Two significant decisions under the Video Privacy Protection Act (VPPA) in recent weeks have provided new defenses to companies alleged to have run afoul of the statute. Bringing the long-running litigation against Hulu to a close—at least pending appeal—the court in In re: Hulu Privacy Litigation granted summary judgment in favor of Hulu, holding that the plaintiffs could not prove that Hulu knowingly violated the VPPA. A week later in a more recently filed case, Austin-Spearman v. AMC Network Entertainment, LLC, the court dismissed the complaint on the basis that the plaintiff was not a “consumer” protected by the VPPA. Both rulings provide comfort to online content providers, while also raising new questions as to the scope of liability under the VPPA.
In re: Hulu Privacy Litigation
In a decision with wide-ranging implications, the Hulu court granted summary judgment against the plaintiffs, holding that they had not shown that Hulu knowingly shared their video selections in violation of the VPPA. The plaintiffs’ allegations were based on Hulu’s integration of a Facebook “Like” button into its website. Specifically, the plaintiffs alleged that when the “Like” button loaded on a user’s browser, Hulu would automatically send Facebook a “c_user” cookie containing the user’s Facebook user ID. At the same time, Hulu would also send Facebook a “watch page” that identified the video requested by the user. The plaintiffs argued that Hulu’s transmission of the c_user cookie and the watch page allowed Facebook to identify both the Hulu user and that user’s video selection and therefore violated the VPPA.
The plaintiffs’ case foundered, however, on their inability to demonstrate that Hulu knew that Facebook’s linking of those two pieces of information was a possibility. According to the court, “there is no evidence that Hulu knew that Facebook might combine a Facebook user’s identity (contained in the c_user cookie) with the watch page address to yield ‘personally identifiable information’ under the VPPA.” Without showing that Hulu had knowingly disclosed a connection between the user’s identity and the user’s video selection, there could be no VPPA liability.
The court’s decision, if upheld on appeal, is likely to provide a significant defense to online content providers sued under the VPPA. Under the decision, plaintiffs must now be able to show not only that the defendant company knew that the identity and video selections of the user were disclosed to a third party, but also that the company knew that that information was disclosed in manner that would allow the third party to combine those pieces of information to determine which user had watched which content. While Hulu prevailed only at the summary judgment stage after four years of litigation, other companies could likely make use of this same rationale at the pleadings stage, insisting that plaintiffs set out a plausible case in their complaint that the defendant had the requisite level of knowledge.
Austin Spearman v. AMC Network Entertainment
The AMC decision turned on the VPPA’s definition of the term “consumer” and illustrated how that seemingly innocuous definition could limit the scope of the statute. The VPPA provides liability only for disclosing the personally identifiable information of a “consumer,” which the statute defines as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” The plaintiff, who had not paid AMC for any of the content she had viewed (and thus presumably did not qualify as a “renter” or “purchaser”) argued that she qualified as a “subscriber” and thus fell within the VPAA’s protections. The court disagreed, holding that the term “subscriber” requires “a deliberate and durable affiliation with the provider.” The plaintiff, who had not signed up, registered an account, established a user ID, downloaded an app or “taken any action to associate herself with AMC,” failed to qualify according to the court.
In so holding, the court rejected the plaintiff’s argument that her use of AMC’s streaming service, thereby providing AMC with “access to the cookies installed on her computer,” made her a “subscriber” and therefore a “consumer” under the VPPA. The court reasoned that such a broad meaning of “subscriber” would render meaningless the statute’s limitation that only the disclosure of information about “consumers” is restricted.
If followed by other courts, the AMC court’s reasoning has the potential to narrow the scope of VPPA liability for online content providers. Viewers who have not registered for the provider’s service, downloaded the provider’s app or taken similar actions would be excluded from the ranks of potential VPPA plaintiffs. As noted by the court in allowing the plaintiff to amend her complaint, however, the definition of what it means to be a subscriber is by no means firmly established: the plaintiff was given leave to amend on the basis that she had subscribed to an AMC newsletter that was completely unrelated to her online video viewing. Given this uncertainty, online content providers should continue to treat every user as a “consumer” and a potential VPPA plaintiff.