When Facebook Beacon was first announced and the first screenshots shown, I pointed out in a comment on TechCrunch (#43) the issues around the collection of data in addition to notification. Four days later, GigaOm called out Beacon's privacy issues as well, and has carried a torch since.
Beacon is a brilliant move by Facebook, but they're toeing a huge line (wrt privacy concerns). Regardless of their conceding on notification issues, Beacon represents an unparalleled level of user profiling without user control or transparency. Everybody knows that every media company on the Web is profiling each of us, but that said we still have more privacy online than we do offline -- most profiling to date is typically associated to an IP address only.
Beacon is coupling personally identifiable information (aka PII) to widely distributed collection of browsing behavior and attention data. Their data collection is not limited to their beacon partners -- Facebook can collect valuable user browsing behavior anywhere they want, via an ad unit, image, or any distributed beacon that calls back home -- whether or not you're signed in. In doing so, Facebook even collects behavioral information on non-users. And Beacon partners are basically giving Facebook all their commercial activity. Many spyware companies of 2003-2004 didn't have it this good!
I believe this is one of the reasons why Microsoft bought into Facebook. Think about Beacon in every ad unit served by Microsoft! The reach of Microsoft's ad network, coupled with Beacon partners and all their transaction data, coupled with the PII within Facebook -- this represents an unprecedented level of personally identifiable attention data collection if they pull it off.
This is way way more than a notification issue. And I wouldn't be surprised to see NY General Attorney Elliot Spitzer joining the fracas. Remember the DoubleClick controversy of 1999? They came under intense public scrutiny, with lawsuits from 10 states, for their attempts to merge anonymous browsing behavior with PII. There is very little different here ...
I spend a lot of time thinking about how to directly couple user value to deep user profiling. There is a tremendous market advantage to any company whose users are incentivized to provide information about themselves and their browsing behavior -- as doing so increases the value of the service. (Others Online is one such attempt.) It's a virtous cycle of value, for both the company and the user. But there has to be full transparency and control for the user, otherwise it will be given the dreaded spyware label.
Unless Facebook ceases their data collection efforts, allows users to opt-out of ALL data collection, and/or provides full transparency and control, then they risk earning the label "spyware 2.o".