Judge Robert Bork had offered his assessment of privacy’s constitutional status in scholarly tomes and congressional testimony,1 but in the fall of 1987, the only theory of privacy that mattered was Michael Dolan’s. In The Bork Tapes, a self-consciously intrusive survey of Judge Bork’s video rental history published in the Washington City Paper, reporter Michael Dolan offered the following insight: “The only way to figure out what someone is like is to examine what that someone likes — take a hard look at the tools of leisure he uses to chip away life’s rough edges.”2 The article attempted to reconstruct the interior life of a U.S. Supreme Court nominee who would go on to criticize the constitutional right to privacy as “a loose canon in the law,”3 confronting Judge Bork with his own vulnerability to privacy harms. The list of 146 videotapes Judge Bork had rented over the course of two years, leaked by a store clerk, revealed nothing particularly salacious. Judge Bork favored Alfred Hitchcock films, spy thrillers, and British costume dramas; someone in the Bork household had an affinity for John Hughes movies. The list’s disclosure hardly intruded upon the sphere of intimate and domestic life protected from government intrusion by Griswold v. Connecticut4 and its progeny.5 Yet, against the backdrop of “[o]ne of the fiercest battles ever waged over a Supreme Court nominee,”6 the publication of The Bork Tapes drew bipartisan ire and generated consensus7 on the importance of intellectual privacy.8
The following year, Congress enacted the Video Privacy Protection Act9 (VPPA), which restricted the disclosure of video records without the watcher’s consent.10 The Act followed a spate of privacy-protective statutes enacted in the 1970s and 1980s: the Privacy Act of 1974, the Privacy Protection Act of 1980, the Cable Communications Policy Act of 1984, and the Electronic Communications Privacy Act of 1986.11 Policymakers had become increasingly concerned about “minimizing intrusiveness, maximizing fairness, and creating legitimate, enforceable expectations of confidentiality,”12 especially after repeated judicial failures to secure personal privacy rights in spheres less intimate than reproduction.13 Congress made its goals manifestly clear in supplementing constitutional privacy with statutory protection. First, the VPPA evinced a desire to embody purpose-specification,14 use-limitation, and individual-participation principles already familiar from the first iteration of the Organisation for Economic Cooperation and Development (OECD) Privacy Guidelines, a set of internationally agreed-upon privacy principles developed in the 1980s.15 Second, the Act recognized that a video watcher’s privacy — like a reader’s or a writer’s privacy — implicates First Amendment values that Congress ought to safeguard.16
The landscape of intellectual engagement has shifted significantly since 1988. A newspaper reporter who attempted to replicate Dolan’s experiment today would have trouble finding a brick-and-mortar video rental store — and, once there, would scarcely find a satisfactory set of subscribers to snoop on. A Supreme Court nominee wanting to check out something more scandalous than Pretty in Pink would probably opt for an online transaction, availing himself or herself of an oft-overlooked privacy benefit of a digitized intellectual environment: privacy from the store clerk.17 Our watching habits, like our reading habits, have moved online. The relevant players in video privacy are no longer Blockbuster and Hollywood Video, but rather Amazon, Netflix, and Hulu.18
Since 1988, doctrine has changed as well. Lujan v. Defenders of Wildlife19 redefined the meaning of standing to sue, placing the emphasis on injury in fact.20 In the lead-up to Spokeo, Inc. v. Robins,21 information privacy scholars expressed their concern that the Supreme Court’s ruling could undermine citizens’ ability to seek relief under privacy-protective statutes like the VPPA.22 In particular, Spokeo renewed interest in a persistent question: What kind of privacy harm constitutes an injury in fact?
In the United States’ patchwork privacy regime, the VPPA is a unique gap-filler, extending protection — if only in part — to the expressive activities recognized as vital to the First Amendment but left underprotected by the Fourth.23 This Chapter argues that technological and doctrinal changes have done less damage to the Video Privacy Protection Act than one might expect. The statute’s weaknesses lie in its drafting errors and in the more pervasive difficulties courts have with evolving definitions, such as the definition of “personally identifiable information.”24 Despite these weaknesses, the VPPA and recent cases deploying the Act suggest that courts are not hesitant to recognize privacy harms as “injuries” when the harms implicate intellectual privacy. Because of its broad, technology-neutral language, the VPPA has managed to weather the past forty years. Though the statute’s effectiveness, like that of any other statute, depends on reasonable judicial interpretation, the VPPA’s resilience despite technological and doctrinal changes indicates that the statute might prove an appropriate model for the next logical step in safeguarding the privacy of expressive activity: federal reader privacy legislation.
