Mitigating risk under the Video Privacy Protection Act (VPPA)

Concerned about whether you could be at risk of a Video Privacy Protection Act (VPPA) class action? You wouldn’t be alone. Since 2022, over 100 lawsuits have been filed alleging violations of the VPPA, pointing to the sharing of identifiable video viewing information via the Meta tracking pixel without user consent. 

If you have video content on your website and use web tracking technology, it’s important to understand your risk under VPPA, and what strategies and tools are available to help you mitigate that risk. 

What is the VPPA? 

The VPPA is a federal law, enacted in 1988, which prohibits any video service provider” from knowingly disclosing personally identifiable information concerning “any renter, purchaser, or subscriber of goods or services” from the video tape service provider without their consent. 

Under the VPPA, personally identifiable information is defined as any information that identifies a consumer as having requested or obtained “specific video materials or services” from a Video Tape Service Provider. 

What’s behind the surge in VPPA class actions? 

There’s actually been an uptick in enforcement against web tracking in general. The FTC has engaged in a wave of enforcement within the last year against healthcare apps and web services that allegedly shared sensitive health information without user consent through the use of third-party tracking technologies like the Meta pixel. Class actions based on state and federal wiretapping laws, common law claims, and even claims under state constitutional rights have all been used to attack web tracking from different angles. 

The VPPA, specifically, was created during a time when physical video rentals were the norm, but the proliferation of online video content has made room for a broader understanding of who counts as a Video Tape Service Provider. Among the companies facing lawsuits are online news outlets like the Boston Globe (which has settled for $4MM), retail brands like Home Depot, and even fast food chains like Chick-fil-A. It’s common for websites to employ third-party technologies to track user behavior, and it’s also common for websites to feature video content. That combination makes for a wide net of potential targets for VPPA class actions. 

How are VPPA cases being ruled?

The complaints that are part of the recent surge typically follow similar patterns, arguing that: 

1. The defendant is engaged in the business of delivering pre-recorded video content, making them Video Tape Service Providers 
2. The plaintiff class members were subscribers to the defendant’s service of providing video content and thus “consumers” under the law. 
3. The defendant knowingly disclosed to Meta visitors’ Facebook IDs and title and URL of the videos they requested or obtained via a Meta tracking pixel. 
4. The information disclosed to Meta, including Facebook IDs and video titles, could be used to find public Facebook pages and identify site visitors—making that information personal identifiable information (PII) 
5. The website did not obtain written consent from users before disclosing PII to Meta, putting the defendants in violation of VPPA. 

The number of cases overcoming motions to dismiss is growing, and more companies are settling as a result. 

There have been successful motions to dismiss as well. Some cases have been dismissed in California where it was held that only pre-recorded content is covered under VPPA, but not live streamed content or when it was held that only users who have viewed or obtained video content as part of some sort of purchase (e.g., a subscription) can be considered consumers under VPPA. 

These dismissals provide signals to companies for which types of activity might pose the greatest risks, while at the same time clarify for plaintiffs which cases are more likely to overcome motions to dismiss in court. 

How can brands protect themselves from VPPA suits? 

If your brand has video content on your website, you’ll want to check if the pages that have video are associated with URLs or any other mechanisms that could identify what video content was viewed. If so, you’ll also want to understand what tracking technologies are being used on your site, whether any exist on those pages with video content, and whether the trackers will collect information that could be used to identify individual users in connection with the titles of videos they are viewing. If all conditions are met, you’re dealing with some risk under VPPA. 

Brands have some options for how to proceed, whether that’s removing the tracking technologies completely, or reconfiguring your video content set up and/or trackers to prevent or obfuscate the collection of video title information or user identifiers. You may also consider obtaining consent for the use of tracking technologies to comply with VPPA. 

Adopting a comprehensive approach to privacy

Because VPPA is just one of many tools being used in the crackdown against web tracking, adopting a long-term, strategic approach to privacy is the best way to future-proof your organization against microtrends in litigation, enforcement, or new privacy laws.

Brands that operate digital properties need to have an always-up-to-date understanding of how they handle personal information, including:

• What personal data is collected;
• Why it’s collected;
• Where it’s collected 
• Who is collecting it;
• Who it’s being shared with, and who they’re sharing it with.

Only when you gain a comprehensive view of how personal data flows through your tech ecosystem can you start applying privacy principles like transparency, downstream due diligence, and privacy-by-design. 

Attend our webinar to learn how to mitigate VPPA risk

Date & Time: October 18, 2023, 3:00 PM ET and 12:00 PM PT

Description: Class actions filed under the Video Privacy Protection Act (VPPA) have risen as part of increased scrutiny on tracking technologies in general. What started as a law to protect video rental history is now largely being aimed at companies who share identifiable video viewing information via the Meta tracking pixel without user consent.

REGISTER HERE

Sheppard Mullin joins Sourcepoint for this webinar to help us break down:

• The history of the Video Privacy Protection Act (VPPA)

• How VPPA has been applied to bring class actions against web tracking

• Trends in litigation and recent settlements

• How companies can mitigate the risks that come with using tracking technologies

• Strategies for complying with VPPA

California: This activity has been approved for 1 hour of Minimum Continuing Legal Education general credit by the State Bar of California. Sheppard Mullin Richter & Hampton LLP certifies that this activity conforms to the standards for approved education activities prescribed by the rules and regulations of the State Bar of California governing minimum continuing legal education.

New York: This program has been approved in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1 credit hour which may be applied toward the Areas of Cybersecurity, Privacy & Data Protection-General requirement, and is suitable for both transitional and non-transitional attorneys.

Texas: This course has been approved for Minimum Continuing Legal Education credit by the State Bar of Texas Committee on MCLE in the amount of 1 credit hour General credit hours.

Illinois: An application for accreditation of this activity will be submitted to the MCLE Board of the Supreme Court of Illinois.