Consumers are Suing Dozens of Companies for Sharing Tracking Data

A privacy class action that first exploded in September of this year highlights consumers suing a handful of companies for violating the federal Video Privacy Protection Act. The multitude of class actions hold the Meta Platforms Inc’s Pixel tracking tool accountable for the tracking of consumer data from online platforms. News outlets, sports organizations, and streaming services are all facing lawsuits related the alleged complaints.

What is the complaint about?

The federal Video Privacy Protection Act of 1988 initially prohibited the disclosure of video rental records containing personally identifiable information. The law was originally drafted to protect videotape rental records, since then the Act has been broadened to bar any digital video provider from disclosing any identifiable information. The video privacy laws require providers to obtain written and informed consent before disclosing information. The consent must also be separate from user agreements. The Act also provides that any person who is harmed by a violation of the Act may bring civil actions for damages.

The complaints allege that a variety of entities that contain videos knowingly disclosed information without consent, in violation of the federal act. These entities allowed Meta’s Pixel tracking tool to share a subscriber’s viewing activity and private Facebook ID with multiple social media platforms. Entities like NFL and NPR are also being held accountable in the growing privacy lawsuit. However, the list does not stop there, companies like GameStop, Bloomberg LP, NYP Holdings, and National Public Radio all have privacy cases against them. Though, these cases have been voluntarily dismissed and no comment has yet been made as to the reason behind the dismissal.

An example of an entity that is currently being sued for violation of the act is the Boston Globe. The complaint alleges that the media company illegally shared personally identifiable information with Meta’s company, Facebook, in violation with the federal Video Privacy Protection Act of 1988. David Ambrose, one of the plaintiffs involved in the suit said he found that that the media company, “knowingly disclosed its subscribers personally identifiable information-including a record of every video clip they viewed- to Facebook without consent.” A case is currently ongoing, so it is unclear whether a judge will agree with this view.

Why is there a need for increased federal regulation?

The Boston Globe case is a clear example of need for increased federal regulation related to consumer privacy legislation. The Video Privacy Protection Act does not protect against violations of data sharing in hospital settings, and the Health Insurance Portability and Accountability Act (HIPAA) does not sufficiently address the issue.

Little over 664 medical provider and hospital system websites have sent data to Facebook via its Pixel tracking tool. By sending patient data, Facebook is able to target ads related to individuals’ specific illness and diagnoses. By not disclosing the use of the Pixel tracking tool, medical providers are allowing patients to falsely assume that their health-related information is protected and not being disclosed to third-parties. Many of the invasions of privacy and consumer protections complaints seen against hospitals and health care providers refer to other state/federal laws different from that of the federal Video Privacy Protection Act of 1988.

As data gets passed around third parties, whether it be medical or browser history based, there are not just corporations benefiting and profiting from the data sharing, but there is also the risk of personal data being breached and leaked in a way that causes real harm. Consumer data privacy laws can give individuals rights to control their data, however if implemented poorly or made to restrictively, it could unfortunately maintain the status quo.

Current privacy laws, as seen with HIPPA, and the Video Privacy Protection Act, have created a mess of sectoral rules. Within the Unites States there are a handful of disparate federal and state laws, however there is no one singular law that that covers privacy of all types of data. As seen in many industries, companies are free to share, sell or collect any data without notifying you, often, sharing sensitive information like your health or location to third parties.

A federal law should give individuals the right to see what data companies collect and the right to tell those same companies to not sell or share your data. This could take the form of a data-breach notification law or a standalone bill, however there is yet to be a policy enacted that comprehends such an idea.

As more cases and lawsuits emerge, it is crucial for companies to understand the importance of current federal and state privacy laws and comply by their requirements. It is also crucial for the government to take action to standardize data control regulations across industries that can apply to all types of data sharing.