While Chick-fil-A served you sandwiches, it also served data to Facebook’s parent company, Meta. Aaccording to a new trial filed Sunday, the fast food chain did so in a way that violated one of the only federal privacy laws in the United States.
Chick-fil-A has been releasing bizarre animated videos during the Christmas season for the past four years called “The Evergreen Hills Stories.” We’ve posted a seven-minute sample below, which you can watch if you’re crazy. These budget vacation masterpieces are available on YouTube, or you can check them out on Chick-fil-A’s dedicated website, evergreenhills.com. This website has caught the attention of privacy lawyers because of the way it tracks and shares The data.
Like hundreds of millions of other websites, evergreenhills.com incorporates a Metapixel, a tracker that sends data about people who visit the site to the social media company. Companies like Chick-fil-A use this information to retarget people with advertisements and measure how well advertising campaigns are working. The Pplaintiffs allege that Chick-fil-A violated a law called the Video Privacy Protection Act (VPPA), which states that you cannot share personally identifiable information about people’s video audience without their consent.
The metapixel does not typically collect your name, phone number, or home address, but does collect unique identification numbers that the social media company uses to identify you and target you with advertisements. According to privacy advocates, this obviously meets the criteria for personally identifiable information, because this is information that identifies you individually. But aggrieved Chick-fil-A customers will have to make that argument to the judge.
Contrary to popular belief, there are basically no privacy laws in the United States, especially at the federal level. The few state laws related to data privacy, such as the California Consumer Privacy Act, give you some rights after the data is collected, but they generally require companies to get your consent.
But when there’s video involved, you step into a legal gray area.
The VPPA is an obscure 1988 law meant to protect information about people’s video tape rentals called the Video Privacy Protection Act (VPPA), written after the press leaked a list of failed Supreme Court nominee Robert Bork’s movie watching habits.
Three-and-a-half decades later, that law may land Chick-fil-A in the fryer, along with a growing list of basically every company on the planet which shows videos online.
The VPPA states that “videotape service providers” (or anyone offering similar services) may not disclose personally identifiable information about the videos you watch without your informed, written consent. If a company shares your data in violation of the law, they owe you $2,500, not including any punitive damages and attorneys’ fees. When there is a class action lawsuit involving thousands or millions of potential victims, that money quickly adds up.
However, it is unclear whether the structure of the Internet falls under Reagan-era privacy law. The multi-million dollar question is how the courts will define “personally identifiable information”.
Chick-fil-A is in good company. There has been an absolute explosion of class action lawsuits filed for alleged violations of the VPPA over the last year or so. In October, Bloomberg Law identified 47 different lawsuits, a number that has only grown since, filing complaints against companies including NBA, GameStop, CNN, BuzzFeed and Dotdash Meredith, owner of People Magazine. It almost seems like lawyers are scouring the web looking for more websites to sue. It’s like a meme for lawyers.
Reading the text of the law, it seems clear that sending video viewing data that allows a company to identify you is in the spirit of what Congress wanted to protect in the 80s. But if that’s true, the chicken is gonna hit the fan. This kind of data sharing is just like the way the internet works (which is unfortunate for anyone who likes not to be spied on). Metapixels and similar tracking tools exist on virtually every website you visit. If each of these websites with videos broke the law, the companies could be held liable for tens or even hundreds of years. Billions of dollars.