Netflix may now be able to use Facebook to further alienate its consumers while pursuing a lucrative revenue stream. The House amended the Video Privacy Protection Act (VPPA) to relax written consent requirements for sharing information on movie rentals. This opens the door to Netflix having a Spotify-like presence on Facebook feeds and finally lets me see how many of my Facebook friends truly appreciate “The Room.”
The House’s vote, which was surprisingly more contentious than anticipated and attracted a bit of money, is an important step in changing our strict consent requirement (written consent required for every disclosure) for the sharing of video rental information. The amendment allows for continuous consent obtained on the Internet, while still asking for it to be “informed, written consent.” It requires such consent to be distinct and separate from other legal or financial obligations. This means consent need only be established once on the Internet, though it can be revoked. The full text is here, and will take longer to load than to read, and does not tell us how consent on the Internet is actually achieved.
The amendment has a startling lack of the words “opt-in” or “opt-out,” along with any requirement of notification upon a change in company policy. The bill looks like an opt-in regime (it still asks for “informed written consent”) that will require notification of change of significant policy, but it does not address the political divide around these words. Of course, given our propensity for opt-out schemes, I could be reading this completely reasonably but incorrectly. One representative (Hanna, R-NY) explains his reasoning that the amendment “clarifies” current consent law, requiring an “opt-in” but allowing an “opt-out” at any time.
Privacy advocates are skeptical of this change, raising serious concerns over the loss of meaningful control over information privacy. Mark Rotenberg of EPIC (the main opposition to this amendment) claims this destroys the right to meaningful consent. He reads the amendment as diminishing users’ control over their own personal information. The Center for Democracy and Technology was less condemning in its responses, suggesting this to be considerably less important than other privacy issues Congress should be tackling. The CDT also points out that the original VPPA is a high-water mark for privacy legislation, and any degradation of it will be taken as a general attack on privacy. Members of Congress were more concerned about their own personal problems than their constituents’ problems.
One concern that lurks in the background is that the amendment allows “consent” to be defined as “check/uncheck this box to continue on to your normal Netflix experience, and by the way we are sharing your information with all your Facebook friends and/or anyone that asks.” The actual concern might not be that ridiculous, but there is definitely a knee-jerk reaction here to the thought that this purportedly “opt-in” amendment will still allow an automatic enrollment in the service until you opt-out. Without thinking about the history of opt-in/opt-out, the statutory language potentially precludes that by requiring consent to be given in a context free of other legal and financial obligations. Still, it’s easy to remember Spotify’s rather unchallenged entrance into Facebook as feeling like this, considering how we were all mystified when people started asking about our seemingly endless love for Kate Bush (YouTube). This is not a minor concern, but it is also not something we give companies complete freedom to do.
The FTC sent clear signals to social media sites and advertisers that dramatic changes to privacy policies concerning personal information will not be acceptable without some sort of new consent. Facebook just got in a whole heap of trouble for this sort of thing, and is subject to privacy audits and requirements of privacy “opt-ins” from users for substantial changes to policy. The FTC also just closed comments on another privacy enforcement action with a behavioral advertising company, ScanScout, that used “flash cookies” in a rather deceptive way. The proposed ScanScout consent order requires strict notification and meaningful opt-out requirements, resembling to some degree the FTC’s proposal for Do Not Track legislation or regulation. Netflix, Hulu, Amazon Instant, iTunes, and other “rental” services should be well aware of the problems they can run into and the broad power of enforcement the FTC is exercising; it will surprise no one if the FTC starts investigating abuses in an area of newly reduced privacy.
The FTC’s involvement in major industry problems is forcing the industry to take on more accountability in hopes of avoiding run-ins with the FTC and reducing the need for regulatory action. Many of the principles center on either notice before a practice starts (looking more like an opt-in) or a pervasive reminder of a service (looking like the elusive “meaningful opt-out”). While the FTC might only be able to go after the big fish, industry standards reflective of the FTC’s position seem to be taking hold.
In the end, I think this bill is “ok” and will not have the negative and destructive effects that Rotenberg implies. An individual’s consent can still be revoked, and it’s difficult to see this practice taking everyone by surprise. If it did, the FTC might have some further words with Mr. Zuckerberg about their prior agreement. While I’d like to see our politicians more directly confront what we expect from our privacy regime, I’m more comfortable letting the FTC experts, industry players, and privacy advocates come to a consensus on what “works” before Congress tells us what aspect of privacy is most important or opens the floodgates of private litigation.