Video Privacy Protection Act: what website owners need to know


Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Having videos on your website is a great way to communicate the value of your products or services to potential customers, but did you know that such videos may put you at risk of lawsuits via the Video Privacy Protection Act? This law was originally passed in 1988 to prevent the disclosure of video tape rental or sale records or similar audio visual materials. While a video on a website is not the same as a record of what VHS tapes were rented, attorneys across the United States have filed numerous lawsuits alleging that the sharing of data of what videos consumers have watched online is a violation of this law, and have claimed hundreds of thousands of dollars in damages. Since violations of the Video Privacy Protection Act can garner statutory damages of up to $2,500 per website visitor and video watcher, it is important to properly display videos on your website to avoid large fines. In this article, we will discuss the history of this law, how it relates to websites, recent lawsuits, and tips on how to protect your business. 

History of the Video Privacy Protection Act

In 1987, Judge Robert Bork was nominated to the United States Supreme Court. As the nomination was being considered, reporter Michael Dolan from the Washington City Paper published an article that listed the videotapes that the Judge rented over a period of two years. The list contained 146 videotapes, leaked by a store clerk, and showed that the Judge liked spy thrillers and Alfred Hitchcock films. While this was not the damning evidence that some had hoped for, the leak drew bipartisan support for the protection of intellectual privacy and thus, in 1988, the Video Privacy Protection Act was passed. The purpose of the Act is to restrict the disclosure of video records, thereby protecting the privacy of individuals. 

After its initial passage, the law did not receive much attention as there was little incentive for video rental stores to share the video viewing habits of their customers. However, with the advent of the Internet and associated privacy violations, the Video Privacy Protection Act was amended in 2013. The Amendment provided that the sharing of video viewership records with third parties was not unlawful if the consumer provides consent and has the ability to withdraw that consent. 

What does the Video Privacy Protection Act have to do with websites? 

Since the law was passed in 1988 to protect privacy in the context of VHS tape rentals, you may be wondering how the Video Privacy Protection Act is related to videos on modern websites. The law states that it applies regardless of the medium over which the content is delivered, meaning that it can and does apply to videos on websites. It also applies whenever Personally Identifiable Information (PII) such as names or addresses and details about the video watched are sent to a third party. For example, if your website has a Facebook Pixel that fires whenever someone watches a video so that ads could be shown to that individual, that data would be shared with Facebook (a third party), leading to a violation of this law. Additionally, if you have embedded a Youtube video on your website, the viewing history may also be shared with Youtube, potentially causing a violation as well. While there is a lot of confusion as to what constitutes a violation of this law, it most definitely applies to websites and the best way to avoid violations and lawsuits is to not share what consumers viewed which videos with third parties. 

Video Privacy Protection Act lawsuits 

The Video Privacy Protection Act is unique in that it allows consumers to sue businesses for violations and allows for damages of up to $2,500 per consumer. Thus, it should come as no surprise that a large amount of lawsuits have been filed claiming violations and damages. 

For example, a number of class action lawsuits have been filed alleging that websites that use Google Analytics and/or the Meta Pixel code to track and share video viewership records with these third parties, are in violation of the law. The class action lawsuits allege that this information was shared without the user’s consent. In another lawsuit against TikTok, which was settled for $92 million, the plaintiffs argued that TikTok violated the law by harvesting users’ personal data and disclosing video viewership data to third parties without permission. Furthermore, Chick-fil-A was also sued due to the allegation that they shared PII about the video watching habits of website visitors with Meta through the Meta Facebook Pixel. 

Since the passage of this law, there have been more than 170 decisions that have cited the Video Privacy Protection Act. For example, a lawsuit in 2008 in Dallas County, TX, claimed that Blockbuster Video violated this law due to sharing video rental records with Facebook through Facebook’s Beacon ad service. The lawsuit was settled for $50,000 and Blockbuster Video was prohibited from using the Facebook Beacon. 

Since each case under the Video Privacy Protection Act can be handled by different jurisdictions, there is a lot of inconsistency on how this law is actually applied. For example, in Eichenberger vs. ESPN, the Court found that the lawsuit should be dismissed because the consumer failed to allege that PII was actually disclosed to a third party as a Roku device serial number was not sufficient to identify a particular person. On the other hand, the case Yershov v. Gannett Satellite Info. Network, Inc. found that an Android ID and a GPS location does constitute PII within the meaning of the Video Privacy Protection Act but the case was dismissed because the consumer was not a “subscriber” as defined by the law. 

Tips for protection 

To avoid similar claims under the Video Privacy Protection Act, website owners should: 

  1. Avoid sharing PII and video viewership records with third parties; 
  2. Avoid implementing Meta Pixels on videos and using that data to run advertisements; 
  3. Avoid implementing Google Analytics on videos; 
  4. Have a compliant Privacy Policy that accurately discloses what PII is collected on their websites, how that PII is used, and who it is shared with; and 
  5. Have a cookie consent banner that asks individuals to agree to being tracked by cookies and pixels and that ensures that individuals are not tracked until they provide consent.

If you’re using videos on your website and don’t yet have a solution in place for your policies, Termageddon can help.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates