On Tuesday of this week, a class-action lawsuit was filed in U.S. District Court in Northern California against Facebook and several of its Beacon Program Affiliate companies for violating several computer and consumer privacy laws during 2007 -- before Facebook updated its Beacon Program opt-out policy.
The complaint alleges that Facebook and its affiliates (e.g., Blockbuster.com, Fandango.com, Hotwire.com, Overstock.com, Gamefly.com, and others) violated one or several laws:
- Violation of Electronic Communications Privacy Act, 18 U.S.C. § 2510
- Violation of Computer Fraud and Abuse Act, 18 U.S.C. § 1030
- Violation of Video Privacy Protection Act, 18 U.S.C. § 2710
- Violation of California’s Consumer Legal Remedies Act, California Civil Code § 1750
- Violation of California’s Computer Crime Law, Penal Code § 502
I've Been Mugged reviewed the complaint, which described the Beacon Program's processes:
"Every time someone visited a Facebook Beacon Activated Affiliate’s website and performed a pre-defined action, that action triggered a script that set the Beacon program into action. The Beacon script contacted Facebook notifying Facebook of the event or action taking place at the Facebook Beacon Activated Affiliate’s website."
The complaint outlined the alleged problems with the Facebook Beacon Program:
"... the Beacon program was not designed to obtain any consent, and indeed, did not obtain any consent prior to the communication of identifying transactional information to Facebook. By the time any user was notified that Facebook was (at a minimum), an observing party to the transaction, and that Facebook was asking for an approval to publicly broadcast identifying information regarding the event, personally identifying information had already been communicated to Facebook."
What I found particularly surprising and troublesome (bold added for emphasis):
"The Beacon program sent information regarding specific user transactions on Facebook Beacon Activated Affiliates’ websites to Facebook regardless of whether the user was a Facebook member or not. Thus, no consent was sought, nor was any consent obtained from persons who utilize the Facebook Beacon Activated Affiliate’s website who were not Facebook members. Thus, non-Facebook persons who utilized the Facebook Beacon Activated Affiliate websites were not told that their transaction, and indeed, every transaction they engaged in upon the website was being communicated to a third party (Facebook) with whom they had no relationship whatsoever."
Yes, you read that correctly. Beacon Program Affiliate company sites allegedly sent consumers' personally identifiable data to Facebook for both Facebook subscribers and users who were not Facebook subscribers. The complaint also outlined how Facebook allegedly used the cookies file on consumers' web browsers:
"What made the Beacon program distinguishable from other forms of website interaction, was the way in which a website that was not open in a user’s browser (in this case, Facebook.com) had become actively involved in the exchange between a user and a third-party website. Beacon utilized cookies to obtain information from the user’s computer..."
The complaint also outlined how the Beacon Program allegedly used iFrame technology to perform actions without users' awareness:
"If the user was not a Facebook member, Facebook still obtained the notification from the Facebook Beacon Activated Affiliate. Facebook then undertook the same action of (theoretically) generating a pop-up on the Facebook Beacon Activated Affiliate website, however, the iFrame was slightly modified – it was a ghost iFrame, so-called because the information was rendered transparent and the viewer did not see anything. But the same data was still sent to Facebook, and Facebook still responded and interacted with the Facebook Beacon Activated Affiliate’s website with respect to the user’s transaction."
This lawsuit is very appropriate. First, it outlined how not to design a behavioral advertising program with an opt-out mechanism:
"... the proffer to obtain that consent made to the user was wholly inadequate, uninformed, misleading, untimely, and deceptive. It was inadequate because, on most Facebook Beacon Activated Affiliate websites, where it was operational at all, it was only available as a quick pop-up for approximately 10 seconds or even less, and if a user missed it, misunderstood it, had another window browser open, or even looked in the wrong direction when it was momentarily available, such actions and a host of other similar non-consensual occurrences were all interpreted as and defaulted to “consent.” It was uninformed because the pop up did not explain or specify how, which, or through what means the information concerning the transaction at the Facebook Beacon Activated Affiliate website would be broadcast both to Facebook and to the Facebook user’s friends list. It was misleading because it implied that the user was given some control over information to be communicated when, in fact, no such control was offered or available to the user. It was untimely because by the time the pop up asked for consent to communicate transactional information, the transactional information had already been communicated. It was deceptive because, in almost every instance, the information sharing was contrary to the stated privacy policies of the Facebook website and every other Facebook Beacon Activated Affiliate that had signed up for the program."
Second, the lawsuit highlights the problems that arise when companies rush to develop behavioral advertising with an opt-out system default: all users are included, whether or not they want to be. This default places the burden on consumers to opt out, and opting out can be tricky and complicated. The opt-out mechanism can be difficult to find, and it can require repeated visits since the opt-out may not apply to all advertisers in the program.
As I've written in prior behavioral advertising posts, the system default should be opt-in: consumers are only included in the program after they explicitly opt in and give consent. And, as advertisers leave or join the network, the opt-in should be re-presented.
A system default with opt-in is not difficult. Company web sites have employed registration pages since the mid-1990s. And, if the behavioral advertising program actually delivers the benefits promised, that would make the opt-in easy and beneficial for all.
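A sketch of the opt-in default argued for above, added here as an illustration and not taken from the complaint or from any Facebook code: the consent decision happens before anything leaves the affiliate site, non-members are never included, an ignored prompt changes nothing, and consent goes stale when the advertiser list changes. The names `ConsentStore`, `gateEvent` and `networkVersion`, and the `.example` domains, are hypothetical.

```javascript
// Added example: opt-in gate for a Beacon-style event. All names are hypothetical.

// Fingerprint of the current advertiser set; a consent record is bound to it,
// so any advertiser joining or leaving invalidates earlier consent.
function networkVersion(advertisers) {
  return JSON.stringify([...new Set(advertisers)].sort());
}

class ConsentStore {
  constructor() {
    this.records = new Map(); // userId -> { version, grantedAt }
  }
  // Called only from an explicit user action (e.g. a submitted opt-in form),
  // never from a timeout or a dismissed pop-up.
  grant(userId, advertisers, now = Date.now()) {
    this.records.set(userId, { version: networkVersion(advertisers), grantedAt: now });
  }
  revoke(userId) {
    this.records.delete(userId);
  }
  status(userId, advertisers) {
    // No account (non-member) or no record means no consent: the default is "out".
    const rec = userId == null ? undefined : this.records.get(userId);
    if (!rec) return 'no-consent';
    return rec.version === networkVersion(advertisers) ? 'granted' : 'stale';
  }
}

// Decide BEFORE any data is transmitted. `send` stands in for the network call.
function gateEvent(store, event, advertisers, send) {
  const status = store.status(event.userId, advertisers);
  if (status !== 'granted') {
    // Nothing is sent. Members may be shown the opt-in again; non-members are not prompted.
    return { sent: false, reason: status, prompt: event.userId != null };
  }
  send({ userId: event.userId, affiliate: event.affiliate, action: event.action });
  return { sent: true, reason: status, prompt: false };
}
```

Because `grant` is the only path to a `granted` status, a missed or ignored prompt leaves the user excluded instead of defaulting to consent.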
To learn more, select the "Behavioral Advertising" keyword in the tag cloud in the right column, or download a copy of the complaint.