19 www.loubar.org December 2025 a disclosure to the consumer, or with their express written consent). Although originally passed in response to Supreme Court nominee Robert Bork’s video tape rental history being disclosed to a reporter, the VPPA has been brought into 21st century by plaintiffs alleging that defendants who facilitate the online delivery of digital video content qualify as “video tape service providers.” There are numer- ous circuit splits on nearly every element of a VPPA: What kind of businesses qualify as “video tape service providers”? Is informa- tion collected by automatic information col- lection technologies “personally identifiable information”? What does the relationship between a plaintiff and defendant need to be for the plaintiff to be a “consumer”? Notably, the VPPA provides a private right of action for violations and minimum statu- tory damages of $2,500 per violation. e-Commerce Transactions Multiple state laws prohibit the collection of non-essential personal data as a condition for accepting payment cards (see, e.g., the Song-Beverly Credit Card Act (Cal. Civ. Code § 1747.08), Massachusetts Consumer Privacy in Commercial Transactions Act (Mass. Gen. Laws ch. 93, § 105), Del. Code. Tit. 11, § 914(b)(1)(b), Md. Code, Com. Law § 13-317(a), N.J. Stat. 56:11-17, 6 R.I. Gen. Laws § 6-13-16(a), Kan. Stat. § 50-669a). Plaintiffs in California are entitled to statu- tory damages of at least $1,000. Best Practices to Avoid Liability Identify automatic information collec- tion technologies used by your website. Plaintiffs in wiretap cases allege that de- fendant’s automatic information collection technologies, like cookies and pixels, are “pen registers” or “trap and trace” devices because they capture the “dialing, routing, addressing, or signaling information” of a plaintiff’s interactions with the defendant’s website. For example, these technologies capture the HTTP header information of the GET and POST requests made between the plaintiff’s browser and the defendant’s web- site server. These cases disproportionately, although not exclusively, focus on the use of the Meta Pixel and TikTok Pixel. Many organizations may not even be aware that their website uses these automatic in- formation collection technologies. This is common when the development and main- tenance of the website has been outsourced to a third party. Organizations who choose to use automatic information collection technologies like non-essential cookies, pixels and session replay software should evaluate their use cases and determine if the value of such use is commensurate with the potential litigation risk. Ensure metadata concerning viewed videos does not include the video title. Although the VPPA does contain a “con- sent” defense, the requirement is too dif- ficult to meet to be practical in most cases. The VPPA requires that the consent be written and obtained “in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer” (18 U.S.C. § 2710(b)(2)(B)(i)), meaning that organizations may rely on ex- press or implied consent to a privacy notice. Instead, organizations should seek to fall outside one or more statutory definitions. For example, an effective risk mitigation technique to avoid liability under the VPPA is to review the metadata that is being trans- ferred and ensure that the website does not transmit the title of the video to any third party. The VPPA defines “personally iden- tifiable information” as “information which identifies a person as having requested or obtained specific video materials or ser- vices from a video tape service provider” (18 U.S.C.A. § 2710(a)(3)). By removing video title, from metadata collected by third-party integrations, such as analytics tools, advertising pixels, content delivery networks and customer data platforms, the information would not be considered “personally identifiable information.” Distinguish between essential and incidental personal data collected in e-commerce transactions. Litigation related to e-commerce transac- tions, particularly under the Song-Beverly Credit Card Act, focuses on non-essential personal data collected during check-out that plaintiffs allege was a “condition” of the transaction. While collection of a consumer’s payment card information, billing address and ship- ping address may be required to complete the transaction, information collected that is incidental to the transaction, such as phone number, should be clearly indicated as optional. Review user interface elements to ensure enforceability of Terms of Use. Website Terms of Use are often used to lower the risk of costly litigation through mandatory arbitration, class action waiver, choice of venue, choice of law and limita- tion of liability clauses. However, many organizations have been surprised to find that these carefully considered provisions were not binding on plaintiffs. A defendant seeking to enforce the provisions of a web- site’s Terms of Use must demonstrate the formation of a valid contract. Therefore, state law principles of contract regarding contract formation govern, which include, in relevant part, consent to the terms of the contract. Many organizations use “advisements,” which are short statements alerting users to the existence of a Privacy Notice and Terms of Use, to put users on notice to the existence of these terms and argue that the user consented to the terms. How- ever, courts have closely scrutinized these advisements and articulated ever-higher standards for enforceability. The following are best practices identified from case law: • Uncluttered layout. Present only essen- tial elements—core fields and the advise- ment—and remove nonessential content. • Advisement visible in context. Ensure the advisement appears on the same screen as the action button without scrolling. • Equivalent prominence. Match the advisement’s font, color and size to sur- rounding text of comparable importance. • Reasonable conspicuousness. Place the advisement in a position that inter- rupts the natural flow—ideally immedi- ately above the action button. • Distinct hyperlinks. Make links to Terms of Use and Privacy Notice clearly distinguishable—use all caps, underlines, bold and a contrasting color. • Textual concordance. Align action button text with the advisement language (e.g., “Continue” where the notice says “By clicking ‘Continue’ you agree…”; “I agree” where “I agree” is referenced). • Explicit arbitration reference. State that agreement includes acceptance of mandatory arbitration. • Explicit jury waiver. State that agree- ment includes a waiver of the right to a jury trial. • Affirmative assent. Require active acknowledgment (e.g., clickwrap or checkbox). Clickwrap is more defensible than passive browsewrap. Conclusion Website data collection practices now carry outsized litigation and enforcement risk, which will likely only increase as time goes on. Engaging a qualified attorney who understands current litigation trends to evaluate your website, advise on legal risk and provide court-tested best practices is a great way to not only reduce your legal exposure, but also safeguard your brand, budget and customer trust. Dalton Cline is a member of the Dentons Global Data Privacy and Cybersecurity Group based in Louisville. As a Certified Information Privacy Professional (CIPP/US, CIPM, CIPT), he rou- tinely advises businesses of all sizes in a variety of industries and sectors regarding compliance with domestic and international data privacy and cybersecurity laws and regulations, litiga- tion risk and best practices. Prior to joining Dentons, Dalton was a privacy analyst at a large public university. Ameena Khan Per is an Associate of McBrayer PLLC, practicing in the firm’s Louisville office. Her practice primarily focuses on data privacy and security, intellectual property and trade- marks. Her primary expertise is in data privacy and cybersecurity law, where she advises clients on a variety of privacy matters, including com- pliance with privacy and data security laws and drafting privacy policies. Ameena has hands-on experience with technol- ogy-related issues, which brings a unique and vital perspective in successful- ly negotiating agreements involving personal data and developing creative governance solutions that blend well with exist- ing business practices. n (Continued from previous page) Cline Per Administrative Law AI/IP/Privacy Law Section ADR/Mediation Appellate Law Bankruptcy Law Corporate Law Criminal Law Environmental Law Family Law Federal Practice Health Law Human Rights Law In-House Counsel Labor & Employment Law Litigation Probate & Estate Law Public Interest Law Real Estate Law Solo & Small Practice Taxation Law Tort & Insurance Law Practice Young Lawyers YOUR PROFESSION. YOUR ASSOCIATION. YOUR IMPACT. More Information contact: Lisa M. Murray at [email protected] Professional development thrives on shared effort. The LBA's 22 practice sections are more than groups. They are active spaces for growth, connection and service. If you want to shape your practice, strengthen your network or give back to the legal community, this is your moment. Section leadership needs new voices. CLE programs need presenters. Bar Briefs needs thoughtful articles. Public service projects need steady hands. Networking events need planners and participants. For more information, contact: Lisa M. Murray at [email protected]
