Viewers are streaming more online video content than ever before.  Whether visiting a website, downloading an app, or watching on a “smart” TV, viewers want access to content anywhere, at any time, on any device.  In turn, major networks, cable channels, and online content providers are racing to keep this digital stream flowing.

When video content is transmitted over the Internet, however, lots of other data can go with it.  Companies now have the ability to collect and transmit information about the viewing habits of their streaming video users, and this increasingly is resulting in challenges by consumers.

Several viewers have brought their cases to court, suing under the Video Privacy Protection Act (“VPPA”) 18 U.S.C § 2710.  While these cases are mainly favorable for streaming services, they offer a number of valuable lessons about the importance of viewer privacy and the information a streaming service may share with social media networks, third party advertisers or analytics companies.

With the rise of online content and big data, courts are beginning to define streaming media companies’ obligations under the Video Privacy Protection Act (“VPPA”).

Passed in 1988, the VPPA prohibits a “video tape service provider” from “knowingly” disclosing a consumer’s “personally identifiable information” (“PII”) to third parties without his or her consent. The VPPA defines a “video tape service provider,” in part, as any person “engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” A “consumer” under the statute includes a renter, purchaser or subscriber of goods or services, while PII is “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” Notably, the VPPA creates a private right of action and allows a court to award statutory damages upwards of $2,500 per violation (as well as attorney fees).

Three recent cases illustrate how the VPPA, a law designed for video tapes, may apply to digital video or online streaming services:

The VPPA requires a “knowing” disclosure. In a class action against Hulu, plaintiffs alleged that Hulu was disclosing user identities and viewing selections to Facebook when a user clicked Facebook’s “Like” button in their browser from the Hulu site. Once a Hulu user clicked the “Like” button, Hulu automatically sent user data to Facebook using a “c_user” cookie which contained that user’s Facebook ID. In a separate transmission, Hulu also sent URLs of a user’s “watch pages” that identified the user’s video requests. The main purpose of this data was to tell Facebook where to send code related to its “Like” button. Without Hulu’s knowledge, Facebook combined the two sets of information, allowing Facebook to piece together a user’s identity and viewing history. Hulu argued that it did not violate the VPPA because it did not “knowingly” send Facebook any information that could identify Hulu users and wasn’t aware that Facebook might combine the two streams of data. On March 31, 2015, a district court in the Northern District of California agreed with Hulu on this basis. The plaintiffs have appealed the decision. (In Re Hulu Privacy Litigation)

Non-Registered online viewers are not “consumers”/”subscribers.” Plaintiff Austin-Spearman alleged that the TV network AMC violated the VPPA because it disclosed PII to Facebook when Austin-Spearman watched the “Walking Dead” on AMC’s website. Since Austin-Spearman did not pay AMC for the online content, register for an account, create a user ID/password for the site, or download an app or program to view the content, the court found that Austin-Spearman did not fit the VPPA’s definition of a “consumer” or “subscriber.” On April 7, 2015, a district court in the Southern District of New York granted AMC’s motion to dismiss but also granted Austin-Spearman leave to amend, providing her with an opportunity to prove that she should be considered a “subscriber” under the VPPA. Last month, Austin-Spearman informed AMC that she would not file an Amended Complaint and does not intend to pursue her claim. (Austin-Spearman v. AMC Network Entertainment)

Unique device identification numbers are not PII. Using a Roku device, plaintiff Eichenberger downloaded the “WatchESPN Channel.” His unique Roku device serial number and video history were then sent to a third party, Adobe Analytics, which Eichenberger argued was a violation of the VPPA. Adobe then combined Eichenberger’s Roku device information with other existing user information including his Facebook and email accounts. Similar to the Hulu litigation, this allowed Adobe to identify the plaintiff as having watched specific videos. On May 7, 2015, a district court in the Western District of Washington found that ESPN did not violate the VPPA when it sent Adobe Eichenberger’s Roku device serial number because the device’s serial number (as well as any viewing records) were not PII under the law. The court’s decision is in line with Locklear v. Dow Jones & Co. where a district court dismissed a VPPA claim that had alleged that a Roku serial number, in and of itself, constituted PII. (Eichenberger v. ESPN, Inc.)

While the outcomes of these cases are largely favorable for online streaming services under the VPPA, this area of the law continues to evolve. There are also other privacy laws that may apply to a given streaming service. We will continue to track these and related developments.