Old Privacy Laws, New Digital Dilemmas: How Outdated Legislation Continues to Challenge Website Providers

November 5, 2024

With the rise of digital advertising and data analytics, website providers have come under increasing scrutiny for their use of tracking cookies and video content. Many of these practices are targeted under statutes that were enacted before the internet era-laws initially meant to protect consumer privacy in traditional settings. Today, website providers face lawsuits leveraging these "old" laws in novel ways, pushing them to reconsider how these technologies are rolled out and to reassess the marketing benefits against the unyielding legal risk.

The VPPA and Its Application in Video Content Tracking

The Video Privacy Protection Act (VPPA)ⁱ, enacted in 1988, was originally created to prevent video rental companies from disclosing customer rental information without express consent. Under this law, the regulated video service providers are interpreted broadly, including any business that is engaged in delivery of "audio-visual materials." Claims may be filed against such providers for disclosure of video-viewing history or habits and/or disclosure of lists of video titles tagged for later viewing to third parties without express consent. In this advancing digital age, recent actions have focused on the use of third-party advertising pixels associated with videos and the inherent disclosure to related advertising and analytics providers in connection with such services.

Pixels are snippets of code embedded within a website that can track user behavior, such as video viewing habits, page views, and clicks. These pixels-often provided by third-party advertising and analytics companies and incorporated into videos and advertisements by website providers-can collect user data and associate it with unique identifiers (user IDs). Importantly, the website provider doesn't necessarily have access to these user IDs-and often does not-but the respective service provider does have such access. As a result, courts have generally found that personal information is shared. The identifiers don't necessarily contain a person's name, but they allow an ordinary person to link to user profiles that reveal a user's personal identity, either directly or indirectly.

Recently, on October 15, 2024, a new Second Circuit ruling, Salazar v. National Basketball Association, broadly expanded the definition of "consumer" under the VPPA. The Salazar Court focused on the definition of "consumer" under the VPPA, finding that the VPPA's definition of "goods and services" is not limited to "audio-visual materials." This ruling trends away from prior District Court rulings which limited the application of the VPPA to situations where there was a nexus between the subscription and the video content, i.e., a plaintiff needed to be a "consumer" of "audio-visual materials." The Second Circuit is the only Circuit Court to thus far adopt such an expansive reading of the VPPA. The Sixth and Seventh Circuits are set to decide similar issues, and it remains to be seen whether they will agree with the Second Circuit or if a Circuit Court split is forthcoming.

Key considerations for compliance with the VPPA include, but are not limited to:

• If collecting any information related to embedded videos (including advertisements) on a website, express written consent is required;
• Express consent must be unambiguous and cannot be folded into consent of general terms and conditions;
• Consent is only valid for 2 years and must be re-obtained;
• The use of advertising or analytic pixels in connection with embedded videos that require the sharing of information may trigger VPPA violations;
• A website's inability to identify a user with video title or viewing information does not necessarily render the law inapplicable when using third-party analytics providers who themselves can identify the user through associated user IDs;
• If video related data is not needed, consider not collecting title or other informative information about the video watched to maximize defenses; and
• There is risk that non-paying customers are still subscribers, so companies with free websites, applications or services should not assume VPPA's inapplicability;

Wiretap Laws and Tracking Cookies

State wiretap laws, initially designed to prevent unauthorized phone tapping and eavesdropping, are increasingly being applied to the use of tracking cookies on websites. Plaintiffs argue that these cookies function like "wiretaps" by recording user interactions without proper consent, particularly when the information is "shared" with third parties.

Under the California Invasion of Privacy Act (CIPA), plaintiffs have filed class-action lawsuits against websites that allegedly use session replay cookies to monitor mouse movements, clicks, and page interactions or third party software to power their website chat or search functionality, which plaintiffs argue is equivalent to wiretapping and eavesdropping. However, the tide may be turning. Recently, a California District Court determined that no violation of CIPA occurred where the plaintiff had failed to present evidence that would allow a reasonable jury to conclude that the third-party service provider "read, attempted to read or learn" the contents of any communication while it was in transit.ⁱⁱ Similarly, the Massachusetts Supreme Judicial Court, rejected the theory that third-party website technology violates the Massachusetts Wiretap Act, finding that because the plaintiff's interactions were with the website and not another person, her interactions with the website were not considered "communications."ⁱⁱⁱ It remains to be seen how these rulings will affect the application of wiretap laws going forward.

And, despite some recent favorable rulings, the plaintiff's bar continues to file cases in California and beyond, including in states like Pennsylvania and Florida, which have strict two-party consent requirements for recording conversations or data. These lawsuits argue that these tracking technologies capture user behavior without both parties' consent, thereby violating wiretap statutes. Lawsuits related to these issues highlight the importance of clear disclosures and consent mechanisms to dissuade litigants from bringing any action. Unlike the VPPA, these laws do not require express consent, but instead may be satisfied through inferred or implied consent.

Key considerations for compliance with CIPA and similar laws include, but are not limited to:

• Companies operating websites nationally must ensure that their website policies and use of website technologies comply with the wiretap laws of each state where the website is accessed.
• Companies contemplating using technology that involves recording or analysis of website visitors' communications with the website should ensure that clear and informed consent is obtained from website visitors before any communications are recorded.
• Where technologies used overlap with technologies covered under other laws like the VPPA or other laws like the California Consumer Privacy Act[iv], it is important to assess how consent is going to be obtained given consent under CIPA may not satisfy consent under another law.
• Carefully review third-party service provider contracts to ensure that they are not using any collected data for their own use and that no data is being shared with other third parties.
• Consider limiting the data collected to exclude personal identifying or otherwise confidential information.

Conclusion: Putting It All Together

As the plaintiff's bar continues to latch onto decades old privacy laws against modern website practices, there is a newfound recognition by courts and regulators that laws need to account for the growing uses of tracking technologies. Although these statutes were enacted long before the digital age, they are still viewed as meaningful legal protections for consumers to challenge data-sharing practices beyond their consent.

However, as illustrated by these two different laws that confront similar technologies, the type of consent required differs, and operationalizing such consent mechanisms and related disclosures can prove to be more nuanced and difficult than simply "adding a cookie banner" or updating a website's Terms of Use and Privacy Policy. Website providers need to carefully think about the benefits and risks of these respective technologies-sometimes a uniform approach can create legal risks or minimize engagement rates, and such effects should be carefully considered prior to any specific approach for compliance.

As the digital landscape evolves, so too does the application of privacy and consumer protection laws. Website providers must stay vigilant, as the legal landscape around tracking cookies and video content continues to shift. Adopting transparency, establishing adequate consent mechanisms, and staying aware-and ahead-of emerging precedents can help protect against unexpected liabilities under these evolving interpretations of established laws.

Dentons regularly advises and defends clients facing privacy related claims and assists clients with compliance with data privacy laws, including the VPPA and CIPA. Dentons' team of Privacy and Cybersecurity litigation and advertising/regulatory lawyers and professionals is ready to help. From data-mapping to cybersecurity risk assessments, our cross-practice team is well suited to provide guidance on compliance efforts or to assist with your litigation needs. With rare depth in this area, Dentons is well-equipped to hit the ground running. For further details or assistance with compliance or a lawsuit, please contact us.

[i] 18 U.S.C.A. §§ 2710 et seq.

[ii] Gutierrez v. Converse, CV 23-6547-KK-MARx, 2024 WL 3511648 (C.D. Cal. July 12, 2024).

[iii] Vita v. New England Baptist Hospital, et al., SJC-13541, 2024 WL 4558621 (Mass. Oct. 24, 2024).

[iv] California Civil Code § 1798.100