News, Developments, and Insights

high-tech technology background with eyes on computer display

Facebook Fandango

Facebook recently rolled out a new advertising program called Social Ads, where Facebook users’ images, names, and words are used to help advertise products and services. I blogged about Facebook’s Social Ads here and here, contending that they are likely a violation of the tort of appropriation of name or likeness as well as the right to publicity tort.

Peter Lattman at the WSJ Blog has a great new post about Facebook that throws in another even more troubling wrinkle:

Last Sunday the Law Blog purchased three tickets to “Bee Movie” on Fandango, the movie site. After we did this, Facebook automatically updated our profile to say, “Peter bought ‘Bee Movie’ on Fandango.”

Huh? Did we want everyone on Facebook to know our movie-buying habits? Not really. But it seems we agreed to this. According to Fandango’s privacy policy, which we agreed to by using the site, “If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango . . . Fandango may share information regarding your activities . . . with those third parties pursuant to your authorization.”

Then we checked out our privacy settings on Facebook. Under “Privacy Settings for External Websites,” there’s a Fandango icon, indicating that we’ve agreed to have our actions on Fandango sent to our Facebook profile. We changed our profile, mandating that they never — never! — do this again.

This case illustrates why the current legal regime regulating personal information at most websites is so deeply flawed. The default settings are set to allow information sharing and disclosure, with users often completely unaware of how their information is going to be used. Businesses frequently tout how they are protecting privacy by providing users with “notice and choice” about how their information will be collected, used, and disseminated. Yet the system rarely results in informed consumers or meaningful choices.

So imagine: You go to Fandango and buy tickets to see a movie — and then all of a sudden your purchase is being revealed publicly to everybody you know on Facebook. You probably didn’t even know that Facebook had this deal with Fandango. What if more websites like Fandango start to collude with Facebook? Does this mean that every time we visit a website, every time we make a purchase, the information starts showing up in our Facebook profiles and on our friends’ Facebook profiles?

At least Social Ads, as I understood it, involved people publicly stating they liked or used a product. This is still problematic, for the reasons I discussed in my posts — being used in an ad unwittingly is a harm even if one has publicly praised the things being advertised in the past. But now Facebook is taking things one step beyond by exposing people’s personal information to the public. Perhaps Peter Lattman doesn’t want the world to know that he saw Bee Movie. Perhaps he does. But this is something he should decide, not the corporate officials at Facebook or Fandango.

“Poor Peter,” Fandango and Facebook will say, “But you should have read our privacy policies! It’s all your fault Peter.” Fandango’s privacy policy states:

If you are a member of a social network service (such as Facebook, MySpace, etc.) or you use other Internet sites where you have authorized them to gather information about your online behavior on Fandango (for instance, to notify your friends that you have viewed a video or bought movie tickets), including participation in any behavioral reporting program that they may operate on or off of their own site (i.e., Facebook Beacon, etc.), Fandango may share information regarding your activities on our Site or other Service with those third parties pursuant to your authorization, and they may associate that information with Personally Identifiable Information they already have about you (such as your Facebook Profile) and use it to improve their site or services or for other purposes. Fandango does not control the privacy policies of such third parties, and their privacy policies will govern their use of your information once it has been transmitted by Fandango. Fandango assumes no responsibility or liability for the actions of such third parties with respect to their use of your information or otherwise. Accordingly, make sure you are aware of and comfortable with the privacy policies of any third parties that you authorize to gather information from Fandango.

Get that? If you don’t like it, Fandango is saying you should take it up with Facebook. This paragraph is buried in a very lengthy policy of 2474 words. But if you’ve used Fandango, you’ve agreed to it, whether you read it or not. According to the policy:

When you use the Site or other Service, you are accepting the terms and conditions of this Privacy Policy, and Fandango will have the right to use your Personally Identifiable Information or other information about you as described in this Privacy Policy.

So Fandango passes the buck to Facebook. On to Facebook then. Facebook’s privacy policy clocks in at 3514 words. Plus, you can’t just read that. You also need to read the Terms of Use (a mere 6445 words). And then check your default settings, which are preset to maximize the exposure of your information. And of course, the privacy policies of Facebook, Fandango, and any other website that might later share information with Facebook are subject to change at moment’s notice, all without notifying you of the change!

So read up! Read often! Does this really make sense as a meaningful way to protect consumer privacy?

There’s another way to protect people’s privacy — opt-in. If Fandango wants to share your information with Facebook, it should ask for your consent first before doing so. Simply providing a privacy policy, a verbose and lengthy document that nobody reads and that is subject to change at any moment isn’t sufficient. You don’t consent just because they assume you do. If Facebook wants to disclose what you’re doing and buying on other websites, or use your name or image in an ad, then it should ask you. Instead, these companies hide behind thousands of words of legalese, claiming that by merely providing a little link to these policies at the bottom of their websites, you’ve consented to them the second you start using the site. This isn’t meaningful consent. And it isn’t a meaningful way to protect consumer privacy.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
LinkedIn Influencer blog

TeachPrivacy Ad Privacy Training Security Training 01