Privacy & Information Security Law Blog

On July 28, 2022, a federal judge approved TikTok’s $92 million class action settlement of various privacy claims made under state and federal law. The agreement will resolve litigation that began in 2019 and involved claims that TikTok, owned by the Chinese company ByteDance, violated the Illinois Biometric Information Privacy Act (“BIPA”) and the federal Video Privacy Protection Act (“VPPA”) by improperly harvesting users’ personal data. U.S. District Court Judge John Lee of the Northern District of Illinois also awarded approximately $29 million in fees to class counsel.

On October 8, 2014, the United States District Court for the Northern District of Georgia granted Cartoon Network, Inc.’s (“Cartoon Network’s”) motion to dismiss a putative class action alleging that Cartoon Network’s mobile app impermissibly disclosed users’ personally identifiable information (“PII”) to a third party data analytics company under the Video Privacy Protection Act (“VPPA”).

On December 18, 2012, the U.S. House of Representatives passed H.R. 6671, a bill that would amend the Video Privacy Protection Act (“VPPA”) consent requirements for disclosing consumers’ viewing information. The Senate approved the bill without changes on December 20, 2012. The bill would make it easier for companies to develop innovative technologies for the sharing of consumers’ video viewing habits. The current version of the VPPA requires certain video providers to obtain a consumer’s consent each time they wish to share the consumer’s viewing information ...

On August 10, 2012, a federal district court in California denied Hulu’s motion to dismiss the remaining claim in a putative class action suit alleging that the online streaming video provider transmitted users’ personal information to third parties in violation of the Video Privacy Protection Act (“VPPA”). The VPPA prohibits a “video tape service provider” from transmitting personally identifiable information of “consumers,” except in certain, limited circumstances. According to the complaint, Hulu allegedly allowed KISSmetrics, a data analytics company, to place tracking codes on the plaintiffs’ computers that re-spawned previously-deleted cookies, and shared Hulu users’ video viewing choices and “personally identifiable information” with third parties, including online ad networks, metrics companies and social media networks.

In recent months, two high-profile cases involving Hulu and Netflix have raised questions regarding the scope and application of the Video Privacy Protection Act (“VPPA”), a federal privacy law that has been the focus of increasing attention over the past few years. In the Hulu case, Hulu users claimed that the subscription-based video streaming service disclosed their viewing history to third parties. Specifically, their complaint alleges that Hulu worked with KISSmetrics, a data analytics company, to track subscribers’ viewing histories and then share that information with third parties such as Facebook. In its response, Hulu has maintained that it is not subject to the VPPA because it is not a “video tape service provider,” which is defined in relevant part as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” Alternatively, Hulu has argued that its information sharing with third parties was permitted by the VPPA’s exception that allows disclosures “incident to the ordinary course of business of the video tape service provider.” The case, which currently is headed to mediation, could have far-reaching effects if it is determined that video streaming services are subject to the VPPA’s requirements.

On December 1, 2011, a consolidated litigation against Netflix was ordered to private mediation pursuant to an agreement between the parties. As we previously reported, the plaintiffs allege that Netflix’s practice of maintaining customer movie rental history and recommendations after their subscriptions are cancelled violates the federal Video Privacy Protection Act (“VPPA”). In August 2011, several similar cases against Netflix were consolidated by a federal court in California.

News of the mediation order comes as a significant amendment to the VPPA awaits Senate ...

On July 25, 2011, Netflix stated that it will hold off on the launch of its Facebook integration in the U.S. due to legal issues related to the Video Privacy Protection Act (“VPPA”).  The new Facebook feature would allow Netflix subscribers to share their movie viewing information with friends online.  Netflix indicated in its second quarter shareholder letter that it supports House Bill 2471 (“H.B. 2471”), a proposed bipartisan amendment to the VPPA intended to clarify the consent requirement for sharing consumer video viewing information.  The letter states that “[u]nder the VPPA, it is ambiguous when and how a user can give permission for his or her video viewing data to be shared” and that the VPPA “discourages us from launching our Facebook integration domestically.”  As a result, the company plans to limit the campaign to Canada and Latin America until questions concerning the VPPA are resolved.

On June 15, 2011, Senator Al Franken (D-MN) and Senator Richard Blumenthal (D-CT) introduced the Location Privacy Protection Act of 2011 (the “Act”).  As we reported previously, Senator Franken is chairman of the newly-created Senate subcommittee on Privacy, Technology and the Law.   In his press release, Senator Franken explained that the Act is designed to “close current loopholes in federal law” while giving customers the ability to learn about and prevent the collection of their location information.  The Act would apply only to non-government entities and would not impact law-enforcement activities.  At a May 10, 2011 hearing, both Google and Apple were questioned about their privacy practices, and Franken subsequently challenged them to require their application developers to adopt clear and understandable privacy policies.

On March 11, 2011, Virginia resident Peter Comstock filed a class action complaint against Netflix, Inc. in the United States District Court for the Northern District of California.  According to the complaint, Netflix “tracks its users’ viewing habits with respect to both videos watched over the Internet...and physical movies ordered through the Internet and watched at home,” while encouraging “subscribers to rank the videos they watch.”  The complaint alleges that Netflix’s practice of maintaining customer movie rental history and recommendations, “long after subscribers cancel their Netflix subscription,” violates the federal Video Privacy Protection Act (“VPPA”), and California’s Customer Records Act and Unfair Competition Law.  In addition, the complaint alleges that Netflix’s failure to properly store user information and its sale of customer data to third parties led to its unjust enrichment and a breach of its fiduciary duty.  Comstock and the putative class are seeking both an injunction to stop Netflix’s current practices and monetary damages.