On Monday, this blog discussed a recent ruling by a California District Court judge regarding a lawsuit against Hulu.com, KISSmetrics, and several defendant. The suit alleged that the defendant companies tracked consumers without notice and consent. Hulu and others attempted to use the Video Privacy Protection Act (VPPA) as a defense, which the court rejected -- meaning movie/video streaming is covered by the VPPA. That blog post also mentioned lobbying efforts by Netflix and Facebook. Today, I'd like to discusses the lobbying activities related to H.R. 2471, and explore the related privacy issues.
H.R. 2471 was introduced in July 2011 by Representative Robert Goodlatte, and passed by the House of Representatives in December 2011. It amends 18 USC 2710, commonly referred to as the VPPA. The Senate has not yet voted on the proposed legislation. In July 2012, MediaPost reported:
"Sen. Patrick Leahy (D-Vt.) this week proposed amending the federal video privacy law to enable consumers to consent on an ongoing basis to the disclosure of information about their movie rentals. Leahy made the proposal as an amendment to a controversial Cybersecurity Act of 2012 (S. 3414)... even if the cybersecurity bill doesn't go through, Leahy's move indicates that the lawmaker agrees with Netflix that the law should be changed..."
Not everyone agrees that the law should be changed, or needs to be changed:
"University of Minnesota law professor Bill McGeveran testified to a Senate panel in January that Netflix could simply offer Facebook users a “play and share” button. If users click on that button, the company could then spread information about users' movie selections to their friends on a per-occasion basis."
Senator Leahy proposed the original VPPA legislation. Now, he supports changing it. You can read the senator's January 2012 statement about why he supports changing the VPPA. To the senator's credit, he mentioned several cautions:
"My original [VPPA] proposal was also to include library records, but we were unable to sustain that protection as the bill worked its way through Congress. More recently, I have worked to add protections for library and bookseller records to section 215 of the USA PATRIOT Act... I worry that sometimes what is “simpler” for corporate purposes is not better for consumers. It might be “simpler” for some if we had no privacy protections, no antitrust protections and no consumer protections, but that is not better for Americans... A one-time check off that has the effect of an all-time surrender of privacy does not seem to me the best course for consumers."
I think that there may be more going on. Forbes reported in December 2011:
"While Netflix has rolled out frictionless Facebook sharing for its Canada and Latin America customers, it has held off in the U.S. in the hopes that Congress will address the issue... Virginia Rep. Robert Goodlatte introduced an update to the Video Privacy Protection Act in July that will allow a "video tape service provider" to disclose people's activity on an "ongoing bases," and that "consent may be obtained through the Internet" -- meaning clicking a box will suffice... Political money analysis non-profit Maplight notes that "the online computer services industry (e.g., the Digital media Association and Netflix), which supported the bill, gave on average 73% more to House members who voted 'YES' ($2,644) than to House members who voted 'NO' ($1,525)."
A review of Senator Leahy's donors may also provide a clue. Media, entertainment, and film companies seem to dominate his donors who gave the most. As of August 15, the senator's largest donors ranked: Time Warner, 3; Walt Disney, 4; Vivendi, 5; Comcast, 9; and Sony, 14.
EPIC shared its views about the legislation:
"H.R. 2471 weakens the consent provision of the VPPA by diminishing the ability of users to control the use and disclosure of their personal information. Under the Amendment, companies like Netflix would be able to obtain one-time, blanket consent from a user and then continuously disclose on Facebook all of the movies watched by that user. Netflix would automatically post this viewing information regardless of whether users would choose to post such information themselves. In addition to transferring control over the user’s information from the user to the company, the Amendment’s blanket-disclosure provision allows companies to profit from the association between users and products. Currently, users of social networking services such as Facebook must take some affirmative action, such as liking or sharing, in order to associate themselves with the product. Thus, users are able to decide on a case-by-case basis which associations they want Facebook to disclose to their friends. By automatically disclosing everything a user watches, the Amendment would make simply watching a movie the equivalent of “liking” it."
The "one-time, blanket consent" that concerns EPIC appears to be the same, "one time check-off" Senator Leahy said he is concerned about. So, I hope that Senator Leahy and the Senate explore improvements to H.R. 2471 that address these concerns. The "one-time, blanket consent" seems tilted too far for the benefits of companies at the expense of consumers.
In my opinion, H.R. 2471 as passed by the House is unacceptable and insufficient. It doesn't go far enough to protect consumers' privacy. How much farther should the legislation go? What might better legislation include?
Below is my list of privacy issues which better legislation, including changes to the VPPA, should include:
- Keep consumers in control of their privacy. This means that the default privacy setting should be "nothing shared" unless the consumer gives explicit consent. A one-time consent is insufficient and undesirable.
- Privacy policies need to be accurate and readable. Since the days of VHS tapes, the Internet has grown along with the use by companies of privacy policies at their' websites. The legislation needs to ensure that privacy policies (including Netflix.com) are crystal clear about what personal information is shared and to whom. That includes any meta data (e.g., viewing time, device, number of views) delivered with the video/movie titles. Otherwise, consumers have no way to make an informed decision about giving consent.
- Mobile devices matter. This is critical since social networking web sites support mobile devices, and this support necessitates several corporate partners (e.g., the mobile device manufacturer, the device operating system manufacturers, telecommunications providers, co-marketing firms, advertisers). Given so many partners' privacy policies, it is difficult for consumers to determine which policy applies. The legislation needs to ensure that mobile app privacy policies are consistently accessible both before and after app installs, and are consistent with partners' website policies. Prior studies have documented poor and inconsistent access to mobile app privacy policies.
- Flexible consent options. For users to maintain control, there should be several sharing opt-in choices. I'd rather see opt-in as device-specific and not global (e.g., across all devices a consumer has). That control may also need to be topic or genre specific. Remember, not all movies are entertainment. Some are closer in content to books (e.g., documentaries) and include sensitive topics (e.g., health care, diseases).
- Consent has limits. The sharing options must provide consumers with the ability to distinguish between sharing with friends and sharing with advertisers. That control should distinguish between social networking websites. Some video/movie-sharing advocates claim, "... people are more willing to share information about what they're watching now." That doesn't mean all consumers nor all social networking websites. Consumers need the control to pick which social networking sites to share their video/movie choices. A single, one-time blanket consent to share is insufficient.
- Children matter. None of the articles I have read about proposed VPPA changes discussed privacy for children. The modified legislation must fit with existing privacy legislation for children, since 56% of parents give their children smart phones for safety and security reasons. Changes to VPPA need to reflect this, which H.R. 2471 does not seem to do.
- Consent can be revoked. Consumers change their minds. People get married, have children, change their consumption habits, experience a data breach, or whatever -- lifestyle changes and experiences impact consumers' privacy choices. The legislation needs to provide consumers with the ability to revoke consent and stop video/movie sharing. H.R. 2471 does not seem to address this.
- Geography alone is an insufficient reason. Just because frictionless movie sharing is already available in other countries (which H.R. 2471 proponents mention), doesn't mean it should be available in the USA. Plenty of laws vary by country or region.
- Speed is not the priority. The old saying, "haste makes waste" applies here, too. A speedy update of the VPPA is not wise. The issues need to be thought through and reconciled with other privacy laws.
In the interest of full disclosure, I am a Netflix subscriber.
If you have opinions or concerns about H.R. 2471, I encourage consumers to contact your elected officials in the Senate, as the Senate could vote to approve H.R. 2471, or develop its own version of legislation to amend the VPPA. Of course, if you are a Vermont resident, please contact Senator Leahy's office.
What's your opinion of H.R. 2471?