By Venkat Balasubramani

The Video Privacy Protection Act (VPPA) has spawned plenty of litigation over the past couple of years; but this litigation has resulted in a few relevant recent rulings. One hot-button area has been lawsuits brought by plaintiffs to enforce the “purging requirement” imposed by the VPPA. Another has been the applicability of the statute to online streaming services. Plaintiffs have achieved mixed results in these cases.

Lawsuits alleging failure to purge

Sterk v. Best Buy Stores, LP, 11 C 1894 (N.D. Ill. Oct. 17, 2012): This lawsuit is a putative class action alleging that plaintiff purchased DVDs from Best Buy and that Best Buy retained the purchase history for over a year, and disclosed this information to an affiliated entity, Best Buy Co., Inc.

  • No private right of action for improper retention of personal information. Section 2710(e) of the VPPA is a loosely worded provision that requires covered entities to purge personally identifiable information “as soon as practicable but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.” The Seventh Circuit in Sterk v. Redbox held that section 2710(c) does not provide for a private right of action under 2710(e). Given that this court is bound by the Seventh Circuit’s ruling, plaintiff tried to argue that he could assert a claim under the Stored Communications Act, which is part of the same chapter as the VPPA, as opposed to the VPPA. The judge considered and rejected plaintiff’s argument in Sterk v. Redbox, on remand, and the court follows suit here. Another court in the Northern District of California recently came to the same conclusion.
  • Plaintiffs lack standing to pursue injunctive relief. Plaintiffs also sought injunctive relief, which required the court to address the issue of standing. The court runs through the classic test for standing, but importantly says that Congress cannot create standing for plaintiffs who do not satisfy Article III’s minimum standing requirement. The court also notes—citing the Seventh Circuit’s opinion in Sterk, and to Van Alstyne v. Elec. Scriptorium, an e-mail privacy case—that under the VPPA, only plaintiffs who are “aggrieved” may seek relief. Here, any injury from retention is nonexistent and shouldn’t support standing. Plaintiffs’ disclosure claim similarly did nothing to establish injury—the data was being disclosed to a 100-percent parent corporation. Plaintiffs also tried to rely on the diminution of value of their information and the fact that they allegedly overpaid for the services provided by Best Buy, but the court easily rejects these arguments. Apart from a few stray rulings, these rulings have rarely gotten any traction in courts.
  • Plaintiffs also brought a breach of contract claim. The court says that claims based on older purchases were time-barred. Claims based on later purchases were dismissed due to lack of alleged damages. Plaintiffs are permitted to replead these.

Does the VPPA apply to streaming services?

In re Hulu Privacy Litigation, C 11-03764 LB (N.D. Cal.; Aug. 10, 2012), Hulu is facing a putative class action alleging that it improperly disclosed the video viewing choices of its users without obtaining consent. Hulu initially argued that plaintiffs lacked standing. Relying on the Ninth Circuit’s decision in First American Fin’l Corp. v. Edwards, the court said that alleging a violation of a federal statute was sufficient to satisfy Article III standing. Now the court looks at whether the allegations state a claim under the statute.

  • Is Hulu a “video tape service provider”? The VPPA only covers the rental, sale or delivery of “prerecorded video cassette tapes or similar audiovisual materials.” Hulu argued that this language does not cover online providers. The court disagrees. The court looks to the language of the statute and finds that the phrase “similar audiovisual materials” focuses on the content, not the means of delivery. While the dictionary definition of the word “material” is inconclusive, and everyone agrees that online delivery wasn’t around when the VPPA was enacted, the court looks to the legislative intent:

Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved. The question is whether the mechanism of delivery here—streaming versus bricks-and-mortar delivery—ends this case at the pleading stage…Given Congress’s concern with protecting consumers’ privacy in an evolving technological world, the court rejects (Hulu’s) argument (that it’s not covered by the statute because the statute does not cover digital distribution).

  • Other defenses: Hulu raised two other defenses, neither of which the court buys, at least at the initial stages of the litigation. First, Hulu says that its disclosures fall within the VPPA’s “ordinary course of business” exception. The statute defines ordinary course of business to include “debt collection activities, order fulfillment, request processing and the transfer of ownership.” Hulu’s disclosures—to Facebook, Doubleclick, QuantCast, Google Analytics and ScoreCard—do not clearly fall under this definition. The court declines to dismiss at the pleading stage based on this defense.

Second, Hulu argued that plaintiffs were not “consumers” as defined by the VPPA. The statute defines consumers as “any renter, purchaser or subscriber,” and since the proposed class did not involve paying Hulu customers, Hulu argued that they were not consumers. The court disagrees with Hulu, saying, “[I]f Congress wanted to limit the word ‘subscriber’ to ‘paid subscriber,’ it would have said so.”


It’s interesting to see courts give a broad reading to the VPPA and conclude that it applies to online service providers. This means that a whole lot of entities are potentially subject to its prohibition; e.g., Vimeo; YouTube. Given the uncertainty around its consent provisions, this puts online service providers in a tricky position when it comes to sharing viewing histories. There has been at least one proposal floated to legislatively tweak the VPPA’s consent provisions, but it has not passed to date. As a side note, courts have rejected two lawsuits in this space. First, a lawsuit brought against Netflix for disclosing viewing habits within a household, and second, a lawsuit brought against Pandora for allegedly violating Michigan’s version of the VPPA.

Claims alleging failure to purge under the VPPA represent the far extreme of privacy lawsuits. As the Seventh Circuit’s ruling from Sterk, as well as the rulings in Rodriguez and Sterk v. Best Buy demonstrate, courts will not be very enthusiastic about these claims. The majority of courts have rejected claims for damages on the basis that the VPPA does not provide for a private right of action. Interestingly, the court here cited the Supreme Court’s decision in First American Finance Corp. v. Edwards in concluding that plaintiffs lacked standing to pursue claims for injunctive relief. Although First American Finance dealt with standing to sue under the Real Estate Settlement Procedures Act, in advance of the ruling, many thought this case would alter the landscape for privacy lawsuits and standing. The ruling from the Supreme Court was largely viewed as anti-climactic from a broader privacy standpoint, but maybe it has more vitality than originally thought. The court’s decision illustrates one thing: Courts will not hesitate to use standing to kick out lawsuits that they view as alleging inadequate harm.

Venkat Balasubramani is a cofounder of Focal PLLC, a Seattle-based law firm focusing on media, technology and Internet-related clients. He blogs at Eric Goldman’s Technology & Marketing Law Blog. You can also follow him on Twitter, @VBalasubramani.

Read more by Venkat Balasubramani:
Northern District of California confirms Pineda v. Williams-Sonoma applies retrospectively
Mass. Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm—Tyler v. Michaels Stores


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»