Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Christin S. McMeley and John D. Seiver
Christin S. McMeley is a partner in Davis Wright Tremaine LLP's Washington office and chair of the firm's Privacy and Security practice. She advises companies in various industries in privacy compliance, information governance, data security, public policy and regulatory matters. Prior to her work at Davis Wright Tremaine, McMeley was the chief privacy officer and deputy general counsel at Charter Communications Inc.
John D. Seiver is of counsel in Davis Wright Tremaine's Washington office, where he practices communications law. His work in the privacy arena includes drafting, counseling and litigating online and video advertising privacy policies; Video Privacy Protection Act compliance; subscriber agreements; acceptable use; customer proprietary network information; and privacy policies for Internet access services and websites.
The Video Privacy Protection Act (the VPPA or the Act) was enacted in 19881 in response to a newspaper profile in the Washington City Paper about Judge Robert H. Bork, nominee to the U.S. Supreme Court. In researching his article, the City Paper reporter walked into a local videotape rental store and asked the clerk for a list of the titles that the Bork family had rented. The article listed the titles (nothing shocking or possibly significant) but concluded by wondering what some other well-known politicians—such as former Sen. Ted Kennedy (D-Mass.), Vice President Joe Biden, former Sen. Bob Dole (R–Kan.) and former New York Governor Mario Cuomo (D)—were watching.2 In short order, Senator Biden authored and Congress passed the new privacy legislation, which resembled other recently enacted privacy statutes of the time.3 Yet the VPPA bore marked differences as well, including a more narrow exception for permitted disclosures and higher statutory damages than were available through the private rights of action in those other privacy laws. Today, these provisions have become the fodder for a number of class action suits, with the plaintiffs' class action bar twisting a statute drafted in the context of VHS cassette tapes into something of a digital media quagmire. Here, we take a look at the statute in its entirety, the challenges it presents in today's online video environment, the cases that have addressed these challenges and the issues that have yet to be resolved.
The VPPA prohibits any “video tape service provider” (VTSP) from “knowingly” disclosing “personally identifiable information” of a “consumer of such provider” except in narrow and clearly defined circumstances, which may include disclosures made with the affected consumer's consent or in the “ordinary course of business.”4 The VPPA provides a civil cause of action to “[a]ny person aggrieved” by a violation.5 A successful plaintiff is entitled to recover liquidated damages in an amount of $2,500 or actual damages that exceed $2,500, as well as punitive damages and reasonable attorney's fees.6 The combination of a broad VTSP definition with narrow disclosure exceptions and strict consent requirements, coupled with significant statutory damages and an ever-increasing amount of online videos, has led to a dramatic increase in VPPA class action litigation.
In early 2013, President Barack Obama signed the VPPA Amendments Act of 2012 (the VPPA Amendments), which was designed to streamline the process for consumers to share data regarding their video viewing activities.7 Prior to the VPPA Amendments, the statute required VSTPs to obtain the informed, written consent of consumers at the time each disclosure of their personally identifiable information (PII) was to be made. As such, providers such as Netflix Inc. lobbied that they were largely unable to secure the type of ongoing customer consent necessary to provide certain social media features—such as Facebook integration—that were available to users outside the U.S.
The VPPA Amendments were intended to make obtaining the requisite customer consent much easier by allowing consumers to consent to disclosures via electronic means over the Internet, such as by clicking on a “like” button; and, if the consumer so chooses, to grant consent for all disclosures in advance for up to two years. Despite the changes to make consent easier to obtain in the online environment, one of the more prominent and ongoing VPPA cases directly relates to the online sharing of Internet uniform resource locators that contain the titles of video clips and are shared through social media plug-ins.
As this case and others progress, we gain insight into how far some judges are willing to extend the statute. But we also get a sense of how judges may balance the broader application of the statute with new methods of business support and operations that are required in the ordinary course of business. Below are some of the issues that have been identified and addressed, as well as some thoughts as to what we can expect to see in the future and steps online publishers can take to protect themselves from liability under the expanding statute.
The VPPA defines a VTSP, in relevant part, as any “person engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials . . . .”8 Now that video cassette tapes have become essentially obsolete in contemporary America, courts have consistently interpreted “similar audio visual materials” to include not just the video cassette replacement—DVDs—but online, streaming video services.9 Indeed, the VPPA Amendments were passed to allow consumers to share their video “likes” with social networks in compliance with the Act, and the accompanying House and Senate reports recognized that “the Internet has revolutionized how consumers rent and watch movies and television programs.”10
If we concede that the VPPA does apply to online video, still to be decided is: How far does this extend? While movies and television programs are clearly referenced in the legislative history, will courts find that covered “audio visual materials” also include movie trailers, video advertisements and home videos? Plaintiffs have already targeted the Wall Street Journal and CNN, alleging VPPA violations related to the sharing of video clips. While both defendants have moved to dismiss on a variety of bases—including arguments that no PII was shared, that the plaintiffs are not “consumers” and the failure of plaintiffs to allege actual injury—it is clear that plaintiffs will assert an expansive reading of “audio visual materials.”11
Any online publisher who displays video of any type should take care to limit the information shared with third parties.
