The VPPA is an old-school privacy law, but it is currently the subject of active litigation involving Gannett (USA Today), which may significantly influence standing arguments in related areas, such as data breach. The expansion of definitions to include new and emerging technology and uses reminds us that change is inevitable and that keeping up with the law is part of managing that change.
| Statute | Video Privacy Protection Act |
| Reference | 18 U.S.C. §2710 |
| Covered Entity | "Video tape service providers" |
| Regulated Activity | Disclosing personally identifiable information in video rental records |
| Private Right of Action | Yes |
| Remedies | Civil fines, not less than $2,500; punitive damages; attorneys' fees |
A. Background. The Video Privacy Protection Act ("VPPA") was passed in 1988 in reaction to the disclosure of Supreme Court nominee Robert Bork's video rental records in a newspaper. The fact that this was legal came as a surprise to many senators on the judicial committee. The Act was tailored to protect from disclosure the personally identifiable information ("PII") found in the rental records of "prerecorded video cassette tapes or similar audio visual material." So, protected PII pertaining to a rental might include your name, phone number, and email address when shared with the movie title and date of rental. Disclosure is not allowed without the consent of the individual. In 2011, the "Netflix Amendment" amended the Act's consent provision to read "to any person with the informed, written consent (including through an electronic means using the Internet) in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer given at one or both of the following times: (i) the time the disclosure is sought; and (ii) in advance for a set period of time or until consent is withdrawn by such consumer." The amendment, while specific to consent, also introduced the understanding that video tape service providers took many forms in the Internet era and that the regulated activity was not necessarily limited to tape.
B. Who is covered? The VPPA regulates "video tape service providers" which, generally, include "any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials, or any person or other entity to whom a disclosure is made …." Providers of similar audio visual materials have included gaming companies, social media content providers, and companies providing streaming video services.
C. What personally identifiable information is covered? PII under the Act "includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider." Unlike laws like HIPAA, the VPPA does not expressly itemize data elements that comprise PII. Therefore, it is a question of fact as to whether disclosed information provides the ability to individually identify the subject of the rental record. As technology evolves, elements not previously considered identifiable such as device ID or location information can fall within the definition.
D. What you can and can't do. The Act generally prohibits the disclosure of PII unless the consumer consents to such a disclosure in writing. Information about a user's preferences, such as genres of movies or favorite actors, can be disclosed provided the company allows the user an option to opt out of such disclosures. Disclosure to the police is only allowed under a valid warrant or court order. Companies storing video rental records must destroy such records no later than one year after a user account is terminated. Intra-corporate disclosures of information in the execution of business operations are not disclosures under the Act.
E. What happens if you don't comply. Violators can be sued in federal court. If found liable, companies can be subject to actual damages but not less than liquidated damages in the amount of $2,500. Additionally, violators are at risk of punitive damages, reasonable attorneys' fees, other litigation costs reasonably incurred, and any other equitable relief the court deems appropriate. Claims are subject to a two-year statute of limitations. However, courts have ruled that while retaining rental records beyond the one-year limit is a violation of the Act, it is not one subject to a private right of action.
F. Risks and Recommendations
a. Are you a regulated entity? If you provide any video or similar media as part of your service offering, carefully consider if your business might qualify as a "video tape service provider" and if the customer records you retain qualify as "video rental records" under the Act. As a best practice, of course, any time you are collecting PII, you should have administrative safeguards in place in the form of policies and procedures. Such policies should include provisions on customer notice, choice, consent and security.
b. What information is "personally identifiable?" Think carefully about what information you are sharing, even if it is "aggregated" or "transaction-focused" with direct identifiers (e.g. name, phone numbers, address, etc.) removed. As technology evolves and the ability to link data sets only continues to improve, you need to be wary of indirect identifiers (e.g. IP addresses, device IDs) as much as direct identifiers.
c. Consent and Choice. A golden rule: when in doubt, get permission. As with all privacy laws, providing consumers clear notice of your disclosure practices and obtaining verifiable consent to use customer information in accordance with those practices will ensure consumer awareness and will reasonably protect your business from claims of unauthorized disclosure.