It’s often said that you just can’t teach an old dog new tricks. In the recent IAPP web conference, VPPA: The Current State of Play, panelists said while there’s truth to that old idiom, it doesn't quite apply to the Video Privacy Protection Act (VPPA). It’s a little more complicated than that.
At first glance, that nuance is difficult to see. Boiled down, the 30-year-old act prohibits "a video tape service provider from knowingly disclosing personally identifiable information of a consumer of such provider,” said Davis Wright Tremaine’s Christine McMeley during the web conference. The 1988-borne piece of legislation was catalyzed both by a report that divulged a Supreme Court judge’s video rental history during his confirmation hearings, and other more veiled threats toward politicians. Before the law, it was sort of, “wise up, Teddy Kennedy and Joe Biden, or we’re coming for your Blockbuster Video histories.”
“Nothing gets Congress to act faster than threatening to expose their video rentals, apparently,” McMeley said.
Fast forward 28 years. Video stores are considered inconvenient relics while mail-order and online video streaming services like Netflix, Redbox, and Hulu rule the day. While the technological landscape is nearly unrecognizable to that which consumers were accustomed to in 1988, the VPPA has been left virtually unchanged. This, McMeley and co-panelist Ryan Andrews of Edelson PC contend, breeds considerable contention.
Congress “just has not kept up with the changes in technology. So you’re taking this old statute and applying it to all these methods for delivery,” McMeley said.
“A lot of the VPPA decisions dealing with apps and related streaming technology are based on a misunderstanding of what that tech is doing, the nature of data mining and the nature of data analytics,” Andrews added.
Then there’s the additional issue of a far less cut-and-dry definition of “consumer,” and what personally identifiable information (PII) looks like online. While the initial law was “designed to keep the clerk behind the counter from sharing information,” what about mere site visitors who enjoy website or mobile app content without either sharing their name or address, or even purchasing a video?
“Today, information floats,” McMeley said. “We’re living in the information age. So now you’re relooking at all of this data on the Internet that is freely shared, and third parties that are needed to offer service delivery, analytics ..."
One cannot forget that IP addresses and information accessed over mobile phones can also provide data miners and other companies with information about a consumer, providing courts with another angle to consider.
“There’s a difference between information that singles out someone or is info about a person, and information that actually identifies that person,” Andrews said. “And whether or not something identifies someone is always going to depend on the context and it's always going to depend on what the recipient has.”
Needless to say, it gets complicated. For everyone involved.
“Courts have to interpret [the VPPA]," McMeley said. "And more than just one court has talked about fitting the square peg into a round hole, and they don’t like to do it, but they have to,” she continued.
“Plaintiffs have not faired very well with these particular cases,” Andrews said, highlighting the four different types of VPPA suits. There’s the retention claims, like Sterk v. Redbox, where companies have held on to consumer data much longer than necessary. Traditional disclosure suits, such as Lane v. Facebook, occur when an organization shares a user’s viewing history without their consent. Mobile data-streaming device and online disputes are what Andrews calls “the heart of [VPPA] cases to date," and where he believes future battles will be fought as it’s where consumers are “actually getting their video today.”
With cases running every gamut, it’s easy for companies to misstep and find themselves in legal hot water.
“Great minds don’t always think alike,” McMeley said. “Great minds can differ, and they are, depending on the court.” However, getting it right is paramount. “It’s more than just legal compliance,” she said. “Companies do want to have ongoing relationships with their customers, or their viewers … they want to make people happy and they want to people to come back.”
Avoiding risk may be as simple as putting users in control. “We’re always fans of companies giving consumers that choice” of what is done with their data, Andrews said. Don’t share when you don’t have to. Know what information your website is collecting. Be transparent.
It’s not all doom and gloom, however. “From our perspective, I think the tide is turning,” Andrews said. “As courts are becoming more familiar with the harms associated, you know, along with the never-ending stream of data breaches that we’ve seen and government surveillance and collection of private data … we think the courts are probably going to become more receptive to these claims.”
photo credit: TV, Television and remote controller - stock photo via photopin (license)
If you want to comment on this post, you need to login.