District court rejects Video Privacy Protection Act claim against video streaming provider Hulu, finding insufficient evidence that Hulu knowingly disclosed to Facebook information identifying its users as having requested or obtained specific video materials through Hulu’s embedded “Like” button feature.

Defendant Hulu, LLC, provides online access to video content (e.g., television shows, movies, and other prerecorded videos from networks and studios) through its website. Plaintiffs, viewers of the online content provided by Hulu, brought suit alleging that Hulu wrongfully disclosed their video viewing selections and personal identification to Facebook, in violation of the Video Privacy Protection Act.

Video content on Hulu.com is displayed on a video player that appears on a webpage called a “watch-page.” After Facebook launched its “Like” button in April 2010, Hulu coded the Facebook “Like” button onto its watch-pages. The “Like” button code was written such that, when a Hulu user loaded a watch-page, the user’s web browser sent a request to Facebook to load the “Like” button onto that watch-page. This request would include the URL of the watch-page, which, until June 2012, contained the title of the video content. Additionally, if the Hulu user had logged into Facebook using certain settings during the previous four weeks, the “Like” button would cause a cookie to be sent to Facebook, which contained, among other things, the user’s Facebook user ID number. Facebook can identify this number as a particular Facebook user. When a Hulu watch-page loaded with the Facebook “Like” button, the user’s web browser would automatically send to Facebook both the user’s numeric Facebook ID (through the cookie) and the title of the video the user was watching (contained in the Hulu watch-page URL).

The VPPA reads, in relevant part: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person . . . .” The statute defines “personally identifiable information” as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” The district court granted Hulu’s motion for summary judgment, finding no evidence that Hulu knew that Facebook might combine a Facebook user’s identity with the watch-page address to yield personally identifiable information under the VPPA.

The court distinguished this case from the incident that prompted the VPPA’s enactment, in which a news reporter obtained access to a list of the videos that Circuit Judge Robert Bork had rented. In that scenario, the viewing history of an individual—Judge Bork—was deliberately revealed. Here, by contrast, Hulu’s coding allowed Facebook to pair an individual user with the user’s viewing information, but Hulu did not provide that information in a single packet, with the intention that Facebook would know that a Hulu user had requested or obtained specific video materials.

The court also rejected plaintiffs’ argument that Hulu’s coding for “show_faces,” a feature embedded within the “Like” button, actually sent personally identifiable information to Facebook, finding that plaintiffs’ own expert had failed to show how the coding for the feature caused Hulu to send Facebook personally identifiable information. Moreover, even if plaintiffs had been able to establish this, the court concluded there was insufficient proof that Hulu knew its coding would disclose that a specific user had watched a specific video.

Plaintiffs also offered evidence of Hulu’s internal testing, its agreement with the Nielsen Company for services to measure the effectiveness of Hulu’s ad delivery, and Hulu’s privacy policy to argue that Hulu knowingly disclosed its users’ personally identifiable information to Facebook. The court rejected each of these arguments, concluding that plaintiffs had failed to create a triable issue of material fact.