The Risk Of Clicking Facebook’s Social Plugin

garykibel“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Gary Kibel, a partner in the technology, digital media and privacy practice group at Davis & Gilbert.

When developing an interactive campaign or product, incorporating social plug-ins is generally a quick and easy no-brainer. However, have you ever asked about what data is being collected by the plug-ins, or if there are any laws on the books that might apply to this activity?

The ad tech world often finds itself forced to resolve the conflict between decades-old laws and new technology. The round peg often does not fit into the square hole. This is precisely the situation in a pending class action lawsuit involving Hulu, the Facebook “like” button and the Video Privacy Protection Act (VPPA).

The VPPA is not some new law enacted to address online video. It was signed by President Ronald Reagan in 1988 in response to outrage over the disclosure of Supreme Court nominee Robert Bork’s video rental history. A reporter obtained the information from a local D.C. video rental store to highlight Justice Bork’s originalist views that the Constitution does not contain a right to privacy. He didn’t rent anything salacious, like “Rochelle, Rochelle,” by the way, but you can imagine why nervous policymakers passed the law in a hurry.

Pending Lawsuit

The plaintiffs assert that Hulu meets the definition of a “video tape service provider” under the VPPA. While the definition includes the word “tape,” it means a party engaged in the rental, sale or delivery of prerecorded audiovisual materials. The court held that the VPPA’s reference to “prerecorded video cassette tapes or similar audio visual materials” covers prerecorded video content in electronic or new formats, and not just hard copies. Therefore, the 1988 definition applies to modern online video services. The law was not just about physical videotapes, but was about preserving the confidentiality of private viewing preferences.

The plaintiffs next claimed that when the “like” button is clicked, it would transmit personally identifiable information to Facebook that was tied to these viewing preferences. Under the VPPA, personally identifiable information is that which “identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” For a time, the referrer URL being used included the title of the video being watched, the user’s IP address and Facebook ID. The court agreed that personally identifiable information does not need to include a name, but can include a Facebook ID transmitted through a “lu” cookie. Taken together, the argument made was that the user’s personal (not anonymous) video viewing habits were being shared without the user’s consent.

Consent for the transfer of such personally identifiable information would satisfy the VPPA, but there is generally no consent process when clicking a social plug-in. The law states that the consent must be “informed.” A site may not understand what data is being transmitted, and the user certainly has no idea what data is involved.

Broader Implications

Due to procedural and factual matters, this particular lawsuit may not go too far but the lessons learned should be clear. When working with another party that collects data on your site or service via a social plug-in, tag or other tracking mechanism, you must first know what is being placed on your service and understand exactly what data is being collected through such mechanisms. You must also understand, and possibly control, how the tracker will use the data and consider any legal implications.

Netflix managed to have the VPPA amended in 2012, but technology has always moved at a faster pace that the law. The VPPA vs. online video is certainly not the first clash between old law and new technology, and it will unlikely be the last. Persistent identifiers have rich detail and are ubiquitous online. The line between personally identifiable information and non-personally identifiable information is rapidly eroding.

If you liked this article, please click … oh, never mind.

Follow Gary Kibel (@GaryKibel_law), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!