Section A discusses the VPPA’s adaptation to both the technological developments of the past forty years and the Supreme Court’s shifting standing doctrine. Section B addresses the lingering weaknesses in the statute’s language. Finally, section C argues that the statute as originally drafted could serve as a model for a much-needed federal reader privacy statute. Section D concludes.
The VPPA owes its resilience largely to the flexibility of its language. The VPPA prohibits videotape service providers from knowingly disclosing “personally identifiable information” to third parties unless the provider is compelled by a warrant, the provider obtains the consent of the record subject, the provider discloses only the names and addresses of consumers to engage in direct marketing to the consumer, or the provider makes the disclosure “incident to the ordinary course of business.”25 The Act defines “personally identifiable information” as “includ[ing] information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”26 Congress cast a wide net with respect to standing, providing a cause of action to “[a]ny person aggrieved by any act of a person in violation of this section.”27 The civil remedies section was meant to “put teeth into the legislation,”28 where the evil the statute intended to remedy was that film buffs would be broadly surveilled by private actors and that once in government hands, their cinematic preferences could be used against them.
1. Technological Resilience. — Before the VPPA’s 2012 amendments, which allowed videotape service providers to obtain continuing rather than case-by-case consent from consumers to aggregate disclosure of their video records,29 there was some uncertainty as to whether the VPPA applied to online streaming services. During congressional hearings, Senator Al Franken expressed concerns that the VPPA had become an obsolete, inoperable relic as the world moved from VHS tapes to Netflix.30 However, this concern was unfounded; courts had not struggled to extend the VPPA to the internet, thanks to the statute’s technology-neutral language. Because the Act defined a videotape service provider as any person or entity in the business of rental, sale, or delivery of videotapes “or similar audio visual materials,”31 this provision transitioned relatively smoothly into the twenty-first century.
The first class action lawsuit under the VPPA against an online service, In re Hulu Privacy Litigation,32 was brought in July 2011.33 Hulu moved to dismiss for lack of subject matter jurisdiction, arguing that it was not a “video tape service provider” under the Act, because it did not sell or rent physical objects like the brick-and-mortar businesses Congress would have recognized at the time of enactment.34 Relying on dictionary definitions of “material,” as well as the VPPA’s legislative history, the district court concluded that Hulu was a “video tape service provider,” because it was a purveyor of “similar audio visual materials” to prerecorded video cassette tapes.35 The Oxford English Dictionary’s definition of “material” as “[t]ext or images in printed or electronic form . . . as reading material, etc.”36 predated the 1988 Act, and the Senate Report’s discussion of laser discs indicated “Congress’s intent to cover new technologies for pre-recorded video content.”37 In light of “Congress’s concern with protecting consumers’ privacy in an evolving technological world,” the district court held that the videotape service provider definition included online video streaming services.38
2. Doctrinal Resilience. — Doctrinal change also could have threatened the VPPA’s efficacy. While the Act was drafted to grant standing up to the constitutional limit, conferring a cause of action on “[a]ny person aggrieved” under the Act,39 Supreme Court cases decided in the years after the VPPA’s enactment clarified that constitutional limit. According to the formulation set forth in Lujan v. Defenders of Wildlife, a congressional grant of standing passes constitutional muster only when the plaintiff has suffered a concrete, particularized, and actual or imminent injury in fact.40
(a) The VPPA Under the Lujan Standard. — Because of the nature of the harm Congress sought to prevent, the statute had little trouble meeting Lujan’s standard, even though the enacting Congress could not have foreseen the doctrinal shift. The VPPA evinces Congress’s desire to prevent government intrusion upon the deliberative space in which citizens read, watch, think, and create. The Senate Report expressed Congress’s solicitude for intellectual privacy, describing the protection of “an individual’s choice of books and films [as] a . . . pillar of intellectual freedom under the [F]irst [A]mendment.”41 Surveying the case law — with particular emphasis on Stanley v. Georgia,42 which recognized the First Amendment right to receive even obscene materials in the privacy of one’s own home43 — the enacting Congress linked the VPPA with core First Amendment rights.44 Unregulated disclosure of records revealing “our loves, likes, and dislikes,”45 the Senate Report argued, could inhibit the intellectual process, delegitimize dissent, and undermine the First Amendment value of avoiding the prescription of orthodoxy of thought.46