Any online publisher who displays video of any type should take care to limit the information shared with third parties. If possible, only share de-identified information with such third parties. If PII is shared, only share with business service providers who fall within the VPPA's limited “ordinary course of business” exception or one of the VPPA's other permissible uses. Finally, when sharing any information with service providers or business partners, contractually limit their use of the data collected from the publisher's site or application and, if de-identified, prohibit the re-identification of any unique identifiers.
If the definition of consumers under the VPPA was limited to those individuals who subscribed to and paid for services, it would arguably be a universe more within a company's control. However, under at least one interpretation of the term, “consumer” has been defined to include any visitor to a website who viewed video content, when cookies tracked their information, regardless of whether they were logged in as a registered user.12 Furthermore, it was not necessary for the “consumer” to pay for service.13
It is unclear whether all courts will adopt this expansive definition, but it may not matter if a publisher can successfully argue it didn't collect PII or “knowingly” disclose it to third parties without the appropriate consent14 or for one of the permissible uses. Further, problems associated with ascertaining a class of online users may be insurmountable, as discussed below.
The VPPA defines “personally identifiable information” as “includ[ing] information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”15 Based on the use of the word “includes” in the definition, plaintiffs continue to argue for an expansive reading of this definition and cite to definitions of PII in other contexts, such as standards set for federal government agencies and contractors in the National Institute of Standards and Technology guidelines or the definition of “personal information” as set forth in the Children's Online Privacy Protection Act (COPPA).16 Plaintiffs' complaints often try to obfuscate the PII issue by referring to standard online advertising mechanisms that may be able to link to or track the user of a device, but that do not actually identify who the user is. Moreover, plaintiffs often confuse terms, such as “anonymous” and “de-identified,” that are drawn from online privacy policies, again failing to recognize that de-identified data can reveal a detailed profile without actually identifying who the user is, such that re-identification of an individual requires additional effort.
To date, plaintiffs' analogies to the definition of personal information under COPPA—a definition that includes persistent identifiers—have been rejected, with the explanation that the “[p]rotection of children online implicates different privacy concerns and resulted in broader definitions of personal information.”17 Moreover, courts have maintained a fairly restrictive view that PII “must identify a specific person and tie that person to video content that the person watched in order to violate the VPPA,” and that the disclosure of a unique identifier, without more, does not violate the VPPA.18 However, federal district courts in the Northern District of California, the District of New Jersey and the Northern District of Georgia have found that PII can be more than just names and addresses; providing enough information about a person that would easily permit identification may not withstand scrutiny (such as a picture or the log-in credentials for a user's account that is maintained by the third party).19 The In re Nickelodeon Consumer Privacy Litig. court, however, applied a more limiting view, and held that PII does not include “anonymous information which may after investigation lead to the identification of a specific person's video viewing habits,” intimating that even if the third party could have ultimately re-identified an individual, there could be no actionable disclosure of PII without evidence (or at least allegations) that the disclosed information provides “a tangible, immediate link” to “an actual, specific human being.”20 This battle may be escalating to a U.S. Court of Appeals now, as the plaintiff in Ellis v. Cartoon Network, Inc. has asked the U.S. Court of Appeals for the Eleventh Circuit to revive his dismissed class action against the Cartoon Network.21
Without a bright line for determining exactly what constitutes PII, online publishers will have to determine whether non-aggregated consumer information could be easily linked to an individual before sharing with third parties.
Without a bright line for determining exactly what constitutes PII, online publishers will have to determine whether non-aggregated consumer information could be easily linked to an individual before sharing with third parties. The first step is to ask whether the unique identifier, in and of itself, identifies a specific person: Can the unique identifier be easily linked to a specific, identified person by the third party, such as a user name? Or, does the shared information provide so much detail that, when combined, it will easily reveal an individual's identity? If so, the publisher must ensure that the disclosure meets one of the VPPA's permissible disclosures.
In order to succeed in any VPPA claim, plaintiffs must prove that a defendant “knowingly” made an impermissible disclosure of PII. While this issue had not been ruled upon at the time this article went to publication, it was fully briefed by the parties in the In re Hulu Priv. Litig. case. Although the VPPA does not define “knowingly,” Hulu LLC argues that the court should adopt the same standard used in Electronic Communications Privacy Act cases: “proof that a defendant is actually aware of all of the facts that give rise to the statutory violation.”22 Hulu further contends it should not be liable because it was not aware that its transmission through Facebook cookies contained data that could conceivably identify an individual; nor was it aware of what, if anything, Facebook did with the data to personally identify individual users.23
If the publisher de-identifies PII prior to sharing with third parties and contractually restricts third-party use of the information, it will be difficult for any plaintiff to prove a publisher “knowingly” violated the VPPA.
If the publisher follows the practical steps outlined with respect to (1) de-identifying PII prior to sharing with third parties and (2) contractually restricting third-party use of the information, it will be difficult for any plaintiff to prove a publisher “knowingly” violated the VPPA.
