Almost every week, a new streaming service is announced in response to the growing demand for online video content.  Whether visiting a website, downloading an app, or accessing content via “smart” TVs and other devices, viewers want access to content anywhere, at any time, on any device.  In turn, major networks, cable channels, and online content providers are racing to keep this digital stream flowing. 

When video content is transmitted over the Internet, however, other data can go with it.  Companies now have the ability to collect and transmit information about the viewing habits of their streaming video users, and this increasingly is resulting in challenges by consumers.  If your website or mobile app offers online video content, you should be aware of the Video Privacy Protection Act and its requirements.



Technology: Balancing data analytics, data privacy and e-discovery 

Dominique Shelton, Alston & Bird


What is the Video Privacy Protection Act?

The Video Privacy Protection Act (VPPA) prohibits a video tape service provider from sharing a customer’s personal information with third parties, without the viewer’s consent. When the law was first enacted in 1988, the obvious “video tape service providers” were your local video stores. At that time, the law seemed fairly straightforward. It was easy to determine which establishments had to abide by the law.  After all, the VPPA was passed in 1988 after Judge Robert Bork’s video rental history was published in the Washington City Paper during his Supreme Court nomination. 

Over the past few years, a number of viewers have brought their cases to court, suing for violations of the VPPA. While these cases are mainly favorable for streaming services, they offer a number of valuable lessons about viewer privacy and what information a website or mobile app may share with social media networks, third party advertisers or analytics companies without running afoul of the VPPA. 

If you’re thinking about providing online video content to viewers, here are a few privacy and compliance questions to consider:

1.    To whom does the law apply? The VPPA applies to a “video tape service provider” or any person “in the business” of renting, selling, or delivering prerecorded videocassette tapes or similar audio/visual material. Online streaming companies, websites and apps have all been considered “video tape service providers” under the VPPA, and courts have found streaming content can fit within the definition of “video” or “similar audio visual material” under the VPPA. This means that movies, episodes or even short video clips all potentially fall under the law. 

2.    Who’s streaming your content? The law is intended to protect the disclosure of “consumer” information, where a consumer is a renter, purchaser or subscriber to a “video tape service provider.” While virtually anyone can stream content online, not all viewers are afforded the protections of the law. If a viewer does not register for an account, create a user ID/password for the site, or download an app or program to view the content, they are unlikely to fit the law’s definition of a “consumer” or “subscriber.” In that case, a provider could share the user’s viewing history with third parties and likely not trigger the VPPA. 

3.    What data are you collecting? The VPPA specifically covers “personally identifiable information” (PII) which includes whether a person has requested or obtained specific video materials or services from a provider. In the digital context, this could be a consumer’s actual viewing history or even information about a consumer’s video queue or watch list. Aside from viewing information, the law’s definition of PII is rather limited and has not been interpreted as encompassing other related information like a unique device identification or serial number. This means that a video provider could disclose a consumer’s unique device ID coupled with a user’s viewing history and it would not violate the VPPA (although there may be other non-VPPA privacy considerations at play, such as representations in a company’s privacy policy to honor).  The law has yet to definitively recognize social networking IDs or names as PII;however, courts seem open to the idea. That would mean that a video provider couldn’t disclose viewing history coupled with a social networking ID (like Facebook IDs).     


4.    How do you share that data? Many streaming services link to third party social media sites via plugins or share viewing data with analytics companies for marketing and advertising purposes. Websites and streaming companies can run into trouble especially when they team up with popular social media sites and embed a “like” or “follow” button on their pages or within their content.  If your service incorporates a social media button, you’ll want to make sure that the data you exchange with any third party social media site is anonymized and doesn’t identify specific users if you are also sending information about that user’s viewing history. Similarly, you will want to anonymize data when sharing it with third parties for analytics or tracking purposes.  

5.    How can you prevent a violation? The VPPA creates a “private right of action” meaning any individual can sue a video provider alleging a violation of the law.   Under the VPPA, courts can award statutory damages upwards of $2,500 per violation (in addition to attorney fees). Since providers may have thousands of viewers, VPPA claims are prone to class actions, which can make violations costly.  

One way to ensure compliance is for a video provider to obtain informed, written consent to disclose a consumer’s personal information. Consent can be obtained online, for a two-year period but can be withdrawn by the consumer. In certain circumstances, a video provider can disclose the subject matter of video materials if that information is used exclusively for the marketing of goods and services directly to the consumer.

To avoid VPPA violations, video providers should also have a clear understanding of the data they collect from viewers and how providers share or exchange that data with third parties.  Another best practice is to clearly communicate data privacy practices and VPPA obligations to consumers in online terms of use and privacy policies, and appropriate “just in time” disclosures at the point where personal information is collected.

Is your site or app thinking of adding online video content? Do you have concerns about how to comply with the VPPA? Share your take in the comments below.