Google and Viacom’s Nick.com, Nickjr.com, and Neopets.com off the hook – for now
On July 2, 2014, New Jersey Federal District Judge Stanley R. Chesler dismissed six consolidated MDL class actions challenging Viacom’s and Google’s practice of installing cookies on personal computers that were used by children to access three Nickelodeon websites. According to Plaintiffs, Viacom allegedly used its cookies to collect personally identifiable information (PII) on the children in an anonymized format without user or parental consent. Viacom then allowed Google to access the data in Viacom’s “first-party” cookies, and also allowed Google to install its own “third-party” cookies. Plaintiffs—all of whom were under thirteen years of age—alleged this data collection and sharing violated federal, California, and New Jersey law, including the federal Video Privacy and Protection Act (VPPA), Wiretap Act, and Stored Communications Act (SCA), as well as the California Invasion of Privacy Act (CIPA) and the New Jersey Computer Related Offenses Act (CROA).
Judge Chesler dismissed most of plaintiffs’ counts against Viacom and Google with prejudice, but gave the plaintiffs leave to file an amended complaint against Viacom to address the few claims that remain, including the claim that Viacom violated the VPPA. That may be little solace to plaintiffs, however, as Judge Chesler found that PII has little-to-no monetary value for individuals, and that anonymized information collected from users that does not directly identify an individual or the contents of their communications can be shared.
Plaintiffs alleged that as part of the registration process for access to the Nickelodeon websites, plaintiff children created user profiles that included a user name, age and gender, to which Viacom then assigned a unique “Rugrat Code.” Plaintiffs further alleged that Viacom placed a cookie associated with the Rugrat Code on the children’s computers without consent, and collected information about their online activities and other information, such as IP addresses, computer and browser settings, and URL requests that contained names of video materials requested and obtained from Viacom’s websites. Viacom permitted Google to access the Viacom cookie information, as well as place its own third-party cookies on plaintiffs’ computers that assigned a separate unique identifier that collected similar information and “connected that information to” the Viacom cookie. While plaintiffs alleged Viacom and Google also were able to link online activity and information with offline activity and information, the court did not factor this allegation into its decision, as there were “simply no facts pleaded…which indicate when or how either Defendant linked the online information it collected with extra-digital information about the Plaintiffs.”
Standing and Injury
In addressing standing, the district court was skeptical that the collection of such user information had caused economic injury because “the [complaint] presupposes the proposition that Plaintiffs could sell their personal information if they wanted to because Viacom and Google might already do so. In the parlance of standing, this theory is ‘abstract or conjectural or hypothetical’ and therefore not ‘legally . . . cognizable.’” The court nonetheless allowed the suit to go forward because plaintiffs properly alleged a violation of a statutory right that protected user privacy, rendering the issue of monetary harm “superfluous.” This concept has been adopted by other courts that determined a violation of a statutory proscription on sharing information is itself sufficient to confer standing without the need to show actual injury, making the VPPA’s statutory damages an attractive target for the plaintiffs’ class action bar.
Video Protection and Privacy Act
Plaintiffs alleged that Viacom and Google violated the VPPA by knowingly disclosing PII concerning an “aggrieved” person within the meaning of the statute. The court disagreed with plaintiffs’ argument that the VPPA applies to anyone “in possession of personally identifiable information as a direct result of the improper release of such information.” Instead, the court found the plain reading of the VPPA makes clear that only video tape service providers (VTSPs) can be liable for violations of the VPPA. The court also held the VPPA contemplates civil actions only against VTSPs from which customers request “specific video materials or services.”
The court dismissed the VPPA claims against Google because plaintiffs did not (and could not) allege that Google is a VTSP. Instead Google was alleged to be “the global epicenter of Internet search and browsing activity” and “an enterprising online marketer.” The court also rejected a separate argument that Google’s ownership of YouTube made it a VTSP because “[t]he VPPA’s legislative history confirms that Google’s ownership of YouTube does not bring Google within the Act’s ambit in this case.”
With regard to the VPPA claims against Viacom, the court held that the information gathered by Viacom on its users—“anonymous user IDs, a child’s gender and age, and information about the computer used to access Viacom’s websites” – does not fit the VPPA’s definition of PII because “PII is information which must, without more, itself link an actual person to actual video materials.” As a consequence, PII does not include “anonymous information which may after investigation lead to the identification of a specific person’s video viewing habits.” Because none of the information Viacom collected—age, sex, anonymous username, IP address or the type of computer used—could, “without more” identify an actual, identifiable person, no PII was shared.
Importantly, the court did note that “this type of information might one day serve as the basis of personal identification after some effort . . . but the same could be said for nearly any type of personal information;” therefore the Court read the VPPA to presently “require a more tangible, immediate link” between the information collected and an actual, identifiable person. The fact that plaintiffs were minors was irrelevant, as VPPA’s provisions apply regardless of age. Because the plaintiffs did not allege violations of the federal Children’s Online Privacy Protection Act, a statute that does not include a private right of action, the FTC’s implementing rules and broad definition of “personal information,” which includes device identifiers, did not apply in the context of the VPPA.
