When it was enacted in 1988, the Video Privacy Protection Act (VPPA) was meant to protect consumer data from being shared by video rental companies like Blockbuster. As video rentals have given way to streaming, however, its application has evolved.
Class action lawsuits have cropped up throughout the United States, including dozens of filings against Meta’s Pixel tracking tool — they assert that Meta’s pixel tool use violates the VPPA by tracking viewing history and protected consumer data. And this is just one of many ways the VPPA has been interpreted in the last 35+ years.
As rulings based on this law continue to transform in the digital age, businesses face uncertainties regarding online practices.
Initially, the VPPA aimed to hold videotape service providers liable for knowingly disclosing personal information without written consent. Until 2022, the VPPA was rarely cited in consumer privacy lawsuits. These cases reframed “video tape service providers” as any website with video content and user-tracking pixel tools. Additionally, users don't need to be paying customers to assert a VPPA claim.
Recent legal disputes underscore the complexity of data sharing in the online space, where user expectations clash with a lack of legislation for data governance. The wave of VPPA claims in 2023 has resulted in over 70% being dismissed by a judge or voluntarily before the defendant responded. In Carroll v. General Mills, the court dismissed the claim of video data sharing when the videos in question were “a peripheral part of its marketing strategy.”
The two largest settlements involving video data tracking – Sony Corp. and the Boston Globe – have largely limited the law’s reach to businesses and websites that offer video content. At a minimum, companies violating the VPPA may pay a fine of up to $2,500, plus punitive damages, attorney fees, litigation costs, and additional equitable relief.
But even the minimum legal costs to file a motion to dismiss can be avoided with proactive data management.
To mitigate any risks associated with the VPPA, you need to invest in privacy compliance. In general, your company should aim to disclose all of your tracking methods and give your customers the option to decline tracking. These four tips will guide you in that direction and potentially help you avoid unnecessary litigation.
Complying with the VPPA today demands the same commitment to transparency as it did when enacted in 1988. Communications should answer key questions about how data is collected, processed, and shared with third parties, such as:
As consumers demand more data privacy, being clear about how data is used and limiting how much is collected will reinforce trust. Some businesses create an easy-to-understand Privacy Policy, others like The Guardian create a video to simplify the process for users.
Obtaining explicit consent from users before collecting any data is vital. Proactive consent can be as simple as incorporating proper language into cookie preference banners. For example, a GDPR-compliant consent form must:
Prioritizing user awareness and control over how data is used reflects your commitment to privacy best practices.
Cookie preference centers serve as a user-friendly way to manage consent choices. But you can’t create a cookie policy and leave it alone — it needs to be updated routinely. By regularly updating these windows, businesses can easily reflect changes in data practices and offer up-to-date control over the latest privacy options.
Any time you add new cookies or make updates to comply with new data laws you have the opportunity to audit your policies. For instance, the Utah Consumer Privacy Act (UCPA) – one of many state laws that requires businesses to inform consumers on how data is used – goes into effect on December 31, 2023 and mandates a privacy notice that includes:
With tracking tools like Meta’s Pixel serving as a common target for VPPA claims, minimizing your exposure to this type of tracking is a proactive strategy. Data collecting technologies should be tailored to limit the data they collect or share by:
Partnering with Osano helps keep data privacy compliance simple for your organization – from starting your privacy program to reducing risk and sustaining customer trust.
Rather than reacting to privacy challenges, our consent solutions can help you take a proactive stance in identifying and managing VPPA risks to reduce potential fines or penalties — before they happen.
From initial assessments to adapting to regulatory changes, Osano ensures that your business remains well-prepared to navigate the complexities of the VPPA and other data privacy regulations.
Stay ahead of shifting regulatory landscapes and protect your business with Osano's comprehensive platform. Schedule a demo today.