In Amazon.com LLC v. Lay,47 Amazon sued the North Carolina Department of Revenue under the VPPA and the First Amendment, seeking injunctive relief to avoid complying with a request to disclose the names and addresses of its customers in addition to detailed descriptions of the products ordered by each customer.48 The Department of Revenue had requested the records to determine whether Amazon had evaded sales taxes on online sales to North Carolina residents.49 Because the Department of Revenue had already obtained product code numbers and “other . . . details” including “the order ID number, seller, ship-to city, county, postal code, the non-taxable amount of purchase, and the tax audit record identification” from Amazon, Amazon argued that complying with the request would give the Department of Revenue “all information necessary to know the expressive content of all purchases from Amazon by individual North Carolina residents.”50 The district court agreed that combining the two data sets would violate the VPPA and concluded that standing presented no obstacle under the VPPA or the First Amendment, seeing the two as inextricably linked.51
First, given relaxed standing requirements in the First Amendment arena, the court reasoned, there was no reason to wait for the privacy violation to lead to some tangible harm, such as economic damage, to grant standing.52 Because “[i]n the context of First Amendment speech, a threat of enforcement may be inherent in the challenged statute,” the claim was ripe for review.53 Furthermore, the court found the imminent harm associated with the potential VPPA violation in the chilling effect that disclosure would have on speech: “the fear of disclosure of their reading, watching, and listening habits poses an imminent threat of harm and chill to the exercise of First Amendment rights.”54
In Sterk v. Redbox Automated Retail, LLC,55 the Seventh Circuit found that a class of consumers whose video rental information had been disclosed to one of Redbox’s third-party vendors had standing to sue. First, the court acknowledged Congress’s role in “creating legal rights, the invasion of which creates standing, even though no injury would exist without the statute.”56 Second, the court anticipated the holding of Spokeo — that bare procedural violations fell short of the constitutional standing requirements articulated in Lujan. The Seventh Circuit was explicit that the VPPA protects core privacy rights: “‘technical’ violations of the statute (i.e., impermissible disclosures of one’s sensitive, personal information) are precisely what Congress sought to illegalize by enacting the VPPA.”57 Accordingly, the plaintiffs easily cleared the constitutional standing requirements.58
In Austin-Spearman v. AMC Network Entertainment LLC,59 the U.S. District Court for the Southern District of New York found that plaintiffs suing under the VPPA had standing. Writing that by enacting the VPPA Congress had created a legal right, the invasion of which constituted injury in fact, the court concluded that “wrongful disclosure even without additional injury [afforded] a right to relief.”60 Underscoring the similar standing rationales offered by the Seventh, Ninth, and Eleventh Circuits, the Austin-Spearman court noted that “every court to have addressed this question has reached the same conclusion, affirming that the VPPA establishes a privacy right sufficient to confer standing through its deprivation.”61
(b) Spokeo Inc. v. Robins. — Spokeo v. Robins generated a wealth of scholarly debate long before being decided by the Supreme Court — and with good reason. The case was expected to resolve the uncertainty surrounding the so-called “no injury” class action.62 Spokeo presented an opportunity to clarify what types of consumer protection and privacy injuries satisfied the injury-in-fact requirement.
Spokeo is a website that aggregates information on “individuals, including contact data, marital status, age, occupation, economic health, and wealth level.”63 Thomas Robins’s Spokeo entry indicated that he was a wealthy advanced-degree holder who was married with children.64 Robins was none of those things. In fact, Robins was actively seeking employment.65 Robins sued Spokeo in the Central District of California, alleging that Spokeo had violated the Fair Credit Reporting Act (FCRA) by disseminating consumer reports that fell below the “maximum possible accuracy” standard.66 The district court held that, even though Robins claimed the inaccurate reports had hampered his job search, Robins had not yet suffered an injury in fact and thus did not have standing.67 The Ninth Circuit reversed.68 Spokeo appealed and the Supreme Court granted certiorari on the issue of standing.69
Fifteen information privacy scholars filed an amicus brief in the case, expressing several concerns. First, the scholars argued that a broad conception of standing was necessary “[t]o reinforce the statutory obligations of reasonableness and transparency.”70 Second, the scholars argued that the FCRA’s statutory design envisioned “enlist[ing] consumers themselves in the process of correcting inaccurate information.”71 Third, the scholars explained the concrete harms that Robins and similarly situated consumers could suffer due to inaccurate information on Spokeo: reduced employment prospects as employers screen out applicants whose applications do not match other available records or applicants who seem overqualified.72 Fourth, the scholars argued that “[a] broad ruling in this case would disrupt established privacy law well beyond the boundaries of the FCRA.”73 The scholars went further, alleging that “[a] broad ruling in this case could foreclose the private suits Congress envisioned as VPPA remedies.”74 The scholars’ amicus brief reflected a consensus view that Spokeo could be potentially disastrous for privacy-protective statutes, vitiating privacy protections by narrowing the scope of privacy harms.75
