Go back to the year 1988. This has all come about thanks to a former Supreme Court nominee, his Blockbuster video rental history, and a quote from a journalist pursuing insights into the high court’s nominee’s life:
The only way to figure out what someone is like is to examine what that someone likes — take a hard look at the tools of leisure he uses to chip away life’s rough edges. (Harvard law Review)
This was the uneven birth of the VPPA (Video Privacy Protection Act). Now fast forward to the retail media craze, a TikTok and its pixel are under fire and the Michael Kors brand is at the center of the lawsuit. There is a caveat to all of the upside, a specific kind of off-site advertising – which is often supplied by first-party data – is facing legal action. I explained this derivative of retail media in “Step Function.”
Off-site advertising, which refers to ads that are shown to audiences outside of a marketplace’s website or app, has traditionally relied on third-party data to target and measure effectiveness. However, by analyzing the buying patterns, search queries, and preferences of their users, marketplaces’ advertising products have offered a higher rate of success. Additionally, recent changes in privacy regulations and the increasing emphasis on user privacy have led to a shift towards using first-party data in off-site advertising.
Amid rising tensions between the United States and China, concerns have escalated over the protection of American users’ data on TikTok, the popular platform owned by Chinese company ByteDance. As TikTok’s popularity surges, with over 150 million American users as of 2023, its data privacy practices have come under scrutiny, inciting discussions about applying existing laws, such as the Video Privacy Protection Act (VPPA), to modern tech companies.
American politicians are looking for any reason to do away with TikTok’s influence over the nearly half of all Americans who have downloaded the app. If a recently filed lawsuit does its part, the state by state privacy laws (with California leading the trend) may give way to federal privacy actions that can lead to national actions against technology companies.
The California Civil Lawsuit
I read the recently (and quietly) filed case: Gabriella Hernandez v. Michael Kors (USA), Inc. that was filed on June 13, 2023. As the case proceeds, it will surely become a lightning rod for interest in national security and the over-reach of big tech.
This case presents a class action complaint filed by a plaintiff, a resident of California, against a company that operates michaelkors.com. The plaintiff alleges that the defendant, through its website, is violating the Video Privacy Protection Act (VPPA). The primary concern is that Michael Kors allegedly reports viewing activities on its site to TikTok, which is owned by ByteDance. ByteDance, as the complaint suggests, is controlled by the People’s Republic of China (PRC) and is known to have used TikTok to spy on Americans under the PRC’s orders.
Under the VPPA, it is illegal to knowingly disclose a person’s personally identifiable information (PII) based on their video viewing habits to third parties without their consent. The plaintiff, identifying as a “consumer advocate” or a “tester”, claims that Michael Kors is doing precisely this by using TikTok’s Pixel code to report page view events to TikTok, which, in turn, could provide information to the PRC.
The plaintiff and others in the class action suit (defined as all in the United States who played video content on the website and whose PII was disclosed by Kors to any third party during the two years preceding the filing of this action) seek judgment against the Kors for violating the VPPA. The defendant, Michael Kors, potential defense may need to address whether it knowingly disclosed PII, whether such disclosure falls under the VPPA’s definition of “ordinary course of business”, and whether there was any form of consent from the users. But this isn’t the only example of TikTok’s recent VPPA stumbles.
TikTok and Data Protection Concerns
Recent reports from South China Morning Post and Forbes suggest that TikTok may have misled American authorities about the actual location of stored user data, particularly the sensitive information about American creators who sign up to earn money through the app. While TikTok claims that the majority of U.S. user data is stored in the U.S. and Singapore, investigations reveal that the financial information of TikTok’s largest American and European creators is stored on servers in China. Here is a key excerpt from the Forbes report, highlighting TikTok’s potential defense:
In TikTok’s response to their questions, the company said there is a difference between “U.S. user data collected by the TikTok app” and information that creators give to TikTok so they can be paid for content they post. The former is stored in TikTok’s data centers in the U.S. and Singapore, TikTok said. It did not explicitly state where the latter is stored. A trove of internal documents obtained by Forbes, and several people across different parts of the company familiar with the matter, have shown that tax forms, social security numbers and other information from creators and outside vendors has been stored in China; payments to both are managed through tools from TikTok’s China-based parent ByteDance.
