Updating Video Privacy or Gutting It?
The video rental business is among a few sectors of the U.S. economy with strong federal limits on the collection and sharing of consumer data. Under the Video Privacy Protection Act, which was passed in 1988, “video tape service providers” generally are not permitted to share a consumer’s video usage information without “the informed, written consent of the consumer given at the time the disclosure is sought.” VPPA also prohibits companies from retaining personal information beyond the period prompting its initial collection. Companies like Blockbuster ran afoul of VPPA by sharing its users’ rental information with social network contacts, without their consent, and by retaining personal information, including credit card numbers, of users who canceled their accounts. In September, Facebook began making it easier for millions of U.S. customers to effortlessly share, via a new timeline, more of their online activities, such as the music they’re enjoying and the articles they’re reading. Left off the timeline: the details of the movies they’re renting–due to VPPA’s requirement that consumers explicitly consent at the time of disclosure. Thus began Netflix’s renewed lobbying efforts to amend VPPA, so that Facebook users could automatically share their Netflix rental activity without requiring their rental-by-rental consent.
Those efforts have begun to pay off. The House recently passed a bill, H.R. 2471, which would amend VPPA to makes clear that “informed, written consent” may be obtained electronically using the Internet. Such consent must be obtained distinctly and separate from any other legal or financial terms that are presented to consumers. Representative Goodlatte stated in his remarks on the House floor that the bill maintains an opt-in consent requirement. H.R. 2471 also addresses what it means that consent must be obtained from a consumer “at the time the disclosure is sought.” If adopted, the bill would make clear that consumers may provide their consent to information-sharing in advance of a disclosure, so long as such consent may be withdrawn by the consumer. So a Facebook user’s one-time grant of approval, opt-in style, would permit the automatic sharing of video-rental activity, that is until the user changed his or her mind and opted out. On one view, the amendment is dismantling the high water mark for consumer privacy protection. Marc Rotenberg, executive director of the Electronic Privacy Information Center, explained to the New York Times that Congress isn’t “trying to modernize the law,” it is “trying to gut the law.” At stake, he argued, is not the ostensible sharing of a person’s video viewing history, but rather the larger issue of meaningful consent. On an another, the Center on Democracy and Technology’s Director on the Consumer Privacy Project Justin Brookman sees the amendment’s insistence on separate notice and consent for the opt-in sharing of video information as sufficiently protective of consumer privacy. He argues that “if people want to tell all their friends every single thing they watch without the bother of clicking “Okay” each time, that should be their prerogative.” As Brookman explains, although the VPPA amendment doesn’t compromise consumer privacy, CDT “would feel stronger about the bill if it offered some benefit to consumers who don’t plan to take advantage of automatic sharing, such as by clarifying that the law applies to online streaming of movies — something that wasn’t envisioned when the VPPA was passed in 1988. More broadly, there’s a lot more consumer interest in generally improving privacy protections to make sure they understand what data is being collected and used about them, and to give them stronger controls around that data.” Chris Wolf, co-chair of the Future of Privacy and director of Hogan Lovells’ privacy practice, agrees that if consumers want to share their video choices with others in the way they now can share their music and reading preferences, they should be able to do so.
Rotenberg is spot on in his larger concern about meaningful consent. I’ve long been a notice skeptic — people tend not to read privacy policies and don’t understand them if they do. But that’s not to say that notice can’t be done right. The VPPA isn’t all bad–it demands that sharing permission be given separately from other legal or financial terms. Ryan Calo‘s important work on the flaws of notice regimes across various areas points to the potential for design to address those concerns. If notice can be done right, then the notion of privacy as control may not be illusory. And if CDT has its way in its important work supporting various proposed privacy laws, consumers may in the future be able to better understand what companies collect about them and have greater controls over collection practices. Yet what remains is a nagging feeling that notice and choice regimes can’t do it all, that some lines need to be drawn on the kinds of personal data that ought to be collected. Perhaps the collection cat is already out of the bag, and so we need to remain focused on providing protections related to use and distribution. I’m looking forward to getting my copy of the Brooking Institute’s volume on Constitution 3.0 co-edited by Jeff Rosen (who had a fabulous interview with NPR’s Terry Gross on the book): Orin Kerr has an interesting chapter on the promise of disclosure restrictions. But nonetheless minimizing data collection is something that may be of crucial importance, especially in an era when we feel more and more comfortable gauging privacy protections on what people want. So often, people’s rationality is indeed bounded when it comes to privacy. They don’t truly understand the long-term implications of their consent — and it might be impossible even for the most sophisticated consumers.