As set forth in BakerHostetler’s 2023 Data Security Incident Report, privacy litigation is on the rise. Indeed, 2023 saw a nearly 100 percent increase from 2022 in the number of lawsuits filed in connection with data security incidents. Many of those lawsuits were filed against colleges and universities and arose from ransomware incidents or email compromises involving the unauthorized access to or acquisition of files containing individuals’ Social Security numbers, driver’s license numbers and/or financial account information.

Since early 2022, we have seen many lawsuits filed against hospital systems, alleging that their use of Meta (formerly Facebook) Pixel and other technology to monitor user activity on their websites constitutes an unlawful invasion of privacy. The Pixel lawsuits brought against hospital systems typically assert causes of action under general tort law (i.e., invasion of privacy, unjust enrichment), wiretapping laws and various state laws, such as California’s Confidentiality of Medical Information Act. Recently, however, universities (along with the operators of their athletic team websites) have also begun to be named as defendants in putative class action complaints based on their use of Pixel and other tracking technology. Unlike the lawsuits against hospital systems, however, the actions against universities are being brought under the Video Privacy Protection Act of 1988 (VPPA).

Below, we (a) provide an overview of the VPPA, (b) describe how the VPPA is being used as a cause of action in Pixel litigation and (c) address best practices for universities moving forward.

Overview of the VPPA

The VPPA – one of the earliest federal privacy laws – was enacted in 1988, after Supreme Court nominee Robert Bork’s VHS videotape rental history was obtained by a news organization without his permission. The VPPA prohibits a videotape service provider from disclosing –without the consumer’s informed, written consent – certain personally identifiable information (PII) of a consumer, including information that identifies a person as having requested specific video materials. The statute defines “video tape service provider” as “any person engaged in the business, in or affecting interstate or foreign commerce, of rental, sale or delivery of prerecorded cassette tapes or similar audio-visual materials.”

VPPA Causes of Action in Pixel Litigation Against Universities

For several years, plaintiffs’ attorneys have been creatively interpreting the VPPA to apply not just to brick-and-mortar video stores but also to modern technologies, like websites. Indeed, in early 2023, we began seeing one plaintiffs’ firm file putative class action lawsuits against universities, alleging VPPA violations. To date, these lawsuits have targeted the official websites of four college athletic programs – the University of Florida, the University of Nebraska–Lincoln, the University of Texas and the University of Southern California. In the most recent of these lawsuits, however, filed against the University of Southern California, the plaintiffs allege that the websites of at least 173 other collegiate athletic programs also use some form of website tracking technology; therefore, we may see similar lawsuits against other colleges in the near future.

The putative class action complaints allege that the defendants violated the VPPA by knowingly disclosing the Facebook users’ ID and video viewing history to Meta via the Meta Pixel without providing the requisite notice and obtaining consent before doing so. The plaintiffs allege that the defendants committed a separate violation of the VPPA each time a user watched a video on one of the defendants’ websites and their Facebook user ID and video viewing history were shared without their consent.

Entities that are found liable for VPPA violations are potentially subject to actual damages but not less than liquidated damages in an amount of $2,500 per affected consumer, punitive damages, reasonable attorneys’ fees and costs, and other equitable relief. Therefore, with hundreds of thousands of consumers potentially comprising a class, the potential damages in these matters are significant.

What to Expect Next, and Best Practices Moving Forward

In recent months, there have been several positive rulings dismissing VPPA actions on the basis that a subscriber of newsletters is not a “consumer” under the act and that a business must be “centered, tailored, or focused around providing and delivering audiovisual content” in order to be a videotape service provider under the act.

Likewise, positive strides are being made in the VPPA cases against universities. The University of Texas prevailed on its motion to dismiss based on qualified immunity. Subsequently, the plaintiff voluntarily dismissed his VPPA claims against the University of Nebraska–Lincoln and the University of Nebraska Department of Athletics.

The University of Florida’s motion to dismiss remains pending and raises the issues of Eleventh Amendment immunity, state sovereign immunity, and arguments that plaintiffs failed to allege that the university is a “person” against whom the VPPA provides a remedy; that plaintiffs are not consumers; that the university disclosed PII; that the university acted knowingly; that the university is a video tape service provider; and that plaintiffs failed to consent. If plaintiffs do not voluntarily dismiss the claims against the university, the court’s ruling on this motion may provide valuable insight regarding the future viability of the VPPA claims against universities. Therefore, universities are well served to monitor the status of those cases. Additionally, it is imperative that universities conduct security risk assessments to ensure that they understand (a) whether and to what extent they are using tracking technologies to monitor website traffic or track user activity, (b) how that information is transmitted to third parties, and (c) whether their current website privacy notices and terms of use are sufficient under the circumstances.

[View source.]