In Spokeo v. Robins, the Supreme Court reaffirmed that “a bare procedural violation, divorced from any concrete harm, [could not] satisfy the injury-in-fact requirement of Article III.”76 The Court first noted that the Ninth Circuit erred in conflating Lujan’s particularity and concreteness prongs when determining whether Robins had suffered an injury in fact.77 Spokeo was largely a restatement of settled law. The Court reiterated that “[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’”78 Rather than narrow the scope of privacy harms to require economic damage, the Court stated that “intangible injuries can nevertheless be concrete,” citing free speech and free exercise rights as examples of intangible interests that nevertheless generate standing to sue.79 The Court suggested that because Congress is “well positioned to identify intangible harms,” courts ought to consider legislative judgments when assessing whether a plaintiff has standing under a statutory provision, as long as that provision protects a concrete interest.80 To determine whether an intangible harm is concrete, the Supreme Court instructed the judiciary to relate alleged intangible harms to harms traditionally regarded as providing the basis for a lawsuit in English and American common law.81 The majority opinion made no statement on whether Robins’s hampered job search or the mere inaccuracy of the information contained in Spokeo’s searchable database would confer standing,82 instead remanding the case to the Ninth Circuit.83
(c) Status Quo Post-Spokeo. — Contrary to the dire prognostications of the information privacy scholars and even some post-decision commentators,84 Spokeo did little to change the way courts treat privacy harms under the VPPA. Post-Spokeo cases confirm this. In In re Nickelodeon Consumer Privacy Litigation,85 the Third Circuit extensively analyzed Spokeo and found that “[t]he Supreme Court’s recent decision . . . does not alter our prior analysis.”86 In so concluding, the court relied on the congressional judgment that certain types of information ought to remain private, regardless of whether disclosure presents a material risk of harm.87 The court then noted before proceeding to the merits that the privacy the VPPA protects is a traditional basis for a lawsuit.88 Despite its fanfare, Spokeo proved not to be particularly revolutionary — and the intellectual privacy harms that the VPPA seeks to prevent and to remedy are not so hard to grasp.
As a caveat, there is one provision of the VPPA where standing doctrine as articulated in Spokeo poses a genuine problem: the data retention provision. Courts have held that the Act’s data retention provision does not create a private right of action.89 While these opinions have depended on typical statutory interpretation arguments,90 not a restrictive theory of injury in fact, Spokeo suggests that even a well-drafted VPPA might not authorize data retention suits.91 Like the consumer notification provision of the FCRA analyzed in Spokeo, the data retention provision is likely to be deemed a procedural requirement that cannot, without a more detailed showing of harm, support standing for suit.92 Furthermore, Justice Thomas’s concurrence distinguished between suits alleging the violation of private rights and suits alleging the violation of public rights.93 For suits alleging violations of private rights, a plaintiff need only allege that his legal rights were invaded to have standing to sue — but if a plaintiff sues to enforce “general compliance with regulatory law,”94 a showing of concrete and particularized harm stemming from the violation is necessary.95 The data retention provision of the VPPA is unconnected to an individual’s (private) intellectual privacy rights, and as such would likely be considered “a series of regulatory duties . . . owe[d] to the public collectively.”96 A plaintiff could perhaps allege concrete and particularized harm by pointing to the enacting Congress’s purpose in including the retention provision: “to reduce the chances that an individual’s privacy will be invaded, by requiring the destruction of information in an expeditious fashion.”97 But courts thus far have not appeared amenable to this argument.98 Furthermore, even if a court accepted that the violation of the retention provision increased the plaintiff’s risk of a privacy violation, the plaintiff would struggle to claim that retention beyond the statutory limits produces an imminent risk of harm — and thus would lack standing.99
As it turns out, the primary obstacle to seeking redress for privacy harms under the VPPA is not standing’s injury-in-fact requirement. Rather, privacy problems present themselves as ordinary statutory interpretation problems. More so than by standing doctrine or the evolving nature of technology, plaintiffs are barred by: (1) the definition of the word “subscriber,” (2) the definition of “personally identifiable information,” and (3) statutory ambiguity as to whether only “videotape service providers” can be defendants in VPPA lawsuits. To make the VPPA actionable in the twenty-first century requires more reasonable interpretations and, perhaps, more thoughtful drafting. Courts may not currently interpret the Act to keep pace with technological change, but since most obstacles to doing so are not inherent in the statute, there is no reason courts could not embrace more reasonable interpretations of the statute’s broad language. The standing overhaul some commentators expected of Spokeo v. Robins would have done little to give the VPPA sharper “teeth,” but revisiting these statutory interpretation questions might. Data retention provision aside, when plaintiffs stumble in their quests for relief under the VPPA, they trip over the meaning of words, not the meaning of privacy.
