Morgan Lewis logo

You Better Watch Out! New Legal Risks for Hosted Web Videos

Advertisement

Morgan Lewis

Websites are facing lawsuits alleging that the information collected and transmitted about viewers of their video content violates the Video Privacy Protection Act (VPPA), a 1988 law originally aimed at prohibiting video rental companies from disclosing the video tape rental records of consumers. In recent years, federal courts have held that the law applies to all video, regardless of technical format. Even more recently, plaintiffs are using the law to apply to website operators that host streaming video.

Advertisement

The Video Privacy Protection Act

The VPPA prohibits a video tape service provider from knowingly disclosing, to any person, personally identifiable information concerning any consumer of the provider without the consumer’s informed, written consent. VPPA provides for a private right of action, including statutory damages not less than $2,500 per consumer plus attorneys’ fees. Ouch.

Personally identifiable information for purposes of the VPPA means information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider, i.e., any information that ties an identifiable viewer to a video.

Advertisement

Service providers to which the law applies are also subject to record destruction requirements. Personally identifiable information must be destroyed as soon as practicable, but not later than one year from the date that the information is no longer necessary for the purpose for which it was collected and there are no pending court orders or requests from law enforcement.

Advertisement

Risks for Streaming Video

The statutory damages prescribed in the VPPA, combined with the award of attorneys’ fees, have led plaintiffs’ attorneys to argue for the statute’s application to streaming video. Courts have generally obliged, finding that the VPPA protects viewers of videos regardless of the medium of transmission. Plaintiffs have then sought to prove violations of the VPPA by arguing that by sharing usage statistics with data analytics vendors such as comScore, streaming video providers are disclosing personally identifiable information in violation of the statute. How much consumer information may be permissibly shared with analytics vendors under the law and in what form are far from settled legal issues, but the key question in each case is, can the data shared with third parties, taken together, personally identify viewers with their video choices?

In the most recent ruling on the applicability of the VPPA to streaming video, a federal judge in Seattle ruled that the sharing of anonymous data alone, in the form of a unique serial number to a streaming video player, does not violate the VPPA, but if shared along with other correlative data capable of personally identifying viewers in combination, the provider could potentially be liable. Similarly, federal judges have held that other anonymous unique identifiers, including mobile device IDs or cloud service IDs, even when combined with video viewing history, do not personally identify users and therefore their transmission is not a violation. However, courts have also suggested that other login information, such as a social media ID provided through a “Like” button on a website, may constitute personally identifiable information subject to the VPPA. A provider may also be liable for information transmitted in cookies placed on its website by third parties, even if the provider cannot read or control the contents.

Although large media companies are the obvious targets for plaintiffs’ lawyers, with potentially millions of separate violations in the case of the largest services, any website or other online service that provides video content to consumers is potentially subject to legal risks under the VPPA. Companies whose websites provide even incidental video content should review their data collection and retention practices for risks that third parties with access to user data may be able to tie personally identifiable information to video viewing history. Some questions to consider include the following:

Advertisement
  • Is personally identifiable information collected when a user views hosted video content?

  • Is personally identifiable information passed to third-party advertising services or analytics vendors?

    Advertisement
  • Do analytics vendors or advertising services have direct access to user information? Is that information capable of being correlated with video viewing history?

  • Is video viewing history stored in cookies? If so, is that information shared with advertisers or otherwise persistent across third-party services?

    Advertisement
  • Are any social media–sharing features, such as a “Like” button, presented with video content?

Published by

National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.