Social sharing and the US Video Privacy Protection Act: Perilous for online video content providers
The Video Privacy Protection Act of 1988 (18 U.S.C. § 2710) (‘VPPA’) regulates the disclosure of information about consumers’ consumption of video content, imposing prescriptive requirements to obtain consumers’ consent to such disclosure. It presents a significant challenge for online video content providers, and navigating it requires careful attention, particularly due to the costly statutory damages regime and associated risk of class actions. Robert Blamires, Counsel at White & Case LLP, and Nathan Zhang, Senior Counsel at Applied Materials, Inc., shed light on the application of the VPPA in today’s digital age.
The VPPA was originally enacted to address a scenario that is almost obsolete today, and is out of step with today’s technology. For example, the statute still uses the concept of a ‘video tape service provider’ (‘VTSP’) rather than reflecting modern video content delivery methods and platforms. It is also inconsistent in its application to video content, given there are no similar restrictions for other types of media, like books, music and images. Further, it has an uncertain application, including in relation to both the operation of certain safe harbours and what constitutes ‘informed, written consent’ in the online context, which has been the subject of much litigation. This is especially so when online video content providers seek to integrate with social media (or indeed when social media providers incorporate video content directly into their offerings) and when other third-party technology platforms share data via cookies or other identifiers.
A little over 30 years ago, during the confirmation hearings of Supreme Court nominee Judge Robert H. Bork, a journalist published Judge Bork’s Blockbuster video tape rental history1. While the published rental history contained no salacious or controversial rentals, legislators nonetheless reacted swiftly, passing the VPPA little more than a year after the incident2. The VPPA prohibits the knowing disclosure by a VTSP of information identifying a person as having requested or obtained specific video materials or services from the service provider. The VPPA carries statutory damages of $2,500 per violation (plus potentially punitive damages, attorney’s fees and equitable relief) as outlined under §§ (c)-(d).
There was little litigation under the VPPA in the years immediately following its passage. Brick-and-mortar VTSPs had little reason or incentive to disclose the rental histories of their customers other than for direct marketing to the individual customers or in response to law enforcement requests. The VPPA provides exceptions for both of these scenarios under §§ (b)(2)(A) and (b)(2)(C).
More recently, as online video services have become ubiquitous, the VPPA began to present a real challenge to a major business and marketing opportunity for these services. The paradigm is this: an organisation’s business model involves the provision to consumers, either on a standalone basis or as part of its wider online platform (typically a social media platform), of online video content, making the organisation a VTSP. In the case of the standalone video content service, the VTSP is likely to want to enable its users to integrate their account they hold on the organisation’s platform with accounts they hold on third party social media platforms. In either case, the integration of video content consumption with social media provides a great opportunity for the consumers to create a dialogue about the VTSP’s service and the video content they are enjoying, both with each other and with non-users. In addition to this consumer-driven sharing, the VTSP might also proactively and independently share data about users (via cookies and other identifiers) with third-party platforms to enable users to enjoy a rich experience as they transition between the two, and be served with advertising that most suits their viewing habits.
Often, in non-VTSP scenarios involving a platform sharing user data with third parties, the appropriate compliance mechanism is for the platform to obtain consent from its users to such sharing (even if that consent must sometimes be explicit/opt-in, separate from other consents, etc.). However, prior to the amendment made in 2013, the VPPA provided VTSPs no mechanism or exception to permit such ‘social sharing’ or data exchange, and left VTSPs nervous of the expensive consequences if they enabled such functionality on their services. This became a special concern for online streaming services which, as companies like Hulu, LLC discovered, are also VTSPs subject to the VPPA3.
Over a number of years, plaintiffs brought a series of class action lawsuits against several online video content providers alleging breaches of the VPPA. Beginning in 2008 (perhaps not so coincidentally, a year after Netflix, Inc. began its video streaming service4) and peaking in 20115, a slew of complaints were filed not only against ‘traditional’ online video content providers, like Netflix, Hulu and Redbox Automated Retail LLC, but also against social networks like Myspace6. Facing increasing litigation under the VPPA, certain providers responded by lobbying Congress for an amendment to the VPPA to provide an exception where the user consented to the disclosure (e.g., so that a provider could enable users to opt-in to share their video content viewing on third-party social networks)7.
Congress amended the VPPA in 2013 (‘the Amendment’) to provide that disclosure to third parties is not wrongful if the consumer elects to give ‘informed, written consent (including through an electronic means using the internet)… in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer…at the time the disclosure is sought, or in advance for a set period of time’ (up to two years). The user has to be given the opportunity, in a clear and conspicuous manner, to elect to withdraw on a case-by-case basis or from ongoing disclosures8.
