A federal circuit court recently rules that there was no actionable violation of the Video Privacy Protection Act (VPPA) when ESPN shared a user’s movie streaming device serial number with a third party.

A three judge panel of the U.S. Court of Appeals of the 9th Circuit unanimously affirmed a district court decision dismissing a claim alleging a violation of the VPPA, holding that the serial number of a Roku movie streaming device is not “personally-identifiable information” under the statute in Eichenberger v. ESPN, Inc., No. 15-35499 (9th Cir.). In so doing, however, the Ninth Circuit also joined the Third and Eleventh Circuits in holding that, when alleging a violation of the VPPA, allegations of additional consequences stemming from the violation are not necessary to meet Article III’s standing requirement.

ESPN’s argument and the standing requirement under Spokeo

Plaintiff Chad Eichenberger sued ESPN for allegedly disclosing without consent his video viewing history to a third party, Adobe Analytics. Eichenberger alleged that ESPN made this disclosure by enabling Adobe to access data linking video viewing histories to particular serial numbers associated with individual Roku devices. According to the complaint, Adobe then allegedly combines the information with other data about an individual obtained from other sources, and returns aggregated demographic information back to ESPN to help ESPN understand its viewers and their interests.

Eichenberger argued that although ESPN did not directly identify the serial number as being associated with him, ESPN nevertheless violated the VPPA because ESPN knew that Adobe would use the serial number information to identify him.

The panel started by addressing ESPN’s argument that the harms alleged by Eichenberger were not sufficiently concrete and particularized to confer standing under the Supreme Court’s decision in Spokeo v. Robins. In Spokeo, the court concluded that the mere allegation of a statutory violation is not, as a matter of law, sufficient to provide standing unless conduct constituting the statutory violation independently represents a concrete and particularized injury.

The panel rejected ESPN’s argument, finding that whereas Spokeo “concerned procedural violations of the [Fair Credit Reporting Act] that would not invariably injure a concrete interest,” “the VPPA provision at issue here[] codifies a context-specific extension of the substantive right to privacy.”

Thus, according to the panel, “every disclosure of an individual’s ‘personally identifiable information’ and video-viewing history offends the interests that the statute protects.” Thus, the panel held that a plaintiff need not identify any “further harm” arising from the alleged violation in order to have standing. In so holding, the panel agreed with the decisions in Perry v. Cable News Network, Inc., 854 F.3d 1336 (11th Cir. 2017) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3rd Cir. 2016).

Court applies “ordinary person” standard

The plaintiff’s victory was short-lived, however: having found that Eichenberger had standing to assert a claim, the panel agreed with the district court that he had failed to actually state a claim because the information allegedly disclosed by ESPN was not “personally identifiable information” within the meaning of the VPPA.

The panel started its analysis seeming to agree with the plaintiff: by acknowledging that the definition of personally identifiable information under the VPPA includes more than just information which, by itself, can identify an individual as having watched certain programming, and includes information “that can be used to identify an individual.”

The panel thus posed the key question: “Under the VPPA, what information did Congress intend to cover as ‘capable of’ identifying an individual?” The panel weighed two alternatives, the “reasonably and foreseeably likely” standard adopted by the First Circuit and the “ordinary person” standard adopted by the Third Circuit, and adopted the latter.

The panel provided two main reasons for its decision. First, the panel explained that the ordinary person standard better informs providers of their obligations because it focuses on what information a provider discloses, not what a recipient decides to do with it. Second, the panel explained that the ordinary person standard fits within the framework that Congress had in mind in 1988 when it enacted the VPPA—a pre-internet time when companies did not have access to big data.

Applying that standard, the panel agreed with the district court that Eichenberger’s complaint had failed to state an actionable violation of the VPPA, because, as Eichenberger conceded, ESPN’s disclosure of his Roku device’s serial number and the videos he watched “cannot identify an individual unless it is combined with other data in Adobe’s possession—data that ESPN never disclosed and apparently never even possessed.”

The decision is a mixed bag for video streaming companies and other firms that process online video viewership data. While the adoption of the “ordinary person” standard provides greater certainty regarding what information can be shared without risking a VPPA suit, the panel’s standing analysis creates a very low bar for satisfying Article III.