When it comes to legislation, few laws are as controversial as the Video Privacy Protection Act, or VPPA. It was passed in 1988 by the Reagan administration, as result of Supreme Court nominee Robert Bork’s video rental records appearing in a newspaper. You’re probably thinking that he didn’t get the Supreme Court spot, right?
well you are correct, but it wasn’t because of some nasty pornography or things he didn’t us want to know. The list contained just a few British costume dramas and some Hitchcock films.
However, the posting of this list became a big deal, as it meant that such a breach of privacy was in fact legal. So, even though Bork didn’t manage to get into the Supreme Court, his rental list became a much-maligned thorn that has persisted even though the age of online video content. Let’s take a look at how this controversial law can still impact the lives of video retailers and creators, as well as viewers and customers.
In the initial draft of the law, the covered entities were solely video tape service providers. To regulate the activity of passing on personally identifiable information concerning those videos, the legislation had to be expanded a multitude of times to cover the functioning of online video content and the principles of modern video asset management.
The sharing of personal information was initially strictly forbidden, with a definition of personally identifiable information being – “any contact or personal data that may lead an individual to the successful identification of a stranger or known person”. However, in 2011, a change was made in the form of “The Netflix Amendment”.
The importance of the Netflix Amendment
Even though the VPPA had the protection of viewers and renters as a goal, it still hindered the influx of information under different circumstances. Netflix, the popular streaming and Production Company managed to breach the VPPA by disclosing other users’ video ratings and watch history during a contest in 2006.
In particular, an in-closet lesbian mother realized that people could view Brokeback Mountain in her watch history, which is a popular film about homosexual relations. She filled a class-action lawsuit in the federal court and the case became known as Doe v. Netflix.
Thus, because there was a clause in the User Agreement when logging onto the Netflix site that the user is accepting the possibility of Netflix using their info, the Netflix Amendment amended the VPPA’s consent provision act and it read – “to any person with the informed, written consent (including through an electronic means using the Internet) in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer given at one or both of the following times: (i) the time the disclosure is sought; and (ii) in advance for a set period of time or until consent is withdrawn by such consumer.”
Online content – Issues and Solutions
Now, there was an obvious solution when the only medium for video watching was renting movies and TV shows. However, in the 21st century, the VPPA faced new challenges when it comes to private video hosting and online content. Obviously, it’s an area that is almost impossible to govern and it left many gray areas for lawmakers, video creators, and viewers to tackle.
The channel for the provision of video content was once simple. You become a paid subscriber to the service by paying a fee to have the physical copy under your supervision for a select period. There was much fuss about this particular area of video privacy, but every problem was easily solvable after the VPPA was created.
Online content has created a trifecta of possible privacy issues:
- The notion of “knowing disclosure”
- Are viewer’s consumers/subscribers despite them not providing compensation for viewed content
- Which data elements fall under the notion of PII (personal identifiable information) or not
To inform our readers, we’ve decided to cover each issue separately, to allow both businesses to shield themselves from unwanted lawsuits and viewers to know their rights.
The VPPA requires a “knowing” disclosure
In a class action against Hulu, an on-demand video provider, plaintiffs accused them of disclosing their identities to a third party, in this case – Facebook. The problem arose when a user clicked the “like” button via Facebook’s presence of the Hulu site. Because of this action, the site sent Facebook a cookie, which allowed Facebook to gain knowledge of their viewing habits and selections.
The case was closed when Hulu managed to convince the judge about the involuntary combinations of the streams of information – the cookie from the like and the URL of users’ viewing requests. What has this case taught us?
For businesses – Make sure you have a detailed User Service Agreement where you specify which data the website sends to social media and other third-party websites. You have to know all the services that get connected to your site.
For viewers – Make sure you read the UA carefully and look for a clause where the site states that you will have to agree to it to send cookies and URLs. Stay away from sites who don’t contain this particular clause.
The “consumers” group doesn’t include non-registered online viewers
In the case of Austin-Spearman v. AMC Network Entertainment, the plaintiff accused AMC of sharing PII to Facebook, when she watched the show on AMC’s websites. Since the VPPA accounts only for registered subscribers and consumers, Austin-Spearman didn’t fit the bill at all. She didn’t create an account, have a username or password, nor did she download an app or a program to view the content.
The district court where she tried to solve matters with AMC gave her an opportunity to prove that she was indeed a subscriber. She failed to do so and decided to restrain from filing a claim. Thus, the definition of a subscriber was somewhat determined. What has this case taught us?
For businesses – Be sure to disclose the definitions of subscriber and viewer on your website. Additionally, disclose the rights and obligations of each type of visitor, so that you can escape unwarranted claims.
For viewers – Read the UA with the utmost care, because some sites apply the same policy to non-registered viewers. If you choose to sue them, they will shield behind the notion of you not belonging to a group of paid subscribers.
Unique ID numbers are not considered PII
If we look at the case of Eichenberger v. ESPN, we can conclude that the notion of PII only encompasses a limited amount of data that can be traced to you. Using his Roku device, the plaintiff downloaded the WatchESPN Chanel app. The video history, alongside his Roku number, was sent to Adobe Analytics, a third-party company. They connected the Roku serial number to his existing data and had identified him as having watched a select number of videos.
The Western District Court of Washington found that ESPN did in fact not violate the VPPA when it sent the device number and the video history to Adobe Analytics. This verdict was on the grounds of PII being only data that is unique to a person as an individual, not as an existing entity using the services of a site he subscribed to.
For businesses – When it comes to sending data to third parties, be sure to check the legislation on what is permitted and what is not. Even if you don’t do anything illegal, state the material you will be sending in the UA. Also, include a statement about the absolute legality of those actions.
For viewers – Browse the web with a sense of responsibility. There are ways third-party websites may identify you, so be wary.