While Chick-fil-A was serving you sandwiches, it was also serving up data to Facebook’s parent company Meta. According to a new lawsuit filed Sunday, the fast food chain did that in a way that violated one of the only federal privacy laws in the United States.
Chick-fil-A has been putting out bizarre animated videos during the Christmas season over the last four years titled “The Stories of Evergreen Hills.” We’ve posted a seven-minute-long example below, which you can watch, if you’re out of your mind. These low-budget holiday masterpieces are available on YouTube, or you can check them out on Chick-fil-A’s dedicated website, evergreenhills.com. That website caught privacy lawyers’ attention due to the way it tracks and shares data.
Like hundreds of millions of other websites, evergreenhills.com has an embedded Meta pixel, a tracker that sends the social media company data about who’s visiting the site. Companies like Chick-fil-A use that information to retarget people with ads and measure how well ad campaigns are working. The plaintiffs allege that Chick-fil-A broke a law called the Video Privacy Protection Act (VPPA), which says you can’t share personally identifiable information about people’s video viewership without their consent.
The Meta pixel does not typically collect your name, phone number, or home address, but it does gather unique ID numbers that the social media company uses to identify you and target you with ads. According to privacy advocates, that obviously meets the criteria for personally identifiable information, because it’s information that identifies you individually. But the aggrieved Chick-fil-A customers will have to make that argument to the judge.
Contrary to popular belief, there are basically no privacy laws in the United States, especially at the federal level. The few state laws related to data privacy, such as the California Consumer Privacy Act, give you some rights after the data is collected, but they generally require companies to get your consent.
But when there’s video involved, you step into a legal gray area.
The VPPA is an obscure 1988 law meant to protect information about people’s video tape rentals called the Video Privacy Protection Act (VPPA), written after the press leaked a list of failed Supreme Court nominee Robert Bork’s movie watching habits.
Three-and-a-half decades later, that law may land Chick-fil-A in the fryer, along with a growing list of basically every company on the planet that shows videos online.
The VPPA says that “video tape service providers” (or anyone who offers similar services) cannot disclose personally identifiable information about what videos you watch without your informed, written consent. If a company shares your data in violation of the law, they owe you $2,500, not counting potential punitive damages and attorneys’ fees. When there’s a class-action lawsuit with thousands or millions of potential victims involved, that money adds up fast.
However, it is not clear whether the structure of the internet is within the scope of the Reagan era privacy law. The multi-million dollar question is how courts will define “personally identifiable information.”
Chick-fil-A is in good company. There has been an absolute explosion of class-action lawsuits filed for alleged VPPA violations over the last year or so. In October, Bloomberg Law identified 47 different lawsuits, a number which has only grown since, filing claims against companies including NBA, GameStop, CNN, BuzzFeed, and Dotdash Meredith, owner of People Magazine. It almost seems as though lawyers are trawling the web looking for more websites to sue. It’s like a meme for attorneys.
Reading the text of the law, it seems clear that sending data about video watching that lets a company identify you is in spirit of what Congress wanted to protect back in the ’80s. But if that is true, the chicken is going to hit the fan. This kind of data sharing is just how the internet works (which is unfortunate, for anyone who’s a fan of not being spied on). There are Meta pixels and similar tracking tools on practically every website you visit. If every one of those websites that has videos on it broke the law, companies could be on the hook for tens or even hundreds of trillion of dollars.