It's no secret that plaintiffs' firms have been developing legal theories relating to third-party software technologies used on websites. This includes a recent spike in lawsuits alleging that websites running the Meta "Pixel" code are violating the Video Privacy Protection Act (VPPA) by sharing information about visitors' video viewing habits and history with Meta. These lawsuits continue the growing trend of consumer privacy class action litigation across the country and represent a significant risk to a wide variety of companies. This alert provides an overview of the VPPA and best practices for your company to mitigate these potential risks.
VPPA Overview
The VPPA was enacted by Congress in 1988 after then-Supreme Court nominee Robert Bork's video rental history was leaked to a news organization without his consent. Under the VPPA, a "video tape service provider" is generally prohibited from disclosing the personally identifiable information (PII) of a consumer derived from specific video materials or services without their consent. A video tape service provider includes any person engaged in the business of the rental, sale, or delivery of video tapes or "similar audio-visual materials." The open-ended language of that definition has allowed the VPPA to evolve with technology over the last 35 years and is now being used by plaintiffs' counsel to target companies in a variety of industries.
Over a decade ago, an upsurge of lawsuits alleging VPPA violations against online video streaming services, such as Hulu and Netflix, led to an amendment to the VPPA allowing video tape service providers to disclose PII to third parties after obtaining informed, written consent from consumers.
Evolution of the VPPA and "Pixel" Litigation
Plaintiffs' lawyers are creatively interpreting the definition of businesses that deliver audio visual materials to apply to modern technologies that allow video files to be accessed by website visitors in addition to online sales of DVDs or other visual media. Therefore, under these theories, any business that has a website with video capabilities could potentially be a video tape service provider"under the VPPA.
The latest wave of VPPA claims targets businesses with websites that run Meta's Pixel code, alleging that the use of the code results in the disclosure of consumer PII to Meta in violation of the VPPA. Over the last year, this has resulted in claims being asserted against a wide variety of website operators, including news outlets, movie studios, streaming services, professional sports organizations, and e-commerce companies across the country. Notably, many of these claims are being asserted against businesses with websites that are not primarily intended to stream videos or rent, sell, or deliver video media. This was recently evidenced in a January 2023 lawsuit against a major fast-food restaurant alleging violations of the VPPA related to a holiday-themed website operated by the company.
The success of businesses in securing dismissal of VPPA claims has been mixed and is largely dependent upon jurisdiction. The Southern District of New York has adopted a narrow view on the type of information that qualifies as PII, leading to more frequent dismissals of claims. Similarly, federal courts in Rhode Island and the Northern District of California have also dismissed VPPA claims where the viewed content was live-streamed (as opposed to prerecorded), on the grounds that this scenario fell outside the VPPA's definition of video tape service provider. However, courts in Massachusetts and the Northern District of Georgia have denied motions to dismiss, holding that plaintiffs filed plausible claims under the VPPA and allowed such claims to proceed to discovery.
Potential Damages and Best Practices
Companies that are found to be liable under the VPPA are potentially subject to actual or liquidated damages of at least $2,500 per affected consumer, punitive damages, attorneys' fees and costs, and other equitable relief. Therefore, with hundreds of thousands of consumers potentially comprising a class, the potential damages are significant.
The continued increase in VPPA claims is anticipated, given the lack of clear consensus among the courts. Companies should closely monitor VPPA claims as they are evaluated by the courts. Additionally, as a best practice, companies should assess and understand their use of Meta's tracking Pixel, Google Analytics, or any other software technology being used to potentially monitor website traffic or track consumer activity. As part of such assessments, companies should review their policies and procedures, website privacy notices, terms of use, consent forms, and other procedures for obtaining opt-in/opt-outs from consumers.
Based on the VPPA class action trend, Baker Donelson is assisting clients in reviewing their website tracking technologies with their marketing teams to recommend additional changes and considerations to mitigate against VPPA and other consumer privacy class action claims. If your company is interested in how the VPPA may affect its website tracking strategies or other best practices regarding policies, notices, and other procedures to mitigate potential risk from VPPA claims, please contact Aldo M. Leiva and Alexander F. Koskey, CIPP/US, CIPP/E, PCIP, or any member of the Baker Donelson Data Protection, Privacy, and Cybersecurity Team.