Second Circuit Ruling Expands VPPA Scope: What Organizations Need to Know

Background

Michael Salazar filed a class action lawsuit against a professional sports organization alleging that it violated the VPPA by disclosing his personal viewing information to a third-party social media provider without his consent. Salazar had signed up for the organization's free online newsletter and visited the organization's website, where he watched videos. Salazar alleges that his video viewing history and social media ID were shared with the third party through pixel tracking software embedded in the organization's website without his permission. The district court dismissed Salazar's claims largely on the basis that the organization's online newsletter was not an audiovisual "good or service" and there was no nexus between subscribing to the online newsletter and the provision of video content on the organization's website. The rationale for the dismissal was similar to what many other courts have cited in dismissing VPPA claims in other jurisdictions.

Qualifications to be a "Subscriber" Under the VPPA

The central issue on appeal with the Second Circuit was whether Salazar qualified as a "subscriber of goods or services" under the VPPA by only being a subscriber to the organization's email newsletter and not purchasing any video services. The Second Circuit rejected the district court's narrow interpretation that only audiovisual "goods or services" could qualify a person as a subscriber under the VPPA. Instead, the appellate court held that the term "goods or services" was not limited to audiovisual content and, because Salazar had provided personal information in exchange for access to the organization's newsletter, he was considered a "subscriber" under the VPPA. Accordingly, the court held that the organization must comply with the VPPA when Salazar watches videos on its website.

Potential Impact on VPPA Claims

The Second Circuit's decision in Salazar significantly expands the scope of who qualifies as a "consumer" under the VPPA. Under this interpretation, any individual who registers or subscribes to a free newsletter or other digital service from an organization that also provides video content may be considered a subscriber and, thus, would be protected by the VPPA. The ruling increases the risk for organizations that provide video content on their websites or other digital platforms. It is important to note that the Second Circuit did not address whether the organization's disclosure of subscriber data to the third-party social media company was a violation of the VPPA, and the decision did not impact other common defenses asserted by organizations to VPPA claims. Nonetheless, an expanded scope of potential claimants means an expanded scope of potential exposure and risk to organizations that collect and share personal information related to video content.

Best Practices to Mitigate Risks

Organizations that provide video content through websites and other digital platforms should take immediate steps to assess how they use pixels and other tracking technologies on such platforms. Below are some recommended best practices to mitigate the increased risks associated with VPPA claims in light of the Salazar decision:

• Analyze Data Privacy Practices: Organizations should thoroughly review their data privacy practices to ensure compliance with the VPPA. This includes an evaluation of how the organization collects, stores, and shares user data related to video viewing history and habits.
• Update Privacy Policies and Disclosures: All privacy policies and other consumer-facing disclosures should be updated to disclose the collection of a user's video viewing data and clearly define how such data is handled including whether the data is shared with third parties and the purposes for the disclosure. Organizations should also ensure that their privacy policies are understandable to users, easily accessible, and prominently displayed on their websites and/or digital platforms.
• Obtain Explicit Consent from Users: The VPPA requires organizations to obtain written consent from consumers in order to share such information with third parties. To date, no court has opined on what constitutes appropriate and valid consent under the VPPA. Regardless, organizations should consider implementing mechanisms to obtain explicit consent from users before collecting or sharing video viewing data.
• Implement Data Minimization Strategies: Organizations should limit the collection of video viewing information to only what is necessary for the intended purpose and not store such information for longer than necessary. As more privacy regulations implement data minimization concepts, the same philosophy should be considered by organizations regarding VPPA-related data.
• Provide Employee Training and Monitor Vendor Compliance: Employees should be trained on the requirements of the VPPA and similar consumer data privacy laws as it is essential for them to understand the importance of protecting user data and the legal implications of noncompliance. Organizations should also conduct regular compliance audits of third-party vendors to ensure that their data collection practices and technologies embedded in digital platforms align with legal obligations.

The Second Circuit's decision in Salazar further clouds what were already muddy waters regarding VPPA claims. Courts will likely continue to disagree on the application of the VPPA and the interpretation of its defined terms. Therefore, additional confusion is expected and a jurisdictional split is not out of the question. Organizations would benefit greatly by engaging experienced counsel to help implement the best practices outlined above in an effort to mitigate the risks amid this growing uncertainty. Please contact Alex Koskey, Al Leiva, or any member of Baker Donelson's Data Protection, Privacy, and Cybersecurity team if you have any questions concerning these issues or any aspect of your privacy or cybersecurity programs.