Despite Congress’s care in drafting provisions that would withstand technological change, the Video Privacy Protection Act is, in some sections, sloppily drafted. Though it is susceptible to the ordinary canons of statutory interpretation, courts are sometimes forced to conclude that the drafters were simply careless. For one thing, the civil remedies provision is sandwiched between the nondisclosure and data retention provisions, creating ambiguity as to whether remedies are available only for unauthorized disclosure, or for unlawful retention as well.100 For another, in 18 U.S.C. § 2710(b)(1), the statute states that “[a] video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).”101 But subsection (d) is not a remedies provision; it sets forth the definition of personal information.102 These drafting faults have not impeded the enforcement of the VPPA altogether, but they have allowed judicial discretion to narrow the protections the statute offers.
1. Subscriber Definition. — Any aggrieved “renter, purchaser, or subscriber of goods or services from a video tape service provider” may sue under the VPPA.103 The VPPA’s definition of a “subscriber” has given rise to disagreement among courts. In Ellis v. Cartoon Network, Inc.,104 the Eleventh Circuit held that “a person who downloads and uses a free mobile application on his smartphone to view freely available content, without more, is not a ‘subscriber’ . . . under the VPPA.”105 The court in Ellis reasoned that subscriber status requires “some type of commitment, relationship, or association (financial or otherwise) between a person and an entity,”106 and that such commitment might be established by “payment, registration, commitment, delivery, [expressed association,] and/or access to restricted content.”107 Notably, payment for a separate service that allows broader access to free material on another platform does not create a subscriber relationship.108 In contrast, the First Circuit in Yershov v. Gannett Satellite Information Network, Inc.109 looked to the plain meaning of “subscriber” and found that installing a mobile app was sufficient to create a subscriber relationship when the installation required the user to exchange personal information for access to services.110
The textualist critique of Yershov is matched by the purposivist critique of Ellis, but this Chapter hopes to underscore that this provision’s vagueness begets further vagueness. If a financial commitment is not required to be a subscriber, because such a requirement would obliterate the statutory distinction between renters or purchasers and subscribers, what kind of commitment suffices? The Ellis court stated that by downloading the Cartoon Network app, Ellis “did not provide any personal information to Cartoon Network, . . . did not sign up for any periodic services or transmissions, and did not make any commitment . . . that would allow him to have access to exclusive or restricted content.”111 When seemingly limited-purpose mobile apps collect information on users’ geolocation data, browser history, calendar events, photo library, contacts, and device information as a matter of course,112 is it plausible that Ellis did not provide Cartoon Network with any personal information? Why is an agreement to adhere to an app’s terms of service or to allow sweeping access to one’s cell phone an insufficient commitment? Would the court have been inclined to call Ellis a subscriber if Cartoon Network had pushed content to the app, or if Ellis had enabled push notifications for the arrival of new content? On the other hand, if Yershov became a subscriber simply by providing the USA Today App with personally identifying information (PII), the nonconsensual disclosure of which necessarily generates a VPPA claim, does the “subscriber” limitation do any work at all? The VPPA has generally adapted well to the shift toward online video consumption. But as media companies waver between “free with advertising” and “freemium” models,113 Congress should clarify what subscription without payment might mean if the VPPA is to remain vital.
