How could an obscure privacy law from 1988 majorly disrupt online video streaming as we know it and make tech giants like Meta and Netflix targets of class action lawsuits? Well, depending on who you talk to (and those involved in the related class action suits) every website that serves you a video is violating the Video Privacy Protection Act, otherwise known as the VPPA.
How the Video Privacy Protection Act Was Born
In 1987, President Reagan nominated the ultra-conservative, strict-constitutionalist Judge Robert Bork for the Supreme Court. Judge Bork’s confirmation hearings were contentious and laborious. On the subject of privacy, Judge Bork believed that Americans were only guaranteed the privacy protections specifically conferred by legislation and nothing more.
To prove a point, a DC-based journalist who frequented the same video rental store as Judge Bork asked the store manager for a list of the 146 video tapes Judge Bork had rented over the past two years. He then published it for all to see.
There was nothing salacious in the rental history – turns out Judge Bork enjoyed Hitchcock and British costume dramas. But the blatant ease with which potentially private information about a high-level official could be obtained was unacceptable to the conservative-led Congress and they decided something had to be done. The Video Privacy Protection Act (VPPA) was streamlined through Congress within a year.
Judge Bork didn’t make it to the Supreme Court, but his legacy through the VPPA has continued over the past 35 years and with a rise in online video and streaming services, it may continue to be relevant into the foreseeable future.
What is the Video Privacy Protection Act (VPPA)?
The Video Privacy Protection Act (VPPA) prohibits a business that rents, sells, or delivers “prerecorded video cassette tapes or similar audio visual materials” from disclosing “personally identifiable information” that could reveal the “specific video materials” that an individual rents or views. 18 U.S. Code § 2710
If a company is found liable under the VPPA, consumers are allowed to pursue a trifecta of remedies: 1) statutory damages in the amount of $2,500 per violation, 2) punitive damages, and 3) recovery of attorneys’ fees. 18 U.S. Code § 2710(c).
One unusual aspect of the VPPA is that it is a Federal protection of consumer privacy against a specific form of data collection on individual citizens. The regulation did not preempt State laws, leaving the States to enact broader protections where they felt necessary. With the VPPA, individual consumers can bring an action directly against violators in Federal Court without having to navigate through formal regulators.
When the law was drafted, there was no way Congress could have imagined that today nearly every movie or video imaginable would be just a few clicks away and watchable from the palms of our hands. At the time, visiting Blockbuster Video stores and similar establishments were the only way to rent videos. But the language of the statute is vague; including phrases such as “similar audio visual materials” and “video materials or services” means that, arguably, contemporary video delivery and streaming services could fall under the scrutinizing eye of the VPPA.
The History of Video Privacy Protection Act Lawsuits
The VPPA mostly lived a life of obscurity while the video rental industry slowly declined and stores closed throughout the 1990’s. In the early 2000’s as the Internet became an exciting medium for video delivery, some enterprising opportunists and a few law professors questioned whether a partnership between Blockbuster and Facebook could invoke the dormant VPPA.
Between 2008-2011 a series of lawsuits were filed against online video streaming services including Hulu and Netflix alleging violations of the VPPA. Thanks to some lobbying efforts, those video providers were able to convince Congress to amend the VPPA in 2013 so that users could opt-in and allow their video content viewing to be shared with third-party social networks. The sites had to obtain “informed written consent” from viewers “including through an electronic means using the Internet.”
Fast forward to the Fall of 2022 when there was a “Meta-sized” -spike in the number of class action lawsuits invoking the VPPA. It seemed like almost any website hosting video could be a target including the NFL, NBA, CNN, NPR, and ESPN. But one company was implicated in almost every lawsuit: Facebook and their parent company Meta Platforms, Inc.
The core issue of the complaints is the “Meta Pixel” which tracks, views, and sends data about who is visiting the site to the social media company. This information doesn’t usually include a person’s name or home address, but it does generate unique ID numbers that are shared with the business’ associated Meta account, so they can target individual users with ads on Meta platforms.
