I wanted to pick up where a previous article of mine on recent class action lawsuits filed under the Video Privacy Protection Act left off.  In recent months several class action lawsuits have been filed against prominent retailers based on allegations that their retention of customers’ personal information (including credit or debit card numbers, billing addresses and video viewing histories) violated the VPPA.  The claims are essentially that the defendants kept this information longer than they needed to or were authorized to; for instance, in Sterk v. Redbox Automated Retail, LLC, currently pending in the Northern District of Illinois, plaintiffs alleged that “Redbox stores and maintains customers’ PII for purposes of collecting debts and providing refunds” and that Redbox does not give refunds after ninety days have passed from the rental date.  Thus, once this 90 day period has expired, plaintiffs contend, Redbox has to destroy the PII further to the VPPA, which provides that such PII shall be destroyed “as soon as practicable, but no later than one year from the date which the information is no longer necessary for the purposes for which it was collected.”  18 U.S.C. 2710(e).

Redbox moved to dismiss by arguing that the VPPA did not provide for a private right of action and, even if there was a private right of action, plaintiff had not stated a claim for relief.  In support of its contention that the VPPA did not authorize suits for violations of the destruction of old records sub-section (quoted above), Redbox argued that the only provision of the VPPA that contains liability language is the unlawful disclosure provision set forth in sub-section b.  18 U.S.C. 2710(b) (stating that “[a] video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any customer shall be liable to the aggrieved person for the relief provided [herein”).  In rejecting Redbox’s contention, Judge Kennelly held that the appropriate section to focus on was (c) which provided for a private right of action generally applicable to all sections of the VPPA; “subsection 2701(c)’s plain language makes it clear that a plaintiff can bring a private suit for violation of any of the requirements and prohibitions contained in [the VPPA].”

Redbox also contended that plaintiffs had not stated a claim for relief because, based on the plain language of the VPPA, it had “one year from the date the information was collected” and such period had not expired as of yet.  Judge Kennelly rejected that argument; finding that such an interpretation would essentially read the “as soon as practicable” language out of the VPPA. 

Finally, Redbox contended that the VPPA allows for the collection of customer information for “marketing and advertising purposes” so long as customers are provided “with the opportunity, in a clear and conspicuous manner, to prohibit such disclosure.”  Judge Kennelly stated that a determination of whether Redbox’ Terms of Use and Privacy Policy provided a method for customers to prohibit such disclosures was a fact question beyond the purview of the motion to dismiss. 

These cases are significant because they are the result of, at least in part, the current piecemeal state of federal privacy protections.  In many privacy class actions (which follow closely on the heels of any breach notification – much more on this soon), Plaintiffs (and their lawyers) struggle to get past the pleading hurdle because they often can’t evidence standing as there is no presently ascertainable injury (and even if there were it would be difficult to pinpoint defendant’s conduct as the likely cause of it).  Laws like the VPPA are well-received by plaintiffs’ counsel (to put it mildly) because they obviate the need to evidence actual injury, and (in this writer’s opinion) provide for a disproportionate windfall.  The VPPA provides for the recovery of “actual damages but not less than liquidated damages in an amount of $2,500,” as well as for potential recovery of punitive damages, attorneys’ fees, costs and injunctive relief.  By providing for statutory relief, Congress has removed the requirement of actual injury (Article III standing), and make these cases extremely attractive to plaintiffs and their counsel.  Finally, these cases also remind of the need for data minimization and audits – it is becoming increasingly important to only collect data that is necessary for the purpose(s) it was obtained and to perform periodic audits to determine what information (and whether a need for it) exists.

Judge Kennelly’s decision denying the motion to dismiss is accessible here: RedboxMTDOrder.