The Video Privacy Protection Act (VPPA), passed by Congress in 1988, is intended to prevent a “video tape service provider” from “knowingly” disclosing an individual’s “personally identifiable information” (PII) to third parties where that individual “requested or obtained … video materials,” such as “prerecorded video cassette tapes or similar audio visual materials.” At the time the law was passed, Congress had providers such as Blockbuster and visual materials such as VHS tapes in mind. The VPPA may now seem outdated, yet the law’s general language has led to several lawsuits over PII linked to digital video materials, such as online video-streaming services, forcing courts to struggle with the application of old law to new technology.
In late November 2017, the Ninth Circuit made a ruling in Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) that would affect the privacy world in two ways: by furthering a distinct interpretation of the term “personally identifiable information” and by attempting to solidify the meaning of “concrete injury” for purposes of standing to bring privacy actions. However, both issues remain subject to differing treatment by the courts. Those facing potential VPPA lawsuits will have to keep one eye on what courts consider PII under the VPPA and one eye on how courts construe concrete injury when it comes to legal standing. In the meantime, a conservative approach to VPPA compliance would be prudent.
Definition Interpretation: Personally Identifiable Information
The VPPA defines PII as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” The VPPA’s definition of PII is far narrower than the definitions of PII set forth in many other laws. For example, the Children’s Online Privacy Protection Act (COPPA), passed more recently than the VPPA, in 1998, and then amended in 2013, explicitly defines PII rather broadly, including persistent identifiers such as cookies that can be used to recognize a user across different platforms, with the caveat that such PII must be about a child under the age of 13. Unlike under COPPA, where Congress authorized the Federal Trade Commission to promulgate regulations refining what the statute means and prohibits, the meaning of PII under the VPPA has been left to the courts to determine.
In its recent ruling, the Ninth Circuit takes into consideration the standards set forth by the First and Third circuits as to what information constitutes PII under the VPPA. The Third Circuit has held that PII in the context of the VPPA is information that would “readily permit an ordinary person to identify a specific individual’s video-watching behavior.”
The Ninth Circuit adopts the Third Circuit’s standard, coining the term the “ordinary person standard,” and concludes that an ordinary person could not use a device’s serial number and video-viewing history disclosed to a third party to identify a specific individual’s video-watching behavior. The court came to this conclusion even though the third-party recipient of the information may have been able to identify a specific individual’s video-watching behavior by linking the information it received to data it had collected elsewhere. The court also considered that the VPPA requires that PII be disclosed “knowingly” in order to constitute a violation the statute, and therefore the statute views disclosure from the perspective of the disclosing party. Therefore, the Ninth Circuit concluded that PII “must have the same meaning without regard to its recipient capabilities[,]” at least absent knowledge thereof.
The District Courts have similarly held that encrypted digital media devices’ serial numbers, which would have to be decrypted in order to be read, are not PII. This has been the District Courts’ interpretation even when a company shares such information with a third party and the third party may be able to identify a specific individual by linking this type of information to data it had collected elsewhere.
This is not to say that all circuit courts have articulated the same standard for what constitutes PII under the VPPA, and online publishers and advertisers should not rely too heavily on the Ninth and Third circuits’ approaches. In the standard set forth by the First Circuit, PII encompasses “information reasonably and foreseeably likely to reveal which … videos [a person] has obtained.” Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482 (1st Cir. 2016).
The First Circuit applied this standard in holding that an app user’s GPS coordinates together with his or her unique device identifier and video-viewing history were PII under the VPPA. This could potentially present problems if publishers that share video-consumption data tied to device IDs or other unique identifiers with ad servers and advertisers build interest-based advertising profiles based on viewing behaviors absent the type of consent required under the VPPA. While the Ninth Circuit characterized the First Circuit’s holding as “quite narrow,” noting that the First Circuit stated in its reasoning that it relied in part on the nature of GPS location data enabling “most people to identify [an individual’s home and work addresses]” in coming to its ruling, the decision can be read far more broadly.
The Ninth Circuit’s holding that device identifiers along with video-viewing history do not amount to PII under the VPPA narrows the scope of what constitutes PII in the Ninth Circuit. However, the precise scope of what is PII under the statute is still far from certain and is left to further interpretation by the courts.
Legal Standing: Concrete Injury
The Ninth Circuit also weighed in on the Supreme Court’s clarification in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 194 L. Ed. 2d 635 (2016), as revised (May 24, 2016), of what constitutes sufficient Article III constitutional “concrete injury” for legal standing when filing a lawsuit in federal court. When filing a lawsuit, plaintiffs must show that sufficient injury has occurred in order for the lawsuit to move forward. In 2016, the Supreme Court ruled in Spokeo that a company publishing an individual’s incorrect personal information may constitute sufficient “concrete injury” under the Fair Credit Reporting Act (FCRA). This arguably broadened the scope of what may constitute concrete injury when an intangible injury such as the misuse of personal information is involved. A limited number of cases since Spokeo have used Spokeo’s holding to assess privacy-centric allegations, though results have been mixed, and only a couple of cases have examined Spokeo in relation to the VPPA.
The Ninth Circuit’s recent holding that disclosure to third parties of PII in the form of device identifiers and identity of videos is sufficient to demonstrate concrete injury may leave many companies open to further private action lawsuits, including under the VPPA. In order for there to be concrete injury, the plaintiff must have suffered or be in imminent risk of suffering a concrete and particularized injury. In Spokeo, the Ninth Circuit originally ruled that there was no injury because disclosing incorrect PII did not seem to place the plaintiff in danger of an injury, and even if there were a danger of injury, it would not be imminent. The Supreme Court, however, disagreed with the Ninth Circuit’s analysis. The Supreme Court ruled that under the FCRA, disclosing incorrect PII, depending on the situation, could lead to imminent injury such as the loss of a job opportunity if a potential employer were to run a credit check with the incorrect public information it found. The Supreme Court distinguished the facts in the Spokeo case, which involved incorrect personal information that the Supreme Court considered could affect employment opportunities, from a situation where incorrect PII, such an incorrect ZIP code, may not lead to an imminent injury. The Supreme Court kicked Spokeo back to the Ninth Circuit to reconsider, and the Ninth Circuit concluded that the defendant’s holding and sharing incorrect personal information was, under the circumstances, sufficient for a plaintiff to show Article III standing.
In the recent Ninth Circuit case involving the VPPA, the Ninth Circuit continued this reasoning by holding that the defendant in the VPPA case had sufficient standing because the defendant was holding personal information that could cause imminent injury. Despite holding that the personal information involved, device identifiers, were not covered by the VPPA, the Ninth Circuit’s holding regarding standing demonstrates how plaintiffs may find it easier to bring forth privacy-related federal lawsuits in the Ninth Circuit.