2. Permissible Defendants. — The VPPA is unclear on whether defendants other than video service providers may be held liable. Some courts have held that because “there is no limitation in” 18 U.S.C. § 2710(c)(1) itself, plaintiffs can sue not only disclosers of personally identifiable information, but also receivers of that information.114 A majority of circuit courts that have weighed in on the issue, however, have found that only videotape service providers who disclose personally identifiable information can be held liable.115 While this statutory ambiguity underscores the general problems with the statute’s drafting, the provision has not aged particularly badly. Increasingly, the pertinent privacy threats are posed by online video service providers that maintain records rather than receive them, because such entities can contribute to and compile “digital dossiers” — that is, “[d]etailed records of an individual’s reading materials, purchases, diseases, and website activity,” which can form the basis of “a profile of an individual’s . . . psychology, beliefs, politics, interests, and lifestyle.”116
3. “Personally Identifying Information.” — Perhaps the most alarming aspect of Spokeo is Justice Alito’s flippant treatment of the importance of a zip code.117 A zip code is not typically considered PII, the mere disclosure of which could cause or risk harm,118 but “the combination of a ZIP code, birth date, and gender will be sufficient to identify 87% of individuals in the United States.”119 Given rapid technological developments, perhaps the concept of PII is expanding more quickly than the Supreme Court — and legislators — can keep up.120 Indeed, the term has been criticized as increasingly meaningless.121
VPPA cases highlight courts’ difficulty interpreting the term “personally identifiable information.” In In re Hulu Privacy Litigation,122 for example, the U.S. District Court for the Northern District of California acknowledged the flexibility in the VPPA’s treatment of PII. The statute provides examples of information — names, addresses — that could constitute personal information, but wisely does not limit the PII definition. As the court put it, “[t]he statute does not require an actual name and requires only something akin to it.”123 The court found that the harm from disclosure of PII is present whether or not a third party actually identifies the user, but the court eventually decided that the disclosure of “a unique identifier” to a third party, without more data, does not violate the VPPA.124 Because there was no evidence that a third party correlated the unique identifier with any other information to identify specific people as having requested or obtained video materials or services, the court determined that no “personally identifiable information” had been compromised.125
Two approaches to the PII problem predominate. The First Circuit interprets PII as any “information reasonably and foreseeably likely to reveal,” directly or indirectly, an individual consumer’s identity.126 In contrast, the Third and Ninth Circuits have defined PII as “information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior,”127 partly because this approach gives better notice to video service providers than a standard that depends on the sophistication of the third party to which the service provider provides information.128 The statutory language and structure reasonably encompass the First Circuit’s less rigid interpretation of PII.129 The Third Circuit arrived at a narrower interpretation, which the Ninth Circuit later adopted,130 despite recognizing that an interpretation of “identifiable” as simply “capable of identifying” is within the plain meaning of the statute.131 Only after consulting the legislative history did the Third Circuit settle upon its “ordinary person” test.132 But under this purposivist approach, the “ordinary person” test cannot be right for two reasons. First, the Senate Report states that the PII provision “uses the word ‘includes’ to establish a minimum, but not exclusive, definition of personally identifiable information.”133 Second, the “ordinary person” test excludes information routinely treated as PII, but which an ordinary person could not use, from the statutory PII category. An ordinary person could not, without more, deduce identity from a Social Security Number — but a Social Security Number is routinely treated as identifying.134 It is possible the Third and Ninth Circuits adopted the “ordinary person” test because the dissemination of a unique identifier generated by a corporation to track its users, rather than by a government to track its citizens, seems harmless135 — but that is a standing question, not a definitional one.
Some courts have agreed with the essential point that an ordinary person cannot link even names and addresses (which the VPPA explicitly categorizes as PII) to individual consumers without referencing other data, but have balked at the “reasonable foreseeability” test’s perceived overbreadth.136 But liability isn’t unlimited under this test. The test’s limiting principle is exactly what it says on the tin: video service providers would be liable only for disclosure that could reasonably and foreseeably lead to identification, and “there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work.”137 To the extent evidence suggests that we are not approaching the point at which all information is reasonably likely to lead to personal identification,138 courts can incorporate that judgment call into the reasonable foreseeability test; it is no less daunting a task than a judicial determination of the technological savvy of the average citizen. By treating “foreseeable” as if it means “conceivable,” the Third and Ninth Circuits misconstrue the First Circuit’s test and miss an opportunity to remain faithful to both Congress’s language and purpose.
There is no particular reason that courts could not come to recognize, as scholars have, that information beyond names and addresses could be PII. Particularly in light of people-search services like Spokeo itself, “data availability heightens the ability to turn non-PII into PII.”139 Again, this fault is one of cramped statutory interpretation — the statute does not prohibit the disclosure of identities, but rather the disclosure of identifiable information. What is needed here is not redrafting, but instead a more current judicial understanding of what is identifiable and a recognition that the VPPA was not drafted for video service providers’ convenience, but for patrons’ privacy.140 One could envision a plaintiff alleging that the disclosure of non-PII created an imminent risk of being identified. In this scenario, a court willing to accept the already-available metrics for assessing the risk of identification that different types of information pose141 could find a violation of the VPPA even when disclosing unique identifiers — and Spokeo would pose no bar.
The Video Privacy Protection Act addresses harms caused when individual records of consumption of expressive material are disclosed without authorization; its legislative history and its unchanged viability after Spokeo both rest on the Act’s First Amendment bent. But there is no VPPA equivalent for books. The rise of ebooks and electronic reading platforms has led to a state of private surveillance over reading habits similar to private surveillance over video watching.142 In some cases, the private actors are the same — yet a consumer could conceivably sue Amazon for disclosing that he watched Fifty Shades of Grey but not that he read it.
