Over the past year, a barrage of class action lawsuits asserting violations of the Video Privacy Protection Act (“VPPA”)—a vintage Reagan-era federal consumer privacy law—has shed light on potential liability facing companies that embed video content onto company websites and simultaneously collect and share consumer viewing data in the course of marketing analytics.
The VPPA is, until recently, a rarely invoked federal statute that was enacted to protect the privacy of information about people’s video tape rentals after the press leaked a list of a Supreme Court nominee’s movie watching habits in 1987. However, the VPPA is now providing the foundation for a new class of consumer privacy lawsuits based upon the way companies may be tracking and sharing data collected when consumers view video content posted on company websites, apps, and/or shared via email marketing.
A. What is the VPPA?
The VPPA prohibits a person or business that rents, sells, or delivers prerecorded “video cassette tapes or similar audio visual materials” from “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider. . . .,” absent informed, written consent as defined by the VPPA. 18 U.S.C. § 2710(a)-(b). Under the Act, “personally identifiable information” or “PII” is “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3).
If liability is found, the VPPA allows consumers to seek the trifecta of remedies—(1) statutory damages in the amount $2,500 per violation, (2) punitive damages, and (3) recovery of attorneys’ fees. 18 U.S.C. § 2710(c).
B. VPPA Claims in 2023
A slew of nationwide lawsuits are asserting violations of the VPPA. These lawsuits have nothing to do with video rental stores, instead alleging that businesses are illegally sharing consumers’ viewing history and PII with Facebook and other social media companies through a tracking pixel placed on company websites that can collect, among other things, a consumer’s navigation to a page containing an embedded video or audio visual file.
These universally utilized “tracking pixels” are pieces of code for Google Analytics and/or Meta Platforms Inc. that are incorporated into a company website that collect information about how users interact with the site, such as whether users initiate purchases, what content users view, and other details, and then shares information about the individual including the title and URL of the video.
C. Current Litigation
It has been reported that over 70 lawsuits asserting claims under the VPPA have been filed in the past year, and due to the willingness of some courts to entertain these claims at least past a motion to dismiss stage, it is very likely that more lawsuits will continue to be filed.
Companies faced with VPPA claims have argued that the information collected by the tracking pixels does not rise to the level of PII. There is a split of authority dictating what qualifies as PII. For example, the United States District Court for the District of Massachusetts in the First Circuit has adopted a broad approach, holding that the transmission of viewing records along with GPS coordinates and a device’s unique identification number constituted PII despite requiring additional information in order to link the plaintiff to their video history. In contrast, other courts including the United States District Court for the Southern District of New York in the Second Circuit have adopted a narrower view, requiring that for information to qualify as PII the disclosure itself, without any additional information, must identify a particular person.
Other arguments advanced in motions to dismiss VPPA claims include the following:
- The plaintiff is not a consumer under the VPPA. The VPPA defines “consumer” to mean any renter, purchaser, or subscriber of goods or services from a video tape service provider;
- The plaintiff cannot show that defendant is a “video tape service provider” under the VPPA;
- The plaintiff failed to plausibly allege that the defendant “disclosed” personally identifiable information because it is the consumer’s web browser, as opposed to the company website, that transmits the purportedly identifying consumer data;
- The plaintiff failed to plausibly allege that the defendant “knowingly” disclosed PII since the defendants have no access to or knowledge of the existence of the cookie on the web browser that may transmit the additional information; and
- The VPPA is unconstitutional because it restricts commercial speech in violation of the First Amendment.
Faced with these arguments, at least three courts—the United States District Court for the Districts of Massachusetts, Southern District of New York, and Northern District of Georgia— have denied motions to dismiss, finding that the plaintiffs plausibly asserted a claim under the VPPA, and allowing the VPPA claim to proceed to discovery.
Some defendants, however, have found success. As noted above, the Southern District of New York takes a narrow view on what qualifies as PII, and as a result dismissed a VPPA claim on the basis that the plaintiff failed to plausibly allege that the information the defendant company disclosed to third parties was PII. Federal district courts for Rhode Island and the Northern District of California have also dismissed VPPA claims where the viewed content at issue was live-streamed content, as opposed to prerecorded, on the basis that this fell outside the definition of “video tape service provider” in § 2710(a)(4).
The orders issued from these cases thus far demonstrate that there is no imminent consensus among federal courts. Until there is a clear consensus among federal courts on the viability of VPPA claims, we can expect to see a continued stream of VPPA litigation.
The slew of lawsuits alleging VPPA claims seek to impose enormous liability on what has become routine and universal data analytics. As a result, companies that utilize video content in brand marketing and advertising analytics could potentially be opening themselves up to a new class of consumer privacy litigation seeking $2,500 in statutory fees per violation, as well as potential punitive damages and attorneys’ fees.