In a decision that clarified aspects of the video privacy landscape, the Ninth Circuit affirmed the dismissal of an action alleging a violation of the Video Privacy Protection Act (VPPA) based on an assertion that ESPN’s WatchESPN Roku channel had shared a user’s Roku device number and video viewing history with a third-party analytics company for targeted advertising purposes. (Eichenberger v. ESPN, Inc., No. 15-35449 (9th Cir. Nov. 29, 2017)). The appeals court found that such a disclosure of a device identifier did not constitute “personally identifiable information” (PII) under the VPPA. In doing so, the court declined to take a broad interpretation of the 1980s era statute originally aimed at video stores, but which in recent years has been applied to online video streaming services and mobile and video streaming apps.

What makes this decision particularly noteworthy is that it provides some additional stability to the unsettled legal landscape surrounding the scope of liability under the VPPA. For example, the First Circuit has held that PII extends beyond a person’s name to include “information reasonably and foreseeably likely to reveal which . . . videos [the plaintiff] has obtained”; on the other hand, the Third Circuit has held that PII means the kind of information that would “readily permit an ordinary person to identify a specific individual’s video-watching behavior,” but should not be construed so broadly as to cover the static digital identifiers. The Ninth Circuit was persuaded by the Third Circuit’s more narrow construction – focusing on what is actually being disclosed by the provider and whether an ordinary person could use it to identify an individual, as opposed to whether a third party could take such data and identify an individual using outside resources. The ruling likely gives some solace to media companies in the OTT and streaming video space that subsidize video content with targeted ads.

In Eichenberger, the plaintiff alleged that the defendant disclosed to a third-party analytics company his Roku device ID and video viewing history related to sports content streamed on the WatchESPN Channel. In bringing a claim under the VPPA, plaintiff argued that defendant disclosed his PII because ESPN allegedly knew that the analytics company could and would use that information to identify him for data profiling and targeted advertising purposes. Defendant countered that the viewer data disclosed to third parties was merely device identifying information and could not be considered PII. The lower court agreed and dismissed the action, and this past week, although finding the plaintiff had standing under Spokeo, the Ninth Circuit affirmed.

For companies involved in streaming video content, the Eichenberger decision places an important limitation on the scope of VPPA liability. However, before operators of streaming apps rest too easily, the court’s brief opinion noted important potential boundaries that could be crossed in future disputes. First, as noted above, other Circuits have taken a broader view of the issue than the Ninth Circuit. Also, while the Eichenberger court deemed the collected data in this case not PII, it is not clear under the current state of the law when certain disclosures of consumer PII cross the line under the VPPA – every case is different, depending on the technologies and data collection practices at issue. Indeed, as the Ninth Circuit noted in dicta, “modern technology may indeed alter—or may already have altered—what qualifies under the statute” and one could imagine other disclosures beyond a consumer’s name and address that may also count as PII, such as an individual’s name and birthday, email address or, as previously litigated in the First Circuit, data including mobile GPS coordinates.

Regardless, with the growth of programmatic advertising and dynamic ad insertion during OTT viewing, there will likely be future video privacy disputes involving streaming devices, smart televisions or even new generation set-top boxes.