Privacy litigation continues to expand and courts are allowing more cases to gain traction.  An example is HULU’s efforts to defeat claims regarding its knowing disclosure of user information to Facebook, the In re HULU Privacy Litigation case, which is now entering its fourth year.  HULU’s exposure is consistent with many companies which commonly utilize Facebook as part of their online social media advertising strategy.

HULU, a well-known online video streaming service, has been engaged in litigation with users claiming that HULU violated its users’ privacy rights and federal privacy law by sharing information about the titles they viewed without consent. The HULU court narrowed the initial complaint by dismissing allegations, other than those that HULU transmitted user information to another website and denied the plaintiffs’ request for class-action status. Despite these wins, HULU was unable to persuade the court that the federal law – the Video Privacy Protection Act, a 1988 law prohibiting movie rental companies from disclosing information about which videos people watched – applied to online video streaming services.

The HULU case sets the stage for the court to decide whether HULU violated users’ privacy rights by transmitting information about users to Facebook via the “Like” button. The plaintiffs’ claims include the allegation that between April 2010 and June 2012, the Like button was configured so that it transmitted the titles of the videos users watched to Facebook’s servers regardless of whether the user clicked the Like button indicating that the user liked the clip.

U.S. District Judge Laurel Beeler tossed most of those claims in April of last year, while leaving intact the current disagreement because “the information provided to Facebook was not anonymous and could identify the users.” In its pleadings, “HULU does not dispute that its (1) placement of the Like button, Facebook cookies, and its routine requests for Facebook to determine users’ logged-in status; and (2) subsequent transfer of personally identifiable information to Facebook, were voluntary.” HULU thus far has unsuccessfully argued that any identifying information accessed through the presence of the Like button on the Facebook site is all on Facebook, who control the end use of the data.  Although HULU said Facebook controls the content and the function of the cookie while HULU’s only input involves where the button is placed and where it obtains the code, those points have not carried the day to date.

HULU’s battle with its users over privacy of their information illustrates the challenges and risks associated with new media and why all companies must understand the information they may transmit to third parties.  The teaching point here is that companies should be aware that privacy laws enacted to resolve issues related to the transmission of information in older mediums may be applied to transmission of the information in new media formats.

Courts, like in the HULU case, are interpreting the applicability of privacy laws more broadly. Accordingly, companies should audit their systems regularly and implement privacy and security policies that protect user information. Companies without comprehensive privacy and security programs should work to create and implement policies and procedures. Industries should also try, through trade organizations, to establish recognized standards of care regarding protection of personally identifiable information.