Understanding VPPA Privacy Risks

Background

In 1988, while Robert Bork was being confirmed as a Supreme Court justice, his video rental records were published by the Washington City Papers. Soon after, Congress passed the Video Privacy Protection Act of 1988 (VPPA), a U.S. federal law meant to protect the privacy of consumers’ video rental history. It prohibits video service providers from knowingly disclosing consumers’ personal information (PI) and video viewing records without their consent.

When the law was enacted, video viewing was an offline activity. As video rental and viewing shifted online, the VPPA was amended in 2013 to include online video viewing. Starting in 2022, VPPA case filings increased sharply, expanding beyond traditional video companies to a wide array of industries.

In LOKKER’s privacy risk research of S&P websites last year, we found that almost all medium-sized or larger sites have at least one video. Companies with video on their site are at risk of being sued under this law. Let’s understand the nuances of this risk and how to mitigate it.

Key Criteria of a VPPA Claim 

There are several important definitions included in the VPPA which are found in most VPPA claims:

Video Tape Service Provider: Plaintiffs must demonstrate a defendant is a “video tape service provider”. While the original VPPA focused on video, the 2013 amendment extended it to include providing service “through an electronic means using the Internet.”

Knowingly Disclosed: The plaintiff must show that the defendant knowingly disclosed the consumer’s PII.

Consumer: The plaintiff must be a “consumer” of the video tape service provider, meaning a renter, purchaser, or subscriber of audio-visual goods or services. The level of commitment required for a user to be considered a “subscriber” varies. Some courts require an ongoing relationship between the user and the entity that owns the website or app, while others require that the subscription be related to the site’s audio-visual materials.

Personal Information: The information disclosed must be PI, meaning information that identifies a person as having requested or obtained specific video materials or services.

Today, plaintiffs’ attorneys commonly assume a site violates the VPPA when these four key conditions exist:

  1. You are a potential video tape service provider if your website includes one or more pages that contain video content.
  2. You have knowingly disclosed consumer data if at least one site page with video content shares user data with a third party, typically a social media site.
  3. The social media site, e.g. Facebook, has personal information on its users and can link the data received to a real person.
  4. The website serving the video has not collected sufficient consent from the site consumers.

Typical targets of VPPA claims have included online news and media outlets like The Boston Globe and BuzzFeed, which faced VPPA suits for embedding pixels on video pages. Streaming services and video platforms were sued for transmitting user viewing data to third parties. Retail and e-commerce websites with product or marketing videos have become targets, even though they are not video-centric businesses. Websites in the healthcare, education, and financial sectors are also targeted if they include informational videos and share data with third parties.

Common Arguments and Defenses in VPPA Lawsuits

1. Broad Definition of “Video Tape Service Provider”
Plaintiffs argue any site offering video content qualifies under the VPPA, even if its main business is unrelated to video. Defense Strategy: Courts have dismissed some cases where video content was incidental, e.g. for marketing or training; for example, the Southern District of California dismissed a case against a fashion retailer.

2. Broad Interpretation of “Consumer” or “Subscriber”
Plaintiffs often claim to be subscribers simply by signing up for a newsletter or accessing free video content. Defense Strategy: Many courts ruled that signing up for an email or browsing public videos does not make one a VPPA subscriber.

3. Use of Third Party Pixels tied to Consumer PI Data
Websites allegedly use analytics or advertising pixels (e.g., Meta Pixel) that disclose users’ video viewing history and identifiers like the Facebook ID to third parties without consent. Defense Strategy: When data shared with a third party did not include specific video titles tied to a unique consumer identifier, courts found no VPPA violation.

4. Lack of User Consent
Disclosures are made without the distinct, written consent required by the VPPA, even if a site has general privacy policies or cookie notices. Defense Strategy: The defendant could show explicit, standalone consent was given.

Two additional, less common defenses have also been used. Standing and Harm: Most courts found that unauthorized disclosure of video viewing info constitutes a concrete privacy harm. Constitutional Challenges: Some defendants began challenging the VPPA’s constitutionality, but courts have yet to rule it unconstitutional.

Effectiveness of Defenses and Case Outcomes

  • “Not a Video Provider” Defense: Effective for non-media businesses.
  • “Not a Subscriber” Defense: Highly effective, but weakened by certain appellate rulings.
  • “No PI Disclosure” Defense: Effective when the pixel data did not include specific video or identity pairings.
  • Consent Defense: Rarely successful without explicit opt-in consent.
  • Standing Defense: Generally ineffective; most courts find VPPA violations cause real privacy harm.

Overall Outcomes (2023–2024):
Many cases have been dismissed or settled. Courts have filtered out weak claims, especially against non-media companies or where plaintiffs lacked subscriber status. However, some cases have survived and even succeeded on appeal, indicating the statute remains a potent privacy tool.

Mitigating VPPA Risk

Because of the VPPA risk, all companies should collect the required information and assess their risk:

  • Audit all the pages on websites for the presence of video content. Remove or limit third-party data sharing on pages with video content. As third parties receiving data typically get the page URL and meta tags with keywords, remove risky words like “video” from page URLs and meta tags, e.g. change www.sleepytime.com/sleep-advice/video to www.sleepytime.com/sleep-advice/one. See more below.
  • Audit third-party data sharing, especially for data sent to social media sites like Facebook that have PI on their users.
  • Assess your consent banner and privacy policy compliance. Provide the appropriate notice in your privacy policy and obtain clear, standalone user consent that video viewing data may be shared with third parties.
  • Educate your organization about these risks.

In summary, the complex VPPA continues to be actively litigated, and its application is evolving in real time with significant implications for businesses across all sectors. Legal interpretations and defense strategies are still developing, making proactive risk mitigation crucial. By understanding the key elements of VPPA claims, potential risks, and effective defense strategies, businesses can take steps to minimize their exposure to costly litigation and protect user privacy. Remember the onus is on businesses to navigate this landscape effectively, ensuring compliance and avoiding potential legal pitfalls.

APPENDIX

URL and Meta Tag Keyword Risk
The following keywords, when used in a page URL on your site and/or in a meta tag on a page, have the potential to create risk:

  • “watch”
  • “video”
  • “episode”
  • “tutorial”
  • “webinar”
  • “on-demand”
  • “video ID”
  • “user ID”
  • “email”
  • “embedded player”
  • “tracking script”
  • “third-party sharing”
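
An added example, not part of the original article or LOKKER's tooling: a Python audit of one page's static HTML, covering the page audit in the mitigation list and the keyword check in this appendix. It reports whether video is present, which third-party hosts are loaded, and which appendix keywords appear in the URL path or meta tags. The embed-host list, the sample HTML, and the needs_review flag are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Single-word keywords from the appendix list; multi-word entries omitted here.
RISKY_KEYWORDS = ("watch", "video", "episode", "tutorial", "webinar", "on-demand")
# Assumption: hosts treated as embedded video players; extend for your stack.
VIDEO_EMBED_HOSTS = ("youtube.com", "youtube-nocookie.com", "vimeo.com")
# Constructed sample page, using the example URL from the mitigation list.
SAMPLE_URL = "https://www.sleepytime.com/sleep-advice/video"
SAMPLE_HTML = """<html><head><meta property="og:title" content="Watch: Sleep Tutorial">
<script src="https://connect.facebook.net/en_US/fbevents.js"></script></head>
<body><video src="/media/sleep.mp4"></video><img src="/img/logo.png"></body></html>"""

def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

class _PageScan(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.has_video = site_host, False
        self.third_party_hosts, self.meta_text = set(), []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.has_video = self.has_video or tag == "video"
        if tag == "meta" and a.get("content"):
            self.meta_text.append(a["content"].lower())
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            if not host:
                return  # relative URL, served by the site itself
            if tag == "iframe" and _in_domains(host, VIDEO_EMBED_HOSTS):
                self.has_video = True  # player embed: counts as video, not as a tracker
            elif not _in_domains(host, (self.site_host,)):
                self.third_party_hosts.add(host)

def audit_page(url, html):
    """Report video presence, third-party hosts and risky keywords for one page."""
    parsed = urlparse(url)
    scan = _PageScan(parsed.hostname.lower().removeprefix("www."))
    scan.feed(html)
    scan.close()
    return {
        "has_video": scan.has_video,
        "third_party_hosts": sorted(scan.third_party_hosts),
        "url_keywords": [k for k in RISKY_KEYWORDS if k in parsed.path.lower()],
        "meta_keywords": [k for k in RISKY_KEYWORDS if any(k in m for m in scan.meta_text)],
        "needs_review": scan.has_video and bool(scan.third_party_hosts),
    }
```

Scripts injected at runtime by a tag manager do not appear in static HTML, so confirm the third-party list against a browser network capture of the same page.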