Is Every Website That Plays Videos Breaking An '80s Privacy Law?

A pile of VHS tapes.
A pile of VHS tapes.
  • Oops!
    Something went wrong.
    Please try again later.
  • Oops!
    Something went wrong.
    Please try again later.

In 1987, Ronald Reagan nominated Robert Bork to the Supreme Court. Bork was an extreme, hard-line conservative whose views included the idea that Roe v. Wade should be overturned because he believed there was no constitutional right to privacy whatsoever. In response, a Washington, DC video store leaked a list of his movie rentals, which included films like A Day At the Races and The Man Who Knew Too Much. It was nothing salacious, but Republicans were furious. Bork’s nomination was rejected.

The next year, a Republican-controlled Congress passed the Video Privacy Protection Act (VPPA) in response. Bork faded away; the VPPA lived on. Back then, it was probably hard to imagine the world of the internet, where companies spy on our every move and send the data to countless third parties, but here we are. The Reagan-era law says that “video tape service providers” (or anyone who offers similar services) can’t disclose personally identifiable information about what you watch without your informed, written consent. If a company breaks the law, they owe a cool $2,500 to every plaintiff in a class action suit, not counting potential punitive damages and attorneys fees. That could add up to millions of dollars fast. And depending on how you interpret the VPPA in 2022, a majority of the millions of websites that show videos could be breaking the law. More than a few lawyers see it that way.

Read more

A few months ago, I began seeing Instagram ads asking me to join class actions over alleged video privacy violations. One blaring exhortation read, “Do you have an account with the NY Post? Have you watched videos on If so, you may be entitled to compensation.” A little digging unearthed an absolute flood of VPPA lawsuits. Consumers are pursuing lawsuits against dozens of companies, including the NBA, GameStop, CNN, BuzzFeed, and Dotdash Meredith, owner of People Magazine, among others. There have been at least 47 VPPA class actions filed this year, and the pace is picking up. More than half were filed in September alone, according to Bloomberg Law. (Buzzfeed declined to comment, the other companies didn’t respond to questions.) A judge allowed one VPPA case to move forward in September, a good sign for the rest.

“When the law was written, you’d think of Blockbuster or Hollywood Video, but the statute makes it very clear that it applies regardless of the medium over which the video content is delivered,” said Alan Butler, president of the Electronic Privacy Information Center, who’s filed briefs supporting plaintiffs suing for VPPA violations in the past.

Here’s an open secret: almost every website you visit—including this one—has trackers on it that share data with companies in the advertising business. Meta trackers, in particular, are all over the internet, and the tech giant is listed as a recipient of the plaintiffs’ video data in almost every recent case.

If you watch a video, and the website sends Meta your personal details, you might have yourself a VPPA violation. That’s happening all the time on the internet, though. (The law can get a little tricky depending on how you define personally identifiable information.)

There are some exceptions. Companies can share data if it’s for transactional business purposes like billing, and courts have ruled that sharing data for internal analytics is fine, too. But if it’s for advertising, that’s a no-go. Companies can’t just stick a few lines in a privacy policy and call that consent either—a far stricter definition of consent than you get in most privacy laws.

“Congress’s intent with the VPPA was to protect your personal privacy when it comes to the videos you watch,” said Simon Grille, a lawyer at the law firm Girard Sharp, which is litigating several VPPA cases on behalf of consumers. “The streaming economy and the prevalence of data harvesting make that goal more important than ever.”

If you’re watching She-Hulk: Attorney At Law, it’s probably not going to ruin your life if other people find out you’re a fan of Marvel’s forays in to the fast-paced world of the courtroom. But the privacy implications can be a lot more significant in some cases. Think about how the videos you watch could reveal your medical information, say, or your sexual orientation.

“The people who are retaining us feel pretty strongly about it, and I don’t blame them,” Grille said.

VPPA is unusual because it includes a “private right of action,” which means you can sue a company for violating your rights. Most consumer protection laws only let regulators file cases, which means enforcement is much less likely. Business boys hate the private right of action, but consumer advocates love it. In fact, that disagreement is so fierce it’s one of the main reasons legislators haven’t passed more privacy regulations.

These cases will probably turn on how the courts interpret the way the digital advertising works. In previous cases, some courts have set a high standard for what counts as personally identifiable information. Your name and your phone number? That’s personal. But an ID number linked to your phone or your Facebook account? Legally, it’s a little up in the air, even though that’s exactly what tech companies use to personally identify you.

Previous legal decisions have also limited websites’ liability. Courts have decided that the personally identifiable information and the details about the video have to be sent in the same packet of information, even though the whole reason this data is being collected is because it’s easy to tie together. But, it’s possible that this and other case law could be overturned.

“The statute has a strong framework, but it’s sufficiently ambiguous for judges to read it narrowly if they don’t understand how identification happens in an internet context,” said Butler, from the Electronic Privacy Information Center.

The most unusual thing about the VPPA, though, is that it exists at all. There are hardly any privacy laws at the federal level, and most of the important ones were written well before data was big business. The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, which you hear about in conversations about medical data, was passed in 1996. In the absence of a federal privacy law, lawyers are left to jerry-rig the few regulations we have to fit them into the world of the internet.

The fact that there are so many VPPA lawsuits right now could actually hurt their chances, according to one New York lawyer who’s worked on significant privacy cases, who asked to remain anonymous so they could be more candid.

“When you’re taking a very old law, you don’t file a thousand cases testing it, you find one with very good facts and then develop positive case law with it,” the lawyer said. When judges see how many cases there are, they might be hesitant to make a ruling that will be disruptive to the market, especially when the privacy violations don’t include particularly sensitive data. “I don’t think that bodes well for the cases, or our privacy in general,” the lawyer said.