Federal reader privacy legislation is sorely needed for three reasons. First, most states have enacted statutes preventing the disclosure of individual library records,143 but these laws create a “patchwork,” providing inconsistent protection nationally.144 For example, some state statutes prevent public libraries, subject to open-records laws, from disclosing a patron’s borrowing records to private citizens — the paradigmatic nosy reporter — but impose no requirements on government access to such records.145 Other states, however, require a warrant before library records may be disclosed to law enforcement.146
Second, unlike the VPPA, which protects both purchases and rentals, library records laws do not extend to book purchases and rentals from for-profit entities.147 This regime creates an artificial distinction between borrowing and purchasing, when there is no obvious difference in the intellectual privacy significance of the two acts. Most state laws also distinguish between borrowing a physical book and borrowing an ebook from a library; in the latter case, the terms of the ebook license dictated by the electronic delivery service would govern whether reader information could be disclosed to third parties.148
Third, and most importantly, the notion of reader privacy implicates First Amendment values that the First Amendment cannot protect. The Supreme Court has observed that “[t]he authors of the First Amendment . . . chose to encourage a freedom . . . [that] embraces the right to distribute literature, and necessarily protects the right to receive it.”149 The Court has also recognized the chilling effect that surveillance can have on protected First Amendment activity,150 including surveillance activity that undermines the ability to speak anonymously.151 But in the absence of statutory protection, the First Amendment is not enough to prevent the chilling effect of surveillance on the consumption of expressive materials. The First Amendment governs state action, but citizens are increasingly surveilled not by state actors, but by private corporations that render the need for direct government surveillance of such activity redundant.152 Private actors can serve as government data collection agents, skirting the state action requirement despite replicating the fear driving Stanley v. Georgia — that the government might use an individual’s reading habits against him in a criminal proceeding.153 The Supreme Court has directed lower courts to use “the most scrupulous exactitude” to determine whether a warrant for the seizure of expressive material is sufficiently particularized.154 But this heightened Fourth Amendment scrutiny vanishes when the government seeks such material from a third party rather than conducting a search or seizure directly.155 In addition to the state action problem, attempts to derive a reader privacy right from the First Amendment right to receive information have largely languished in the realm of theory156 — and besides, such attempts would fall into the category of “chilling-effects” claims fraught with standing issues157 that the VPPA has overcome. 
If readers are to expect privacy from private actors as they read ebooks or paperbacks, whether they live in California or Kentucky, Congress will have to enact federal reader privacy legislation.
A review of the scholarship reveals several commonly proposed features of a federal reader privacy statute.158 First, the statute should prohibit the nonconsensual disclosure of reader-identifying information in association with particular transactions, except when disclosed to law enforcement after a showing of probable cause.159 Second, a reader privacy statute should bar tracking and disclosure of reader activity beyond what is necessary to render the reading service usable, as well as limit the retention of reader records to no longer than is necessary to complete the transaction or to protect a business’s financial interest in the transaction.160 Third, a reader privacy statute should disfavor aggregate consent to surveillance and disclosure of reader activity and should instead encourage opt-in disclosure on a transaction-by-transaction basis.161 Fourth, a reader privacy statute should reliably create a private right of action and make statutory damages available.162 Plaintiffs who have sued under privacy-protective statutes, alleging harm from data collection, have often been unable to state a cognizable injury.163 An effective reader privacy statute must avoid this pitfall.
Finally, at a higher level of generality, federal privacy legislation should try to avoid the shortcomings that have plagued other privacy-protective statutes. For example, Professor Orin Kerr has criticized the Electronic Communications Privacy Act as premised on assumptions that “[c]hanging technology and evolving constitutional law have dramatically shifted.”164 Broad drafting that permits expansive statutory interpretation lends itself toward endurance in the face of technological change.165 Some argue that Congress is better positioned than courts to determine how best to deal with privacy threats posed by advancing technology.166 This may be true, but Congress inconsistently amends privacy statutes in response to technological change — the Family Educational Rights and Privacy Act167 (FERPA) and the Consumer Credit Protection Act168 (CCPA) have been updated, while the Electronic Communications Privacy Act of 1986169 (ECPA) remains largely unchanged.170 In light of this variable pattern, reader privacy legislation should not be drafted with the expectation that Congress will find the political will to amend it after every paradigm-shifting product launch. Rather, it ought to be drafted to evolve with the times and to withstand potential doctrinal obstacles.
