A 1988 law regarding video rentals is still affecting the legal, and even the insurance and technology landscape, today.
The Video Privacy Protection Act was enacted in 1988 after judge and U.S. Supreme Court nominee Robert Bork found that a list of 146 videotapes he had rented over the course of two years were leaked by a video rental store clerk, the Harvard Law Review reported. Although the Bork tapes – as they’ve been called – didn’t reveal anything harmful or unsavory, it spurred a debate about the importance of intellectual privacy. The VPPA initially served to restrict the disclosure of video rental records without the watcher’s consent, although it is now being used to do much more than that.
“It’s a statute that’s designed to protect consumers from having their identities, in the video content that they purchase, rent, or review, shared with third parties without their knowledge or consent,” said Antonio Trotta, vice president and claims practice leader for cyber, professional liability and financial lines at QBE North America, on this episode of The Insuring Cyber Podcast. “It was originally, when it was drafted, designed to cover videotape service providers, so it was limited to really hard physical media. But in 2010, the Obama administration amended the statute to include electronic data as well.”
Now, a recent spike in lawsuits alleges that websites running the Pixel code from Meta, formerly Facebook, are violating the VPPA by sharing information about visitors’ video viewing habits and history back to Meta. Under these lawsuits, the definition of a business that delivers audio visual materials has been adapted to apply to modern technology, like video streaming services or websites with video capabilities.
“This most recent wave is really resulting from how companies are deploying ad technology across their web and mobile platforms,” Trotta said.
According to Meta’s website, the Meta Pixel is a snippet of JavaScript code that allows users to track visitor activity on their website. The latest wave of VPPA claims alleges that use of the code results in disclosing private consumer information to Meta, violating the VPPA. Claims have been brought against a variety of businesses, including news outlets, streaming services, and e-commerce companies. The Insuring Cyber Podcast reached out to Meta and did not receive a comment by press time.
One challenge with this approach to VPPA claims is the use of traditional legislation to litigate modern privacy issues and the uncertainty that can come along with that approach, said Odia Kagan, partner and chair of GDPR compliance and international privacy at law firm fox Rothschild, later in the episode.
“We have rights and we have harms that need rectification, and we don’t have normal recourse [in the U.S.] like a comprehensive privacy law like GDPR,” she said. “So plaintiff’s attorneys have been finding new ways to utilize old laws in order to achieve that purpose.”
She said it’s difficult to achieve legal certainty when litigation results from a law that has traditionally not been used in this way.
“You don’t know how the decisions are going to shake out,” she said. “Are you really a videotape service provider because you’re a website that happens to have a video on the website. Is the person visiting a consumer? You go into your video rental store, and you’re definitely a consumer. You’re going into a website that happens to have a video, and are you? In paralleled courts, that may be not consistent. It may be difficult to follow.”
Kagan said that while she believes more certainty will come as more legal precedent is established, in the meantime, businesses will need to take certain steps to get ahead and avoid VPPA claims.
“You need to figure out what personal information are you collecting, including in your tracking activities, your marketing activities, your lead generation, your social media presence,” she said. “You need to understand what is happening, not only what is happening in your organization, but also what your service providers are doing and what your third parties are doing. If you are sharing information with Meta or Google or whomever, you need to know what that information is that is being shared and what are they doing with it.”
Beyond the challenges for businesses and consumers, another concern regarding VPPA violations is on the insurance side.
“The VPPA has a statutory remedy of liquidated damages of not less than $2,500 per violation,” Trotta said. “You have a subset of your subscribers that interact with their PCs and their Macs, and that could be millions of people, honestly. It could be millions of people, and times that by the $2,500 that you have, right? And you’re looking at exposures that can run into the billions of dollars for some very large players out there. But even if you’re a smaller player, those numbers can add up pretty quickly.”
Trotta said that insurers should not only be worried about costs adding up, but indemnity obligations as well. These challenges are also adding up each time technology evolves, and VPPA claims evolve along with it.
“This is at least the second, if not the third wave, of VPPA suits using different technology,” he said. “Every time there’s a technology change with cookies, you usually see the VPPA being challenged.”
This is presenting particular concern for insurers that provide cyber policies.
“From an insurance perspective, these cases have traditionally been handled under media policies over the last decade,” he said. “So a lot of media policies included exclusions, which may exclude VPPA or mass privacy events such as these kind of claims, but cyber policies – which were really at the forefront – they were just getting started during that first wave of litigation. Most of these claims are being pushed to cyber policies. So if anything, it’s the cyber policies really that are at risk for these.”
Check out the rest of the episode to find out what else Antonio and Odia had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.
Was this article valuable?
Here are more articles you may enjoy.
As Rates Rise, Majority of Homeowners Say Insurance Industry Is in Crisis: Survey 
Coverage Needed: Hundreds of Thousands in SE Now in Flood Zones With New Maps 
Let Good Adjusters, Not Expensive Lawyers, Make the Difference on Claims, CEO Says 
Workers Sue Disney, Say They Were Wrongly Induced to Move to Florida 
