Video Privacy Law and Online Services

The statute provides a private federal right of action, and a court may award actual damages (but not less than liquidated damages of $2,500), punitive damages, attorney fees and equitable relief.

Sharing Habits

Over the past decade, consumers have increasingly shifted from brick-and-mortar video stores to modern video rental services that offer users several options, including dispensing DVDs from vending machines, offering a monthly subscription service that ships DVDs in the mail according to a customer's “queue,” or streaming digital content over the Web. In the past, a consumer's video rental history was likely held, if at all, on a single computer behind the checkout desk at a video store; now, however, information is more centrally stored and new services offer users the ability to share their viewing habits with friends on social networks.

Given the new atmosphere of sharing, litigants have sought to hold the new generation of video rental providers liable for unlawful retention and disclosure of users' video viewing information. For example, in Sterk v. Redbox Automated Retail, 672 F.3d 535 (7th Cir. 2012), the U.S. Court of Appeals for the Seventh Circuit took up the issue of whether the VPPA offers a private right of action under 18 U.S.C. '2710(e). As the appeals court noted, the interpretive problem is in the statute's failure to specify the scope of subsection (c), which creates a private right of action. If subsection (c) appeared after all the prohibitions listed in the statute, namely after (e) concerning the destruction of records, the natural inference would be that a violator of any of the listed prohibitions could be sued for damages. But subsection (c) is sandwiched in the middle, appearing immediately after the clause prohibiting disclosure of personal information.

The Seventh Circuit ruled that the placement of subsection (c) establishing a private right of action was likely no accident and that the VPPA only provides a right of action for wrongful disclosure of video information, not for a wrongful retention of data claim. This holding echoes a prior decision of the Sixth Circuit. See, Daniel v. Cantrell, 375 F.3d 377 (6th Cir. 2004). The Seventh Circuit commented that it would make little sense to award damages for a violation of the requirement of timely destruction of personal information in subsection (e) because of the “attenuated” nature of such a claim: “How could there be injury, unless the information, not having been destroyed, were disclosed?” Sterk, at 538.

Months later, a California federal district court followed the Seventh Circuit's Sterk ruling in Rodriguez v. Sony Computer Entertainment America, 11-4084 (N.D. Calif. 2012). There, the plaintiff alleged that a video game entertainment service violated the VPPA by indefinitely storing customers' PII beyond the time period set out in the statute. The suit further alleged that defendants unlawfully disclosed customer PII without permission. The court dismissed the plaintiff's wrongful retention of data claim, finding that the VPPA did not provide for such a cause of action, citing the Seventh Circuit's decision in Sterk.

Moreover, the district court reaffirmed its earlier ruling with respect to the plaintiff's disclosure claim, stating that the defendant's disclosure between its own corporate entities fell within a VPPA carve-out that allows disclosures made in the ordinary course of business, including transfer of ownership. See also, Sterk v. Best Buy Stores, 11-1894 (N.D. Ill. 2012) (claims that defendant's online store retained plaintiff's movie purchase history and later communicated it to its parent company did not state a claim under the VPPA, nor under the federal Stored Communications Act; plaintiff also lacked standing for failure to plead an injury-in-fact because he did not allege defendants sold his information or that he had not been able to sell his own information for as much value).

VPPA and Streaming

A California federal district court was the first to squarely address the issue of whether the VPPA applies to streaming video providers. In In re Hulu Privacy Litig., 11-03764 (N.D. Calif. 2012), the plaintiffs alleged that the online video streaming service disclosed their video viewing selections and PII without consent to third parties, such as online ad networks, Web analytics companies and social networks, in violation of the VPPA. The plaintiffs' personal information was allegedly shared via persistent cookies that could track users' Web browsing habits across multiple websites. The defendant argued that the explicit language of the VPPA only regulates businesses that sell or rent physical audiovisual materials, not digital services, and regardless, any disclosures were incident to the ordinary course of its business and not covered by the Act.

The VPPA defines “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” 18 U.S.C. '2710(a)(4). Whether Hulu is a “video tape service provider” turned on the scope of the phrase “similar audio visual materials.” In denying Hulu's motion to dismiss, the court found relevant Congress' concern with privacy and protecting the confidentiality of an individual's video viewing choices, and ruled that the VPPA's protections would evolve to cover digital streaming services.

