Data Privacy Salon Follow-up | Video Privacy Protection Act (VPPA) FAQ

16 Aug Data Privacy Salon Follow-up | Video Privacy Protection Act (VPPA) FAQ

August 16, 2023 | On July 19, DEG held a webinar Digital Privacy Compliance: 2023 Trends and Risks with guests Jennifer Mitchell, Partner, BakerHostetler and Field Garthwaite, CEO, IRIS.TV. 

You may download the slides to the webinar here. We’ve summarized some of the key insights into a FAQ to help DEG members navigate the uncertainty of the Video Privacy Protection Act (VPPA) and similar regulations. 

What is the VPPA and how does it impact streaming video platforms and publishers?

Congress passed the Video Privacy and Protection Act (VPPA) (18 U.S.C. § 2710(b)) in 1998 to address video rental privacy concerns after Blockbuster disclosed a U.S. Supreme Court nominee’s video rental history to a news outlet. It’s one of the earliest federal consumer privacy laws. Specifically the law states:

The VPPA prohibits [1] a “video tape service provider” from [2] knowingly [3] disclosing [4] “personally identifiable information”

of [5] a “consumer,” unless certain enumerated exceptions apply.  18 U.S.C. § 2710(b)(1).  

In 2012, the VPPA was updated to cover digital streaming and on-demand services and the continued increase in VPPA claims is anticipated given the lack of clear consensus among the courts. 

Who are the typical defendants of VPPA lawsuits and what is at stake? 

Defendants include both publishers and brands. Companies that are found to be liable under the VPPA are potentially subject to actual or liquidated damages of at least $2,500 per affected consumer, punitive damages, attorneys’ fees and costs, and other equitable relief. 

Many DEG members now have ad-supported businesses that serve billions of ads per month. But if a publisher violates this law on just one million ad impressions it would result in a $2,500,000,000 fine. So this law is important, especially now as so many publishers are investing heavily to grow their streaming businesses.

Why are there such a wide range of companies facing VPPA lawsuits?

Privacy is a growing consumer concern and that has resulted in a growing number of consumer support for groups seeking to pursue these cases.

Starting in 2012, VPPA expanded coverage into streaming video. Data ranging from IP addresses, household IDs, and device IDs are all considered personal data, and these data sets can’t be co-mingled with program data like “show” or “episode” in streaming without properly hashing the video data. So what sounds like a simple request from an advertiser to publishers – “show me where my ad ran” – is actually pretty complex and requires new technology infrastructure to mitigate risk and properly manage first-party identity data and video data.

From the 70 VPPA actions filed that we know of, these are against operators of websites that offer online and common third-party analytics tools ranging from publishers to major brands. 

For legal teams considering the next steps, what can members of the DEG do to better understand what is permissible under the law and protect themselves? 

In recent weeks the Internet Advertising Bureau (IAB) held a discussion on the VPPA since vídeo data and identity data are both important to advertisers. The IAB laid out different paths for content distributors selling advertising on their video inventory including:

1. Do nothing and accept litigation risk/attempt to resolve issues through litigation
2. Get consumer consent before sharing specific video information
3. Push for reform to an outdated law
4. Mask or obfuscate specific video content (e.g.,  through the use of content IDs)

It’s important that operators in marketing and IT discuss the matter with legal. In addition to the VPPA there are new laws being enforced like the California Consumer Privacy Act (CCPA) along with several other state, federal, and international privacy laws. Because risk is growing internal legal counsel can bring in outside experts to help their legal and operating teams conduct an audit and help prevent these types of suits before any potential infringement occurs. 

If any members are already dealing with VPPA lawsuits now, what can they do?

There are a number of options for broadcasters to manage risk both for prevention, limiting legal liability, and properly defending these cases.

In court, key defenses still being litigated in the VPPA context include:

• The defendant is not a VTSP;
• The disclosure is not PII;
• The defendant is unaware of what information the website tracker is collecting;
• For providers of free video content, the plaintiff is not a “renter, purchaser, or subscriber of goods or services” from the VTSP; and
• The defendant provided the plaintiff informed consent in a distinct and separate form.

And First Amendment challenges.

What recommendations do you have for content owners managing compliance with privacy laws? 

CCPA enforcement begins in July 2023 and requires that businesses provide consumers the right to opt-out of the sale or sharing with third parties. Businesses must include language in privacy policy and “Do Not Sell or Share” link in footer of website, as well as implement Global Privacy Control. 

In addition to new laws going into effect, there are also at least 70 VPPA actions filed against operators of websites and digital platforms, which is relevant to all DEG members. All of the above will result in some impact to marketing teams.

Download the full presentation slides here!

For additional information, please email Jean Levicki (Jean@degonoline.org).