VPPA trends: considerations for limiting exposure

The Video Privacy Protection Act

The VPPA prohibits “video tape service providers” from knowingly disclosing “personally identifiable information,” which broadly includes any “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”[3] While the term “video tape service provider” traditionally meant brick-and-mortar stores like Blockbuster and Family Video, the plaintiffs’ bar has sought to apply the term to any website operating with embedded videos that shares data with analytics firms and other third parties for marketing purposes.

Recent complaints typically allege that the following actions violate the VPPA:

1. a consumer-facing website contains embedded videos and has implemented certain cookies to support those videos;
2. consumers accessing the website are logged into third party websites — typically social media sites — while viewing videos on the website;
3. an embedded tracking pixel “fires” upon the occurrence of a predetermined event, such as a video view, and transmits data regarding that page, including the title of the video and a unique user ID, to the third party website that tracks the consumer across websites and platforms; and
4. the website operator knowingly disclosed the consumer’s video-watching data to the third party tracking providers.

Defense Strategies and Recent Rulings

In general, courts have embraced an expansive view of the scope of the VPPA. More recently, however, signs have emerged that courts are ready to impose limits on its application, interpreting the Act’s broad statutory language holistically and with an eye to Congress’ original intent in enacting the statute. The new scrutiny has focused on a few key issues, including whether the defendant is a “video tape service provider,” whether the plaintiff is a “consumer,” and whether “personally identifiable information” has been conveyed to a third party.

Video Tape Service Providers

Several federal courts have dismissed VPPA claims where the viewed content was live-streamed, as opposed to pre-recorded.[4] Relatedly, though many courts have accepted at face value that website operators that embed pre-recorded videos on their websites are subject to the VPPA[5], other courts have begun to question the broad application of the law. In a recent decision from a federal court in California, the court dismissed a VPPA claim against a fashion retailer because the defendant’s business model was not “significantly tailored” to delivering video content on its website; it was not enough that the company engaged in the peripheral action of providing consumers with access to embedded videos through their retail website.[6]

Personally Identifiable Information

The VPPA is limited to disclosures of “personally identifiable information.” The courts have consistently held that a user ID, typically one that links a user to a social media account, paired with video viewing information is sufficient to constitute personally identifiable information.[7] The First Circuit held that precise GPS coordinates and device ID were sufficient, given the ease with which an individual’s identity can be discerned by locating a corresponding home address,[8] while the Ninth Circuit has held that a device serial number and video viewing information was insufficient.[9] A new wave of plaintiffs have alleged that certain social media pixels also transmit personally identifiable information; however, the courts have yet to rule on these allegations.

Knowing Disclosures of Data

Recently, a court dismissed a VPPA claim based on a showing by the defendant, a video streaming service provider, that it did not “knowingly” disclose personally identifiable information to third parties.[10] There, the defendant alleged that there was no evidence that it knew that a tracking pixel was collecting and disclosing personally identifiable information, as defined under the VPPA. Other courts have ruled that merely including certain pixels on a website was sufficient to show a knowing disclosure of personally identifiable information.[11]

Consumer

Courts also have dismissed VPPA claims after finding that plaintiffs fall outside of the scope of “consumers.” While there is a consensus that a plaintiff need not pay money to be considered a consumer, the circuits have split regarding the degree of commitment a plaintiff must have made to be considered a subscriber. The First Circuit held that downloading a mobile application and providing personal information and GPS coordinates to the defendant was sufficient,[12] while the 11^thCircuit held essentially the opposite.[13]

Heightened Pleading Requirements

Several courts have also found that plaintiffs cannot rely on generally pleading that video watch data automatically includes personally identifiable information; instead, those plaintiffs must plead with sufficient specificity to bring a claim, such as by describing the categories of personally identifiable information subject to disclosure.[14]  

As this is a rapidly developing area of law, it is important to review the latest caselaw to understand the latest successful defenses taken by VPPA defendants.

Considerations for Website Operators

VPPA claims continue to proliferate. BCLP assists clients in reviewing their website tracking technologies and their use of embedded videos, and defending organizations that are the subject of VPPA claims. Given the changing nature of VPPA claims and the emergence of key defense trends in response, organizations should be mindful of potential risks and should take several steps to limit potential VPPA class action exposure, such as:

• Limiting the use of pixels and other tracking technologies to pages without video content or configuring pixels and cookies to avoid sharing personally identifiable information with third parties.
• Updating cookie preference centers, or similar mechanisms, to collect separate consent from users prior to disclosing video-watching data.
• Updating the website privacy policy to accurately disclose whether personally identifiable information is disclosed to third parties, and how that personally identifiable information is used.