Two of the country’s largest video rental services, Netflix and Redbox, have been sued for allegedly violating the federal Video Privacy Protection Act (“VPPA”). The plaintiffs in both suits contend that the rental services stored information about their rental histories long after that information had ceased being “necessary” to provide the services for which customers had signed up, in violation of the VPPA. The Netflix complaint also alleges that the company unlawfully maintained the information even after customers had cancelled subscriptions to the service.
One central issue in both cases will be the point at which information collected by a company is “no longer necessary for the purpose for which it was collected” and, specifically with respect to Netflix, whether it was reasonable for the company to retain subscriber information after cancellation of the service.
The answer to this question about the substantive requirements of the VPPA may also have ramifications beyond the law of video privacy. As we have previously detailed, the FTC’s recent staff report on consumer privacy recommended that businesses do more to incorporate substantive privacy protections at every stage of a product’s lifecycle. The FTC, which characterized this approach as “privacy by design,” stressed the importance of limited data retention.