Photo: Sheila Fitzgerald (Shutterstock)
While Chick-fil-A served you sandwiches, it also provided data to Meta, Facebook’s parent company. The fast-food chain did so in a way that violates one of the few federal privacy laws in the United States, according to a new lawsuit filed Sunday.
Chick-fil-A has been rolling out bizarre animated videos titled “The Stories of Evergreen Hills” during the holiday season for the past four years. We’ve posted a seven-minute example below for you to check out if you’re crazy. These low-budget holiday masterpieces are available on YouTube, or you can watch them on Chick-fil-A’s dedicated site, evergreenhills.com. This site caught the attention of privacy advocates because of the way it tracks and shares data.
Like hundreds of millions of other websites, evergreenhills.com has an embedded meta-pixel, a tracker that sends data to the social media company about who visits the website. Companies like Chick-fil-A use this information to retarget people with ads and measure how well ad campaigns are performing. The plaintiffs allege Chick-fil-A violated a law called the Video Privacy Protection Act (VPPA), which says you can’t share personally identifiable information about people’s viewership without their consent.
The meta pixel doesn’t typically collect your name, phone number, or home address, but it does collect unique ID numbers that the social media company uses to identify you and target you with ads. According to privacy advocates, this obviously meets the criteria for personal data, as it is information that identifies you individually. But the aggrieved Chick-fil-A customers must bring that argument to the judge.
The Snow Globe | Tales of Evergreen Hills | Created by Chick-fil-A
Chick-fil-A did not immediately respond to a request for comment. evergreenhills.com’s privacy policy states that the company collects information about its visitors and may share that information with Facebook and other social media companies.
G/O Media may receive a commission
Up to $100 credit
Samsung backup
Reserve the next generation Samsung device
All you have to do is sign up with your email address and boom: credit your pre-order on a new Samsung device.
Contrary to popular belief, the United States has essentially no privacy laws, especially at the federal level. The few federal privacy laws, like the California Consumer Privacy Act, give you some rights after the data is collected, but they generally require companies to obtain your consent.
But when it comes to video, you’re entering a legal gray area.
The VPPA is an obscure 1988 law designed to protect information about people’s video rentals, called the Video Privacy Protection Act (VPPA), which was written after the press leaked a list of the failed colonel candidate’s filming habits Court of Justice, Robert Bork, leaked.
Three and a half decades later, that law could end up Chick-fil-A in the fryer, along with a growing list of virtually every company on the planet showing video online.
The VPPA says that “videotape service providers” (or anyone offering similar services) cannot disclose personally identifiable information about what videos you watch without your informed, written consent. If a company discloses your information in violation of the law, they owe you $2,500, not counting potential punitive damages and attorneys’ fees. When it comes to a class action lawsuit involving thousands or millions of potential victims, the money quickly adds up.
However, it is not clear whether the structure of the Internet falls within the scope of Reagan-era privacy law. The multi-million dollar question is how courts will define “personal data”.
Chick-fil-A is in good company. Over the last year there has been an absolute explosion of class action lawsuits alleging alleged VPPA violations. In October, Bloomberg Law identified 47 separate lawsuits, a number that has only increased since then, and filed lawsuits against companies including the NBA, GameStop, CNN, BuzzFeed and Dotdash Meredith, owner of People Magazine. It almost seems like lawyers are scouring the internet looking for more sites to sue. It’s like a meme for lawyers.
Reading the text of the law, it seems clear that sending video viewing data that would allow a company to identify you is what Congress wanted to protect in the 1980s. But if that’s true, the chicken will hit the fan. This type of data sharing is just how the internet works (which is unfortunate for anyone who’s a fan of not being spied on). There are metapixels and similar tracking tools on virtually every website you visit. If each of these websites containing videos broke the law, companies could be on the hook for tens or even hundreds of billions of dollars.