Zachary Gross
Privacy law governing video service providers’ disclosure of viewers’ video consumption has long operated under a regime focused on consent: so long as the consumer checks a box, video service providers may freely disclose information about that consumer’s viewing habits to any entity whatsoever. This consent-based regime is the result of the Video Privacy Protection Act (“VPPA”), a relatively obscure 1988 statute passed after a video rental store clerk leaked Supreme Court nominee Robert Bork’s video rental history to an enterprising reporter.[1] Aghast at this privacy violation, Congress quickly passed the VPPA, which prohibits video providers from disclosing consumers’ video-watching records, subject to certain exceptions.[2]
Crucially, the 1988 bill contained an exception allowing video tape service providers to disclose consumers’ records “to any person” so long as the consumer had provided “informed, written consent . . . at the time the disclosure [was] sought.”[3] In 2012, after lobbying by Netflix, Congress expanded that exception such that the consent could be given “in advance for a set period of time, not to exceed 2 years . . . .” The 2012 amendment largely gutted the VPPA’s protections by entirely shifting the regulatory framework to a feeble consent-based model whereby video service providers can easily obtain consumers’ blanket, ongoing consent for the disclosure of their viewing records.[4]
Video service providers have existed happily under this favorable regulatory framework for many years. However, several online privacy bills introduced in Congress in 2019 indicate that lawmakers are increasingly questioning the viability of the consent-based regime. While none of these bills presents a wholesale challenge to that regime, they do presage that the era of ultra-light-touch privacy regulation, grounded entirely in the notion of consumer consent, might be nearing its end.
For example, Senator Edward Markey’s (D-MA) Privacy Bill of Rights Act contains a “prohibition on take-it-or-leave-it” privacy terms, stipulating that covered entities “may not refuse to serve an individual who does not approve the collection, use, retention, sharing, or sale of the individual’s personal information . . . on the basis of that lack of approval[.]”[5] The bill further prohibits covered entities from offering discounts or other financial incentives in exchange for consumers’ consent to the use and sharing of their personal information.[6] Senator Marsha Blackburn’s (R-TN) BROWSER Actlikewise contains provisions prohibiting covered entities from “condition[ing], or effectively condition[ing], provision of . . . service on agreement by a user to waive privacy rights[.]”[7]
A number of online privacy bills introduced in 2019 contain provisions allowing consumers to access, correct, or delete their data. For example, the Online Privacy Act, recently introduced by Representatives Anna Eshoo (D-CA) and Zoe Lofgren (D-CA), requires covered entities to “make available a reasonable mechanism by which an individual may request the deletion of [their] personal information . . . .”[8] These provisions would impose obligations on video service providers beyond those of the VPPA, which for the most part concerns only disclosure, rather than the maintenance, of personal information. The Online Privacy Act also contains an explicit prohibition on waivers, stipulating that “[a]ny agreement purporting to waive compliance with or modify any provision of this Act shall be void as contrary to public policy.”[9]
These provisions challenge the current status quo whereby all is fair so long as the consumer has checked a box granting blanket consent. Prohibitions on take-it-or-leave-it privacy terms make it feasible for consumers to withhold consent: they can do so without jeopardizing their access to Netflix’s catalog. Individual rights to access, correct, and delete data likewise impose obligations on video service providers over and above their blanket consent waivers: even where consumers have given consent to the collection and use of their data, they would retain the right to, for example, have the video provider delete certain data.
Even if any of these bills were to be enacted into law, the VPPA’s consent-based regime would remain largely untouched. Video service providers would continue to seek, and consumers would still largely grant, blanket consent for disclosure of their viewing habits. The import of these bills is not that they would seriously challenge the VPPA’s consent-based framework, but rather that they reveal a nascent, yet growing judgment among lawmakers that companies should be held to privacy standards that cannot be dismissed through the all-too-easily obtained device of consumer consent.
[1] S. Rep. No. 100-599, at 5 (1988)
[2] Video Privacy Protection Act, 18 U.S.C. § 2710 (2012).
[3] Video Privacy Protection Act, Pub. L. No. 100-618, 102 Stat. 3195 (1988) (amended 2012).
[4] See William McGeveran, The Law of Friction, 2013 U. Chi. Legal. F. 15, 27 (After the 2012 amendment, “Netflix and other video service providers may secure a consumer’s advance blanket approval for disclosures.”). See generally John A Rothchild, Against Notice and Choice: The Manifest Failure of the Proceduralist Paradigm to Protect Privacy Online (Or Anywhere Else), 66 Clev. St. L. Rev. 559, 562, 564 (2018) (arguing that “notice-and choice is a fatally flawed approach” that should be replaced with “substantive privacy rules . . . premised on theories of unfairness and unconscionability.”)
[5] Privacy Bill of Rights Act, S. 1214, 116th Cong. (2019).
[6] Id.
[7] Balancing the Rights of Web Surfers Equally and Responsibly Act of 2019, S. 1116, 116th Cong. (2019).
[8] The Online Privacy Act of 2019, H.R. 4978, 116th Cong. (2019).
[9] Id.