Over the last few years, fast food giant Chick-fil-A has produced a Christmas video series called “The Stories of Evergreen Hills.” A new privacy lawsuit alleges that viewers were getting more than just heartwarming holiday animations, as the website hosting the videos was engaging in data collection that it did not obtain the requisite consent for.
Data collection without proper notice and consent would not normally be a major story for a United States company, given that there is little in the way of federal law requiring it. But the privacy lawsuit alleges that Chick-fil-A did manage to violate one of the very few federal regulations that apply to this sort of targeted advertising, which applies only to personally identifiable information collected during the viewing of videos.
Chick-fil-A data collection may have run “afowl” of federal video privacy law
The law in question is the Video Privacy Protection Act (VPPA), a 1988 regulation that was aimed more at now-defunct video tape rental stores than anything else. It put special protections on personally identifiable information collected during video rentals, forbidding it from being shared outside of narrow business-related parameters.
The privacy lawsuit contends that these terms apply to internet video as well, and that Chick-fil-A is in violation due to its sharing with Meta (Facebook). The company added the ubiquitous Meta pixel to the pages hosting its videos at the “evergreenhills.com” website, sharing select data about visitors and how they interacted with the content.
The privacy lawsuit hinges on the court deciding that the Meta pixel constitutes “personally identifiable information.” The pixel does not directly collect any such information, essentially gathering anonymized analytics data about what is viewed on the site. However, it does assign each individual user a unique ID number for tracking purposes.
The argument will be that the end user could potentially be identified in this way by Facebook and other Meta companies, as well as any data partners they might sell this information to or share it with. There is not much legal precedent for this in the US, but in the EU Google recently found itself in trouble for something similar involving its widely used Google Analytics platform.
Multiple privacy lawsuits spring up as VPPA faces court tests
Law firms appear to have identified the VPPA as potential fertile ground for class action revenue, as dozens of similar privacy lawsuits were filed in 2022 against similarly recognizable brands such as CNN, Buzzfeed and the NBA. A ruling for the plaintiffs in this or any one of these “big name” cases might upend the way data collection is done in connection with internet video and put a major financial squeeze on a variety of companies.
While European law is certainly not a precedent or bellwether for decisions in US courts, the fact that Google was found liable for something very similar in the EU at least demonstrates that it is possible that a judge could arrive at this conclusion. The chief difference is that EU nations are governed by the General Data Protection Regulation, which was invoked in the case; the US has nothing comparable in terms of federal data protection law. That EU decision found that individual websites partnering with Google were directly liable if they embedded Google Analytics on the site, even though personal identification would not be possible without access to Google’s internal stores of marketing data.
The lead plaintiff in the Chick-fil-A privacy lawsuit, Keith Carrol, appears to be betting big on the courts reaching a similar conclusion; in addition to suing the chicken giant, he has recently filed five similar data collection lawsuits against Dave & Busters, La-Z-Boy, Mattel, J.M. Smucker, and Procter & Gamble.
This case will likely be a tougher sell as the VPPA has specific language indicating it regulates only “video tape service providers.” It was clearly directed at the records kept by stores such as Blockbuster Video, at a time when the internet was not even a known concept to most of the population. Federal court cases in general also require plaintiffs to demonstrate a concrete form of damage to themselves personally.
The VPPA has been tried in court as a means of regulating internet-based services in at least several prior cases, the earliest appearing in 2007. This first effort was a similar volley of cases that also involved Facebook along with Overstock.com, Zappos and other major online retailers of the time. This case was somewhat different, however, as it attempted to label the technology companies as “video providers” more generally due to the fact that they make use of video on their platforms; the complaint included data collection garnered by other means not necessarily tied directly to the videos, in a time when YouTube and compressed streaming was only just getting underway and video was not nearly as ubiquitous as it is now.#Privacy lawsuit alleges that by embedding the Meta pixel on pages hosting its videos, Chick-fil-A violated a 1988 federal law which applies only to #datacollection of #PII when viewing videos. #respectdataClick to Tweet
This first effort was limited by the Obama administration in 2013, however, when an amendment to the VPPA went into effect that allows rental history to be shared via social media platforms if the platform first obtains user consent. A similar lawsuit brought against Hulu resulted in a 2015 decision by a federal appeals court that VPPA protections do not apply to those using free Android apps.