« The University of Chicago Law Review, Issue 74:3 (Summer 2007) | Main | How to Send Us Cool Stuff: Concurring Opinions Publicity Guidelines »
November 16, 2007
The Facebook-Fandango Connection: Invasion of Privacy?
Facebook recently rolled out a new advertising program called Social Ads, where Facebook users' images, names, and words are used to help advertise products and services. I blogged about Facebook's Social Ads here and here, contending that they are likely a violation of the tort of appropriation of name or likeness as well as the right to publicity tort.
Peter Lattman at the WSJ Blog has a great new post about Facebook that throws in another even more troubling wrinkle:
Last Sunday the Law Blog purchased three tickets to “Bee Movie” on Fandango, the movie site. After we did this, Facebook automatically updated our profile to say, “Peter bought ‘Bee Movie’ on Fandango.”Huh? Did we want everyone on Facebook to know our movie-buying habits? Not really. But it seems we agreed to this. According to Fandango’s privacy policy, which we agreed to by using the site, “If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango . . . Fandango may share information regarding your activities . . . with those third parties pursuant to your authorization.”
Then we checked out our privacy settings on Facebook. Under “Privacy Settings for External Websites,” there’s a Fandango icon, indicating that we’ve agreed to have our actions on Fandango sent to our Facebook profile. We changed our profile, mandating that they never — never! — do this again.
This case illustrates why the current legal regime regulating personal information at most websites is so deeply flawed. The default settings are set to allow information sharing and disclosure, with users often completely unaware of how their information is going to be used. Businesses frequently tout how they are protecting privacy by providing users with "notice and choice" about how their information will be collected, used, and disseminated. Yet the system rarely results in informed consumers or meaningful choices.
So imagine: You go to Fandango and buy tickets to see a movie -- and then all of a sudden your purchase is being revealed publicly to everybody you know on Facebook. You probably didn't even know that Facebook had this deal with Fandango. What if more websites like Fandango start to collude with Facebook? Does this mean that every time we visit a website, every time we make a purchase, the information starts showing up in our Facebook profiles and on our friends' Facebook profiles?
At least Social Ads, as I understood it, involved people publicly stating they liked or used a product. This is still problematic, for the reasons I discussed in my posts -- being used in an ad unwittingly is a harm even if one has publicly praised the things being advertised in the past. But now Facebook is taking things one step beyond by exposing people's personal information to the public. Perhaps Peter Lattman doesn't want the world to know that he saw Bee Movie. Perhaps he does. But this is something he should decide, not the corporate officials at Facebook or Fandango.
"Poor Peter," Fandango and Facebook will say, "But you should have read our privacy policies! It's all your fault Peter." Fandango's privacy policy states:
If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango (for instance, to notify your friends that you have viewed a video or bought movie tickets), including participation in any behavioral reporting program that they may operate on or off of their own site (i.e., Facebook Beacon, etc.), Fandango may share information regarding your activities on our Site or other Service with those third parties pursuant to your authorization, and they may associate that information with Personally Identifiable Information they already have about you (such as your Facebook Profile) and use it to improve their site or services or for other purposes. Fandango does not control the privacy policies of such third parties, and their privacy policies will govern their use of your information once it has been transmitted by Fandango. Fandango assumes no responsibility or liability for the actions of such third parties with respect to their use of your information or otherwise. Accordingly, make sure you are aware of and comfortable with the privacy policies of any third parties that you authorize to gather information from Fandango.
Get that? If you don't like it, Fandango is saying you should take it up with Facebook. This paragraph is buried in a very lengthy policy of 2474 words. But if you've used Fandango, you've agreed to it, whether you read it or not. According to the policy:
When you use the Site or other Service, you are accepting the terms and conditions of this Privacy Policy, and Fandango will have the right to use your Personally Identifiable Information or other information about you as described in this Privacy Policy.
So Fandango passes the buck to Facebook. On to Facebook then. Facebook's privacy policy clocks in at 3514 words. Plus, you can't just read that. You also need to read the Terms of Use (a mere 6445 words). And then check your default settings, which are preset to maximize the exposure of your information. And of course, the privacy policies of Facebook, Fandango, and any other website that might later share information with Facebook are subject to change at moment's notice, all without notifying you of the change!
So read up! Read often! Does this really make sense as a meaningful way to protect consumer privacy?
There's another way to protect people's privacy -- opt-in. If Fandango wants to share your information with Facebook, it should ask for your consent first before doing so. Simply providing a privacy policy, a verbose and lengthy document that nobody reads and that is subject to change at any moment isn't sufficient. You don't consent just because they assume you do. If Facebook wants to disclose what you're doing and buying on other websites, or use your name or image in an ad, then it should ask you. Instead, these companies hide behind thousands of words of legalese, claiming that by merely providing a little link to these policies at the bottom of their websites, you've consented to them the second you start using the site. This isn't meaningful consent. And it isn't a meaningful way to protect consumer privacy.
Posted by Daniel J. Solove at November 16, 2007 01:57 PM
Trackback Pings
TrackBack URL for this entry:
http://www.concurringopinions.com/movabletype/mt-tb.cgi/2744.
Comments
It's not just Fandango, seems to be at least a few different retailers. I just bought a pair of moccasins on Zappos.com and the same thing happened to me. The fact that I'd bought the shoes, and a link to them, was on my main profile page. Now there's a Zappos icon in my privacy settings. Facebook users will have to actively change the privacy setting for every online store where they shop that has this kind of relationship with Facebook each time they make a purchase, and don't want the purchase broadcast on their profile. That doesn't seem right.... even if I "should have" read the privacy policy.
Posted by: 2L at November 16, 2007 08:16 PM
It gets worse than that at facebook. Facebook gives you no chance to opt-out of sharing that information from 3rd party sites until after they have already received something and posted it.
If you go to the external websites tab in your privacy settings on Facebook, you don't see any websites listed unless they have already received some information from one.
So the harm to your privacy is already done before you get a chance to stop it from happening.
Posted by: unc 2L at November 17, 2007 09:38 AM
Yep, i just checked and i got dinged because i logged on to "Swap Anything."
I am not part of the age demographic that lives and dies by Facebook, and i find the public face of that demographic disheartenig to say the least, but I refuse to become a dinosaur. So i checked it out.
But all the on line and software user agreements we all sign are 1) onerous 2) usually unintellible 3) without a doubt contracts of adhesion and 4) almost certainly incapable of standing up in court.
But they are so ubiquitous and so seldom an issue that no one will do anything about it until, and unless there is a really big scandal. Ivolving blood. Mayhem.
Or some DEEP pockets.
Good luck, to those of you who would ask for decency, fairness, common sense. These are crrently out of vogue, as the meanspirited among the comments above show all to well.
Posted by: carrollstraus at February 15, 2008 01:07 PM