The California federal district court also ruled that the defendant's alleged data tracking activities were not “incident to the ordinary course of business.” The statute defines “ordinary course of business” as “debt collection activities, order fulfillment, request processing, and the transfer of ownership,” 18 U.S.C. '2710(a)(4). The district court, finding several factual issues in dispute, suggested that market research and Web analytics were not in the ordinary course of the defendant's online business of delivering video content to consumers.

Last, the Hulu court rejected the defendant's argument that Hulu users were not “consumers” under the statute (i.e., “any renter, purchaser, or subscriber of goods or services from a video tape service provider”) because they were not paying members of the service. The court found that Hulu users viewed video content on the site, and while the terms “renter” and “buyer” imply payment of money, the term “subscriber” did not, particularly because Congress could have used the term “paid subscriber” in the statutory text.

Relying on the Hulu decision's holding that online streaming services are covered under the VPPA, another user sought to find a provider liable for the alleged unauthorized display of her viewing history on her home television. In Mollett v. Netflix, 11-CV-01629 (N.D. Calif. 2012), the defendant's online video streaming service permitted users to access the service on their television screens. As part of the user interface, anyone watching the same television screen could see a list of the subscriber's recently watched video titles, the subscriber's queue of future titles, and other custom-generated lists of suggested content. Plaintiffs claimed that the unrestricted display of these lists on a subscriber's television violated the VPPA. The defendant argued its disclosures were made to devices registered to the subscribers themselves, and therefore permissible under the provision of the VPPA allowing disclosure “to the individual who is the subject of the record.”

The district court granted the defendant's motion to dismiss, concluding that users themselves authorized their devices to access their accounts and were implicitly choosing to allow others watching or using the television to view their PII. The court also ruled that the defendant lacked the requisite intent under the statute because it could not be reasonably inferred that the defendant knew that people other than the subscriber would be present when the service was accessed on any particular occasion.

Internet Radio

Similar to digital video streaming, terrestrial radio has, for some, been supplanted by Web-based radio services that stream music to computers or mobile devices, replete with predictive algorithms that offers users playlists or customized “stations” based upon their stated musical tastes. For example, when subscribers sign up for a Pandora Internet radio account, a “Personal Page” is created, containing the subscriber's profile information, listening history and bookmarked tracks and artists. Such information is available to other subscribers with knowledge of the particular user's e-mail address, and allegedly also available to a Pandora user's Facebook friends.

In Deacon v. Pandora Media, 11-04674 (N.D. Calif. 2012), a user alleged that the Pandora Internet radio service improperly disclosed his “private” music preferences and other information to the public and his Facebook friends in violation of Michigan's Video Rental Privacy Act, MCL 445.1712 (http://1.usa.gov/UfjT4n), which prohibits disclosure of certain customer information. Defendant Pandora argued that the claim under the Michigan law should be dismissed because streaming music to the plaintiff's computer could not be considered “selling at retail, renting, or lending ' sound recordings,” as required under the statute. The district court found that Pandora's provision of a temporary file on the user's computer to facilitate streaming ' a file that is automatically deleted following song play ' was not a “rental” of the music file or an act of “lending,” nor could the presence of a purchase link to a third-party online music store be sufficient to establish Pandora as a “seller” of sound recordings.

VPPA Update

Congress is considering legislation to update the VPPA to take into account new technologies, particularly digital video streaming and the sharing of user viewing habits within social networks. The House of Representatives passed H.R. 2471 (www.govtrack.us/congress/bills/112/hr2471/text), which would amend the VPPA to permit a video tape service provider to obtain a consumer's consent to disclose personally identifiable information through online means, and in advance for a set period or until such consent is withdrawn. The accompanying Senate bill, which contains several amendments that would update other federal electronic privacy statutes, was approved by the Senate Judiciary Committee and awaits further debate by the entire chamber.

The Video Privacy Protection Act (VPPA), passed by Congress in 1988, has reemerged as consumer video rentals have migrated from brick-and-mortar video stores to online subscription services, or sites that allow digital streaming of TV shows and movies over the Internet. The VPPA, which generally prohibits video service providers from releasing personally identifiable information (PII) without written consent, has become a relevant concern for modern media providers because such services are now typically linked to social media sites that allow users to share viewing habits, something that was not possible 20 years ago.

