Netflix stung with privacy lawsuits

Via Archie Reed, this story by Greg Sandoval of ZDNet:

Netflix, the web's top video-rental service, has been accused of violating US privacy laws in five separate lawsuits filed during the past two months, records show.

Each of the five plaintiffs alleges that Netflix hangs onto customer information, such as credit card numbers and rental histories, long after subscribers cancel their membership. They claim this violates the Video Privacy Protection Act (VPPA).

Netflix declined to comment.

In a four-page suit filed on Friday, Michael Sevy, a former Netflix subscriber who lives in Michigan, accuses Netflix of violating the VPPA by “collecting, storing and maintaining for an indefinite period of time, the video rental histories of every customer that has ever rented a DVD from Netflix”. Netflix also retains information that “identifies the customer as having requested or obtained specific video materials or services”, according to Sevy's suit.

In a complaint filed 22 February, plaintiff Jason Bernal, a resident of Texas, claimed “Netflix has assumed the role of Big Brother and trampled the privacy rights of its former customers”.

Jeff Milans from Virginia filed the first of the five suits on 26 January. One of his attorneys, Bill Gray, told ZDNet Australia’s sister site CNET yesterday that the way he knows Netflix is preserving information belonging to customers who have left the company is from Netflix emails. According to Gray, in messages to former subscribers, Netflix writes something similar to “We'd love to have you come back. We've retained all of your video choices”.

Gray said that Netflix uses the customer data to market the rental service, but this is done while risking its customers’ privacy. Someone's choice in rental movies could prove embarrassing, according to Gray, and should hackers ever get access to Netflix's database, that information could be made publicly available.

“We want Netflix to operate in compliance of the law and delete all of this information,” Gray said.

All the plaintiffs filed their complaints in US District Court for the Northern District of California. Each has asked the court for class action status. [More here].

In Europe there has been a lot of discussion about “the Right to be Forgotten” (see, for example, Le droit à l’oubli sur Internet). The notion is that after some time, information should simply fade away (counteracting digital eternity). The Right to be Forgotten has to be one of the most important digital rights – not only for social networks, but for the Internet as a whole.

The authors of the Social Network Users’ Bill of Rights have called some variant of this the “Right to Withdraw”.  Whatever words we use, the Right is a far-reaching game-changer – a cure as important as the introduction of antibiotics was in the world of medicine.

I say “cure” because it helps heal problems that shouldn't have been created in the first place. 

For example, Netflix does not need to – and should not – associate our rental patterns with our natural identities (e.g. with us as recognizable citizens).  Nor should any other company that operates in the digital world. 

Instead, following the precepts of minimal disclosure, the patterns should simply be associated with entities who have accounts and the right to rent movies.  The details of billing should not be linked to the details of ordering (this is possible using the new privacy-enhancing technologies).  From our point of view as consumers of these services, there is no reason the linking should be visible to anyone but ourselves.

All this requires a wee bit of a paradigm shift, you will say. And you're right. Until that happens, we don't have a lot of alternatives other than the Right to be Forgotten. Especially, as described in the lawsuits above, when we have “chosen to withdraw.”

Published by

Kim Cameron

Work on identity.