The Video Privacy Protection Act (VPPA) is designed in part to protect consumers against the disclosure of certain personal information by video providers. The basic provisions of the Act provide:
- A prohibition against knowing disclosure of “personally identifiable information” of a “consumer” who rents or otherwise obtains video materials.
- Liability for a breach and the ability for an “aggrieved person” to bring a civil action.
- Statutory damages of not less that $2500 per violation as well as punitive damages.
- Recovery of attorneys fees and other litigation costs.
The Act also requires the “timely” destruction of personally identifiable information.
The Act was passed in response to the publication of a newspaper profile of Robert Bork, a then U.S. Supreme Court nominee, based on the titles of movies he had rented from a local video store.
Given the statutory damages imposed by the Act that could lead to a significant recovery if compounded over a relatively large class and number of violations, the Act is similar to the Telephone Consumer Protection Act (TCPA) in that it appears to provide class actions opportunities that could pose significant financial risks to video providers. However, in a plethora of federal district court opinions, the ability to prosecute such actions has for the time being at least been constrained.
In In re Hulu Privacy Litigation, 2014 WL 1724344, (N.D.Cal. Apr.28, 2014), for example, the federal district court for the Northern District of California held that the personally identifiable information contemplated by the Act must be easily linked to “a specific, identifiable person and his video habits” to be actionable. Thus the released information must be “akin” to a name.
Hulu was accused of wrongfully disclosing video viewing selections of its customers as well as personal information to third party metric companies that would track data. Hulu provided its customers free access to TV shows, movies and other video content. Hulu’s income was derived from advertisers who demanded certain metric information to justify paying the Hulu costs. Hulu relied on a metrics company, comScore, to collect this data.
While Hulu did not provide the names of its customers to comScore, it did provide sufficient information for comScore itself to readily determine the identity of Hulu customers. While stating that the Act could be violated by providing information short of a name, by labeling “personally identifiable information” as being akin to a name, it might as well have. Providing a “unique identifier” without more does not constitute a violation of the Act.
Similarly, in In re Nickelodeon Consumer Privacy Litigation, 2014 WL 3012873 (D N.J. July 2, 2014), which involved claims against Google and Viacom, the New Jersey District Court held that the disclosure to a third party of information such as user names, IP address, browser settings, listings of video materials obtained from Viacom websites would not violate the Act since the information either individually or aggregated together without more could not be used to indentify anyone. This despite the fact that such things as IP addresses could be easily used to determine geolocation information that could then be used to determine identify.
In Nickelodeon, Viacom, which owned Nickelodeon, registered children who sought to view video content by requiring the creation of a unique profile. Viacom would then create an online record of any video viewed and provide that record to Google for collection and compilation. Viacom also utilized cookies to obtain additional information such as IP addresses and browser settings that was also provided to Google. Again, such activity did not violate the VPPA.
More recently the U.S District Court for Georgia dismissed a class action complaint brought under the VPPA on the grounds that plaintiff did not allege sufficient violation of the Act. Locklear v. Dow Jones & Company No. 1:14-CV-00744-MHC (N.D. Ga. January 1, 2015).
In this case, Plaintiff had downloaded and used the Wall Street Journal Channel to her Roku media-streaming device to watch video clips and new stories. Plaintiff did not at any point consent or agree that Dow Jones, the owner of the Channel could disclose any personally identifiable information to any third party. Despite this lack of consent, each time plaintiff viewed a clip or story, Dow Jones disclosed her Roku serial number and viewing history to a third party advertising company. The advertising company then, by using demographic data linked to the Roku serial number and data obtained from other sources, was able to attribute the serial number to an actual individual.
Plaintiff claimed that by doing so, Dow Jones violated the VPPA’s prohibition against disclosure of personally identifiable information and sought both monetary and injunctive relief for herself and the putative class. The Court was not willing to accept plaintiff’s argument that a violation of the Act had occurred by Dow Jones’ practices.
While the Court believed plaintiff became a “consumer” for purposes of the Act by subscribing to the channel even though she paid nothing for it, the Court did not find that Dow Jones had disclosed any personally identifiable information by its practices.
Citing federal district court opinions in Hula and Nickelodeon and a case decided by another Georgia federal district court judge, Ellis v. Cartoon Network, Inc., 2014 WL 5023535 (N.D. Ga., 2014), the Court defined personally identifiable information as information which must without more link a person to actual video materials. Because the third party advertiser here, as in Hula and Nickelodeon, had to take extra steps to connect the serial number with a person’s identity, there could be no violation of the Act.
Since the concept of personally identifiable information is found not only in the VPPA, but in any number of other laws and regulation, the federal court treatment in Dow Jones and other cases could have a significant impact on privacy litigation. Despite these opinions, however, we believe that the VPPA still holds risks for video providers and data collectors.
First, no appellate court has yet addressed the issue. And there is contrary authority. Not surprisingly, the California Supreme Court has taken a different tack under its statute involving the collection of information by merchants from consumers. The California Court was concerned that not treating such information as zip codes as personally identifiable information would allow companies to make an end run around the statute and obtain such information by using other data. Pineda v. Williams-Sonoma Stores Inc., 51 Cal. 4th 524 (2011).
Moreover we suspect that given the right set of circumstances, a federal court might be convinced to follow the reasoning of the California Supreme Court. Indeed, depending on how difficult for a third party to obtain the actual identity of an individual, it’s not farfetched that a court might conclude such things as serial numbers and the like are sufficient to constitute personally identifiable information. This is particularly true if -- or when-- such linkage becomes even more technically easier than now.
At some point, information that we previously considered anonymous may become personally identifiable information where the link is little more than looking up a name online (or in a phonebook for those of us who grew up with such thing). (Certainly one could argue that the linking in Hula, Nickelodeon and Dow Jones amounted to little more than that!)
Finally, the federal courts analyzing the Act have swept by other protections that could preclude large-scale class actions under the VPPA. For example, in Dow Jones, Plaintiff successfully argued that the VPPA conferred a right to privacy in viewing video clips and stories and that, in the absence of an otherwise judicially cognizable injury, the mere violation of that statutory right conferred standing citing Warth v. Seldin, 422 U.S. 490, 514 (1975).
Similar results were reached in Hula and Nickelodeon. Since the VPPA provides that any person “aggrieved” by a violation could bring a civil action, the Act thus conveys a very broad net of standing beyond that which common law traditional provided and that plaintiffs allegations were sufficient. Courts have also rejected any limit on the term “consumer” under the Act, holding that a consumer can be a subscriber to a service even if the subscription is free.
Thus, should a more liberal view of what constitutes impermissible disclosure under the Act take hold, the VPPA could become the TCPA of the video industry.