Privacy & Cybersecurity Law Blog

In recent months, two high-profile cases involving Hulu and Netflix have raised questions regarding the scope and application of the Video Privacy Protection Act (“VPPA”), a federal privacy law that has been the focus of increasing attention over the past few years. In the Hulu case, Hulu users claimed that the subscription-based video streaming service disclosed their viewing history to third parties. Specifically, their complaint alleges that Hulu worked with KISSmetrics, a data analytics company, to track subscribers’ viewing histories and then share that information with third parties such as Facebook. In its response, Hulu has maintained that it is not subject to the VPPA because it is not a “video tape service provider,” which is defined in relevant part as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” Alternatively, Hulu has argued that its information sharing with third parties was permitted by the VPPA’s exception that allows disclosures “incident to the ordinary course of business of the video tape service provider.” The case, which currently is headed to mediation, could have far-reaching effects if it is determined that video streaming services are subject to the VPPA’s requirements.

In another notable case, court documents filed on May 25, 2012, in the U.S. District Court for the Northern District of California indicate that Netflix has agreed to settle a class action claim that it violated the VPPA by retaining the viewing histories of former Netflix customers longer than permitted by the statute. The VPPA requires video tape service providers to delete a customer’s personally identifiable information, including his or her viewing history, “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.” The suit alleged that former Netflix customers who logged back into cancelled accounts were able to see certain past viewing history that should have been deleted as required by the VPPA. As part of the settlement, Netflix will pay $6.75 million to privacy groups and $2.25 million to the plaintiffs’ attorneys.

Read our previous coverage of the Netflix case.