An ongoing challenge in identifying potential exposures in data privacy and security created by a company’s operations is having to account for creative ways in which new technology is wedged into seemingly unrelated statutes. An example of these exposures is the recent rash of class action lawsuits filed in Pennsylvania and nationwide under the Video Privacy Protection Act (VPPA), 18 U.S.C. Section 2710.

VPPA prohibits a “video tape service provider” from knowingly disclosing a consumer’s “personally identifiable information,” defined by the statute as information identifying a person as having requested or obtained specific video materials or services from a video tape service provider, to a third party without the consumer’s consent. Congress quickly enacted the statute after the Washington City Paper had published an expose disclosing then-U.S. Supreme Court nominee Judge Robert Bork’s recent video rental history. “The paper had obtained (without Bork’s knowledge or consent) a list of the 146 films that the Bork family had rented from a Washington, D.C.-area video store over a two-year period.” See In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 278 (3d Cir. 2016). Seems straightforward, right?