• by Wendy Davis  @wendyndavis, September 30, 2011

A Michigan resident has sued Pandora for violating a state privacy law by sharing information about the music he listens to online.

Peter Deacon alleges that Pandora's integration with Facebook in April 2010 resulted in the disclosure of "sensitive listening records" to his friends on the site. He also says that Pandora had a separate feature that allowed anyone to search for and access users' profile pages by their email addresses. Profile pages include material like favorite groups and listening history.

Deacon argues that Pandora violated Michigan's Video Rental Privacy Act, which prohibits companies that offer books, music or videos from disclosing customers' identities without their consent. That law was enacted in Michigan more than 20 years ago, at around the same time that Congress passed the federal Video Privacy Protection Act. The Michigan law is broader than the federal statute, which only applies to movies.

Michigan's statute provides for damages of $5,000 per violation; Deacon is seeking class-action status.

Deacon says in his lawsuit that Pandora's integration with Facebook allowed the music company to learn many peoples' real names, even if they had signed up for Pandora with pseudonyms. Pandora then allegedly connected people's real identities with their Pandora accounts and revealed information about their music tastes.

"At no time did Pandora ever receive consent to disclose its users' protected information to their Facebook contacts," Deacon alleges in his complaint, filed in U.S. District Court for the Northern District of California.

Pandora declined to comment on the lawsuit.

Pandora was among the first of Facebook's "instant personalization" partners. That feature, launched last year, automatically shares logged-in Facebook users' names and photos with outside partners. Facebook's other initial partners were Yelp and Microsoft Docs. The social networking service since added Trip Advisor, Clicker, Scribd and Rotten Tomatoes to the roster of instant personalization companies.

People could always opt out of instant personalization, but when Facebook launched the feature it operated by default. (The feature is different from Facebook's social widgets program, which involves placing "like" buttons on outside publishers' sites. Facebook doesn't share users' information with the sites that merely have a widget on them.)

Deacon's lawyer, Jay Edelson, says that other states have laws that may protect the music-listeners' privacy. "We are currently analyzing those as well," he says.

Edelson adds that companies only violate those privacy laws when they share data without users' consent. "Pandora," he says, "acted unilaterally when it integrated its users' accounts with Facebook without giving its customers a chance to say no."

At least one other music company, Spotify, is now sharing information about people's music choices with their Facebook friends. Spotify now requires new users to connect to the service through their Facebook log-ins, but the company also just launched a private-listening mode that lets people stream music without sharing it on Facebook.