After over four years of litigation on the cutting edge of modern Video Privacy Protection Act (“VPPA” or the “Act”) litigation, Magistrate Judge Laurel Beeler of the United States District Court for the Northern District of California dismissed a VPPA class action complaint against Hulu LLC on March 31, 2015.  The complaint alleged that Hulu had knowingly communicated to Facebook both its users’ personally identifiable information and the titles of videos its users watched on its website.  If the plaintiffs’ claims had been vindicated, Hulu potentially would have faced a staggering exposure under the VPPA of up to $2,500 per violation, with violations possibly occurring millions of times per day during the class period.

The VPPA prohibits a “video tape service provider” from “knowingly” disclosing “personally identifying information,” including “information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”  18 U.S.C. § 2710.  The Act was passed in 1988 after a Washington Post journalist secured a list of movies then-Supreme Court Justice nominee Robert Bork had rented from a video store clerk.  The brick-and-mortar, video-store-era VPPA, however, has proven troublesome for both courts and businesses in the modern era of online video-streaming.

Judge Beeler defined an actionable VPPA violation as requiring a video provider to knowingly disclose (1) a consumer’s identity; (2) the identity of specific video materials; and (3) the connection between these two bits of information--that is, that the person identified “requested or obtained” the specific video material.

Judge Beeler held that the plaintiffs had failed to present a material issue of fact that Hulu had communicated the third required element to Facebook.  The crux of the court’s decision rested on the fact that, although Hulu had separately sent cookies containing a user’s Facebook ID and a web address containing the title of a specific video, the plaintiffs had presented no direct evidence that Hulu knew that Facebook could or would use those two bits of information to match a specific Facebook user with a specific video he or she had viewed or requested.

Accordingly, it is not enough under the In re Hulu Privacy Litigation rationale for a video service provider to communicate, in separate acts, the raw data that a third party could use to synthesize what otherwise would constitute “personally identifiable information” under the VPPA.  Rather, a plaintiff must prove that the video service provider actually knew the third party would use the user identity and the separately communicated video title to create a new single bit of information linking a user to video materials that the user obtained or requested. 

Judge Beeler’s full opinion can be found here.