One of today’s litigation hot spots has its roots among the cobwebs of ancient data privacy law. The United States today has a patchwork of national data privacy laws, all of which deal with sectors, be it ages of data subjects (like the Children’s Online Protection Act), healthcare patients (the Healthcare Insurance Portability and Accountability Act), and financial customers (the Gramm-Leach-Bliley Act). These laws were all passed before 2001, there has never since been a single comprehensive national data privacy act, and the proposed American Data Privacy and Protection Act has languished in fights about preemption.
We do have precedent for fast action in data privacy laws. The first true national data privacy law – one that required explicit opt-in for sharing of personal data – sailed through the Capitol in one year, in 1987-1988, by a bipartisan vote. Congress only needed the right motivation:
The Video Privacy Protection Act of 1988 (Pub. L. 100-618, 18 U.S.C. § 2710 et seq.) resulted from the 1987 Senate confirmation hearings for then-Supreme Court appointee Robert Bork. During these hearings, Michael Dolan, a reporter for the Washington City Paper, figured out that he frequented the same video rental store as Judge Bork. Reasoning there was no better way to know someone than to know what films he watched, Dolan obtained and published Bork’s rental history from the store – with an implicit threat that he would do the same for other politicians.
Dolan, however, did not exactly deliver a haymaker punch to Bork’s already-contentious nomination. The “Bork Tapes” revealed that the D.C. Circuit judge watched many videos but none rated R or X. As Dolan wrote in The New Republic in 2012, “Bork enjoyed whodunits and Brit films, costume drama and otherwise; he and his hadn’t rented anything remotely salacious enough to rankle patron Reagan’s buds in the Moral Majority.”
Although Bork’s nomination ultimately went nowhere – in no small part due to his role in a certain data privacy violation known as Watergate – the idea that “meddling journalists” could reverse-engineer viewing habits outraged Congress (we can only presume that some legislators had much more “interesting” viewing histories to protect). VPPA passed in record time, and it sparked almost universal duplication in state legislatures.
Today, physical videotape/DVD rental is a memory, but VPPA is not. Courts – such as in In re Hulu Privacy Litigation (2012) – applied VPPA to streaming services on the basis that the “video cassette tapes or similar audio visual materials” included streaming content. This was based on the legislative history, which the court observed to use media-neutral language. Some courts have limited standing to people who were formally “subscribers” such as in Austin Spearman v. AMC Network Entertainment, LLC (2015), but absent action by Congress, plaintiffs have continued to… innovate.
Today, plaintiffs allege VPPA violations in connection with using pixels in conjunction with videos in social media advertising. Pixels are code that is triggered by a user taking an action (viewing, clicking, buying, leaving). The contentious part is not letting an advertiser know merely that someone watched a video. Where the pixel also transmits identifying information about the subject to third parties (such as ad networks), plaintiffs have argued VPPA applies – and that absent explicit consent to transmit that information, advertisers are violating VPPA. Defenses have echoed those debated in previous upcycles of VPPA: Is the viewer a “consumer” and is the advertiser a “video tape service provider?” Defendants have also questioned whether the data transmitted by the pixel itself is identifiable information. These questions are case-specific, and the law is far from settled.
The current VPPA situation puts a risk/benefit proposition in front of businesses. Is the marginal value of particulars on video-watching worth the negative attention it could attract? VPPA carries statutory damages of $2,500 per violation and even absent class certification, defense costs are not trivial. VPPA may ultimately prove an unsuccessful vehicle for suits, but it may also be the case that sitting on the sidelines – and dialing back on pixel data collection – may be the best path.
- There is precedent for fast action on national data privacy laws, given the right “motivation.”
- Litigants and courts have been creative, and sometimes successful, in adapting a law written for video rental counters to control modern technologies.
- Organizations that lack a compelling business interest in collecting detailed pixel information, especially ones without cash reserves to defend class litigation, might want to suspend or severely limit pixel use.