U.S. legislators, concerned about potential data exploitation by the Chinese government, have introduced legislation aimed at preventing American data from being used by foreign adversaries. This legislation, if passed, would control exports of personal data, including data handled by companies like TikTok, directly to restricted foreign governments. SCMP explained:
The bill would direct the Commerce Department to identify categories of personal data that could harm US national security and create a list of high-risk countries where sensitive data exports would be blocked.
In this context, we may consider how the VPPA precedent might become a tool for American politicians, regulators, and judicial activists to address the data protection issues at stake, possibly substantiating a federal ban on TikTok’s practices or a full ban on the platform.
The VPPA and Modern Tech Companies
The VPPA was enacted in 1988 in response to a violation of Supreme Court nominee Robert Bork’s video rental history privacy. The Act prohibits the wrongful disclosure of video tape rental or sale records, making it a landmark piece of legislation in the realm of privacy protection. While the Act was designed to protect physical video rental records, it has been invoked in legal cases involving modern digital streaming services. The reach of the VPPA extends to the data privacy concerns raised by the digital era and could apply to companies like TikTok, which, while not primarily a video rental service, does collect, store, and potentially distribute user data in a similar manner.
The critical aspect here is the unauthorized disclosure of “personally identifiable information” about users’ video consumption habits. In the context of an app like TikTok, if it were found that the company was sharing personally identifiable viewing data with third parties without users’ consent, this could potentially be seen as a violation of the VPPA. However, how the VPPA applies to platforms like TikTok would likely hinge on the specifics of the case and the way the court interprets the law in light of technological advancements.
If lawmakers and legal practitioners interpret the VPPA to cover digital services, there could be significant implications for TikTok and similar platforms. Under the VPPA, TikTok’s collection and overseas storage of data, particularly if disclosed without consent, could potentially be deemed illegal. The acknowledgement by TikTok of storing sensitive American creator information in China could be seen as a violation of the VPPA, if the Act is deemed applicable. This could provide legal grounds to restrict TikTok’s operations in the U.S. or perhaps ban the platform altogether.
The VPPA also provides for civil remedies, allowing individuals to seek redress if their privacy rights are violated. As a result, users whose data is being stored in China could potentially sue TikTok, leading to substantial legal and financial implications for the company. However, applying the VPPA to TikTok is not straightforward and faces significant challenges. The VPPA was drafted long before the advent of social media and may require reinterpretation or amendment to extend its protections to platforms like TikTok. Additionally, the application of the VPPA to foreign companies raises complex jurisdictional issues that courts will need to resolve.
As concerns about data privacy grow, there is a strong case for leveraging existing legislative tools like the VPPA to safeguard the data of American citizens. Not only does the VPPA hold potential in challenging TikTok’s practices directly, but it also sets a valuable precedent for how privacy law can evolve to meet the needs of an increasingly digitized society.
By applying the principles of the VPPA to modern tech companies, regulators, politicians, and judicial activists could demonstrate their commitment to data protection, setting the stage for more comprehensive privacy legislation that is in step with today’s technological landscape. While applying the VPPA to TikTok’s practices might necessitate overcoming legal hurdles, the precedent could prove useful in the broader goal of promoting and enforcing data privacy. The TikTok case also serves as a cautionary tale for tech companies operating globally while dealing with the legal rights of individual American states, highlighting the potential consequences of inadequate data privacy practices. The scrutiny that TikTok is currently under is likely to impact its standing in the United States.
While the application of the VPPA to TikTok’s situation may be complex, the potential of this precedent to strengthen the regulation of modern tech companies is undeniable. It emphasizes the necessity of clear, robust legislation to protect data privacy in the era of digital interconnectedness. As this issue unfolds, it will be important to watch for potential changes to privacy legislation and the broader influence this could have on the internet media industry at large.
By Web Smith | Art by Alex Remy and Christina Williams
Part I: Where Natsec Meets Commerce