The era of video rentals is long over, but a 1988 law designed to protect video tape service providers is having legal and financial repercussions for streamers, media conglomerates, and even digital health providers.
A recent wave of lawsuits filed for alleged violations of the 1988 Video Privacy Protection Act (VPPA) may lead to organizations having to pay extremely costly settlements or court verdicts, a cyber and professional liability expert told Insurance Business.
“This is a systemic issue in both cyber and media insurance policies, and these are very large exposures,” said Antonio Trotta (pictured below), vice president and financial lines claim practice leader for the cyber and professional liability practice at QBE North America.
The wave of legal actions related to VPPA leaves many organizations vulnerable to high-stakes class action lawsuits, Trotta warned.
VPPA is a federal statute that requires companies to obtain consent from consumers before providing their identities and the titles of any video content that they may view or purchase to third parties.
It was passed by US Congress to restrict video providers’ abilities to disclose the titles of videos, such as a movie or TV show, that a person requested or obtained from the provider without that person’s consent.
VPPA applies to so-called “video tape service providers,” or those who rent or sell prerecorded video cassette tapes or “similar audio-visual materials.” The latter term could put streaming services and digital health platforms on the hook.
This is because the current lawsuits are focused on the use of meta pixels (also known as “cookies”) to gather and share viewing histories with third parties, such as Meta (previously Facebook).
Companies such as HBO Max and Hulu have been accused of violating VPPA by not obtaining visitor consent before sharing information.
“The interesting thing about the VPPA is that it’s unlike other consent requirements that you find in privacy statutes,” said Trotta.
“It's extremely specific in that it requires a company seeking consent to provide it in a notice that is separate from any other notice that places a legal or financial obligation on the consumer.”
This means that companies can't say that they complied with the law if they embedded the notice in their subscriber agreement or in their general privacy policy, Trotta explained.
“The claims being made against these companies allege that their use of pixel technology, usually the Facebook pixel on their websites, violates the statute, as consumers aren't being told that the pixel is sharing this information when they watch video content,” he said.
According to Trotta, there are several hundred lawsuits that involve the Meta pixel, and even more that involve other claims by pixel technologies that are violating other statutes.
Even if the lawsuits don’t go to trial, organizations that are alleged to have violated VPPA could end up paying enormous settlements, and insurers may end up footing part of the bill.
“The VPPA has a civil remedy that provides for actual damages, but not less than liquidated damages of $2,500 per violation,” Trotta said. “But the bottom line is that plaintiffs are pushing for companies to pay $2,500, either per person or each time a video was viewed.
“Now, when you talk about these very large media companies, such as streamers or companies that do a lot of their communication and content online, you can imagine the millions of people that watch the content. You can do the math [on the potential claims].”
Companies can take steps to protect themselves against VPPA claims by tightening data privacy controls online. Legal teams also need to understand what their organizations are sharing online and what data they’re collecting.
“The way to do that is to get somebody with a legal and technology background into that process mechanism early, to work with marketing departments so that they can identify those issues for larger compliance reviews,” said Trotta.
“The second thing is that companies need to think hard about putting pop-up windows on their sites before people engage with their websites.”
Pop-up windows often get a bad rap because they interrupt the user experience, Trotta said, but they can help protect companies from VPPA and other privacy-related claims.
However, they’re not a blanket fix.
“One of the issues that we have seen is that a company was doing pop-up windows but embedding them in the middle or after the [user’s] interaction with the content,” Trotta told Insurance Business.
“The court found that that does not protect you. You can’t retroactively obtain consent. It has to be done before the interaction, at the earliest possible stage.”
Do you have any comments about this story? Share them below.