Meta Pixel Spawning Array of Streaming Video VPPA Suits
A growing wave of Video Privacy Protection Act suits in U.S. district courts targeting streaming video provision isn't expected to crest anytime soon, data security and privacy lawyers tell us. While there have been other bursts of VPPA litigation in the past, Susan Israel of Loeb said the latest crop is focused largely on use of Meta Pixel for analytics and ad targeting -- Pixel being a piece of JavaScript code that allows for tracking visitor activity on a website.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
For most of VPPA's 34-year history, lawsuits were rare because the law "was so specific," said Philip Yannella of Ballard Spahr. The rise of online video brought with it attempts at applying the law to online video sharing, he said. Most such suits were largely dismissed, but the interest of plaintiff's lawyers "never waned" and they have refined their theories to tap into the law, he said. He said a major driver of VPPA lawsuit interests is that it provides for liquidated damages, meaning every consumer whose rights have been violated is entitled to actual damages of $2,500 per incident. “That's a lot of money,” he said. Also driving the current VPPA litigation wave are court rulings seen as containing holdings friendly to plaintiffs' arguments, Yannella said.
Heightened attention to data privacy in areas of tracking and targeted advertising helped bring the latest wave of VPPA suits, said Dominique Shelton Leipzig of Mayer Brown. Trying to apply VPPA to the digital world has left questions about what's considered personal information for purposes of the statute as well as wrangling over what VPPA means in the context of new technologies, she said.
The negative attention Facebook often gets might make it seem "an easier sell" for litigation, Israel said. VPPA wasn't designed for internet, so when there's a new analytics mechanism, ‘it lends itself to testing the application of the VPPA" because the incentives to sue are so large, she said.
Under VPPA, "a video tape service provider who knowingly discloses ... personally identifiable information concerning any consumer of such provider" is liable, with "video tape service provider" meaning people in the business of prerecorded video cassettes "or similar audio visual materials." It was adopted into law in 1988, after federal Judge Robert Bork's videotape rental history made its way into news coverage regarding his nomination to the Supreme Court.
This year alone has seen complaints against plaintiffs ranging from HBO, Bloomberg, BuzzFeed and Nexstar to ESPN, Paramount, Warner Bros. Discovery and its CNN.com, and Sony and its Crunchyroll streaming service.
Without telling its digital subscribers, defendant horror streaming service Shudder "profits handsomely from its unauthorized disclosure of its digital subscribers’ Personal Viewing Information to Facebook ... at the expense of its digital subscribers’ privacy and their statutory rights under the VPPA," Daineira Mangum, an Illinois Shudder subscriber, said in one such suit filed last month in U.S. District Court for the Northern District of Illinois (docket 1:22-cv-04857). Per the suit, seeking class-action status, Facebook installed its Pixel code on Shudder, allowing it to track when subscribers enter Shudder or the Shudder app and view videos.
Shudder then tracks and discloses to Facebook the subscribers' viewed videos and their personally identifiable information, it said. "Because Shudder digital subscribers are not informed about this dissemination of their Personal Viewing Information -- indeed, it is automatic and invisible -- they cannot exercise reasonable judgment to defend themselves against the highly personal ways Shudder has used and continues to use data it has about them to make money for itself," the complaint said. Shudder parent AMC Networks, the defendant in the suit, didn’t comment.
Meta emailed it has clear policies regarding the kinds of information businesses can share with it and said it requires them to provide clear explanations to their users about data collection practices. It said advertisers shouldn't share business tools data that they know or reasonably should know is from children or about children.
Often targeted in the suits aren't traditional streaming services but news organizations that embed news videos on their websites, and there's an unsettled question as to whether those organizations meet the definition of a video service provider, Yannella said. There also are questions about whether the website video is conveying personally identifiable information, he said. That determination often gets into how cookies work and what they are sharing. He said some such issues could become more settled in coming months as rulings start coming in the various pending suits.
Leipzig said the litigation hasn't started affecting companies' practices yet. Given the value brands put on reputations for trust and integrity, companies should think about damage to those reputations that can come from publicity over lawsuits, Leipzig said. Communications about what data is collected and how it is shared can be "the Get Out of Jail Free card when it relates to privacy," she said. While a company's digital team wants to avoid "friction" in user interfaces, getting consent can still be done relatively quickly and simply, she said.
Loeb's Israel said one potential hurdle the suits might face is judges being a little leery of ruling that "might blow up an entire industry." She said some advocates of a federal privacy law would also like to see uniform standards that preempt VPPA, making compliance more clear-cut. She said while federal privacy legislation has stalled for now in Congress, "there's a decent amount of energy behind it" and midterm election results could bring some kind of compromise.
VPPA consent has to be done explicitly with a signature or active consent, it has to be separate from other disclosures, and there has to be a process for people opting out, Yannella said. All of which adds up to a cumbersome process, he said: “If it was a matter of adding language to your privacy policy, everybody would do it right now."
Legislative changes to the VPPA legal landscape don't appear to be in the cards. "I have heard of no interest in Congress to take this up," Yannella said.
Leipzig said while there are no private rights of action under the California Privacy Protection Act, it wouldn't be surprising if the California Privacy Protection Agency waded into video issues.