Two recent federal district court rulings regarding the Video Privacy Protection Act (VPPA) follow the emerging trend of decisions indicating that courts are reluctant to find violations of the VPPA for sharing anonymous identification markers with third parties (see May 5, 2014 blog post; June 20, 2014 blog post).
On January 20, 2015, a district court judge in New Jersey dismissed with prejudice a VPPA action against Viacom, Inc. (“Viacom”), holding that disclosure of anonymous user information to Google, Inc. (“Google”) was not actionable because such information did not constitute “personally identifiable information” (“PII”) as defined under the VPPA.
In In re Nickelodeon Consumer Privacy Litigation, plaintiffs alleged that Viacom operated websites for children, and encouraged users to create personal profiles on them. Viacom then assigned each user a code name, and collected certain information about each user, including gender and birthday. Viacom also placed cookies on a user’s computer, and allowed Google to place similar cookies, that collected further information, such as IP address, device and browser settings, and web traffic. On these websites, users were able to stream videos and play games, and a record was created of the name of each video each user played. Plaintiffs alleged that Viacom shared this information with Google, and both Viacom and Google used the information to target advertising at the user. Plaintiffs claimed that this practice of sharing information without users’ consent violates the VPPA.
The court found that nothing in the VPPA or its legislative history suggested that PII included anonymous user IDs, gender and age, or data about a user’s computer. Plaintiffs argued that Google, because it already had so much general information at its disposal, could use the information garnered from Viacom to ascertain personal identities. The court disagreed, confirming that PII is information which must, without more, itself link an actual person to actual video materials. Because the user information Viacom disclosed was not PII, no violation of the VPPA occurred, and the court dismissed the claim with prejudice.
Similarly, on January 23, 2015, a district court judge in Georgia dismissed with prejudice a VPPA action against Dow Jones & Company, Inc. (“Dow Jones”), holding that the disclosure of the plaintiff’s Roku device serial number was not actionable because the Roku device serial number did not qualify as PII.
In Locklear v. Dow Jones & Company, Inc., the plaintiff alleged that she downloaded and began using the Wall Street Journal Live Channel (“WSJ Channel”), offered by Dow Jones & Company, Inc. (“Dow Jones”), on her Roku device. Each time plaintiff viewed a video clip using the WSJ Channel, Dow Jones disclosed without her consent her anonymous Roku device serial number and video viewing history to mDialog, a third-party analytics and advertising company. mDialog, using demographic data from Roku and other such entities, was able to identify plaintiff and attribute her video records to her. Plaintiff alleged that this practice violated the VPPA.
The court dismissed the case with prejudice, finding that the Roku device serial number did not qualify as PII. Declaring the fact pattern indistinguishable from that presented in Ellis v. Cartoon Network, Inc. (see October 13, 2014 blog post), the court again defined PII as information which must, without more, itself link an actual person to actual video materials. Because mDialog had to take further steps, by turning to other sources beyond Dow Jones, to identify the user, Dow Jones’s disclosure of plaintiff’s anonymous Roku device serial number did not constitute a violation of the VPPA.
These rulings continue to demonstrate that courts are unwilling to enlarge the scope of the VPPA to include sharing anonymous identification numbers or code names alone. Nevertheless, companies utilizing unique device identifiers in connection with video materials should use caution it what information it shares with others.