Cookies Aren’t Really a Treat: How VPPA Violations May Give Insureds and Underwriters Indigestion

A growing number of lawsuits are being filed across the U.S. for alleged violations of the 1988 Video Privacy Protection Act by a range of entities from news and media outlets to digital health providers. Cyber insurers are paying close attention to these judgments, as they may influence privacy claims for years to come.
May 31, 2023

It’s pretty standard these days to see a pop-up notification disclosing the use of “cookies” when we visit a website using Meta Pixel technology. Generally, it appears immediately to let us know that the host, as well as third parties that provide services on the site, may use cookies to collect information about the content we engage with while on the site.

But what happens when the site features video content and one of the third parties with access to visitors’ viewing history is, say, Facebook? Must the site request each visitor’s consent before sharing that information with a third party like Meta?

Many plaintiffs’ attorneys would say yes. A wave of litigation for alleged violations of the federal Video Privacy Protection Act of 1988 (VPPA) is underway across the U.S., and these suits may influence how companies that provide everything from health care to digital streaming handle all the legally protected personal information they acquire from both visitors and subscribers.

The VPPA was enacted shortly after a Reagan-era Supreme Court nominee’s video rental history was made public. Thereafter, companies that rent, sell or deliver prerecorded videos have been subject to hefty fines if they knowingly disclose subscriber identities along with their video viewing history to third parties without consent.

Today’s VPPA-based class actions revolve around how companies with video content integrated into their platforms manage the inner workings of their websites.

“A lot of websites are linking to social media [platforms and] they may not know what’s going on in the background and haven’t thought about the chain,” said Danielle Librizzi, head of professional liability at QBE. “It’s a supply chain type of issue.”

The biggest gap tends to lie with how consumer consent is handled between platforms. “When you’re accepting cookies on one website and you’re linked to another,” and there isn’t clarity around how the consent transfers from site to site, this is where companies find themselves vulnerable to accusations of violating the VPPA, Librizzi explained.

Unknown Outcomes in Unexpected Jurisdictions

Most recently, experts like Antonio Trotta, VP and financial lines claim practice leader for the cyber and professional liability practice at QBE, have seen VPPA cases pop up in typically predictable U.S. district courts such as the Northern District of California and the Southern District of New York.

“But that’s not to say these claims can’t be filed elsewhere,” Trotta said. An Iowa-based newspaper chain is among the latest organizations to face a potential class action for allegedly sharing readers’ personal information with Facebook via Meta Pixel.

The defenses in these claims are technical and hinge on experts explaining how Meta Pixel and other advertising technologies work, Trotta explained, which could make the companies that face these charges opt for a settlement rather than go to trial.

“Roughly a decade ago, in a wave of VPPA claims unrelated to Pixel technology, defendants had a much better chance of obtaining a favorable ruling on their motions to dismiss, and as a result, many claims settled for nominal amounts compared to what the potential is now,” Librizzi said.

Yet many of the recent cases involving advertising technologies such as Meta Pixel are surviving motions to dismiss, and the likely result is that this round of VPPA class actions could wreak havoc on the insurance industry. The VPPA provides a civil remedy of actual damages or liquidated damages of no less than $2,500. “A lot of liquidated damages statutes say up to a certain amount, but [VPPA] starts at $2,500. And that ‘no less than’ is an eye-opener given the number of claimants in these new cases,” Trotta said.

Imagine a huge streaming content provider with tens of millions of subscribers being forced to pay a settlement of this magnitude. That kind of exposure, Trotta said, “is something that can shrink insurance towers.”

Reduce Risks by Tightening Privacy Controls

“Because of the experience the cyber insurance industry has had in recent years with respect to ransomware, the privacy liability portion of cyber coverage tends to get less discussion,” Librizzi said.

This is why Librizzi sees a need for the insurance industry to keep a close eye on the outcomes of the latest round of VPPA litigation: “So that the market is moving in the right direction.”

Today, VPPA claims center around the use of Meta Pixels, but “months from now, we could be talking about some other type of [technology] and the same things are going to apply,” Trotta said. “And that’s why it’s really important for our customers to get this right.”

Trotta suggests a series of steps insureds — especially prime cyber targets like health care entities — can take to improve their privacy practices.

1) First, understand your company’s protocols for sharing electronic content with a third party. “Companies have to have some type of critical review procedure when handling any project that ultimately goes through the legal department,” he said.

2) “From there, if you’re using a technology with configuration protocols, what can you do to make that more legally compliant?” Trotta said. “Is there a way to configure it so that you’re not violating particular statutes but you’re still capturing essentially the information you want?”

3) For providers of a software or service, “make sure you know what contracts you have in place with your customers that provide indemnification,” Trotta said. “How well-protected are you in case you get dragged into litigation?”

4) Get consent from web users as soon as possible. As much as pop-ups may present a visual distraction or deter some users from engaging with a site, Trotta sees them as a necessary precaution. And “it needs to appear before they actually engage with your content,” he emphasized.

5) Lastly, make sure you have a separate policy specifically about how you share personal information with third parties. “It can’t just be embedded in your privacy policy,” Trotta said. “A lot of the statutes, VPPA included, make it obligatory that this information be shared in a separate disclosure.”

Even though most users do not have weeks to read closely through terms and conditions, “they actually need to click ‘I agree,’ ” Trotta said. “You can’t just say they implicitly replied.”

For Librizzi, all carriers should be helping their insureds understand and try to contain exposures like those made apparent by recent VPPA suits. “That’s the part of the policy that doesn’t just respond to claims; it helps insureds get better at risk management.”

Raquel Moreno is a staff writer with Risk & Insurance. She can be reached at [email protected].
