Video Privacy Protection Act

From Wikipedia, the free encyclopedia

Video Privacy Protection Act of 1988
Great Seal of the United States
Long titleAn act to amend title 18, United States Code, to preserve personal privacy with respect to the rental, purchase, or delivery of video tapes or similar audio visual materials.
Acronyms (colloquial)VPPA
Enacted bythe 100th United States Congress
EffectiveNovember 5, 1988
Public lawPub. L. 100–618
Statutes at Large102 Stat. 3195
Titles amendedTitle 18 of the United States Code
U.S.C. sections created18 U.S.C. § 2710
Legislative history
Major amendments
Pub. L. 112–258 (text) (PDF)

The Video Privacy Protection Act (VPPA) is a bill that was passed by the United States Congress in 1988 as Pub. L. 100–618 and signed into law by President Ronald Reagan. It was created to prevent what it refers to as "wrongful disclosure of video tape rental or sale records [or similar audio visual materials, to cover items such as video games and the future DVD format]." Congress passed the VPPA after Robert Bork's video rental history was published during his Supreme Court nomination. It makes any "video tape service provider" that discloses rental information outside the ordinary course of business liable for up to $2500 in actual damages.

Computer-based VPPA litigation[edit]

Prior to 2007, VPPA had not been cited by privacy attorneys as a cause of action involving computing devices. With the emergence of new-age computing technology and devices in the early 2000s came websites, 3rd party advertising, and tracking firms that posed a possible risk to the user's privacy. While computer technology was progressing rapidly, federal and state laws had failed to stay up to date. As such, legal actions for violations were minimal to non-existent. A new method to litigate Federal privacy cases was needed to protect the hundreds of millions of people violated by the unauthorized tracking of user's activities online. No law firms had litigated cases involving the computer technology inherent within the exchange of user data between third-party affiliated entities, thus there was no case precedent, no "blueprint" to follow. Earlier cases, such as the double-click "cookie" case in 2001, had relied on using a wiretap statute, the Electronic Communication Privacy Act ("ECPA"). While a plausible allegation, it was a weak allegation since the website user had granted such permissible use within the website's terms of service ("TOS").

In 2007, Texas-based attorney Joseph H. Malley filed a Federal Class Action lawsuit against Facebook and thirty-three companies; including Blockbuster, Zappos, and, due to privacy violations caused by the Facebook Beacon program citing VPPA.[1] This program resulted in users' private information, obtained from third-party affiliate marketing websites, being posted on Facebook without consent. This act was referenced in the Lane v. Facebook, Inc. class action lawsuit. Based on this act, it is generalized to other forms of rental records such as DVDs, video games and more.

Malley had previously litigated in the early 2000s using another federal privacy law, the Driver's Privacy Protection Act ("DPPA"), which provided statutory damages for to the unauthorized access of DMV records. This law allowed Malley to successfully file numerous federal class actions against hundreds of companies, but a new theory of liability was needed for added assurance to survive a motion to dismiss. The problem, no case law involving this new-age type of technology. Substantial research was thus required, eventually revealing an "archaic" statute created in 1988: Video Privacy Protection Act ("VPPA"). Arguably unrelated to present technology, VPPA concerned about obtaining information from a physical location and involved VHS and Betamax recordings. As such, lawsuits involving online entities that used audio-video would need to plead comparisons between the "old-new" technologies for advertising.

The online advertising industry, in association with analytic companies, had begun using video ads to conduct its ubiquitous tracking, consumer's attention shown to be drawn to such as opposed to written content, In later years, these tracking methods would expand to photos and audio, IE., In 2008, cell phones were re-designed to include a new method of tracking, the use of social apps to collect photos, a process which now permitted a one-step "click" process to uploading a photo as opposed to the previous six steps. This allowed content to be provided for free and which formed the basis for the tracking, IE., Exif data. Such acts were captured when Malley used software applications to log HTTP/HTTPS traffic between a computer's web browser and the Internet, analytic tests using two computers interfaced, producing indisputable evidence of such activities: moreover, detailed reports of any and all parties involved in such nefarious activities, IE., "tracking the trackers". In the continuing research of the Industry's business practices in order to determine its monetization interests, such revealed the incorporation of complex graphics within online ads, and the exchange of data derived from video ads not confined to an internal network, used via a TCP/IP protocol. This unauthorized activity would become the core allegation.

