Another court has contributed to the ongoing debate over the scope of the term “personally identifiable information” under the Video Privacy Protection Act – a statute enacted in 1988 to protect the privacy of consumers’ videotape rental and purchase history but lately applied to the modern age of video streaming services and online video viewing. Generally speaking, the term “personally identifiable information” (or PII) is not limited to only disclosure of a consumer’s name, but courts and litigants have wrestled over how to define the scope, particularly with respect to the disclosure of digital identifiers such as Android or Roku device IDs or other tracking information stored by website cookies. This past week, the Third Circuit ruled that certain digital identifiers collected from web users did not qualify as PII under the statute.
In In re: Nickelodeon Consumer Privacy Litig., No. 15-1441 (3d Cir. June 27, 2016), the plaintiffs alleged, among other things, that Viacom and Google unlawfully used cookies to track children’s web browsing and video-watching habits on Nickelodeon websites for the purpose of selling targeted advertising. More specifically, the plaintiffs asserted that Viacom disclosed to Google URL information that effectively revealed what videos minor users watched on Nickelodeon’s websites, and static digital identifiers (i.e., IP addresses, browser fingerprints, and unique device identifiers) that purportedly enabled Google to link the watching of those videos to the users’ real-world identities. In short, the PII at issue in this case was a user’s IP address, browser fingerprint (i.e., a user’s browser and operating system settings that can present a relatively distinctive digital “fingerprint” for tracking purposes), and a unique device identifier (i.e., an anonymous number linked to certain mobile devices). Using these points of data, the plaintiffs claim that Google and Viacom could link online and offline activity and identify specific users.
The Third Circuit affirmed the dismissal of the VPPA claims against Google and Viacom (but allowed a state privacy claim to continue against Viacom, ruling that such a claim was not preempted by the Children’s Online Privacy Protection Act (COPPA)).
The appeals court made two important holdings regarding VPPA liability:
- Plaintiffs may sue only a person who discloses PII, not an entity that receives such information; and
- The VPPA’s prohibition on the disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior. As such, the kinds of disclosures at issue in the case, including digital identifiers like IP addresses and browser fingerprints, fall outside the Act’s protections.
Subject to certain exceptions, the VPPA prohibits “video tape service providers” from knowingly disclosing, to a third-party, “personally identifiable information concerning any consumer.” 18 U.S.C. §2710(b). Video tape service provider means “any person, engaged in the business… of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” 18 U.S.C. § 2710(a)(4). The term “personally identifiable information” includes “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. §2710(a)(3).
As to the claim against Google, the plaintiffs abandoned their earlier argument that Google was a “video tape service provider” and instead contended that the VPPA extends liability to both providers who disclose personally identifiable information and the person who receives that information. Despite some statutory ambiguity, the Third Circuit agreed with sister courts in stating that liability is limited to the prohibition against disclosure of PII, not to the receipt of PII. Thus, since Google is not alleged to have disclosed any information, the court affirmed dismissal of the VPPA claim against it.
The core of the opinion discusses the claim against Viacom and whether the definition of PII extends to the kind of static digital identifiers allegedly disclosed by Viacom to Google. Numerous district courts have grappled with the question of whether the VPPA applies to certain anonymous digital identifiers. The plaintiffs urged a broad interpretation akin to the recent interpretation of the VPPA by the First Circuit, which held that the disclosure of a user’s Android ID + GPS data + video viewing information qualified as PII under the VPPA. Viacom, by contrast, argued that static digital identifiers, such as IP addresses or browser fingerprints, are not PII because such data, by itself, does not identify a particular person. The parties’ contrary positions reflect a fundamental disagreement heard in courts across the country over what kinds of information are sufficiently “personally identifying” for their disclosure to trigger liability under the VPPA.
While admitting that the phrase “personally identifiable information” in the statute is not straightforward, the court agreed with Viacom’s narrower understanding and followed the majority view in holding that the Act protects personally identifiable information that identifies a specific person and ties that person to particular videos that the person watched:
“The allegation that Google will assemble otherwise anonymous pieces of data to unmask the identity of individual children is, at least with respect to the kind of identifiers at issue here, simply too hypothetical to support liability under the Video Privacy Protection Act.”
In the court’s view, PII means the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior, but should not be construed so broadly as to cover the kinds of the static digital identifiers at issue. The court recognized that other, more concrete disclosures based on new technology, such as geolocation data or social media customer ID numbers, can suffice, in certain circumstances, to qualify under the statute, but that the digital identifiers in the instant case were simply “too far afield” to trigger liability.
The court recognized that its holding failed to provide an easy test for other courts to apply in subsequent cases:
“We recognize that our interpretation of the phrase ‘personally identifiable information’ has not resulted in a single-sentence holding capable of mechanistically deciding future cases. We have not endeavored to craft such a rule, nor do we think, given the rapid pace of technological change in our digital era, such a rule would even be advisable.”
Despite the appeals court’s narrow reading of the scope of liability under the VPPA, the decision leaves some unanswered questions about what kinds of disclosures violate the statute. The question over what combination of digital identifiers crosses the line into PII under the statute remains an emerging issue. Companies that deliver video to users via online or mobile platforms should continue to be vigilant about knowing what kinds of personal information and tracking data they collect and what is shared with third parties, including ad networks or data analytics companies. Indeed, the court cautioned companies in the business of streaming digital video “to think carefully about customer notice and consent.”