If you’ve ever subscribed to Netflix, you’re probably aware that they use your movie watching history to suggest other movies that you might like. Sounds pretty innocuous, right? But according to a lawsuit filed in the Northern District of California March 11th, Netflix also retains its subscribers’ viewing histories indefinitely (even long after they’ve discontinued their subscriptions), and sells the data to third parties. As reported in the Privacy & Information Security Law Blog last week, the suit alleges that Netflix’s actions violate the Video Privacy Protection Act of 1988, which Congress passed in the wake of public disclosure of Supreme Court nominee Robert Bork’s video rental history.

Although the VSSP is very consumer friendly in terms of the breadth of conduct it prohibits, the plain text of the law says it applies to “video tape rentals,” i.e. says nothing about DVDs, or downloaded/streaming movies. Since there is no case law (that I’m aware of) giving a broader construction to the term “video tape rentals,” I would expect Netflix to file a motion to dismiss, which the court may grant. If the federal claim is dismissed, however, the case could continue anyway, based on additional claims that Netflix’s practices violate the California Customer Records Act, and state unfair competition law.

This is not the first time that Netflix has been sued for these specific business practices. In January of this year, an identical suit was filed in the same California district court, and a previous class-action suit prompted an investigation by the Federal Trade Commission, which issued this letter to Netflix’s outside counsel on March 12, 2010:

Netflix’s intention to release a second data set one containing a richer portfolio of consumer information—raised serious concerns about the risk that Netflix’s customers would be re-identified and associated with their potentially sensitive movie viewing histories and preferences. Due to advances in technology that allow for vast amounts of data to be collected, stored, accessed, and combined, [the FTC] encourages companies to be cautious when releasing data presumed to be ‘anonymous’ or ‘not personally identifiable,’ especially when those representations are made to consumers.
Perhaps a coincidence, Senators John Kerry and McCain are reportedly drafting new bi-partisan legislation that would, among other things, establish a “commercial privacy bill of rights,” which will likely be supported by the Obama Administration. In December, the Department of Commerce Internet Policy Task force released this 74-page green paper setting forth recommendations for the implementation of sweeping federal legislation aimed at protecting consumer privacy.