The Video Privacy Protection Act (“VPPA”) became one of the country’s first federal privacy laws when it was enacted by Congress in 1988. This Reagan-era legislation came after then–Supreme Court nominee Judge Robert Bork’s rental records were leaked by a video store to a reporter and published in a local newspaper during the evaluation of his candidacy. Although Bork’s video rental history was innocuous, the response was a bipartisan outcry for more privacy protections as “sophisticated record-keeping systems [were] a new, more subtle and pervasive form of surveillance.” Reflecting the particular situation the legislation was designed to address, the VPPA provides a private cause of action against a “video tape service provider who knowingly discloses, to any person, personally identifiable information” which “identifies a person as having requested or obtained specific video materials or services.”
Although the particularized language of the statute, which is entitled “Wrongful disclosure of video tape rental or sales records,” appears confined to antiquated forms of media, the VPPA’s definition of “video tape service provider” has permitted a modern interpretation in this new age of digital surveillance. Since 2022, there has been a flood of consumer litigation based on a broad interpretation of the VPPA, with more than one hundred complaints filed against companies that employ web cookies that track and harvest user data for analytics and advertising. The novel application of the VPPA seen in these putative class actions targets video content featured on websites that employ tracking technologies, such as Meta Pixel and Google Analytics, which plaintiffs argue have the effect of disclosing identifiable information about the users’ video consumption to third parties. The ultimate success of these claims based on the decades-old statute remains uncertain; however, most courts have concluded that various plaintiffs have plausibly alleged a VPPA claim by arguing that video-watch histories were disclosed without their consent via such tracking technologies.
At a high level, the VPPA limits the disclosure of video records without the watcher’s consent. Specifically, the VPPA prohibits a “video tape service provider” from knowingly disclosing “personally identifiable information” of a “consumer,” unless certain enumerated exceptions apply. The most common exceptions include where the disclosure is “incident to the ordinary course of business of the video tape service provider,” and where the consumer provides “informed, written consent.” Concerning the consent exception, written consent must be obtained “in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer.”
Under the VPPA, “personally identifiable information” (“PII”) is “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” Further, “video tape service provider” is defined as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.”
A court may award “actual damages but not less than liquidated damages in an amount of $2,500,” as well as punitive damages and attorneys’ fees. For claims brought on behalf of a putative class, damages would be assessed on a per class member, per violation basis. The availability of statutory damages has incentivized the spate of class actions brought by the plaintiff ’s bar and contributed to the high stakes involved in recent cases seen against website operators.
Despite the VPPA’s nondigital origin, a proliferation of lawsuits over the past year have targeted the modern tracking technologies employed by website publishers that offer video content. In this new wave of claims, plaintiffs allege violations of the VPPA by online news outlets, streaming service retailers, and other defendants for the disclosure of PII obtained through embedded website codes and cookies that track user activity. According to most complaints, website publishers qualify as “video tape service providers” because their websites feature video content, and they share information about which videos consumers watch via an embedded analytics code, such as Meta Pixel. Plaintiffs allege their information, which includes video watching habits, is transmitted to Facebook (via Meta Pixel), which then links this information to the users’ Facebook accounts, violating the VPPA.
District courts continue to grapple with the issues surrounding the application of the VPPA to modern technology, but recent decisions have offered some guidance on the statute’s scope and limits. Courts have been receptive to the basic theory that the use of Meta Pixel technology can result in the disclosure of a plaintiff ’s PII and underlie a viable claim under the VPPA. Recently, many courts have denied motions to dismiss these types of VPPA claims, reasoning that a plaintiff need only to allege that a tracking technology discloses a user ID, and that user ID is something an ordinary person can type into a website to identify an individual.
However, boilerplate allegations by plaintiffs that PII was disclosed have failed, with courts requiring these VPPA claims to be pled with specificity. In Martin v. Meredith Corp., plaintiff William Martin brought suit against five corporations, alleging “the defendants unlawfully disclosed information about his video viewing history to Facebook,” specifically concerning his use of the website People.com. People.com utilized “Base Pixel” code that matched site visitors with Facebook account IDs, which the plaintiff argued violated the VPPA generally. The court granted defendants’ motion to dismiss for failure to state a claim. The court reasoned, in pertinent part, that “simply disclosing the name of a webpage and an associated Facebook ID leaves off essential information for a VPPA claim, including at least: (1) whether the webpage contains a video; (2) if so, the name of the ‘specific video materials’ on the page; (3) whether there are multiple videos on the page and, if so, which ‘specific video materials’ were requested or obtained by the website visitor; and (4) whether the website visitor ‘requested or obtained’ any videos at all, or instead merely read an article on the webpage.”
In contrast to the plaintiff in Martin, which was situated in the U.S. District Court for the Southern District of New York, the plaintiff in Belozerov v. Gannett Co., which was situated in the U.S. District Court for Massachusetts, overcame the defendants’ motion to dismiss. In Belozerov, the plaintiff was a user of the USA Today app, which allegedly tracked user activity and stored user data through the implementation of “cookies, software development kits, and pixels.” The court found that “[a] Facebook ID . . . is a unique identifier that can be used to look up an individual’s Facebook user account. Together, that information enables Facebook or any computer-savvy person to discern the identity of the digital subscriber and the specific video content he or she viewed on the USA Today website or app.” The court further held, citing Yershov, that the plaintiff sufficiently pled that USA Today constituted a “video tape services provider” under the VPPA, and that the deliberate coding necessary to implement cookies and pixels demonstrated a “knowing” disclosure of PII.
