Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.
To begin your week, I recommend reading IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan's, CIPP/US, CIPM, insightful article on the U.S. Supreme Court's decision to grant the petition for certiorari in Salazar v. Paramount Global on the Video Privacy Protection Act.
The quick summary is that the VPPA is a classic patchwork of federal and state privacy laws. In 1988, Congress adopted the VPPA after a newspaper disclosed Supreme Court nominee Robert Bork's video rental history without his consent. VPPA generally requires a video tape service provider — think Blockbuster Video — to obtain the express consent of a consumer before disclosing their personally identifiable information, i.e., information that identifies them as having requested or obtained specific video materials or services from a video tape service provider.
Of course, Blockbuster Video, and other brick-and-mortar video rental places, have gone the way of the dodo bird, so it would be logical to think the VPPA is not really relevant anymore. Unfortunately, logic does not prevail here as the VPPA is one of several privacy law darlings of the plaintiff's bar, as it carries a private right of action, liquidated damages of no less than USD2,500, attorneys' fees and other remedies. The plaintiff's bar has been working for more than a decade, with various degrees of success and failure in different circuits, to apply VPPA to online streaming services in the context of pixels/online tracking, and otherwise.
The most recent effort before the Supreme Court now concerns whether the VPPA applies broadly to situations where an individual rents, purchases or subscribes to non-audio-visual goods or services. See the brief in opposition for more detail. The specific legal question revolves around the definition of "consumer" in the VPPA, which provides that "the term 'consumer' means any renter, purchaser, or subscriber of goods or services from a video tape service provider," 18 USC § 2710 (a)(1).
The defendant in the case, 247Sports, provides audiovisual content about college sports on its website for free. Because users cannot rent, purchase or subscribe to this audiovisual content, the plaintiff could not pursue 247Sports as a "consumer" under the VPPA.
Instead, the plaintiff decided to "subscribe" to the site's free, written email newsletter, which does not contain audiovisual content, and is leveraging that subscription to assert that he meets the remaining criteria to be a "consumer" under the VPPA because he "subscribes" to a "good or service" from 247Sports. And the plaintiff thinks this entitles him to VPPA privacy protections for all the information related to his having requested or obtained video content on the site. Or, perhaps more precisely, he, and every other individual who subscribes to the newsletter and obtain free visual content on the site, are entitled to USD2,500 liquidated damages each plus attorney's fees. You can do the math: if there are 1 million subscribers to the free, text-only email newsletter, that's USD2.5 billion plus attorneys' fees.
This can't be, right? How could someone claim such exorbitant liquidated damages under the VPPA as a bootstrapping consequence of subscribing to a free, text-only email newsletter? Well, the plaintiff argues that the plain language of the definition of consumer does not refer to an individual that rents, purchases or subscribes to "audiovisual" goods and services, but rather just any "goods or services."
The audiovisual term is missing from the definition of consumer. I think an ordinary person reading the statute, including its application exclusively to video tape service providers, would interpret the statute as triggered only for audiovisual content. But I don't think the defendant's position is a lock.
If you want some deeper background on how the Court evaluates questions of statutory interpretation, I recommend the thoughtful recent book by U.S. Supreme Court Associate Justice Amy Coney Barrett on Listening to the Law. Barrett articulates that, in our government with separation of powers, Congress enacts the laws, the president enforces the laws and the Court merely interprets the laws as written. She explains the Court should not adjudicate outcomes based on what the justices would like to see as an outcome, but rather on the basis of what the plain text of the law provides. She notes that this means the justices are not always happy with the outcomes of their cases, but the reality is that we all benefit from living in a society with a separation and balance of powers.
It reminds me of similar comments by Chief Justice John Roberts during his confirmation hearings where he compared justices to baseball umpires — calling balls and strikes, nothing more. In any event, as with any Supreme Court case, we need to be prepared that Salazar vs. Paramount Global could go well for business or it could not go so well.
Several observations on all of this
Businesses are not happy with the current patchwork of federal and state privacy laws. Businesses are getting clobbered by these almost random privacy laws that embed private rights of action and statutory damages. Should a website's disclosure to an advertiser that a consumer streamed a college sports video content really entitle the consumer to USD2,500 plus attorney's fees? Should a site face a possible existential threat of a multibillion-dollar penalty because it offered a free written newsletter? Other less than ideal results have emerged in recent years under various other federal and state privacy laws, such as the Illinois Biometric Information Privacy Act, the California Invasion of Privacy Act and more.
Consumers are not satisfied with the current patchwork of federal and state privacy laws. On the consumer side, surveys consistently show U.S. consumers feel they do not have meaningful legal protection and control over their personal data. For example, the Pew Research Center shows that a substantial majority of consumers (73%) feel that they have little or no control over what companies do with their data.
The political will seems to be lacking at the federal level to fix this issue. We are past due for some kind of federal standard and preemption on state data breach notification laws. And with the surge in state comprehensive privacy laws, we're already into the sweet spot of where preemption through a federal standard could really help. One could imagine that a federal law on data, cybersecurity and artificial intelligence could address many of the concerns all at once, but at this point it's not clear that a serious effort along these lines will materialize soon.
Several recommendations in the current environment
Businesses should focus on the real risk posed by this patchwork of data privacy laws. Businesses need to understand not only which privacy laws apply to their operations, they also need to evaluate carefully the likelihood and severity of penalties associated with such laws, i.e., COSO-style risk assessment. Privacy laws that contain private rights of action and statutory damages — even seemingly random ones like the VPPA — can raise potentially significant risks.
Data professionals should re-examine these risks in light of current trends, and flag any developments, such as an adverse outcome in Salazar v. Paramount Global, for leadership, as they could change prior assessments and require a reevaluation of compliance strategy.
Businesses should evaluate the sufficiency of the resources applied to manage interactions with the digital advertising ecosystem. The reality is that the digital advertising ecosystem is developing and changing rapidly across technologies, platforms, data and business models. And, at the same time, the data and privacy goal posts are moving with new laws and regulations, as well as novel plaintiff's actions, aggressive regulatory actions and related challenges. Senior business leaders do not want to hear that more resources or attention is needed, but given this environment, it's an important time to evaluate the resources as applied.
Data professionals should remember to stay within their lane as trusted advisors. Data professionals will always do well to stay within their lane as trusted advisors to senior leaders on these issues. Do the homework on the changing risk landscape, and how the company's current compliance posture addresses the risks and where improvements can be made. Know that improvements can always be made, as we do not live in a perfect world. If the risks are potentially serious, try to have a verbal discussion with supervisors and/or leadership before reducing thoughts to writing, as the supervisors and/or leadership may very well have more context that could lessen or change the perceived risks. Ultimately, let the senior leadership make the significant risk decisions, as they are the ones who run the business.