Extensive research and case analysis of Federal and State laws, regulations, and Court Opinions, yielded limited assistance. An adaptation of the law was needed to litigate this new computer technology involving unauthorized access to online consumer's data. Malley seized on an archaic law written concerning the technology of the 1980s involving video cassettes, VHS, and Betamax, the Video Privacy Protection Act ("VPPA"), 18 U.S. Code § 2710 - Wrongful disclosure of video tape rental or sale records, (1988), envisioning that the websites and any affiliated third-parties, which used the audio and/or video within its marketing ads were "video-providers"; moreover, this content, ads, and online games, merely a video; moreover, the essential functionality of the illegal transfer, a "wrongful disclosure", (core elements needed to prove-up a VPPA violation). The use of the VPPA law in regard to this new-age computer technology would set precedent, and become the new "blueprint" used in Federal privacy litigation.

In December 2009, Joseph H. Malley representing an anonymous plaintiff, filed a lawsuit against the online DVD rental company Netflix over its release of data sets for the Netflix Prize, alleging that the company's release of the information constituted a violation of the VPPA.[2]

Netflix cited the VPPA in 2011 following the announcement of its global integration with Facebook. The company noted that the VPPA was the sole reason why the new feature was not immediately available in the United States, and it encouraged its customers to contact their representatives in support of legislation that would clarify the language of the law.[3] In 2012, Netflix changed its privacy rules so that it no longer retains records for people who have left the site. This change was due directly to a lawsuit indicating violation of the act.[4] Joseph H. Malley was contacted by the U.S. House of Representatives Chief Counsel of the Democratic Subcommittee on IP to provide legal assistance related to blocking the 2012 VPPA Amendment proposal. In January 2013, President Obama signed into law H.R. 6671 which amended the Video Privacy Protection Act to allow video rental companies to share rental information on social networking sites after obtaining customer permission. Netflix had lobbied for the change. While VPPA was amended, efforts to limit the extent of the VPPA amendments were successful. To date, when a Netflix consumer desires to share viewing history to the accounts of their Facebook friends, an indicator on the Netflix site provides notice of the actual use by Netflix of their data.

In a continuing effort to limit consumer's privacy violations, Malley filed a class action involving Hulu in 2012. A San Francisco federal trial court found the VPPA's subscriber protections apply to users with Hulu accounts.[5] In 2015, the United States Court of Appeals for the Eleventh Circuit found that those protections do not reach the users of a free Android app, even when the app assigns each user a unique identification number and shares user behavior with a third-party data analytics company.[5]


  1. ^ Vijayan, Jaikumar (April 18, 2008). "Blockbuster sued over Facebook Beacon information sharing". Computerworld.
  2. ^ Singel, Ryan (December 17, 2009). "Netflix Spilled Your Brokeback Mountain Secret, Lawsuit Claims". Wired Magazine.
  3. ^ "Help Us Bring Facebook Sharing to Netflix USA". Netflix Blog. Archived from the original on September 23, 2011. Retrieved September 22, 2011.
  4. ^ "Class-action lawsuit settlement forces Netflix privacy changes". Ars Technica. July 31, 2012.
  5. ^ a b "Ellis v. Cartoon Network, Inc.: Eleventh Circuit Limits the Scope of "Subscriber" for VPPA Protections". Harvard Law Review. 129: 2011. May 10, 2016.

Musil, Steven (January 10, 2013). "Obama signs Netflix-backed amendment to video privacy law". CNET. Retrieved June 18, 2015.