The Video Privacy Protection Act of 1988 (“VPPA”) bars a “video tape service provider” from knowingly disclosing “personally identifiable information concerning any consumer of such provider.” 18 U.S.C. § 2710(b)(1). Congress passed the VPPA after Robert Bork’s video rental history was published during his Supreme Court nomination. While the VPPA was originally intended to apply to physical video rentals, creative plaintiffs have used the statute to sue new media companies in connection with data sharing practices.
On November 27, 2017, the Ninth Circuit affirmed the dismissal of one such complaint against ESPN. Eichenberger v. ESPN, Inc., No. 15-35449, 2017 WL 5762817 (9th Cir. Nov. 29, 2017). The Eichenberger case concerned ESPN’s Roku channel. The plaintiff alleged ESPN would send the consumer’s Roku device serial number along with viewing data to Adobe Analytics. ESPN used the Adobe service to gain insights into its viewership and hence to produce more engaging content and increase ad sales. Plaintiff alleged that Adobe had the ability to match up the data provided by ESPN with other data from a broad spectrum of sources to enable it to identify him personally.
ESPN moved to dismiss the VPPA claim on two grounds. First, ESPN argued the plaintiff lacked Article III standing under Spokeo because the allegedly offending data was never used for any harmful purpose. And second, ESPN argued the data it provided to Adobe was not “personally identifiable information” as that term is used in the VPPA.
The court easily rejected ESPN’s standing argument. The VPPA created a substantive right to be free from unwarranted disclosure of one’s video viewing habits. The court held Article III standing to exist any time data was disclosed in violation of the VPPA; “every disclosure of an individual’s [PII] and video-viewing history offends the interests that the statues protects.” Id. at *2 (court’s emphasis). The VPPA was not a mere procedural mechanism that could be violated without impinging on any substantive rights of the consumer, such as the FCRA. See Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016). The court pointed out that if a VPPA plaintiff had to demonstrate a grievance over and above the mere fact of disclosure (embarrassment, or other negative repercussions) then the statute would not even apply to the episode the VPPA was enacted in response to – the disclosure of Robert Bork’s utterly harmless video rental viewing history. Id. at n. 2.
The more interesting issue in the case was whether the plaintiff could allege that ESPN had disclosed “personally identifiable information.” ESPN argued that the Roku device number and the viewing history, standing alone, could not service to personally identify anyone. The Ninth Circuit first noted that the term must include more information than that which, by itself, identifies an individual as having watched certain videos. Instead, “personally identifiable information” “covers some information that can be used to identify an individual.” Id. at *4 (court’s emphasis).
But that left open the question of what Congress intended to cover as “capable of” identifying an individual.” Id. at *4. The court adopted the Third Circuit’s “ordinary person” test, to wit: the term PII includes only information that “readily permit[s] an ordinary person to identify a specific individual’s video-watching behavior.” Id. at *4 (quoting In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 284 (3rd Cir. 2016)). The court found this test to offer better guidance to firms than the First Circuit’s definition of PII as “information reasonably and foreseeably likely to reveal which videos a person has obtained.” Id. at *3 (quoting Yershov v. Gannet Satellite Info. Network, Inc., 820, F. 3d 482 (1st Cir. 2016)). When the VPPA was enacted in the 80s, there was no real question what data was “personally identifiable information.” Due to the complexity of the internet, the dazzling array of tools available for data analytics, and the vast scope of online data available, there are now endless ways that a firm could use data analytics to personally identify someone. Thus, it would be inconsistent with the statute’s ban on “knowing[ ] disclos[ure]” of PII to allow the definition of that term to turn on what another party could potentially do with that data. “[T]he statute views disclosure from the perspective of the disclosing party. It looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it. As a result, ‘personally identifiable information’ must have the same meaning without regard to its recipient’s capabilities. Holding otherwise would make the lawfulness of a disclosure depend on circumstances outside of a video service provider’s control.” Id. at *4 (citation and quotations omitted). This, the court held, would deprive firms of any real guidance on how to comply with the VPPA.
The “ordinary person” test for PII makes good sense and the Ninth Circuit was wise in adopting it. The test helps prevent the VPPA from prohibiting technologies that do not involve any risk of an actual human learning of a consumer’s viewing history. The standard also prevents the VPPA from unduly interfering with data-intensive businesses. If the test for PII turned on a third-party’s use of data, the threat of VPPA liability could create significant new transactions costs while parties negotiated the manner in which the data could be utilized. The end result could stifle the creative use of data with less relevant content for consumers. At the same time, the test also has the flexibility to assess technologies that “ordinary” people could use to personally identify a consumer – GPS data specifying the location of someone’s home or office – even though those technologies did not exist at the time Congress enacted the VPPA.