Websites are facing lawsuits alleging that the information collected and transmitted about viewers of their video content violates the Video Privacy Protection Act (VPPA), a 1988 law originally aimed at prohibiting video rental companies from disclosing the video tape rental records of consumers. In recent years, federal courts have held that the law applies to all video, regardless of technical format. Even more recently, plaintiffs are using the law to apply to website operators that host streaming video.
The Video Privacy Protection Act
The VPPA prohibits a video tape service provider from knowingly disclosing, to any person, personally identifiable information concerning any consumer of the provider without the consumer’s informed, written consent. VPPA provides for a private right of action, including statutory damages not less than $2,500 per consumer plus attorneys’ fees. Ouch.
Personally identifiable information for purposes of the VPPA means information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider, i.e., any information that ties an identifiable viewer to a video.
Service providers to which the law applies are also subject to record destruction requirements. Personally identifiable information must be destroyed as soon as practicable, but not later than one year from the date that the information is no longer necessary for the purpose for which it was collected and there are no pending court orders or requests from law enforcement.
Risks for Streaming Video
The statutory damages prescribed in the VPPA, combined with the award of attorneys’ fees, have led plaintiffs’ attorneys to argue for the statute’s application to streaming video. Courts have generally obliged, finding that the VPPA protects viewers of videos regardless of the medium of transmission. Plaintiffs have then sought to prove violations of the VPPA by arguing that by sharing usage statistics with data analytics vendors such as comScore, streaming video providers are disclosing personally identifiable information in violation of the statute. How much consumer information may be permissibly shared with analytics vendors under the law and in what form are far from settled legal issues, but the key question in each case is, can the data shared with third parties, taken together, personally identify viewers with their video choices?
In the most recent ruling on the applicability of the VPPA to streaming video, a federal judge in Seattle ruled that the sharing of anonymous data alone, in the form of a unique serial number to a streaming video player, does not violate the VPPA, but if shared along with other correlative data capable of personally identifying viewers in combination, the provider could potentially be liable. Similarly, federal judges have held that other anonymous unique identifiers, including mobile device IDs or cloud service IDs, even when combined with video viewing history, do not personally identify users and therefore their transmission is not a violation. However, courts have also suggested that other login information, such as a social media ID provided through a “Like” button on a website, may constitute personally identifiable information subject to the VPPA. A provider may also be liable for information transmitted in cookies placed on its website by third parties, even if the provider cannot read or control the contents.
Although large media companies are the obvious targets for plaintiffs’ lawyers, with potentially millions of separate violations in the case of the largest services, any website or other online service that provides video content to consumers is potentially subject to legal risks under the VPPA. Companies whose websites provide even incidental video content should review their data collection and retention practices for risks that third parties with access to user data may be able to tie personally identifiable information to video viewing history. Some questions to consider include the following:
- Is personally identifiable information collected when a user views hosted video content?
- Is personally identifiable information passed to third-party advertising services or analytics vendors?
- Do analytics vendors or advertising services have direct access to user information? Is that information capable of being correlated with video viewing history?
- Is video viewing history stored in cookies? If so, is that information shared with advertisers or otherwise persistent across third-party services?
- Are any social media–sharing features, such as a “Like” button, presented with video content?