Lawmakers, Stakeholders Discuss Amendment to the Video Privacy Protection Act

By Angelique Carson, CIPP/US

Should consumers have the power to choose whether to share their personal information, or should Congress legislate when they have that right? 

That question was up for debate at yesterday’s hearing on the proposed amendment to the Video Privacy Protection Act (VPPA), during which lawmakers and witnesses discussed consumer rights, the viability of easily accessible opt-out mechanisms and how to adequately update a consumer privacy law sure to soon again fall behind the forward march of technology. 

Witnesses at “The Video Privacy Protection Act: Protecting Viewer Privacy in the 21st Century” hearing, held by the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law, agreed the VPPA needs updating, but to what extent and how didn’t always draw consensus.

House Resolution 2471—which passed the House of Representatives in December 2011--would amend the VPPA to allow consumers to give one-time, blanket consent for their viewing preferences to be shared by a “video tape service provider,” and for that consent to be obtained via the Internet. 

The VPPA was passed in 1988—years before online video streaming and data sharing were prolific—after a Supreme Court nominee’s video rental history was published in a newspaper. The law forbids the disclosure of video renters’ personal information without the consumer’s informed, written consent at the time of disclosure. Disclosure is permitted under certain circumstances–such as for law enforcement under a court order or warrant, or if the consumer provides written consent–provided a video’s title, description or subject matter isn’t disclosed.

EPIC’s Marc Rotenberg said the VPPA aimed to provide a higher level of protection against companies disclosing data under opt-out provisions that would reveal significant details about a person’s personal interests and likes.

Rep. Melvin Watt (D-NC) noted that a video subscriber’s data “exposes a member’s personal interest and struggles with various highly personal issues including sexuality, mental illness, recovery from alcoholism and victimization from incest, physical abuse, domestic violence and rape.”

Internet subscription service Netflix says consumers should ultimately control what information they share, not Congress. Ambiguities under the VPPA recently halted Netflix’s plans to integrate its video streaming services with Facebook in the U.S. Though the service is available in 44 countries, the VPPA prevents such disclosures, even if customers have opted in, said Netflix General Counsel David Hyman.

The proposed amendment “leaves the opt-in standard on VPPA undisturbed,” Hyman said, but clarifies users’ abilities to share. “Netflix supports opt-in standards and believes this approach is workable. We hope the Senate will see the value of clarifying the right of consumers to opt-in to ongoing sharing and quickly approve HR 2471.”

Christopher Wolf of the Future of Privacy Forum agrees with Hyman in his support of HR 2471, saying the choice should remain in the consumers’ hands. 

“A law that takes away that choice ignores that there are people who want to (share everything on Facebook),” Wolf said. “I don’t see how it’s the business of Congress to dictate how and when people share.” 

But Watt testified that it was a mistake that HR 2471 moved through the House so quickly and without a hearing. The bill would have unintended negative consequences for consumers as well as affected businesses because it fails to specify what constitutes a “video service provider”; leaves a consumer’s private information vulnerable to third parties; fails to appropriately update the law on consumer-oriented provisions, and fails to consider the impact it would have on state laws, Watt said. 

Rotenberg said he believes the members of the House who voted for the bill may not have understood its consequences, and the bill would not only allow video renters’ Facebook friends to see their viewing preferences but also Netflix’s business partners and potentially law enforcement agents. 

“What Netflix is asking users to do is provide blanket consent that gives them the opportunity to disclose specific movie viewing data to any party in any circumstance that Netflix wants. This knocks out the cornerstone of the act,” he said. “Obviously I don’t think this is going to support online privacy, and frankly, I don’t think Netflix users want these provisions. But I do think changes can be made to the act to update and improve it.” 

Although Wolf disagreed that the bill would offend users or undermine the VPPA’s fundamental purpose, he agreed that as a privacy best-practice, opt-in should be the default for sharing and should be presented prominently, separately and distinctly from general privacy policies.

“For many people, automatic sharing and social media is how they shape online identities and how they share ideas,” he said. “When it comes to sharing online video preferences, the law gets in the way.”

Subcommittee Chairman Sen. Al Franken (D-MN) closed the hearing by saying that he doesn’t believe the amendment is comprehensive and that it should include a broader definition on “video tape service provider” to ensure the law applies to online video streaming.

In the end, said Wolf, “Privacy is and all along has been about giving people the choice to share their information and who sees it and how it’s disclosed.”


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»