Blog

The Atlantic is the latest to face a video privacy class action suit

Julie Rubash, Chief Privacy Counsel
December 19, 2022

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES


Google Class Action Certified for Injunctive Relief

A California District Court judge granted plaintiffs’ motion to certify a class action against Google, but only for injunctive relief and not for damages.

The case is claiming violations of the Federal Wiretap Act and the California Invasion of Privacy Act, among other allegations, based on Google’s alleged collection of user data (including IP address, cookie data, geolocation data, fingerprint data, and any available User IDs) even while users were in private browsing mode or “Incognito mode”.

The judge found that the requirements for a damages class were not satisfied, because questions affecting individual members of the class would predominate over facts common to all class members.

More specifically, with respect to all of the plaintiffs’ claims, implied consent is an affirmative defense, and in determining whether class members consented to the alleged conduct, individualized assessment of each class member’s experience would be necessary.

The judge held that the requirements for an injunctive relief class action were satisfied, however, because the injunction sought (specifically, precluding Google from collecting further private browsing information and requiring Google to delete previous private browsing information and any services developed therefrom) would apply to the entire class. 

WHY IT MATTERS

Although monetary damages are off the table for this class action, a successful grant of injunctive relief in this case could potentially be equally, if not more, damaging to Google than actual damages, depending on the specific injunction granted and the extent of Google’s reliance on, and development from, previously collected private browsing information.

Although GDPR-level consent is not explicitly required in the United States, in most cases, this case highlights the protections that evidence of consent may provide to companies against U.S. deception and common law claims. 


The Atlantic Hit With VPPA Class Action

A class action lawsuit was filed against The Atlantic in the Central District of California based on allegations the multi-platform publisher disclosed subscriber video-viewing preferences, in combination with identifying information (such as the user’s unique Facebook ID), to Meta in violation of the Video Privacy Protection Act (VPPA).

According to the complaint, “at no point do The Atlantic users consent to such sharing through a standalone consent form, as required by the VPPA”.

WHY IT MATTERS

We have seen several recent cases under the VPPA with similar allegations.

In 2022, class actions have been filed against the NFL, MLB, Buzzfeed, Healthline Media, Fandom, Paramount, Meredith, Patreon, Meta, Nextstar Media, Discovery Communications, HBO, and WebMD based on violations of the VPPA.

The case against WebMD recently overcame a motion to dismiss, allowing the action to proceed.

In September, a federal judge approved a $92 million class action settlement against TikTok based on allegations, among others, that TikTok violated the VPPA by sharing with Google and Facebook TikTok users’ device IDs and advertising IDs in combination with user video viewing history without user consent.


Kids Online Safety Act Bill Revised in End-of-Year Push

A revised version of the bill implementing the Kids Online Safety Act (S. 3663) was released December 15.

Among other changes, the new version explicitly states that the Act should not be construed to require covered platforms to implement age gating functionality or to collect any information regarding the age of users that the platform is not already collecting.  

WHY IT MATTERS

The amendment came days after letters were sent to Senate and House leaders from several advocacy groups pushing for passage of KOSA by year end.

Earlier in December, 90+ advocacy groups sent a letter urging lawmakers not to move the Kids Online Safety Act (KOSA) forward this session due to potential “unintended consequences” posed by the bill, citing, among other concerns, that requiring covered online services to place limits on use by minors would incentivize such services to collect more personal information to verify age, increasing risk to all users.

The amended version of the bill is presumably intended to address such concerns. Meanwhile, a tech group is seeking to block the California Age Appropriate Design Code (CAADC), claiming first amendment violations.

The CAADC will require online services “likely to be accessed by children” under 18 to estimate the age of users “with a reasonable level of certainty” and apply the highest privacy settings by default to children under 18. 

EUROPE

European Commission Publishes Draft Adequacy Decision for EU-US Data Privacy Framework

The European Commission announced that it has published and transmitted to the European Data Protection Board a draft adequacy decision to allow for transfer of personal data from the EU to the US.

The decision is based on the Executive Order issued by President Biden and regulations issued by US Attorney General Merrick Garland, which provide for a number of safeguards regarding access to data by US public authorities, as well as redress mechanisms available to EU citizens.

NEXT STEPS

The decision will still need to go through an approval process and adoption procedure before it can be finalized, but once the adequacy decision is officially adopted, European entities will be able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards.

In the meantime, the Commission’s FAQ reminds companies that an adequacy decision is not the only tool for international transfers and that model clauses, which companies can introduce in their commercial contracts, are the most used mechanism to transfer data from the EU. 

CNIL Advisor Recommends Apple Receive 6 Million Euro Fine

An advisor to the French Data Protection Authority (CNIL) has recommended that Apple be fined 6 million euros based on allegations of privacy violations, according to Reuters.

The recommendation reportedly came in response to an investigation revealing that Apple conducted targeted ad campaigns using iPhone user personal data without clearly asking for prior consent.

WHY IT MATTERS

The advisor’s recommendations will be sent to the CNIL’s sanction body, which will make a final decision based on the recommendation. 

Slovenia Adopts Personal Data Protection Act

The Slovenia Ministry of Justice announced Slovenia’s adoption of the Personal Data Protection Act, which transposes the European General Data Protection Regulation (GDPR) into Slovenian law.

WHY IT MATTERS

Slovenia is the last member of the European Union to implement the GDPR into local law, which was supposed to have been done in 2018.

The action was taken in response to pressure from the European Commission, which sent an opinion to Slovenia in 2021, finding that Slovenia had failed to fulfill its obligations under GDPR due to its persistent failure to reform its pre-GDPR national data protection framework. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

FTC and Sensitive Location Data; New Pen Register Class Actions

December 9, 2024

FTC takes action against the sale of sensitive data...

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]