To be fair, this is nothing new. In the 1990’s, sites started tracking browsing activities through “cookies.” The reality is that you can assume that every website you visit is tracking your activities, and then sharing or selling that data because user data has become one of the most valuable commodities in the internet age.
The VPPA & Facebook Meta Class Action Lawsuits
The consensus in courts today is that if a site is tracking and sharing viewer information (Personally Identifiable Information - PII) and selling it for advertising or marketing purposes, that is a violation of the VPPA. There is an exception in the statute allowing companies to share data if it’s for transactional business purposes (what the statute calls “legal or financial obligations” 18 U.S. Code § 2710(2)(B)(i)).
One of the primary questions courts are trying to navigate is how exactly to define PII online – Does an IP address or other ID number associated with an individual’s online account suffice as PII? Or does a consumer’s name and phone number have to be included so that it immediately and unquestionably identifies an individual?
In January 2023, a lawsuit was filed against Chick-Fil-A alleging the fast food chain violated the VPPA. Over the last several years Chick-Fil-A has released an online holiday advertising campaign called “The Stories of Evergreen Hills” with a dedicated website that included animated videos for visitors to watch. Like millions of other websites, the site had embedded a ‘Meta Pixel’ that didn’t collect names, phone numbers, or home addresses, but did gather unique ID numbers that the business could use to identify individual website viewers and target them with ads on Facebook. Privacy advocates insist this information constitutes “personally identifiable information” (PII) that is prohibited from being collected by the VPPA.
Tracking technologies have been the subject of a recent surge of class action lawsuits including alleged Health Insurance Portability and Accountability Act (HIPAA) violations over the use of Meta Pixels. Healthcare providers that use tracking on their websites are coming under fire for collecting and sharing private medical information (based on individual user activity) to Facebook for targeted advertising. VPPA is adding yet another layer of complexity in these suits with many healthcare providers using video on their websites.
So how are courts interpreting this ancient-by-internet-standards statute in the dozens of lawsuits and class-actions brought against companies hosting videos and tracking visitors? Obviously, those companies argue that the tracking pixels don’t collect PII based on traditional definitions. Some courts agree and land on a narrow approach declaring that PII must actually identify an individual with more than an ID number. But other courts cast a wide net when defining PII and state that a unique ID number is sufficient for PII, even when additional information is needed to actually link an individual to their video viewing history (see discussion Czarnionka v. The Epoch Times Ass'n, 22 Civ. 6348 (AKH) (S.D.N.Y. Nov. 17, 2022).
Will Class Action Lawsuits Shape the Future of the VPPA and Online Video?
In the meantime, the VPPA is law and companies must abide by its directives. This is complicated considering most of the internet today is greased and supported by tracking and selling visitor activity. The question remains: how should we push forward if VHS-era rules can be applied to video-streaming realities?
First, any company using video content in their marketing or website must establish comprehensive privacy protocols so they can confidently protect any user data that comes into their possession. This isn’t easy and can be costly. At some companies this means establishing cross-functional teams across legal, privacy, compliance, security, and marketing to do it right.
Remember, companies are allowed to share viewing data as long as they obtain consent from individuals beforehand. But this means being proactive and transparent to a degree that could hamper the marketing goals of collecting user activity data in the first place.
In the end, it may require a digital-grass-roots effort to examine the purpose of the rule in today’s world. If enough consumers and viewers revolt against the tracking of their personal information and stop watching videos online, Meta and other companies would certainly take notice… but that is extremely unlikely, given most private citizens don’t appear to be bothered by the practice and continue to click play.
If nothing else, the current proliferation of class action lawsuits is definitely bringing attention to the antiquated VPPA. Ultimately, these class action lawsuits could spur an outcry for change and amendments that shape the future video streaming and online data privacy protections as we know it.