Plaintiffs' class action attorneys have filed a cascade of recent Video Privacy Protection Act (VPPA) suits against major brand names. These suits can present a significant exposure because the VPPA provides for statutory penalties. Additionally, "harm" need not be pled for a plaintiff to remain in court. These can be costly cases with potential negative public exposure.

The important issues for in-house counsel to understand are the following:

  1. Why are so many companies getting sued?
  2. What can a company do to decrease the likelihood of being named in a VPPA suit, or at least bolster defenses in the unfortunate event of such a suit?

Sharing "Personal Information" of Viewing Habits Is Not Allowed by the VPPA

The VPPA prohibits companies from sharing "personal information" about the video viewing habits of consumers without their consent. Violations of this prohibition are the key issue for a significant number of suits to date, including suits against major media companies and online content providers. The reason for the multiplicity of suits is twofold. The first reason is the lure of the noted statutory penalties. The second reason, which has been the primary catalyst for these lawsuits, is the evolution of the online advertising and marketing ecosystems. It is now common for mobile apps, websites and network-aware products to share purely technical information with third-party advertisers and marketing entities that will uniquely distinguish a consumer's device or software installation from all others. This type of information – unique identifiers – is shared deep behind the scenes and may enable third-party advertising and marketing entities to personally identify end-users by correlating the information with data from other sources. This is a relatively new and growing phenomenon.

The difficulty for companies is that generally the individuals who are responsible for policing VPPA exposure are not in a position to know:

  • whether technical information is being collected and shared
  • the nature of the identities receiving the information
  • whether the particular information at issue actually presents a risk of identifying the end-user

The types of unique identifiers at issue in suits so far have been wide-ranging, including:     

  • Android ID
  • device serial numbers for streaming video boxes
  • MAC address (the hardware address for WiFi communications)
  • unique IDs contained in browser cookies

As diverse as this list is, there are a large number of other technical identifiers that share similar properties; are widely shared by apps, websites and network aware products; and could be exploited by plaintiffs' counsel as grounds for suit. Media companies offer consumers access to online or Web-based content and plaintiffs are alleging violations of the VPPA due to consumer interactions with media websites, audio/video players and streaming. 

Companies Can Be Proactive to Minimize the Risk of VPPA Claims

The best way to play defense against the growing tide of VPPA claims includes three steps:

  1. Identify which of your apps, websites, video/audio players, or other online services provides access to videos. These include full-length videos, video clips and content that is piped-in from the outside by content providers or third parties.
  2. Conduct or commission technical testing of these video-related apps, websites and network-aware products in order to spot when unique identifiers are being shared and identify the nature of the particular unique ID.
  3. Evaluate the information from the technical testing to determine the extent of the potential VPPA exposure; whether certain technical characteristics or sharing needs to be changed; and deploy the changes.

For those companies that need assistance on these matters, Holland & Knight maintains an internal privacy testing lab where technical testing necessary to spot and mitigate potential VPPA exposure at the technical level is conducted. In addition to spotting and eliminating risks, getting this type of technical assistance from your lawyer also allows the testing and evaluation process to be protected by the attorney-client privilege to the greatest extent possible under the law.