Long after the disappearance of most video rental stores, the issue of the applicability of the Video Privacy Protection Act (VPPA) in the digital age is not going away. On January 9, the Supreme Court denied certiorari in C.A.F. v. Viacom, Inc., declining to address the Third Circuit's June 2016 ruling that internet protocol (IP) addresses were not personally identifiable information (PII) protected under the VPPA and settle what some have characterized as a split with the First Circuit.

The VPPA was passed in 1988, following the publication of Supreme Court nominee Robert Bork's video rental records. It imposes civil liability on any "video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider." 18 U.S.C. 2710(b)(1). In re Hulu Privacy Litigation, a case before the Northern District of California, made it clear in 2012 that the VPPA applies in the digital realm and in the world of online content delivery such as the website Hulu.com.

Last year, in Yershov v. Gannett Satellite Information Network, Inc., the First Circuit concluded that the plaintiff had plausibly alleged a violation of the VPPA. The complaint alleged that when Gannett disclosed to Adobe the title of the videos viewed on Gannett's "USA Today Mobile App," GPS coordinates at the time of viewing, and unique identifiers associated with a device, Gannett knew that Adobe had the ability to link that information to a certain name by name, address and telephone number, and the disclosure of information was "reasonably and foreseeably likely to reveal" which videos the plaintiff had viewed. In other words, the First Circuit found GPS coordinates and unique device identifiers were PII under the VPPA based on the facts alleged.

Two months later, in June 2016, the Third Circuit addressed the VPPA for the first time and weighed in on the definition of PII. The plaintiffs are children under 13 years old who alleged that Viacom collected information about them when they used Nick.com, the website for children's television station Nickelodeon (owned by Viacom), and then provided the information to Google. The plaintiffs claimed that Viacom disclosed three data points about children who used Nick.com, which the court found central to the VPPA claim: IP address, browser settings and unique device identifier.

The Third Circuit concluded that "static digital identifiers" such as IP addresses were not PII under the VPPA and held that the statute's prohibition on the disclosure of PII applied only to "the kind of information that would readily permit an ordinary person to identify a specific individual's video-watching behavior." The court viewed the likelihood that Google would use anonymized data to identify individual children as "simply too hypothetical" and upheld the dismissal of the plaintiffs' complaint.

In the Third Circuit's view, its decision did not create a split with the First Circuit, and it distinguished Yershov as involving GPS coordinates, which it reasoned would more easily identify a specific person than an IP address, device identifier or browser fingerprint. Even if no true circuit split exists, the First and Third Circuits nevertheless appear to have divergent views on the scope of the PII. For example, the Third Circuit latched onto the language in the statute and its legislative history to support its conclusion that the VPPA could not be read to reach a "contemporary understanding of Internet privacy". In contrast, the First Circuit, after engaging in the same type of analysis, concluded that the definition of PII is arguably broader, noting that the definition of PII began with the word "includes"-implying a broader meaning- and also pointing to legislative history indicating that the "drafters' aim was ' to establish a minimum, but not exclusive, definition of personally identifiable information.'"

Both Circuits studiously avoided setting forth any bright-line rules. Notably, the Third Circuit included in a footnote that "even a numeric identifier might qualify as personally identifiable information, at least in certain circumstances." And for its part, the First Circuit acknowledged in Gannett that it remained to be seen whether the plaintiff could ultimately show that Adobe could foreseeably identify him. The Circuit explained that discovery would "enable a more refined, and possibly different, conclusion on the ultimate question of whether Gannett has violated the VPPA." Discovery is currently ongoing in the district court.

In the absence of a definitive Supreme Court ruling, the application of the VPPA's protections of PII will continue to evolve in the lower courts. In such circumstances, distributors of video content will be well served to continue to monitor legal developments, to ensure that they have systems in place that enable them to stay on top of the data collected and shared with third parties and, where necessary, to implement consent protocols. Third parties that receive PII and/or video viewing information similarly should determine whether VPPA is invoked by such sharing.