Overview
The Video Privacy Protection Act (VPPA) requires that Passport members who use PBS Video apps explicitly grant PBS permission to share the user’s personal data (viewing history, favorites, etc.) with the station. To be clear, the agreement is between the user and PBS, not the user and the station. That is why it is contained in an authentication flow managed by PBS.
PBS Account, the OAuth2 authentication service from PBS Digital, supports the ability for stations to request, on PBS’s behalf, that Passport users accept VPPA.
There are three supported use cases: users who have activated passport but have never accepted VPPA, users who accepted VPPA has expired, and users in the process of activating Passport.
The first two cases are covered by adding “vppa” as a scope to PBS Account. When combined, “scope=account+vppa” instructs PBS Account to check a user’s VPPA acceptance. If the user is an MVOD member and has not accepted VPPA, they will be required to accept VPPA to continue using Passport. If the user’s VPPA is expired, meaning the last assent was more than two years ago, they will also be prompted to accept VPPA.
How to implement VPPA
If the VPPA check is being done during activation, there is a separate query parameter -- “&activation=true” -- that forces the VPPA assent modal. It needs to be used in conjunction with the aforementioned “vppa” scope.