The legislative history of the Amendment suggests the requirement to give users an opportunity to opt-out ‘in a clear and conspicuous manner’ was an attempt to address concerns by the Senate that simply permitting the typical ‘click here to agree to our collection and processing of your data’ type consent mechanism often used by online platforms would not be sufficient to address the privacy concerns surrounding data of this type9. While the Amendment goes part of the way to enable online platform providers to provide sharing functionalities, it did not allow those providers to ‘sleep easy’ while doing so. The language of the Amendment leaves uncertainties in its application in the online context: does clicking a ‘like’ button (and in the process sharing the content being viewed on a social media platform) constitute ‘informed, written consent?’ The savvy internet user might feel informed about the consequences of clicking such a button but what of a less experienced user? And does such an action comprise giving ‘written’ consent? As things currently stand, providers are left trying to persuade their product/ user interface teams to incorporate wordy consent language/legalese into the flow, designed to achieve ‘informed, written consent’ (in an offline style), as the user transitions from their platform to the social media platform.
Other permitted disclosures
The VPPA does provide a number of other exceptions which permit disclosures to third parties. Most notably, the VPPA permits the sharing of information about the user ‘to any person if the disclosure is solely of the names and addresses of consumers and if: (i) the VTSP has provided the consumer with the opportunity, in a clear and conspicuous manner, to prohibit such disclosure; and (ii) the disclosure does not identify the title, description, or subject matter of any video tapes or other audio-visual material; however, the subject matter of such materials may be disclosed if the disclosure is for the exclusive use of marketing goods and services directly to the consumer10.
This language is difficult to decipher. Starting from the beginning of the quoted language above, the VPPA permits disclosure of consumer information to third parties if it is only the name and address of the consumer, there is informed consent, and the subject matter of the video is not disclosed. Arguably, this serves more as a scenario where the information disclosed is not sufficient to be covered by the VPPA at all, than a true exception to the rule. If the disclosure is ‘solely of the names and addresses of consumers’ then in most scenarios there would be no sharing of VPPA-type personally identifiable information per se. However, the legislative history suggests that consumers are nevertheless given an opportunity to opt-out of this sharing to cater to the scenario where, because of the limited nature of the content supplied by the VTSP, disclosing even just the VTSP’s name with the customer’s name would de facto be a prohibited disclosure (albeit inadvertent) of the subject matter of the video content with the customer’s name (e.g., disclosing that that customer had obtained video content from a VTSP of exclusively Star Trek video content, would effectively disclose that the customer had viewed Star Trek video content)11.
There is also an opaque ‘exception to the exception,’ italicised in section (ii) above, i.e., sharing of information about the consumer to third parties is permitted so long as to facilitate marketing goods and services directly to a consumer. This is as confusing as it is poorly worded. Ultimately, the VPPA permits the disclosure of the name and address of the user together with the identity of the VTSP and subject matter of the video content so long as the disclosure is for the exclusive use of marketing goods and services directly to the consumer. This is intended to enable VTSPs to disclose customer lists to third parties, and in the process, disclose data they would not otherwise be permitted to disclose, for the sole purpose of direct marketing. The likely general scenario is along the following lines:
- a consumer signs up with a VTSP;
- he/she is given a chance to opt-out of the VTSP sharing his/her name and address with third parties;
- he/she chooses not to opt-out;
- he VTSP engages a third party for the purposes of sending direct marketing to that consumer; and
- the VTSP is permitted to share with the third party not just the consumer’s name and address but also the subject matter of any video tapes or other audio-visual material, watched by the consumer, for the sole purpose of enabling the third party to send marketing directly to that consumer.
The permitted disclosures help avoid liability for disclosures by VTSPs whose business name is enough to create an inadvertent prohibited disclosure, and the ‘exception to the exception’ assists a business wanting to disclose an individual’s content viewing to facilitate the sending of direct marketing to that consumer. However, while useful for their respective purposes, neither the permitted disclosure nor the ‘exception to the exception’ provides any comfort for online video content businesses who are looking to engage in the types of data sharing envisaged earlier in this article.
The Amendment and permitted disclosures certainly have not stood in the way of continuing litigation concerning the VPPA in the online space. For example, throughout 2015, there were a number of notable cases published regarding the VPPA’s scope and application, including rulings finding that:
- consumers who use free mobile applications do not qualify as ‘subscribers’ under the VPPA12;
- intra-corporate disclosure of personal information does not violate the VPPA13;
- VTSPs cannot be held liable under the VPPA for circumstances where subscribers’ personal information was displayed on devices, such as televisions, that could potentially be viewed by third parties, because the viewing of such devices was beyond the companies’ control14; and
- applicable personally identifiable information for the purposes of the VPPA ‘is information which must, without more, itself link an actual person to actual video materials15.’
In re Nickelodeon Privacy Litigation
One of the most recent and high profile cases involves the sharing of data between Viacom Inc. and Google LLC. The plaintiff class action alleged ‘a VTSP knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider,’ and therefore comprising a breach of §§ (b) of the VPPA, entitled the plaintiffs to relief16. The case was appealed from the U.S. District Court for the District of New Jersey to the U.S. Court of Appeals for the Third Circuit (‘the Third Circuit Court’), which issued its opinion on 27 June 201617.
First, the Third Circuit Court found that Google, as a third-party recipient of data from Viacom, was not an appropriate defendant under the VPPA. This is because the VPPA only allows plaintiffs to sue a person or entity that discloses ‘personally identifying information,’ and not a person who merely receives such information18 (otherwise “there would be no need for the VPPA to define a video tape service provider in the first place19”).
