• Privacy Picks
  • Posts
  • Using Meta Pixel may invoke the Video Privacy Protection Act of 1988 (VPPA)

Using Meta Pixel may invoke the Video Privacy Protection Act of 1988 (VPPA)

Plus: Illinois Anti-Doxxing Law, proposed HIPAA amendments for reproductive health information, and Google Workspace's commitment to privacy in the AI era

Recently, the online course streaming platform MasterClass was accused of violating the Video Privacy Protection Act (VPPA) by secretly sending “details about certain users and the videos they’ve watched to Facebook” for advertising purposes.

The claim alleges that MasterClass used a tracking pixel to transmit user data, including watch history and Facebook IDs, to Meta. The law firm is seeking $2500 under the VPPA for each affected consumer through mass arbitration.

I was a little surprised to see the VPPA mentioned in a current privacy matter. If you’re unfamiliar with the Video Privacy Protection Act of 1988, that’s completely understandable.

Its original privacy protection goal - preventing the unauthorized disclosure of your video cassette rental information - is a little outdated.

However, several recent class action suits targeting companies who use Meta’s pixel-tracking technology for ad targeting have brought this law back into relevance.

So… what is the VPPA?

The VPPA was enacted in response to leaked video rental records during Robert Bork’s 1987 U.S. Supreme Court confirmation hearings.

While the actual rental records that were disclosed turned out to be pretty innocuous, the nature of the leak triggered a backlash over the lack of consumer privacy safeguards in this context and led to the passage of the VPPA in 1988.

The Act prohibits the unauthorized disclosure of personally identifiable information (PII) that identifies a consumer and links the consumer to “specific video materials or services” that they rent, purchase, or subscribe to from a “video tape service provider.”

A “video tape service provider” includes anyone who provides “prerecorded video cassette tapes and similar audio visual materials.”

In order to disclose PII, a service provider must obtain the customer’s informed consent in writing at the time of disclosure or in advance. Advance consent can be valid for up to 2 years.

The Act includes a private right of action allowing plaintiffs to recover up to $2500 in statutory damages. The VPPA does not preempt states from enacting similar laws with broader provisions and stiffer penalties.

In the case of MasterClass, Yanka Industries, Inc (the owner of MasterClass.com) would be the “video tape service provider” who potentially violated the VPPA by sharing the PII of users who have a Facebook account (watch history + Facebook ID) without their informed consent.

What’s Next for the VPPA?

It remains to be seen whether courts will extend the protections of the VPPA to web publishers and developers who use the Meta pixels on their sites or platforms. But as the MasterClass claims demonstrate, that hasn’t stopped plaintiffs from trying:

Since 2022, 115 lawsuits have been filed alleging violations of the VPPA by online news outlets, streaming services retailers, and other defendants, almost all of which are based on use of the Meta pixel. The lawsuits allege that the information shared through the Meta pixel can be used to find a public Facebook page and thus to identify the consumer in question. [Perkins Coie]

If you run a media co, website, app, streaming service, etc., and install the Meta Pixel (or similar tech) to track users on your platform, be sure to keep a close eye on how these cases unfold.

In the meantime, it’s always best to understand the details of how you actually use this technology and whether your consent procedures and privacy policies align with this use under applicable state and federal laws, including the VPPA.

Now on to some more privacy picks…

🎯 Privacy Picks

Zoom Terms of Service Debacle

The Zoom terms of service changes caused a major uproar over language indicating that they plan to train their AI with user content. And, as Axios notes, this may just be the tip of the iceberg:

Think about the consent mess that will ensue when online meeting-goers all bring their own AI-powered virtual assistants, created by a variety of different software firms — each with its own terms of service. [Axios]

Illinois Anti-Doxxing Law

Illinois passed an anti-doxxing law, making it possible for victims to sue attackers who "intentionally" publish their personally identifiable information with the intent to harm or harass them. [Ars Technica]

HIPAA and Reproductive PHI

A proposed amendment to the HIPAA Privacy rule would prohibit the disclosure of reproductive-protected health information (PHI) held by Covered Entities:

[w]here the use or disclosure is for a criminal, civil, or administrative investigation into a proceeding against any person in connection with seeking, obtaining, providing, or facilitating [lawful] reproductive health care. [JD Supra]

Google’s AI Privacy Commitment for Workspace

Regarding their use of generative AI with the new Duet AI in Google Workspace, the company is trying to reassure its users that “generative AI does not change [its] foundational privacy protections for giving users choice and control over their data.”

Google further pledges that:

  • Workspace data is not used to train or improve generative AI models without permission.

  • Interactions with intelligent Workspace features are anonymized and aggregated to improve user experience.

  • Google does not use Workspace data for advertising purposes.

➕ More Picks

  • Best practices for talking to kids about online privacy [NIST]

  • Comparing X (formerly Twitter) vs. Threads from a privacy perspective [MakeUseOf]

  • Amazon’s “Just Walk Out” tech raises some serious privacy concerns [Daily Beast]

Thank you for reading Privacy Picks. This post is public so feel free to share it.