On December 17, 2009, a class action suit was filed against online movie rental giant, Netflix, Inc., in the United States District Court for the Northern District of California. Plaintiffs in the suit are claiming that Netflix has “perpetrated the largest voluntary privacy breach to date.”
According to the Complaint, Netflix knowingly and voluntarily disclosed the sensitive and personal information of approximately 480,000 Netflix subscribers when Netflix provided participants in a contest initiated to improve Netflix’s movie recommendation systems with data sets containing over 100 million subscriber movie ratings and preferences. Netflix has claimed that the data sets provided to the contest participants were anonymized and that the subscribers’ movie ratings were accompanied only by “a numeric identifier unique to the subscriber” (as opposed to the subscriber’s name or other personal information). However, the complaint sites the results of several researchers who, in fact, were able to crack Netflix’s anonymization process and identify individual subscribers.
Plaintiffs argue this disclosure constitutes a sever invasion of their privacy by Netflix, which violates, among other things, the Video Privacy Protection Act of 1988 (18 U.S.C. 2710 (2002)). Additionally, the lead plaintiff in this case, Jane Doe, claims that Netflix’s disclosure of her movie rental history and ratings has and/or will “identify or permit inference of her sexual orientation… [which… ] would negatively affect her ability to pursue her livelihood and support her family, and would hinder her and her children’ ability to live peaceful lives within Plaintiff Doe’s community.”
The Video Privacy Protection Act (the “Act”) was originally enacted in 1998 (in response to a public disclosure of a Supreme Court nominee, Robert Bork’s, video rental history), and, according to the Electronic Privacy Information Center, while not often invoked, the Act “stands as one of the strongest protections of consumer privacy against a specific form of data collection.”
The Act prohibits, with certain exceptions, any “video tape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider” (18 U.S.C. 2710(b)). The Act defines a “video tape service provider” as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials…” and “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” (18 U.S.C. 2710(a)).
In addition to violating this prohibition on the disclosure of personally identifiable information, the Plaintiffs in Doe v. Netflix also allege that Netflix violated another provision of the Act, which requires that a video tape service provider “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected” (18 U.S.C. 2710(e)).
The Plaintiffs are demanding relief in the form of (among other things) statutory damages, actual damages, punitive damages, injunctive relief, disgorgement of wrongfully obtained profits and revenues, and attorneys’ fees.
In addition to the Act, a number of states, including California, have also enacted similar video privacy laws. In addition to the Act and other laws, the Complaint alleges that Netflix has violated the California Customer Records Act (CA Civil Code 1798.80).