The Video Privacy Protection Act (“VPPA”) came into existence in the wake of a Washington Post report of Supreme Court nominee Robert Bork’s video rental history. Although the days of renting VHS tapes are now gone, the VPPA endures. Over the last several years a number of high profile lawsuits have been filed against online video and service providers for alleged violations of the VPPA. With the explosion of streaming and other forms of digital content—forms of media that the 1980s-era statute could not have anticipated—these suits have caused anxiety among content providers of all stripes.

However, two recent decisions, In re: Hulu Privacy Litig.[1] and Austin–Spearman v. AMC Network Entertainment LLC,[2] perhaps point to an emerging sense among courts that some limitations on the statute’s application to these new circumstances are warranted. The two decisions collectively

  • limit the scope of information that is considered “personally identifiable” for purposes of the statute;
  • reinforce the requirement that any disclosure by a content provider be “knowing[]”; and
  • provide meaning to the scope of “consumer” entitled to protection under the law by excluding the casual visitor to a site with whom that site has no ongoing or deliberate relationship.

Personally Identifiable Information

Liability under the VPPA requires the disclosure of “personally identifiable information.” Personally identifiable information is “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”[3] Previous decisions interpreting the VPPA have held that information shared with third parties does not qualify as “personally identifiable” unless it “serve[s] to identify an actual, identifiable Plaintiff and what video or videos that Plaintiff watched.”[4] This was true even if a “user identification” was transmitted along with the video history.[5]

In Hulu, the district court considered whether the website hulu.com was wrongfully disclosing “personally identifiable information” to Facebook. The plaintiffs were registered Hulu users who watched Hulu video content. Information regarding the plaintiffs was transmitted from Hulu to Facebook via Facebook’s “Like” button, even if the user did not click the Like button. The information was transmitted in two ways. First, Hulu would send Facebook a watch page address that would include the title of the video displayed on that watch page. This would allow Facebook to send Hulu the code for the Like button so that it could be downloaded and used on the watch page. Second, if a Hulu user had logged into Facebook using certain settings within the prior four weeks, the Like button would transmit a “c_user” cookie to Facebook. The “c_user” cookie contained the user’s Facebook user ID in a numeric format. In sum then, “when a Hulu watch page loaded with the Facebook Like button, the page prompted a user’s web browser to transmit the watch page address and Facebook c_user cookie to Facebook-controlled servers.”[6]

In granting summary judgment to Hulu, the court found that there was no evidence that the website disclosed “personally identifiable information” as defined under the statute. The basis for this conclusion was that Hulu transmitted separately the user’s identity and the video material selected—there was no connection made by Hulu between the video information and the user’s identity. As the court observed:

This means that, even if both elements were sent to Facebook, they did not necessarily disclose a user ‘as having requested or obtained specific video materials’ unless Facebook combined the two pieces of information. Without Facebook forging that connection there is no ‘disclosure’ of ‘personally identifiable information’ under the terms of the VPPA.[7]

In reaching this result, the district court distinguished the Hulu fact pattern from that of Judge Bork. In the Judge Bork case, the list provided an “obvious” connection between a specific user and the material “requested or obtained.” In contrast, Hulu sent the information separately such that “[u]nlike in the paradigmatic Judge Bork case, the connection … would be established, if at all, by an act of the recipient.”[8]

A Knowing Disclosure

The VPPA also requires that the disclosure of “personally identifiable information” be made “knowingly.” Previously, one court that addressed this issue held that Netflix could not violate the VPPA by allegedly displaying a list of a subscriber’s recently watched video titles on the subscriber’s television. The court reasoned that Netflix could not “knowingly” violate the statute under these circumstances because Netflix would have no way of knowing if people other than the subscriber were present in the room when the transmission of “personally identifiable information” occurred.[9]

In Hulu, the court reached a similar result. The Hulu court held that in addition to there being no connection made by Hulu between its users and videos those users watched, there was no credible evidence that Hulu knew that Facebook might connect the information in the c-user cookie and watch page address:

[T]here is no evidence that Hulu knew that Facebook might combine a Facebook user’s identity (contained in the c_user cookie) with the watch-page address to yield ‘personally identifiable information’ under the VPPA. There is consequently no proof that Hulu knowingly disclosed any user ‘as having requested or obtained specific video materials or services.’[10]

As such, the plaintiffs could not satisfy the VPPA standard that a defendant must “knowingly” transmit “personally identifiable information” to others to be held liable. The court also rejected plaintiffs’ citation to various other facts that purportedly showed that Hulu knew that the Facebook “c_user” cookie sent user-identifying information to Facebook because the facts were either not connected to the Like button, were too general to raise an issue of fact, or did not show that Hulu knew what specific information would be sent to Facebook.[11]

Qualifying as a Consumer

The VPPA allows recovery for those individuals who are consumers of video tape service providers. The VPPA defines “consumer” as a “renter, purchaser or subscriber of goods or services from a video tape service provider.”[12] Courts have generally set a very low threshold for qualifying as a “renter, purchaser or subscriber” under the statute. Activities that courts have found previously qualified someone for consumer status include signing up for an account, registering on a website, or downloading a network application.[13]

The Southern District of New York in Austin-Spearman, however, dismissed without prejudice a recent VPPA claim where the plaintiff alleged that she was a subscriber of a television network’s website that, like Hulu, allegedly transmitted “personally identifiable information” via Facebook’s “c_user” cookie.[14]Although the plaintiff did not register with or pay for any content on the defendant’s website, she argued that she was a subscriber because she used the defendant’s streaming services to watch video clips.[15]The court found this argument unpersuasive, finding that to be a subscriber a plaintiff must allege that he or she is “engaged in an ongoing relationship with the provider initiated by the plaintiffs’ own actions.”[16] In this case “casual consumption of web content, without any attempt to affiliate with or connect to the provider,” was insufficient to establish that there was an ongoing relationship between the plaintiff and the content provider to establish the plaintiff as a “subscriber” under the VPPA.[17] The plaintiff, however, was granted with “great reluctance” leave to amend to add allegations that she registered for a newsletter via the website, although the court viewed with strong skepticism whether this would salvage the plaintiff’s claim.[18]

Ramifications

As these recent decisions illustrate, courts will continue to grapple with applying a 1980s era privacy statute to evolving technology and information sharing mechanisms. The cases do suggest that courts will not entertain VPPA claims absent demonstrable evidence that those providing online services are knowingly transmitting personally identifiable data that connect specific users to specific videos. Moreover, while a plaintiff need not pay to be deemed a “consumer” under the VPPA, sporadic interaction with a website or similar online service provider is likely insufficient unless the plaintiff can point to specific actions that show a “desire to forge ties” with the provider.[19]