Did Blockbuster and Facebook violate the VPPA via Beacon?

James Grimmelmann has an excellent post over at the Laboratorium. His summary:

Another member of a professorial mailing list I’m on asked whether Facebook may have violated the Video Privacy Protection Act of 1988. Nicknamed the “Bork Bill” (a newspaper published his video rental records during his confirmation hearings), the VPPA protects your privacy in the videos you rent and buy. Well, guess what? One of Facebook’s Beacon partners was Blockbuster, so some of the items that wound up in people’s news feeds were the names of videos they’d bought. Oops.

I dug a bit into the legalities of the issue, and this is roughly what I came up with: Facebook and Blockbuster should hunker down and prepare for the lawsuits. Their recent move to allowing a global opt-out may cut them off from accruing further liability, but there’s probably an overhang of damages facing them from their past mistakes.

As usual with James, it’s a very detailed analysis; the discussion is also excellent.

Looking specifically at Blockbuster’s liability, there’s an interesting parallel to my as-yet-unanswered question in the thread about Beacon’s announcement of a global opt-out about whether Beacon caused advertisers to violate their privacy policies. In the web 2.0 world, the dependencies between software components mean that service providers (Facebook in this case) can put their customers (Blockbuster) at legal risk. As Google, Yahoo, Microsoft, Amazon, eBay, Facebook et. al. compete, it will be a major advantage to whoever first seizes the high ground by providing services and platforms that are noticeably less risky. In addition to the classic considerations like security and ability to deliver on service level agreements (SLAs), this will increasingly include considerations like well-thought-out policies — and getting and listening to a broad range of perspectives, including from privacy advocates, before launching new services.