Netflix To Revise Data Retention Practices

Netflix-Envelope-A2

Netflix has agreed to change the way it retains information about customers in order to settle a class-action privacy lawsuit, according to court papers filed on Friday. The settlement, which is still awaiting approval, also requires Netflix to pay around $6.75 million to various privacy organizations and up to $2.25 million to the lawyers who sued the company.

Netflix said in a February SEC filing that it had agreed to settle the privacy lawsuit for $9 million, but didn't reveal further details at the time.

The agreement specifically calls for Netflix to "decouple" former customers' movie-rental history from their personal information by one year after they cancel their accounts. In the past, Netflix allegedly stored the information for up to two years after cancellation.

If approved by U.S. District Court Judge Edward Davila, the deal will resolve a lawsuit filed in 2011 by former customers who accused Netflix of violating the Video Privacy Protection Act. That law was enacted in 1988, after a Washington newspaper obtained and printed the movie rental records of Supreme Court nominee Robert Bork. The VPPA bans movie rental services from disclosing customers' records without their written consent. It requires video rental services to destroy users' personal information “as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.”

Former Netflix users alleged in their lawsuit that they continued to receive marketing emails after canceling their Netflix subscriptions. "From these e-mails, it became apparent that Netflix retained its former customers’ personal contact information," their lawyers say in a motion seeking preliminary approval of the settlement. "Former customers who logged back into their canceled accounts were able to view all of the video materials they had watched as Netflix customers ... This strongly suggested that Netflix also maintained its former customers’ video programming selections."

Davila scheduled a hearing for June 29 on the request for preliminary approval of the settlement.

Like some other recent settlements of privacy lawsuits, one notable feature of the deal is that it doesn't provide for monetary compensation to users (other than $30,000 total to a handful of users who were named in the complaint). For that reason, the settlement could be vulnerable to challenge, says Internet legal expert Venkat Balasubramani.

"Courts have increasingly scrutinized settlements without a monetary component," he says.

In one recent case, the 9th Circuit Court of Appeals (which encompasses the Northern District of California, where the suit against Netflix was brought) rejected a proposed class-action settlement involving Motorola. Consumers in that lawsuit alleged that Motorola didn't disclose the risk of hearing loss posed by Bluetooth headsets. The proposed settlement would have required Motorola to donate $100,000 to various health-related organizations, while the attorneys who sued would have received $800,000.

In its order rejecting the settlement, the 9th Circuit said one sign of a questionable deal is "when the class receives no monetary distribution but class counsel are amply rewarded."

That court is still considering whether to uphold Facebook's Beacon settlement, which calls for the company to pay more than $6 million to launch a new privacy foundation, and for the lawyers who sued to split around $2.3 million. That deal doesn't provide for monetary damages to the users (except for the 19 who were named in the complaint).

Even though Netflix agreed to settle this lawsuit, the company might have had enough legal ammunition to win at trial. That's because the 7th Circuit Court of Appeals ruled in a separate lawsuit against Redbox that consumers don't have the right to sue for violations of the portion of the video privacy law that deals with retaining records, as opposed to disclosing them.

Next story loading loading..