Does your website feature streaming video, gratis. Does your company track video viewing behaviors of users in order to serve up targeted information or create customized products. If so, you might need to take steps to protect the company from claims that it has violated the Video Privacy Protection Act (“VPPA”). In light of the recent decision in in re Hulu Privacy Litigation, it is likely that the VPPA applies to Website operator’ use of streaming technology to distribute its content.

  1. Why Your Company Should Pay Attention
  1. The VPPA

The VPPA prohibits a video tape service provider from knowingly disclosing to any person personally identifiable information (“PII”) belonging to any of its consumers. 18 U.S.C. § 2710(b)(1). This prohibition is subject to several limited exceptions. See 18 U.S.C. § 2710(b)(2). These exceptions include information provided in the ordinary course of business, and disclosures limited to the names and addresses of consumers. 18 U.S.C. § 2710(b)(2)(D)-(E). Video tape service providers must destroy PII “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.” 18 U.S.C. § 2710(e).

The VPPA defines the term “video tape service provider” to mean “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials, or any person or other entity to whom a disclosure is made under subparagraph (D) or (E) of subsection (b)(2), but only with respect to the information contained in the disclosure.” 18 U.S.C. § 2710(a)(4).

The VPPA defines the term “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” 18 U.S.C. § 2710(a)(1).

The VPPA defines the term “ordinary course of business” to mean “only debt collection activities, order fulfillment, request processing, and the transfer of ownership.” 18 U.S.C. § 2710(a)(2).

Rather than defining the term “personally identifiable information,” the VPPA stated that it “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3).

  1. Based Upon the recent Hulu Decision, the VPPA Can be Construed to Apply to a Website Operator’s Free Streaming Service

The applicability of the VPPA depends on whether a website operator, in distributing its content for free by streaming digital video online, falls within the definition of “video tape service provider.” It is likely that a company will be considered a “video tape service provider” if it (a) streams video on its website; (b) tracks users viewing activities and links same to personally identifiable information.

One case in which a court has considered a similar issue is in re Hulu Privacy Litigation, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012). In that case—a putative class action—the plaintiffs sued Hulu LLC (“Hulu”), a provider of online streaming digital video content, for violating the VPPA. Id. at *1. Notably, all but one of the plaintiffs viewed streaming video on Hulu’s website for free. Id. at *7. In its motion to dismiss, Hulu stated that this was the first and only VPPA case brought against “an Internet company that streams digital video content.” In re Hulu, 3:11-cv-03764-LB, Dkt. No. 49 (N.D. Cal. Mar. 30, 2012).

The in re Hulu court, rejecting Hulu’s argument that the VPPA should only apply to providers of physical goods, found that Hulu was a “video tape service provider.” In re Hulu, 2012 WL 3282960 at *6. The court was persuaded by the legislative history of the VPPA, which shows Congress’ intent to “ensure that VPPA’s protections would retain their force even as technologies evolve.” Id. The court was also persuaded that Congress intended the VPPA to provide broad protection for consumers’ privacy. Id.

A court that is persuaded by the in re Hulu decision is likely to find the Website operator is a “video tape service provider,” and that Website operator is subject to the VPPA whether or not it charges a fee for its video streaming services.

  1. Guidance

In light of the likely applicability of the VPPA, we offer the following guidance. Please note that points 2 and 3 are only applicable if a company maintains website visitor (“Visitor”) information in such a way that a Visitor’s video viewing history is associated with other PII belonging to that Visitor.

  1. Website operator should delete a Visitor’s PII if that Visitor has not visited any of the company’s “websites” (as that term is defined in the company’s privacy policy) within the past 365 days. See 18 U.S.C. § 2710(e)
  2. If a Visitor opts out of receiving commercial emails or withdraws her consent to the sharing of her PII with third parties (per paragraph I of Website operator’ privacy policy), the company should consider immediately decoupling the Visitor’s video viewing history from any other PII belonging to that visitor.
  3. Website operator should only share Visitors’ PII with third parties in the following situations:
    1. The disclosure is limited to the Visitor’s name and address (see 18 U.S.C. § 2710(b)(2)(D)); or
    2. The disclosure is incident to the ordinary course of business. See 18 U.S.C. § 2710(b)(2)(E).

This guidance is borrowed from settlement agreements preliminarily approved in Missaghi v. Blockbuster, 0:11-cv-02559-JRT-JSM, Dkt. No. 48 (D. Minn. Aug. 7, 2012) and in re Netflix Privacy Litigation, 2012 WL 2598819 (N.D. Cal. July 5, 2012). Both cases involved class allegations that an online video rental provider retained its customers’ PII longer than necessary, in violation of 18 U.S.C. § 2710(e). See id. at *1; see also Missaghi, 0:11-cv-02559-JRT-JSM, Dkt. No. 44, Ex. 1 at 1 (Parties’ Settlement Agreement). The injunctive portion of both settlement agreements requires the defendant to decouple a customer’s viewing history from the rest of that customer’s PII once that customer discontinues its relationship with the video rental provider. See id. at 7-8; see also in re Netflix, 5:11-cv-00379-EJD, Dkt. No. 76, Ex. 1 at 10-11. Specifically, Netflix must “implement a data retention practice such that, for Subscribers who have cancelled their Netflix subscription and have not been a Netflix subscriber for a period of 365 days, Netflix will cause his or her Entertainment Content Viewing History to be decoupled from his or her Identification Information and Payment Method.” Id. Similarly, Blockbuster, upon a customer’s cancellation and the return of a specified form, must “promptly decouple the member’s personally identifiable information from information that identified the member as having requested or obtained specific video materials. Missaghi, 0:11-cv-02559-JRT-JSM, Dkt. No. 44, Ex. 1 at 8.

Note that the in re Hulu court rejected Hulu’s argument that disclosure to online market research, ad network, and web analytics companies was in the ordinary course of business. In re Hulu, 2012 WL 3282960, at *7. Instead, the court maintained a narrow reading of the VPPA’s definition of “ordinary course of business.” Id.

  1. Conclusion

If other courts follow Hulu, it is likely that the VPPA applies to companies who offer streaming video on their websites. As the VPPA carries with it statutory damages of $2500 per violation, this might become the new litigation de jour for class action attorneys. Your company should pay attention to this trend and its video streaming/tracking policies to avoid lawsuits.