The VPPA, 18 U.S.C. '2710, http://1.usa.gov/Woigzh, prohibits video tape service providers from knowingly disclosing PII concerning any consumer to any person. The impetus for the Act occurred when a reporter obtained a list of videotapes that the late U.S. Supreme Court nominee Judge Robert Bork rented from his local video store. Specifically, the Act prohibits a “video tape service provider” from:

1. Knowingly disclosing to any person;
2. Personally identifiable information (PII) concerning any consumer of such provider;
3. Except for certain disclosures ' such as to the consumer or law enforcement, or for disclosures “incident to the ordinary course of business” of the video tape service provider, defined as “debt collection activities, order fulfillment, request processing, and the transfer of ownership.”

18 U.S.C. '2710(a)(4).

Beyond requiring providers to keep PII confidential, the Act further requires them to “destroy personally identifiable information as soon as practicable, but no later than one year after the date when the information no longer became necessary for the purpose for which it was collected.” 18 U.S.C. '2710(e).

The statute provides a private federal right of action, and a court may award actual damages (but not less than liquidated damages of $2,500), punitive damages, attorney fees and equitable relief.

Sharing Habits

Over the past decade, consumers have increasingly shifted from brick-and-mortar video stores to modern video rental services that offer users several options, including dispensing DVDs from vending machines, offering a monthly subscription service that ships DVDs in the mail according to a customer's “queue,” or streaming digital content over the Web. In the past, a consumer's video rental history was likely held, if at all, on a single computer behind the checkout desk at a video store; now, however, information is more centrally stored and new services offer users the ability to share their viewing habits with friends on social networks.

Given the new atmosphere of sharing, litigants have sought to hold the new generation of video rental providers liable for unlawful retention and disclosure of users' video viewing information. For example, in Sterk v. Redbox Automated Retail , 672 F.3d 535 (7th Cir. 2012), the U.S. Court of Appeals for the Seventh Circuit took up the issue of whether the VPPA offers a private right of action under 18 U.S.C. '2710(e). As the appeals court noted, the interpretive problem is in the statute's failure to specify the scope of subsection (c), which creates a private right of action. If subsection (c) appeared after all the prohibitions listed in the statute, namely after (e) concerning the destruction of records, the natural inference would be that a violator of any of the listed prohibitions could be sued for damages. But subsection (c) is sandwiched in the middle, appearing immediately after the clause prohibiting disclosure of personal information.

The Seventh Circuit ruled that the placement of subsection (c) establishing a private right of action was likely no accident and that the VPPA only provides a right of action for wrongful disclosure of video information, not for a wrongful retention of data claim. This holding echoes a prior decision of the Sixth Circuit. See , Daniel v. Cantrell , 375 F.3d 377 (6th Cir. 2004). The Seventh Circuit commented that it would make little sense to award damages for a violation of the requirement of timely destruction of personal information in subsection (e) because of the “attenuated” nature of such a claim: “How could there be injury, unless the information, not having been destroyed, were disclosed?” Sterk, at 538.

Months later, a California federal district court followed the Seventh Circuit's Sterk ruling in Rodriguez v. Sony Computer Entertainment America, 11-4084 (N.D. Calif. 2012). There, the plaintiff alleged that a video game entertainment service violated the VPPA by indefinitely storing customers' PII beyond the time period set out in the statute. The suit further alleged that defendants unlawfully disclosed customer PII without permission. The court dismissed the plaintiff's wrongful retention of data claim, finding that the VPPA did not provide for such a cause of action, citing the Seventh Circuit's decision in Sterk.

Moreover, the district court reaffirmed its earlier ruling with respect to the plaintiff's disclosure claim, stating that the defendant's disclosure between its own corporate entities fell within a VPPA carve-out that allows disclosures made in the ordinary course of business, including transfer of ownership. See also, Sterk v. Best Buy Stores, 11-1894 (N.D. Ill. 2012) (claims that defendant's online store retained plaintiff's movie purchase history and later communicated it to its parent company did not state a claim under the VPPA, nor under the federal Stored Communications Act; plaintiff also lacked standing for failure to plead an injury-in-fact because he did not allege defendants sold his information or that he had not been able to sell his own information for as much value).

VPPA and Streaming

A California federal district court was the first to squarely address the issue of whether the VPPA applies to streaming video providers. In In re Hulu Privacy Litig., 11-03764 (N.D. Calif. 2012), the plaintiffs alleged that the online video streaming service disclosed their video viewing selections and PII without consent to third parties, such as online ad networks, Web analytics companies and social networks, in violation of the VPPA. The plaintiffs' personal information was allegedly shared via persistent cookies that could track users' Web browsing habits across multiple websites. The defendant argued that the explicit language of the VPPA only regulates businesses that sell or rent physical audiovisual materials, not digital services, and regardless, any disclosures were incident to the ordinary course of its business and not covered by the Act.

