Facebook Violated User Privacy, Suit Says

The online social networking site Facebook Inc. violated users' privacy by sharing personal information about other Web sites they visited without their knowledge or consent, a federal class-action lawsuit alleges.

The case involves Facebook's online joint marketing venture with a number of other corporations, including Blockbuster, Hotwire, Overstock.com, Zappos and Gamefly.

Those affiliates in the "Facebook Beacon" venture also have been named as defendants in the case.

According to the complaint, filed in the U.S. District Court for the Northern District of California, when Facebook members visited the affiliates' Web sites and engaged in so-called "Beacon trigger activities," reports on their actions were forwarded to Facebook.

The activities include downloading, commenting, and shopping and ordering, according to the complaint.

The information about those activities was then published on the user's home and profile pages on Facebook and broadcast to designated "friends" on Facebook.com.

According to the complaint, Facebook members can distribute information to their network of "friends" about their activities at 44 sites that have partnered with Facebook, including those involved in the lawsuit.

When a Facebook member uses a Beacon affiliate's site, a pop-up window reports that the affiliate is sending a summary of activity to the user's Facebook profile.

The pop-up includes a "no, thanks" option that the user can click to prevent the information from being shared with other Facebook members, but that is the only opt-out mechanism, and it is not adequate to protect the user, the complaint says.

The policy, with its various privacy options, is lengthy and complicated, and the pop-up last only about 10 seconds, the plaintiffs say.

Because so many Facebook members began to complain about the pop-up's opt-out feature, the company changed to an opt-in system so that a member had to give explicit permission before any information would be shared.

Nevertheless, the suit says, Facebook still receives personal information from participating Web sites whether or not the Facebook member has chosen to distribute the information.

"In other words, the Beacon system was designed to be difficult, cumbersome and time-consuming to block," the complaint says.

The plaintiffs say they are suing on behalf of all Facebook members who visited one or more of the Facebook Beacon affiliates' sites from Nov. 7, 2007, to Dec. 5, 2007, when Facebook deactivated the program, and engaged in activities that triggered the program.

The complaint alleges violations of the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, California's Consumer Legal Remedies Act, and its Computer Crime Law.

The plaintiffs are asking the court to certify the class and award injunctive relief and monetary damages.

To comment, ask questions or contribute articles, contact West.Andrews.Editor@ThomsonReuters.com.

They are represented by Alan Himmelfarb of KamberEdelson LLC in Vernon, Calif.; Scott Kamber of Kamber Edelson LLC in New York; and Joseph Malley in Dallas.