Plaintiffs also alleged violations of the Wiretap Act – namely, that Viacom procured Google to intercept plaintiffs’ communications, that Google intentionally intercepted plaintiffs’ electronic communications via its third-party cookies, and that Viacom profited from the arrangement.
The court held these claims failed as a matter of law for two reasons. First, the Wiretap Act, as a “one-party consent” statute, allows a person to intercept electronic communications if he or she “is a party to the communication or where one of the parties has given prior consent to such interception.” The court found that all the communications were either directly between the defendants (or their cookies) and Plaintiffs’ computers, or intercepted with the express consent of websites like Viacom. Along these lines, plaintiffs’ contention that the Wiretap Act’s “criminal or tortious act” exception to the one-party consent rule applies must also fail, as courts have repeatedly found the exception applies “only where a defendant has ‘the intent to use the illicit record to commit a tort or crime beyond the act of recording itself.’”
Second, the communications allegedly intercepted did not constitute the “contents” of communications, as the Act requires. The court found that “contents” are defined as “information the user intended to communicate, such as the spoken words of a telephone call.” Conversely, PII “that is automatically generated by the communication is not ‘contents’ for purposes of the Wiretap Act.” As a result, an individual’s IP address or the URL he or she inputs “have less in common with ‘the spoken words of a telephone call’ than they do with the telephone number dialed to initiate the call.” Indeed, the court drew a distinction between a video title spoken over the phone as constituting the “‘substance, purport, or meaning’ of the call itself” and the physical location of the video contained in an intercepted URL. In the latter instance, the file path and video location information is less like content and “more akin to ‘identification and address information.’”
Stored Communications Act
Plaintiffs further claimed that defendants violated the Stored Communications Act (SCA), which permits suit against individuals who “intentionally accesses without authorization. . .a facility through which an electronic communication service is provided. . .and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while . . . [stored] in such a system.” Plaintiffs asserted that their personal computers should be regarded as “facilities” under the SCA, which the defendants unlawfully accessed by dropping cookies. Yet the District Court found that plaintiffs’ interpretation of the term cuts against the vast body of law that holds an individual’s PC does not constitute a “facility” under the SCA. Further, the court found plaintiffs’ SCA interpretation “does violence to the SCA’s user/provider dichotomy.” Moreover, if plaintiffs’ asserted meaning of “facilities” were read in conjunction with other provisions of the law allowing ISPs to access facilities, such a reading “would empower service providers to grant access to their users’ personal computer’s [sic] without such users’ authorization.”
State Law Claims
Plaintiffs also alleged violations of California and New Jersey state law, all of which were dismissed by the district court. Plaintiffs first alleged that defendants violated the California Invasion of Privacy Act (CIPA), which makes it a crime to “learn the contents or meaning of any message, report, or communication while the same in transit or passing over any wire, line or cable” without the consent of all the parties to the communication, and allows for injured parties to bring a civil action. Plaintiffs alleged Google and Viacom violated CIPA when Viacom served as the conduit for Google to place its third-party cookies and intercept plaintiffs’ communications. Turning back to its Wiretap Act analysis, the District Court concluded that “URLs and IP address are not properly considered ‘contents’ in the wiretapping context.” As a consequence, “whatever Google or Viacom allegedly do with the Plaintiffs’ online information after it is intercepted has no bearing upon the question of whether that information could properly be considered ‘contents’ at the time of interception.”
The court also rejected plaintiffs’ unjust enrichment claim, holding that it is not an independent cause of action. Although plaintiffs further alleged that defendants received a benefit from the information gathered from plaintiffs, the court noted that “receipt of a benefit by a defendant and conferral of a benefit by a plaintiff are two different things, and it is simply not reasonable for a consumer – regardless of age – to use the [I]nternet without charge and expect compensation because a provider of online services has monetized that usage.”
Finally, the court dismissed, without prejudice, plaintiffs’ claims relating to the New Jersey Computer Related Offenses Act, and the common law claim of “intrusion upon seclusion,” giving plaintiffs 45 days to amend their complaint.
To overcome the deficiencies in their state law claims, plaintiffs will have to allege facts that demonstrate some business or property damage caused by defendants’ actions, and an intrusion that would be “highly offensive to a reasonable person.” But it is unlikely that they will bother with state law claims that don’t afford any statutory damages. Instead, plaintiffs will have to allege facts that support Viacom’s disclosure of “identifiable” information under this court’s guidance, or hope that an appellate court buys plaintiffs’ broad definition of “personally identifiable information.” While neither seems likely today, based on existing caselaw, the pot of gold at the end of the rainbow that statutorily affords $2,500 per violation will likely keep the plaintiffs’ bar trying.