The Video Privacy Protection Act, or How Not to Write a Law

The Seventh Circuit Court of Appeals dismisses class action against Redbox, blasting the Video Privacy Protect Act as "not well drafted." Too late, Netflix.

Redbox, the giant DVD-rental kiosk operator, has escaped a class action lawsuit because lawmakers in the 1980s didn't do a particularly good job of writing laws.

The plaintiffs sued Redbox for maintaining a "veritable digital dossier" on millions of its customers. The company held onto credit card information, contact and billing data, and most problematically, records of customers' video viewing history. That last part potentially put the company in violation of the Video Privacy Protection Act, which Congress enacted in 1988 after Supreme Court justice nominee Robert Bork's rental history was leaked to a newspaper.

It's currently a crime to hold onto old video viewing records for too long and to disclose this private information. Just one problem: In the rush to pass the legislation, Congress completely bungled the penalties. Proof lies in a decision published last week by the 7th Circuit Court of Appeals. which killed the plaintiffs' multimillion-dollar claims against Redbox.

Redbox pushed to have the lawsuit dismissed on grounds that penalties from one section of the VPPA -- talking about "wrongful disclosure of video tape rental or sales records" -- couldn't enforce another section of the VPPA -- talking about "destruction of old records."

A district court judge denied the motion to dismiss, so Redbox filed an interlocutory appeal at the 7th Circuit. The challenge landed on the desk of Circuit Judge Richard Posner, who has written a scathing rebuke of the way VPPA was drafted.

The VPPA has different parts. Here's a run-down:

  • Section A defines terms like "consumer" and "personally identifiable information."
  • Section B outlines the liability for those who knowingly disclose video data.
  • Section C covers what the damages are for violations.
  • Section D safeguards info turned up in any resulting case.
  • Section E tells companies they must "destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected."

So Posner asks, what the hell?

He writes:

"If (c) appeared after all the prohibitions, which is to say after (d) and (e) as well as (b), the natural inference would be that any violator of any of the prohibitions could be sued for damages. But instead (c) appears after just the first prohibition, the one in subsection (b), prohibiting disclosure.This placement could be an accident, but we agree with the only reported appellate case to address the issue...that it is not; that the more plausible interpretation is that it is limited to enforcing the prohibition of disclosure."

The plaintiffs sued Redbox for not destroying data, but Judge Posner determines that it's unclear whether there's any penalties for this. If only lawmakers had switched the order of provisions (c) and (e) in this law, the plaintiffs could have gotten to trial.

Meanwhile, Netflix, which has been organizing a furious lobbying campaign for many months to overturn the VPPA, faced a similar class action lawsuit for not destroying consumer records. The company backed down -- perhaps too soon. The company paid $9 million last month to settle claims from individuals who say that Netflix maintained video-viewing information in databases long after they had canceled the service. Oops. Millions of dollars spent for nothing? Yes, we keep records too.


Twitter: @eriqgardner