The VPPA defines “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” 18 U.S.C. '2710(a)(4). Whether Hulu is a “video tape service provider” turned on the scope of the phrase “similar audio visual materials.” In denying Hulu's motion to dismiss, the court found relevant Congress' concern with privacy and protecting the confidentiality of an individual's video viewing choices, and ruled that the VPPA's protections would evolve to cover digital streaming services.

The California federal district court also ruled that the defendant's alleged data tracking activities were not “incident to the ordinary course of business.” The statute defines “ordinary course of business” as “debt collection activities, order fulfillment, request processing, and the transfer of ownership,” 18 U.S.C. '2710(a)(4). The district court, finding several factual issues in dispute, suggested that market research and Web analytics were not in the ordinary course of the defendant's online business of delivering video content to consumers.

Last, the Hulu court rejected the defendant's argument that Hulu users were not “consumers” under the statute (i.e., “any renter, purchaser, or subscriber of goods or services from a video tape service provider”) because they were not paying members of the service. The court found that Hulu users viewed video content on the site, and while the terms “renter” and “buyer” imply payment of money, the term “subscriber” did not, particularly because Congress could have used the term “paid subscriber” in the statutory text.

Relying on the Hulu decision's holding that online streaming services are covered under the VPPA, another user sought to find a provider liable for the alleged unauthorized display of her viewing history on her home television. In Mollett v. Netflix, 11-CV-01629 (N.D. Calif. 2012), the defendant's online video streaming service permitted users to access the service on their television screens. As part of the user interface, anyone watching the same television screen could see a list of the subscriber's recently watched video titles, the subscriber's queue of future titles, and other custom-generated lists of suggested content. Plaintiffs claimed that the unrestricted display of these lists on a subscriber's television violated the VPPA. The defendant argued its disclosures were made to devices registered to the subscribers themselves, and therefore permissible under the provision of the VPPA allowing disclosure “to the individual who is the subject of the record.”

The district court granted the defendant's motion to dismiss, concluding that users themselves authorized their devices to access their accounts and were implicitly choosing to allow others watching or using the television to view their PII. The court also ruled that the defendant lacked the requisite intent under the statute because it could not be reasonably inferred that the defendant knew that people other than the subscriber would be present when the service was accessed on any particular occasion.

Internet Radio

Similar to digital video streaming, terrestrial radio has, for some, been supplanted by Web-based radio services that stream music to computers or mobile devices, replete with predictive algorithms that offers users playlists or customized “stations” based upon their stated musical tastes. For example, when subscribers sign up for a Pandora Internet radio account, a “Personal Page” is created, containing the subscriber's profile information, listening history and bookmarked tracks and artists. Such information is available to other subscribers with knowledge of the particular user's e-mail address, and allegedly also available to a Pandora user's Facebook friends.

In Deacon v. Pandora Media, 11-04674 (N.D. Calif. 2012), a user alleged that the Pandora Internet radio service improperly disclosed his “private” music preferences and other information to the public and his Facebook friends in violation of Michigan's Video Rental Privacy Act, MCL 445.1712 (http://1.usa.gov/UfjT4n), which prohibits disclosure of certain customer information. Defendant Pandora argued that the claim under the Michigan law should be dismissed because streaming music to the plaintiff's computer could not be considered “selling at retail, renting, or lending ' sound recordings,” as required under the statute. The district court found that Pandora's provision of a temporary file on the user's computer to facilitate streaming ' a file that is automatically deleted following song play ' was not a “rental” of the music file or an act of “lending,” nor could the presence of a purchase link to a third-party online music store be sufficient to establish Pandora as a “seller” of sound recordings.

VPPA Update

Congress is considering legislation to update the VPPA to take into account new technologies, particularly digital video streaming and the sharing of user viewing habits within social networks. The House of Representatives passed H.R. 2471 (www.govtrack.us/congress/bills/112/hr2471/text), which would amend the VPPA to permit a video tape service provider to obtain a consumer's consent to disclose personally identifiable information through online means, and in advance for a set period or until such consent is withdrawn. The accompanying Senate bill, which contains several amendments that would update other federal electronic privacy statutes, was approved by the Senate Judiciary Committee and awaits further debate by the entire chamber.