their core mission. A private suit under these same laws might make sense too. But it will require breaking new ground, and will not be easy for these plaintiffs. If there is an aggressive state attorney general out there eager to make a mark on digital privacy, give me a call…