By Katie W. Johnson
May 1 --Material issues of fact preclude summary judgment for online video content provider Hulu LLC on putative class claims that it disclosed consumers' personal identification information and video viewing selections to social network Facebook Inc. in violation of the Video Privacy Protection Act, the U.S. District Court for the Northern District of California ruled April 28.
It is unclear “whether the disclosure of the video name was tied to an identified Facebook user such that it was a prohibited disclosure under the VPPA,” Magistrate Judge Laurel Beeler said.
But Hulu's disclosures to metrics company comScore Inc. “were anonymous disclosures that hypothetically could have been linked to video watching,” which “is not enough to establish a VPPA violation,” the court said.
In light of this ruling, on any Web pages where a company has videos, it needs to understand what information is being shared, Christin McMeley, a partner at Davis Wright Tremaine LLP, in Washington, told Bloomberg BNA May 1. If information is being shared with third parties, the company should establish contractual limitations about the use of the information, she said.
“The device or user identifier linked to content should not be easily re-identifiable by the third party, in addition to use restrictions,” she added.
In 2011, consumers filed a complaint on behalf of a proposed class against Hulu and its Web analytics partner, alleging that the companies secretly tracked consumers' Web browsing activities . The plaintiffs later voluntarily dismissed their claims against the Web analytics company, which ultimately settled similar claims in separate case .
The court dismissed all but the plaintiffs' VPPA claims against Hulu in June 2012 and several months later denied Hulu's motion to dismiss after concluding that the VPPA covers online video streaming services .
In December 2013, the court denied Hulu's motion for summary judgment, ruling that Hulu customers don't need to show an additional injury beyond the company's alleged wrongful disclosure of their personal information to third parties .
Hulu again moved for summary judgment. The court granted the motion as to the comScore disclosures but denied it as to the Facebook disclosures.
The VPPA, 18 U.S.C. § 2710, prohibits a “video tape service provider” from knowingly disclosing a consumer's personally identifiable information, which “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”
According to the plain language of the VPPA and its legislative history, “the statute protects personally identifiable information that identifies a specific person and ties that person to particular videos that the person watched,” the court concluded. The VPPA doesn't require a name, it added.
The statute, its legislative history and case law also “support the conclusion that a unique anonymized ID alone is not PII but context could render it not anonymous and the equivalent of the identification of a specific person,” the court said.
But a unique identifier alone doesn't violate the VPPA, the court held.
According to the ruling, a unique identifier doesn't “necessarily” violate the VPPA, but it can violate the VPPA if it is “easily re-identifiable,” McMeley said.
Hulu allegedly disclosed to comScore a “watch page” URL, which contained the video name and the user's unique Hulu user ID. But there is no evidence that comScore used that information to look up a user's Hulu profile page, the court said.
Hulu also allegedly sent comScore a “comScore ID” or cookie that was unique to each user, which might allow the metrics company to combine a Hulu user's information with information gathered from other websites, the court said.
Although “substantial tracking” of users may have occurred with these cookies, there is no genuine issue of material fact that the tracking revealed a specific person and the videos he or she watched, the court said.
To load a Facebook Like button on Hulu's website, Hulu allegedly sent Facebook the watch page with the video name embedded, a user's IP address, a cookie that identified the browser and two cookies that identified the Facebook user. This information was sent to Facebook at the request of Hulu and not the Hulu user, the court clarified.
Although the transmission of this information together might reveal what the Hulu user watched and who he or she is on Facebook, there are material issues of fact concerning whether the information sent to Facebook was adequate to identify a consumer and constituted PII, the court said.
“In addition, the record is not developed enough for the court to determine as a matter of law whether Hulu knowingly disclosed information or whether Hulu users consented to the disclosures,” the court said.
Parisi & Havens LLP; Azita Moradmand in Woodland Hills, Calif.; KamberLaw LLC; Strange & Carpenter; and Joseph H. Malley in Dallas represented the named plaintiffs. O'Melveny & Myers LLP and Covington & Burling LLP represented Hulu.
To contact the reporter on this story: Katie W. Johnson in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/In_re_Hulu_Privacy_Litig_No_311cv03764LB_2014_BL_120236_ND_Cal_Ap.
To view additional stories from Privacy & Security Law Report® register for a free trial now