Facebook and the VPPA: Uh-Oh

The Facebook Beacon story has been igniting privacy debates for a while, and has caused the company some serious embarrassment. I think it could cause them much worse.

Another member of a professorial mailing list I’m on asked whether Facebook may have violated the Video Privacy Protection Act of 1988. Nicknamed the “Bork Bill” (a newspaper published his video rental records during his confirmation hearings), the VPPA protects your privacy in the videos you rent and buy. Well, guess what? One of Facebook’s Beacon partners was Blockbuster, so some of the items that wound up in people’s news feeds were the names of videos they’d bought. Oops.

I dug a bit into the legalities of the issue, and this is roughly what I came up with: Facebook and Blockbuster should hunker down and prepare for the lawsuits. Their recent move to allowing a global opt-out may cut them off from accruing further liability, but there’s probably an overhang of damages facing them from their past mistakes. I should note that this isn’t my usual area of law, so salt the analysis appropriately. Caselaw on the VPPA is thin, but there might be other rules of information privacy law out there that would significantly change the bottom line. That said, let us begin.

The VPPA states:

A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable… .

18 U.S.C. § 2710(b)(1). The important first question is who’s a “video tape service provider.” That’s defined in paragraph (a)(4):

[T]he term “video tape service provider” means any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials … .

Thus, it’s fairly clear that Blockbuster is a “video tape service provider” but Facebook and its users aren’t. There is also a pair of important legal principles that could make things much dicier for Blockbuster.

  • If the disclosures by Facebook or a user are involuntary, then torts law ordinarily puts the liability on whoever set the unfortunate process in train. It’s like persuading a six-year-old to commit fraud for you, or grabbing a pirate’s sword arm and forcing him to slice someone with his cutlass. As we’ll see, this could make Blockbuster liable for disclosures technically made by its customers.
  • If Facebook and Blockbuster agreed to act in concert to do something, then doctrines of principal-and-agent and joint enterprise often allow their actions and motives to be attributed to each other. That would let things done by Facebook be counted as having been done by Blockbuster, possibly making Blockbuster liable for disclosures technically made by Facebook.

With these rules in mind, let’s look at the facts to see if there were any relevant disclosures of personally identifiable information. The typical sequence of relevant information flows in the days before a global opt-out went something like this:

  1. Ethan visits Blockbuster and clicks to buy The Producers.
  2. Ethan’s click causes some functions (written by Facebook, sent to Ethan by Blockbuster) to execute in Ethan’s browser.
  3. Those functions create an “iframe” (a kind of sub-page) within the Blockbuster page on Ethan’s browser.
  4. The iframe communicates with Facebook, telling it that the currently-logged-in user (Ethan) has just bought The Producers.
  5. The iframe tosses a pop-up window; if Ethan clicks “no” in the pop-up, the dance stops here.
  6. Joel, who is on Ethan’s friends list, sees that Ethan bought The Producers.

There are two possible sources of VPPA trouble here. First, in step (4) when Facebook found out that Ethan had purchased The Producers, that might have been a disclosure either by Ethan or by Blockbuster. Second, in step (6) when Ethan’s friends found out that he’d bought it, that might have been a disclosure by Ethan or by Facebook.

Let’s start with the disclosure to Facebook (step (4)). Blockbuster looks like it has a strong argument here that Ethan was the discloser, not it. After all, it was Ethan’s browser that told Facebook what he’d rented, not Blockbuster’s web site. Since Ethan isn’t a video tape service provider, that’s the end of the story.

I don’t think that argument works, though, because Ethan’s disclosure to Facebook is pretty much a textbook example of an involuntary act. Yes, Ethan’s browser did the heavy lifting. But it did so because Blockbuster included some HTML on its page. Ethan didn’t parse the javascript and load the iframe himself, and if he was like me, he probably didn’t even realize that Blockbuster could get his browser to give Facebook that combination of information. (The trick works because the iframe both has some info that Blockbuster gave it and “belongs” to Facebook and can therefore access Ethan’s Facebook account. Awful clever, ain’t it?) Ethan’s browser was acting as Blockbuster’s agent, not Ethan’s.

Once we have that first disclosure, the disclosure by Facebook (step (6)) is easier. Facebook is acting in concert with Blockbuster, which is under a duty not to disclose. On principal-and-agent reasoning, Blockbuster effectively made those disclosures, and is therefore liable for them.

(I’m not sure you could get this result on your own if you looked just at step (6). The reasons are a bit subtle. Yes, it looks as though Blockbuster and Facebook are engaged in a scheme to reveal PII, but you need to be careful about the source of that PII. If Ethan had used the Movies app to tell Facebook voluntarily that he liked The Producers (which, purely incidentally, he bought online from Blockbuster), I don’t think Blockbuster has a duty to keep that fact from disclosure. A critical nexus has been sundered. That’s why we need to look at step (4)—to see whether it sunders the nexus between the purchase and information about that purchase. I think that the way Beacon operates means that the nexus is still intact; if you disagree with me about my characterization of step (4), you’ll think that Facebook takes the information free and clear, and owes no duty to anyone, even if Blockbuster is involved. There are some further legal complexities here that involve some very precise statutory reading, but I’ll omit them so as not to get into a digression from a digression.)

So that’s an affirmative case for some serious liability. Blockbuster could try to interpose a few defenses. I don’t think any of them work, but they’re worth discussing.

First, Beacon successfully identifies Ethan here even if he buys the movie from Blockbuster under a false name. The critical step is that the same person both buys the movie and is logged into Facebook. Thus, there will be some scenarios in which Blockbuster causes Ethan to be identified without itself having had any knowledge of his identity. In those cases, it seems hard to frame an argument that you can “disclose” something you never knew. Nonetheless, given the statutory definition of PII (“includes information which identifies a person as having requested or obtained specific video materials”), Blockbuster can “identif[y]” Ethan as having bought The Producers whether it knows who he is on Facebook or not. It provides to Facebook information sufficient to say that Mr. X bought a movie, and Facebook knows who Mr. X is.

Second, Blockbuster could argue that its step-(4) disclosure is “to the consumer” and thus allowed under subparagraph (b)(2)(A) of the VPPA. That works as to the information flows in steps (1) and (2), in which Blockbuster tells Ethan’s browser some things, but it doesn’t work as to the information flow in step (4). Facebook is not the “consumer” no matter how hard you stretch and strain. It also doesn’t work in step (6); if you think of the other users as the “consumer,” you’ve pretty much completely eviscerated the VPPA.

Third, there’s the whole can of worms around the temporary pop-up that Facebook showed to let users opt-out of sharing details. Each site using Beacon used to show users a pop-up letting them avoid having the transaction listed. Subparagraph (b)(2)(B) allows disclosure with “the informed, written consent of the consumer given at the time the disclosure is sought.” Those pop-ups failed that test in multiple ways:

  • They vanished if the user did nothing for twenty seconds or so. You can pretty much guarantee that some users won’t see the pop-up at all. So much for “informed.”
  • It’s been revealed that if you’d ever clicked “remember me” on Facebook, it would remember you in spades. Even if you weren’t logged in, your Beacon transactions would still result in personally-identifying web requests hitting Facebook’s servers—regardless of any opt-out requests. So much for “consent.”
  • Regardless of what Facebook’s request for consent looked like, Blockbuster’s was pretty clearly defective—viz.: nonexistent. Indeed, by the time you see the pop-up, your browser has already sent the critical step-(4) request to Facebook. All that saying “no” does is to prevent step (6) from happening. Thus, on my reasoning above, the user can’t prevent the first and critical disclosure from happening. So much for “given at the time the disclosure is sought.”
  • Indeed, if my analysis of step (4) is correct, then Facebook’s current policy (failure to click on the pop-up constitutes refusal, not acceptance) is still defective. It’s too late at that point to keep Facebook from learning that you, yes you Ethan K—, bought The Producers. The violations might still be accumulating. Facebook’s only arguable out would be that the company’s servers aren’t a “person,” so there’s been no actionable disclosure. I need to think more on this angle, but I have my suspicions that it might be too slender a reed to support Facebook’s awesome weight.
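
The ordering described in steps (4) through (6) and in the pop-up bullets above, as an added example that is not part of the original post and is not Facebook's or Blockbuster's code: a small JavaScript model comparing the flow as described with a consent-first ordering. The origins, cookie value, class names and function names are all hypothetical.

```javascript
// Added illustration of the flow in steps (1)-(6); every name here is
// hypothetical and none of it is Facebook's or Blockbuster's code.
const SOCIAL = "social.example"; // stands in for the social network's origin

// Browser model: cookies are stored per origin and attached to every request
// sent to that origin, including requests made from a frame on another site.
class Browser {
  constructor() { this.cookies = new Map(); }
  request(server, origin, params) {
    return server.receive({ cookie: this.cookies.get(origin) || null, params });
  }
}

// Social-network server model: records every request it receives and
// publishes to the friends' feed only when asked to.
class SocialServer {
  constructor(sessions) {
    this.sessions = sessions; // session cookie -> account name
    this.learned = [];        // what the server was told (step 4)
    this.feed = [];           // what friends can see (step 6)
  }
  receive({ cookie, params }) {
    // The partner's parameters carry no name; the cookie supplies it.
    const event = { user: this.sessions.get(cookie) || null, ...params };
    this.learned.push(event);
    return event;
  }
  publish(event) { if (event.user) this.feed.push(event); }
}

// Ordering as the post describes it: the frame reports first (step 4), the
// pop-up comes afterwards (step 5), and only an explicit "no" stops step 6.
function beaconAsDescribed(browser, server, purchase, popupAnswer) {
  const event = browser.request(server, SOCIAL, purchase);
  if (popupAnswer !== "no") server.publish(event);
}

// Consent-first ordering: nothing is sent unless the user says "yes".
function consentFirst(browser, server, purchase, popupAnswer) {
  if (popupAnswer !== "yes") return; // "no" or a timed-out pop-up
  server.publish(browser.request(server, SOCIAL, purchase));
}

// Constructed sample: Ethan is logged in to the social site and buys a film
// on the partner site. popupAnswer is "yes", "no" or "timeout".
function run(flow, popupAnswer) {
  const browser = new Browser();
  browser.cookies.set(SOCIAL, "sess-ethan");
  const server = new SocialServer(new Map([["sess-ethan", "Ethan"]]));
  const purchase = { partner: "video-store.example", action: "bought", title: "The Producers" };
  flow(browser, server, purchase, popupAnswer);
  return { learned: server.learned, feed: server.feed };
}

for (const [name, flow] of [["as described", beaconAsDescribed], ["consent first", consentFirst]]) {
  for (const answer of ["yes", "no", "timeout"]) {
    const { learned, feed } = run(flow, answer);
    console.log(`${name} / ${answer}: server learned ${learned.length}, feed shows ${feed.length}`);
  }
}
```

In the as-described flow the server's record is populated for every answer, including "no"; only the consent-first ordering leaves it empty when the user declines or ignores the pop-up.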

So that’s Blockbuster. What about Facebook? There’s the joint enterprise theory; since Facebook and Blockbuster acted together, and Blockbuster is liable, so too is Facebook. There’s a split in the VPPA caselaw as to whether liability runs only against the video tape service provider, or can run also against the person who induced the disclosure. Those cases, though, typically involve police officers getting rental information without going through proper law enforcement channels (a search warrant, grand jury subpoena, or court order). I’m not sure quite how they’d apply here, where Facebook is more clearly acting in concert with Blockbuster to engage in further disclosures. My sense is that Facebook could win or could lose, depending on how the court chooses to interpret the VPPA. The risks are substantial.

Put this all together, and the legal situation looks a bit bleak for Facebook and Blockbuster. The VPPA provides damages of $2,500 per violation, plus punitive damages and attorneys’ fees. I have no idea how many movies wound up in people’s news feeds, but it doesn’t have to be too many for the total to hurt. Class action lawyers, start your engines.

Addendum 2007-12-11: There’s an interesting discussion over at Concurring Opinions of the “marketing exception” of subparagraph (b)(2)(D). That exception allows disclosures of the genres of movies you rent, if there’s a “clear and conspicuous” opt-out, and “for the exclusive use of marketing goods and services directly to the consumer.” The exception fails in at least three (!) ways:

  • “Clear and conspicuous” opt-out? I don’t think so, not if the opt-out pop-up disappears on you.
  • Beacon showed actual titles, not just genres.
  • Marketing to the consumer’s friends is different from marketing “to the consumer.”

Addendum 2007-12-11: heebner, in comments, raises the issue of whether Facebook is a “person.” It is. The definitions section (18 U.S.C. § 2711) for the chapter of the U.S. Code that includes the VPPA (18 U.S.C. ch. 121) includes a bunch of definitions from another definitions section (18 U.S.C. § 2510), including one that defines “person” as:

any employee, or agent of the United States or any State or political subdivision thereof, and any individual, partnership, association, joint stock company, trust, or corporation.

My apologies for previously making that issue seem harder than it is, and thanks to heebner and Mike Malone for bringing it up.

Very interesting idea you have here! When I first heard about Beacon, I knew there was something very wrong, and I even quit Facebook over it. But I didn’t know it was possibly illegal. Any way we can get this privacy-infringing company to suffer for its actions would be good. I only hope that someone sues them.

So the class action settlement will give plaintiffs movie rentals and by that time, there will be some premium features on Facebook, so the award will also include 20% off. Justice will be served! ;-)

Very interesting. Another thought — if Blockbuster gets sued, there’s a chance that they might turn around and sue Facebook for breach of contract. Coca-Cola already claimed that Facebook either failed to disclose, or misrepresented the opt-out procedure and implementation details of Beacon. If Facebook misrepresented how the system operated (e.g., said it was completely opt-in), Blockbuster may have thought they were in the clear when they weren’t. I mean, it’s hard for me to believe that Blockbuster would have been unaware of this law, and I’m sure their lawyers took a look at Beacon before the company agreed to sign up. If the violation is so blatant (and it seems to be) how could Blockbuster have agreed to the deal?

1) beacon only gets triggered when you add to your queue, not when you actually rent/ship/buy a movie. So your statement “so some of the items that wound up in people’s news feeds were the names of videos they’d bought” is wrong. Splitting hairs maybe, but technically it’s not a user’s rental history or purchase history, it’s a list of movies that may be rented. You don’t need to be a subscriber to add movies to your queue either. I cancel my subscription when I run out of things to watch and build a queue to keep track of movies I want to see… and if the queue gets big enough I may turn it on by subscribing. Or I may not. In any case I think a queue is not precisely the same as a rental.

2) Beacon had an “opt-out” window for a short period of time… it is now opt in. So you’re dealing with a fairly narrow window in which violations could occur. Wouldn’t that limit their exposure? Are you saying that even in an opt-in model there is still exposure here? Keep in mind that class action lawyers need a decent chunk of change before they’re willing to rev their engines.

3) The key question I think is, is Facebook a person? You quoted the law saying that “A video tape service provider who knowingly discloses, to any person, personally identifiable information.” Since beacon is now opt-in, your argument for ongoing liability rests on the assumption that Facebook is a person (since nothing is being sent to newsfeeds without permission). If FB deletes the data when a user doesn’t opt-in, has someone been told? If a tree falls in the forest….???

just some thoughts

This also highlights the absurdity that such a privacy law applies only to video transactions and not to everything else as well. The list of sites using Facebook Beacon at launch is: AllPosters.com, Blockbuster, Bluefly.com, CBS Interactive (CBSSports.com & Dotspotter), ExpoTV, Gamefly, Hotwire, Joost, Kiva, Kongregate, LiveJournal, Live Nation, Mercantila, National Basketball Association, NYTimes.com, Overstock.com, (RED), Redlight, SeamlessWeb, Sony Online Entertainment LLC, Sony Pictures, STA Travel, The Knot, TripAdvisor, Travel Ticker, TypePad, viagogo, Vox, Yelp, WeddingChannel.com and Zappos.com.

There are a lot more invasive privacy violations in there, and that the law doesn’t recognize them as well is pretty sad.

Are you saying that even in an opt-in model there is still exposure here?

Yes, because the opt-in is “should Facebook share this info with your friends” and not “should Blockbuster share this info with Facebook”. With the opt-in as it is, you don’t get a choice about the latter.

Mike: good point about the relationship between Facebook and Blockbuster. Interestingly, I could see a demand for indemnification going in either direction, if one of them ends up on the hook for damages.

heebner: Also good points. In order:

  • The queue/rental distinction is relevant, but I don’t think it matters. That’s because PII is defined in the VPPA as including information about the videos people “requested,” not just the ones they actually “obtained.” Moreover, the PII definition of PII uses the word “includes,” which means it isn’t even limited to that case. A mere expression of interest—which queueing certainly is—seems sufficient, if it really is personally “identifiable” as it is with Beacon.
  • The number of notices that went out during that window is a big factor in the class-action calculus. Punitive damages are also on the table, which could sweeten the pot for them. Also, the VPPA is specifically enough drafted that I wouldn’t rule out step (4) leading to liability even in a regime in which people had opted into the overall program.
  • Is Facebook a person? The general federal rule is that “person” means any human being born alive (see 1 USC § 8). That’s not the end of the matter, though, since disclosing information to Facebook’s computers might be considered to be equivalent to disclosing that information to the people who operate those computers and run Facebook.

Facebook is receiving data opt-out or not.

Facebook’s Beacon sends information about your transaction to facebook.com even if you never use Facebook.

How to block Beacon: http://blockthefacebook.com

vis-a-vis the last comment. It seems blockbuster disclosed potentially personally identifiable information about everyone who has rented a movie from their site since Beacon was instituted. If we think of Facebook as a person (strong case that they are a newspaper) then all these disclosures are illegal, even if they stopped in the newsroom (Facebook’s servers). Where was blockbuster’s legal team on this? Makes me wish I had a Blockbuster account. :) That’s some serious money.

James, re: the question of whether Facebook is a “person,” you commented above that a person is “any human being born alive.” IANAL(!) but whenever I read the word “person” in a statute like this (without any additional context) I assume the term could refer to either a natural person or, more broadly, any entity that could be considered a “juristic person.” If we assume “person” means “natural or juristic person,” then Facebook would certainly be considered a “person” with respect to this law. Is my assumption incorrect, or were you being conservative in your interpretation of the law?

I should have been more meticulous in looking at the “person” question earlier, and checked all the relevant definition sections. Facebook is a person for purposes of the VPPA, and unambiguously so. See the second addendum to the post for details.

Well that certainly makes things more interesting… since data is still sent to Facebook after you opt-out, Blockbuster could still be in violation of the VPPA. The law’s language doesn’t seem to consider how the information is used, whether it’s stored, etc. So the fact that Blockbuster is sending the data at all could constitute a disclosure.

I’m really getting sick of all these privacy complaints about big sites. If you care about your privacy DON’T GO ON THEIR FUCKING WEBSITE!! This really isn’t that crazy an idea. It is their website, they own it, and they are allowed to keep an eye on how people use THEIR WEBSITE and do whatever they want with that information.

Think about it, that’d be like making it illegal to look at the shoe prints made by people walking through your property. Would you tolerate something like this? Of course not, so stop expecting it of other people.


Setting aside the fact that in this particular case, the law specifically says that they can’t do whatever they want with that data, would that it were so easy.

1) In modern society, you have to do business with somebody. If they’re all doing it, that’s not much choice, is it?

2) Unfortunately, a vast number of the worst kind of privacy invasions are not perpetrated directly on the offending site. For example, if you want to avoid having a Google profile, you not only have to send no email to people using Gmail and not browse any site that uses AdSense or Google Analytics or any of their embedded services, but also prevent everyone you send mail to from forwarding your mail through Gmail. In other words, this is impossible, and even if it were possible, it’s an undue burden on the user, because it’s not just Google, it’s every other site that operates that way. Sure, you can block Google if you want, and then there are a hundred others you also have to block.

Dear Mr. Henderson,

Please be aware that Facebook and Blockbuster are two different entities, and that each of my friends constitutes an entity separate from both.

When two persons are not the same as each other, it is possible for one to perform an illegal action with regard to the other that would be legal if that entity had performed the action with regard to itself. For example, I can put some money into my own pocket and then perform acts upon myself from which I derive sexual pleasure, but (as my lawyer has repeatedly emphasized to me), I cannot do the same thing with your mom, despite the fact that she is quite willing and finds her primary means of financial support thereby.

I think your analogy is off the mark anyway, but in this case it doesn’t even apply.

@Jeffrey - In certain circumstances I’d agree with you. If a company makes it clear that they plan to use data in a certain way before you give them the data, then you can make an informed decision about whether you want to interact with that company / give them your data. If, on the other hand, a company that you have an ongoing relationship with decides to change their data policy after you’ve given them your data, that’s a different story.

In this case you don’t even have to go to facebook’s website for beacon to be invasive, so your solution won’t work. A better metaphor for beacon’s operation would be if local stores in your area teamed up with your local newspaper to publish a list of items you bought during the week by associating your credit card number with purchases and other personal information. Would you have a problem with that? Would you think “don’t shop at those stores,” (you’re not even sure in advance which ones they are) or “don’t use credit cards” (you pretty much have to these days) would be reasonable solutions?

“It seems blockbuster disclosed potentially personally identifiable information about everyone who has rented a movie from their site since Beacon was instituted.”

I disagree. The law says “A video tape service provider who knowingly discloses, to any person, personally identifiable information…”

Think about how beacon works. For any personally identifiable information to occur, a handshake has to occur, which requires that a user be actively logged in to Facebook.com. Blockbuster does not actually pass personally identifiable information to Facebook. Facebook infers personally identifiable information based on the user’s logged-in state on their site. Blockbuster passes the action to Facebook, not the person’s name. Thus, there is no personally identifiable information exchanged for a) non-Facebook users or b) Facebook users who are logged out. And those two user states would comprise (by far) the lion’s share of activity in the beacon exchange between Facebook and Blockbuster…thus that would limit the number of cases significantly. Remember, if you’re not actively logged in to Facebook with a cookie, Facebook doesn’t know who you are, and Blockbuster’s information exchange doesn’t shed any light.

re: heebner

If a person were to rent from blockbuster while logged out of facebook, facebook has the opportunity to set a tracking cookie on that person’s browser. Should they later log in to or sign up for facebook without clearing their cookies, facebook knows enough to connect them with their rental history. Even if they DON’T EVER visit facebook, facebook can correlate their rental history with purchases made with other beacon partners. That counts as personally identifiable in my book. Bring on the lawsuits!

Forgot to mention my larger point. Blockbuster has no inkling of what a visitor’s status regarding facebook session is. They behave the same regardless. If their behaviour is illegal in any instance it is illegal in all instances.