Most recent VPPA litigation has turned on whether the plaintiff met the Act’s definition of “consumer.” To file a VPPA claim, the plaintiff must be a “consumer,” meaning a “renter, purchaser, or subscriber of goods or services from a video tape service provider.” In determining whether an individual is a VPPA “consumer,” courts consider several factors, such as the existence of payments, registration, commitment, delivery, expressed association, or access to restricted content. In Carter v. Scripps Networks, LLC, subscribers to the HGTV.com newsletter brought a class action against the website’s owner (“HGTV”), arguing that HGTV was collecting and disclosing their video-streaming activities on HGTV.com to Facebook (via the Meta Pixel) in violation of the VPPA. Although the plaintiffs were not subscribers to HGTV’s television offerings, they argued they were still “consumers” within the meaning of the VPPA based on their subscriptions to HGTV’s newsletter. However, the court disagreed, finding that merely opting-in to a newsletter was insufficient to classify the plaintiffs as “consumers” under the VPPA.
Another recent decision aligns with this limit of VPPA claims, holding that plaintiff ’s allegations of entering her name and email to “subscribe to [defendant’s] email list” were not sufficient to make her a “subscriber” under the VPPA. Likewise, another district court held that “open[ing] an account separate and apart from viewing video content” on a defendant’s website is not sufficient to render a plaintiff a “subscriber” under the VPPA. However, cases in the Northern District of Georgia, where signing up for newsletters gave the user access to video content, have come out the other way. In Lebakken, the court held that the plaintiff adequately pleaded she was a “subscriber” because she pleaded that she did more than just download a free mobile application: “[S]he exchanged her email address to receive [defendant’s] e-newsletter and . . . she also created her own [] account [with defendant].”
A recent decision established further limits of the VPPA’s reach in this modern context with regard to the “video tape service provider” element. In Carroll v. General Mills, Inc., plaintiffs alleged that their video viewing activity had been shared with third parties via tracking code embedded in the defendant’s website, purportedly in violation of the VPPA. Ultimately, the federal court dismissed the claim after finding that the defendant did not fall within the scope of the VPPA’s definition of “video tape service provider”—“any person . . . engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.” In Carroll, the plaintiffs argued that General Mills was “in the business” of video delivery through its creation and distribution of online videos to “increase[] its brand presence.” However, the court found this failed to meet the VPPA’s definition of “video tape service provider,” holding that the Act “does not cover every company that merely delivers audio visual materials ancillary to its business.” The court explained that a plaintiff seeking to bring a claim under the VPPA must plead facts demonstrating that a defendant’s “particular field of endeavor” is the delivery of audiovisual materials, rather than merely a “peripheral part of its marketing strategy.” Carroll provides a strong threshold defense to future VPPA litigation by clarifying that the posting of video content that is only incidental to a company’s core business is not subject to the Act.
Several courts have found a clear limit to the application of the VPPA in the modern context of third-party data sharing with regard to the video content offered. Reflective of the Act’s origins in video tapes, the VPPA covers prerecorded video content; however, live video streams fall outside of the scope of the law. As these recent decisions illustrate, at this juncture, the success of businesses in securing dismissal of VPPA claims has been mixed and is largely dependent upon jurisdiction.
This growing trend of consumer privacy class action litigation poses a significant risk to a wide variety of companies across industries. Companies commonly deploy website cookies to try to understand how users are interacting with their website and to try to improve website functionality. Cookies are also frequently used to track users in order to understand their preferences and better personalize their experiences, including the ads they see. Most websites, including many government websites, employ third-party trackers. This omnipresent deployment of website cookies to track user data exposes many consumer-oriented companies who operate and advertise online to similar consumer privacy litigation under the VPPA.
Although there is little binding appellate precedent regarding these novel VPPA claims, the district court decisions reviewed in the prior section indicate some efforts to curtail the scope of the VPPA’s possible application to modern data tracking and analytics. While courts continue to define the contours of the law as it applies to modern-day cookies, businesses can mitigate their risk under the VPPA in several ways. Companies should ensure they secure consent from users prior to the disclosure of any information regarding prerecorded videos that the user has watched. Additionally, businesses should thoroughly understand and assess the use of any third-party cookies or tracking technologies embedded on their websites, which may lead to exposure to VPPA liability. Businesses should assess the value added by these cookies, given the potential exposure to VPPA litigation.
Recent VPPA litigation has provided companies with potential defenses when facing this type of claim. Businesses may successfully argue that the disclosure of PII falls under one of the enumerated exceptions. Additionally, businesses do not face liability under the VPPA (1) where the plaintiff is not considered a “consumer,” or (2) where the business is not a “video tape service provider.” A plaintiff ’s failure to prove either of those two elements provides a strong threshold defense to VPPA liability. Where a business operates a website with video content that is only peripheral to the company’s core business, the defendant may raise a compelling argument that the company falls outside of the definition of “video tape service providers,” and thus beyond the scope of the VPPA. With many VPPA putative class action lawsuits remain unresolved, it is crucial that website operators that offer video content continue to monitor legal developments that provide further guidance and clarity regarding these claims and continue to take steps to mitigate risks associated with third-party data tracking or analytics.
The rise of VPPA claims brought against website operators that offer video content is expected to continue as courts work to define the Act’s scope in lawsuits that target modern tracking technologies. Without clear, binding limits of the VPPA in this context, as a matter of best practice and in order to mitigate litigation risks, businesses should assess and understand their use of third-party cookies and/or any other software technology being used to monitor website traffic and use, particularly on websites with video content. With the legal landscape in flux, it is imperative that businesses stay abreast of forthcoming guidance either in the form of appellate rulings or potential congressional amendment of the VPPA.
The author gratefully acknowledges the contributions of Maya Fouad, J.D., Georgia State University College of Law.