Second, the Third Circuit Court clarified that ‘personally identifiable information’ under the VPPA “applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior20,” holding that IP addresses, device identifiers, or browser fingerprints do not meet this requirement and therefore fall outside of the scope of the VPPA21. The Third Circuit Court did recognise, however, that its interpretation is subject to the current state of technology, leaving open the possibility that at some point in the future, a digital identifier may be sufficient to impose liability under the VPPA. The Third Circuit Court therefore advised companies to “think carefully about customer notice and consent22.”
Wider context and conclusions
As well as being clearly frustrating (and potentially expensive) for businesses such as video content providers, the VPPA also looks somewhat out of place, not only in its ‘clunky’ application to modern online platforms such as streaming services, but also in its application solely to video content. Even in Europe, which typically takes the strictest approach in relation to the protection of an individual’s privacy, there is no comparable legislation (with a statutory damages regime exposing businesses to awards potentially in the millions of dollars) and any processing or disclosure of such ‘personal data’ would be permitted with appropriate notice and consent mechanisms.
Reform of the language of the VPPA, both to bring concepts like ‘video tape service provider’ up to date with modern content delivery, and to provide clarity to the disclosure safe harbours and concepts like ‘written, informed consent’ in the online context, would be a large step in the right direction of providing certainty and reassurance to online video content providers, enabling them to integrate their services without fear of expensive class action litigation.
In the meantime, it is clear that the VPPA will remain a concern for providers of online video content and even those social networking and other platforms with which those providers integrate their offering. As these technology companies continue to explore new ways to improve their customer experience and integrate their products, and the underlying technology continues to evolve at a rapid pace, the VPPA, absent further amendment, looms in the background, requiring a careful analysis against each applicable new product, iteration or integration, and an expectation that plaintiffs’ lawyers will be ever ready to round up a class and bring a VPPA challenge23.
1 See Dolan, Michael, The Bork Tapes, Washington City Paper, 25 September 1987.
2 See Dolan, Michael, Borking Around, The New Republic, 19 December 2012 (retrieved 15 March 2018).
3 See In re Hulu Privacy Litigation, Case No. 11-cv-03764, 2012 WL 3282960 (N.D. Cal. 10 August 2012).
4 See Helft, Miguel, Netflix to Deliver Movies to the PC, The New York Times, 15 January 2007 (retrieved 15 March 2018).
5 Based on public court records, 37 complaints were filed between 2008 and 2011 alleging violations of the VPPA, with 25 complaints filed in 2011 alone. Since 2011, an average of ten new VPPA lawsuits have been filed every year through 2015.
6 See e.g., Milans v. Netflix, Inc., Case No. 11-CV-00379 (N.D. Cal. 26 January 2011); Garvey v. Hulu, LLC, Case No. 11-CV-03764 (N.D. Cal. 29 July 2011); Boesky v. Redbox Automated Retail, LLC, Case No. 11-CV-01729 (N.D. Ill. 11 March 2011); Valdez v. Myspace, Inc., Case No. 10
CV-05484 (C.D. Cal. 23 July 2010).
7 See Musil, Steven, Senate Approves Netflix-Backed Amendment to Video Privacy Law, C|net, 20 December 2012 (retrieved 15 March 2018).
8 See the Video Privacy Protection Act Amendments Act of 2012 (126 Stat. 2414, 10 January 2013).
9 See Senate Committee on the Judiciary’s Subcommittee on Privacy, Technology and the Law, Senate Hearing 112- 869, 112th Session of Congress, 31 January 2012.
10 The VPPA also allows for the disclosure of information to the consumer; to a law enforcement agency pursuant to a warrant, grand jury subpoena, or court order; and to any person if the consumer has given informed, written consent or if the disclosure is incidental to the ordinary course of business of the VTSP. See § 2710(b)(2) of the VPPA.
11 Senate Committee on the Judiciary, Senate Report 100-599, 100th Session of Congress, 21 October 1988.
12 Ellis v. Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. 2015).
13 Rodriguez v. Sony Computer Entm’t Am., LLC, 801 F.3d 1049 (9th Cir. 2015).
14 Mollett v. Netflix, Inc., 795 F.3d 1062 (9th Cir. 2015).
15 In re Nickelodeon Privacy Litigation, Case No. 12-cv-07829 at Dkt. No. 84 (D.N.J. 20 January 2015) (unpublished).
16 See Ibid. at Dkt. No. 1 (26 February 2013).
17 In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d. Cir. 2016), cert. denied 137 S. Ct. 624 (2017).
18 See Ibid. at 281.
20 See Ibid..at 290.
21 See Ibid. at 289. GPS coordinates of a device’s location would be sufficient under the Third Circuit Court’s interpretation. See Ibid. (citing Yershov v. Gannett Satellite Info. Network, Inc., F.3d, 2016 WL 1719825, at *3 (1st. Cir. 2016)).
22 See Ibid. at 290.
23 As of the publication of this article, no fewer than 82 federal district court and circuit court decisions have cited to the Third Circuit Court’s 2016 In re Nickelodeon Privacy Litigation opinion.
This article was first published in Data Protection Leader, May 2018.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.