We’re still potentially 2 months out from getting finalized rulemaking from the CPPA, but there has been some important information trickling out in the meantime. Recently, the CPPA has touched on notices, contracts, and opt-out mechanisms like GPC. As the Video Privacy Protection Act (VPPA) is causing a stir amongst large companies, this will tie in with CPRA compliance.

About VPPA

In 1987, Ronald Reagan nominated Robert Bork as a candidate for the Supreme Court. Bork was a staunch, extreme conservative who believed that there was no constitutional right to privacy at all. A list of his movie rentals was released by a video store in Washington, DC. Republicans were incensed and the nomination for Bork was declined.

In response, the VPPA was passed the following year by Congress. The “video tape service providers” (or anyone else who provides comparable services) are prohibited by law from disclosing personally identifying information about what you watch unless you have given your informed, written consent. In a class action lawsuit, an entity that violates the law is liable for a $2,500 fine for each plaintiff. In today’s world of the Internet, where businesses monitor our every move and share information with many third parties, companies fall under the VPPA.

Class Actions from VPPA

According to Gizmo, numerous businesses, including the NBA, GameStop, CNN, BuzzFeed, and Dotdash Meredith, publisher of People Magazine, are being sued by customers. This year, at least 47 VPPA class actions have been filed, and the number is growing with an estimated 200 to come to fruition in Q1 2023 alone.

What You Need to Know

It cannot be overstated that there is and will be a huge focus on opt-out signals under CPRA. You simply must abide by GPCs that limit the collection of this information based on video viewing. We saw a mobile app enforcement sweep a few weeks ago and the California AG Robert Bonta is pulling no punches when it comes to sending notices to non-compliant companies. There’s no gray area that you need to prepare for this rulemaking now.

According to Boltive, 37% of Consent Management Platforms fail to honor GPC. “When a user opts in/out, consent signals are sent to the CMP, which then dictates how that information is used moving forward. However, these consent signals fail over one-third of the time,” Boltive wrote.

Why the VPPA Complicates Compliance

In rulemaking, you can’t ask for additional information as the GPC, by design, is intended to be anonymous. If a user enters a site anonymously, the website is not allowed to ask for an email, for example. You’ve got to protect the anonymity of the consumer. But now it’s difficult to prove that you respected the opt-out mechanism. Under this new round of litigation around the VPPA, there’s often a need for you to defend yourself and provide evidence that you’ve abided by the GPC – which is challenging because you can’t emphasize the collection of the information. How do you really demonstrate compliance? This is a conflict that I see in the rulemaking package.

As this unfolds further, Truyo will host a webinar on how to achieve compliance and produce comprehensive compliance evidence. If you have questions about respecting GPC signals or how Truyo helps in GPC compliance & evidentiary documentation, reach out to hello@truyo.com.