The VPPA’s flexibility over time and technology, in addition to its consistent ability to afford plaintiffs standing, suggests that with some tweaks and more careful drafting, the statute could serve as a model for broader protection of records of expressive consumption. First, outside the law enforcement context, the Act bars providers of expressive material from nonconsensually disclosing information identifying the material’s consumer.171 The Act also requires government actors seeking such records or related identifying information to obtain a warrant172 and provides a clear statutory exclusionary rule173 not commonly found in the United States’ slate of sector-specific privacy statutes.174 Second, the Act permits the nonconsensual disclosure to parties other than law enforcement only when such disclosure is made to collect a debt, fulfill an order, process a request, or transfer ownership.175 In addition, the Act’s retention provision, though it provides a generous one-year grace period, embodies the desired purpose-limitation principle.176 Third, the VPPA’s original iteration required case-by-case consent to disclosure of video watching history and related identifying information.177 Fourth, as discussed in section A.2, the VPPA has managed to avoid the standing obstacles that have limited the practical effectiveness of other privacy statutes. Moreover, in a civil action, the Act provides for statutory damages, as well as punitive damages and reasonable attorney’s fees for prevailing plaintiffs.178 Finally, the VPPA’s broad language means that technological change has not narrowed its scope or rendered its protections obsolete, unlike other privacy statutes that retain arbitrary distinctions based on outdated understandings of the tools citizens would use to communicate and receive ideas.179
The VPPA’s enacting Congress recognized the close link between the First Amendment and reader privacy as well as video privacy, with one Senator noting: “It is nobody’s business what Oliver North or Robert Bork or Griffin Bell or Pat Leahy watch on television or read or think about when they are home.”180 In fact, the enacting Congress considered extending protection to books, “recognizing that there is a close tie between what one views and what one reads,” but the Senate Judiciary Subcommittee on Technology and the Law “was unable to resolve questions regarding the application of such a provision for law enforcement.”181 Federal reader privacy legislation modeled on the Video Privacy Protection Act, then, is an opportunity to correct the Act’s original sin.
In his Taxonomy of Privacy, Professor Daniel Solove echoes Professor William Ian Miller by suggesting that privacy is essential to the “production of civilized society”182 — and more importantly, that human beings need privacy in order to become themselves.183 It is that notion of privacy — privacy as creating a space for self-discovery and self-production through the consumption of expressive materials — that the VPPA protects. If the window to Judge Robert Bork’s soul and the answer to Michael Dolan’s question — “But does anyone really know Robert Bork? I mean, really?”184 — could be found in the judge’s rental history or Netflix queue, it is no wonder that Spokeo’s holding failed to gut the VPPA.
The fear that Spokeo would fundamentally alter the landscape of standing in a way that harmed plaintiffs alleging privacy harms was unfounded, at least in the arena of intellectual privacy. A deeper analysis of why courts have found standing when plaintiffs have sued under the VPPA should reassure privacy scholars, because it reaffirms — as Spokeo did explicitly — that intangible harms, including privacy harms, are no less cognizable for being intangible. Concepts of intellectual privacy beyond tort privacy, which has been criticized for its limitations, will remain cognizable after Spokeo, since statutory privacy protections remain related, if not identical, “to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.”185 Despite some scholarly attempts to lump the VPPA in with consumer protection statutes, the VPPA is not a consumer protection statute at all — it is deeply bound up in the First Amendment and its various self-expression justifications.186 Against this backdrop, the seemingly amorphous harm, a disclosure without a material threat of identity theft, other economic damage, or even deep psychological distress, is easy to understand. For decades, courts have been grappling with the idea that burdens on the First Amendment right chill socially valuable behavior.187 Though the VPPA does not address itself primarily to state actors, but rather recognizes that private actors could easily become a tool in the government surveillance of the production of ideas, the harm the VPPA guards against is so fundamental and so ordinary in courts of law that Spokeo has not made a major change.
As the post-Spokeo VPPA cases show, the VPPA contains many flaws — but failure to grant standing is the least of them. The VPPA could use redrafting, not to bring the Act into the twenty-first century, but to bring courts clarity. The weaknesses in the VPPA are mostly a matter of statutory interpretation, particularly a cramped judicial notion of what information is personally identifiable. The Act also suffers from a narrow “subscriber” definition and a lack of clarity on who can be held liable under the Act. Ideally, these flaws would be addressed by congressional revision, but in the absence of legislative action, plausible statutory arguments can be made for broader interpretations of these provisions. If targeted redrafting came to pass, the VPPA could prove a broadly useful model to safeguard the reader records left underprotected by the current regime. Of course, as with any statute, whether redress is available under this statute once plaintiffs are through the courtroom door will remain largely a matter of interpretation.
Developments in the Law — More Data, More Problems, 131 Harv. L. Rev. 1715, 1722 (2018).