The VPPA was enacted in 1998 to prevent video rental services from sharing private information about their customers’ rental history. The law prohibits a “video tape service provider” (i.e., a person who provides rental, sale or delivery of prerecorded video cassette tapes or similar audio-visual materials) from knowingly disclosing information that identifies a customer as having requested specific video materials.

While the VPPA was designed to apply to a very specific set of business practices, the scope of it has been expanding for years, including to digital videos, because of aggressive litigation before the courts. Now, the most recent lawsuits focus on online video services embedded in web properties that use cookies and similar tracking technologies such as pixels. These tracking technologies capture information about a user’s interactions with the videos embedded in the web property and, in some cases, share it with third parties like social media companies. The data shared often contains identifiers that could (at least in theory) be used to determine viewing history. The claims made in the most recent spate of lawsuits allege that this form of data sharing violates the VPPA.

Plaintiffs have so far been met with mixed success in their efforts to further extend the VPPA. For example, in a recent ruling against the National Football League (NFL), the US District Court for the District of Rhode Island denied the NFL’s motion to dismiss as to tracking technologies embedded in prerecorded videos but granted the NFL’s motion with respect to live broadcasts, concluding that those were not “recorded” materials. Louth v. NFL Enterprises LLC, No. 1:21-cv-00405 (D.R.I. Sept. 12, 2022). The NFL ruling mirrors other recent rulings. (See, e.g., Ambrose v. Boston Globe Media Partners, LLC, N. 1:22-cv-10195 (D. Mass. Sept. 19, 2022).)

STATE WIRETAP LAWS

State wiretap laws, such as the CIPA, have similarly been extended to modern technologies through litigation. Among other provisions that have been litigated in privacy-related lawsuits, CIPA prohibits the interception of a communication, or the attempt to read or learn the contents of a communication, while in transit without the consent of all parties to the communication. CIPA also prohibits the “eavesdrop[ping]” or “record[ing]” of a confidential communication without the consent of the parties to the communication. Recent class actions have sought to apply this law to modern Internet technologies, focusing on two technologies in particular: session replay tools and chatbots.

Session replay tools collect information about a user’s interactions with a webpage, such as mouse movements, clicks and pageviews, to recreate a user’s experience on the website in a session. Session replay tools can also monitor a user’s movement on a particular webpage, including, for example, recording the details a user has entered into a webform. Plaintiffs now allege that the recording of these actions, often by a third party who provides the session replay tool, violate CIPA because users are unaware of and have not consented to the recording. Some of these claims have had success though. In Javier v. Assurance IQ, LLC, the US Court of Appeals for the Ninth Circuit reversed the trial court’s dismissal, holding that use of session replay tools without prior consent can be a violation of CIPA. No. 1:21-cv-16351 (9th Cir. May 9, 2022). The success of Javier has opened the door to a barrage of session replay and other similar claims.

As an extension of the session replay claims, CIPA actions have also begun to focus on chatbots. The gist of these claims is similar to those involving session replay tools: chatbots violate CIPA by recording or learning the contents of a user’s communications without the user’s consent.

And the drumbeat is not stopping in California. Plaintiffs are bringing similar claims under wiretap laws in other states, such as Florida and Pennsylvania.

HOW TO PREPARE

Companies should evaluate whether they use any of these tools that are being targeted by Plaintiffs, such as chatbots, session replay or tracking technologies embedded in videos (including, for example, training videos or commercial advertisements), and assess the risk posed by this recent wave of class actions. Companies can also take steps to mitigate their risk, such as clearly disclosing the use of these technologies in privacy notices and just-in-time notices where feasible.

[View source.]