The VPPA permits disclosure of PII to third parties in the “ordinary course of business,” which “means only debt collection activities, order fulfillment, request processing, and the transfer of ownership.”24 Magistrate Judge Laurel Beeler has clearly stated that any disclosure of PII in the transmission of the cookie data for analytics would not be “incident to [a company's] ‘ordinary course of business' as that term is defined in the statute.”25 Beeler's conclusory statement in her April 28 order, however, cites to her prior Aug. 10, 2012, order , where she simply found that “[w]hatever the merits are to Hulu's contentions that it uses the challenged services to deliver targeted advertisements to its users, Plaintiffs alleged unauthorized tracking of Plaintiffs' data (including video content information). The court cannot resolve this factual issue in a motion to dismiss.”26 This issue was not substantively addressed in any other Hulu order or any other recent VPPA decision. In any event, it is common practice for companies to only disclose de-identified, unique identifiers to third-party Web analytics companies, which would not result in the disclosure of PII under current case law.
Despite Beeler's reluctance, the VPPA's legislative history, cited by Hulu, states:
[Subsection (b)(2)(E)] takes into account that video tape service providers may use third parties in their business operations. . . . This subsection also allows disclosure to permit video tape service providers to use mailing houses, warehouses, computer services, and similar companies for marketing to their customers. These practices are called “order fulfillment” and “request processing.”27
While sharing information with social networks may not fall within this permissible use, a company's sharing of information with third parties who provide “computer services” and “similar companies” that provide analytics and other research to enable the advertising support required to deliver free content arguably should fall within the VPPA's permitted disclosures, if tested.
Unfortunately, there is no current case law to support this theory, but a recent U.S. Court of Appeals for the Seventh Circuit case gives us hope that when courts apply the statute to new methods of video delivery, they will also recognize the new business operations and support that are required to facilitate such delivery. In the most recent iteration of Sterk v. Redbox Automated Retail, LLC, Plaintiffs argued that Redbox Automated Retail LLC violated the VPPA when it outsourced certain “back office” functions to various service providers, including those third parties that provided customer service support and off-site record storage services.28 Taking a common sense approach, the appellate court affirmed the district court's dismissal of the case, analogizing today's automated video rental kiosks and virtual customer service with the brick-and-mortar video store and the clerk behind the counter in 1988 and finding that “when the VPPA was enacted, we can safely assume that Congress contemplated customer service as part and parcel of the ordinary rental experience.”29
This is the issue that drives the VPPA class actions, because if plaintiffs can prevail in showing a violation of the statute, then they argue that the minimum $2,500 per violation statutory damage provision in the VPPA kicks in and gives them the standing they need to bring their class actions and collect their windfall, even if there was no actual harm.
In its first motion for summary judgment, Hulu argued that in order for a person to be “aggrieved” under the VPPA, the plaintiff must suffer an actual injury beyond a statutory violation. In addressing these arguments, Beeler held that although the VPPA provides a remedy to “aggrieved” persons, no showing of actual injury is required, only a wrongful disclosure. This is consistent with the Seventh Circuit's position in Redbox, where it reiterated its position that “Congress does have the power to ‘enact statutes creating legal rights, the invasion of which creates standing, even though no injury would exist without the statute.' ”30 Similarly, the rulings in Nickelodeon add to the growing trend among federal courts to find that an alleged statutory violation, especially where the violation relates to consumer privacy or protection, is enough to confer Article III standing when there is no actual injury.31
While the Supreme Court may address this exact issue in its next session,32 for now, businesses should assume that plaintiffs will be able to find a court that supports the position that a violation of the VPPA is enough to create Article III standing, and therefore enables plaintiffs to recover statutory damages, even in the absence of any actual damages caused by the VPPA violation.
One of the driving forces behind this uptick in litigation is surely the big payoff expected by the plaintiffs' class action bar. To date, however, this has been a losing gamble. Plaintiffs so far have been unable to successfully prove that information disclosed to third parties was either (1) knowing, (2) PII or (3) disclosed outside of one the permitted exceptions to the VPPA. But in addition to these substantive hurdles, plaintiffs have not been able to meet the requirements for class certification.
When one considers how many online videos can be downloaded and viewed in a short period of time by users of digital media, $2,500 per statutory violation may seem like a gold mine worth digging for to assemble a class and find a technical violation. But online publishers can take some solace in Beeler's ruling that such a class is not ascertainable.33 While it may be technically possible for named defendants to cull system logs and cross-reference user IDs or other unique identifiers to identify a proposed class, Beeler concluded that in the Hulu-Facebook fact pattern, “the only way [to ascertain who is in the class] is self-reporting.”34 Because the claims at issue would not be “amenable to ready verification,” and because “at $2,500 per class member, they are not small,” Beeler ruled that the plaintiffs had not defined an ascertainable class.35 While this type of analysis will be specific to each case's set of facts, we at least see the judiciary taking note of the incentives large statutory damage awards can create for plaintiffs and offering some protection against it.
Although the VPPA was drafted to protect the privacy of consumers who purchased or rented video materials from a now-defunct brick-and-mortar store, courts have now extended the Act's protections to consumers who access digital media online. Regardless of whether a company considers itself a “video tape service provider,” if there is video on your website/application, it is likely subject to the VPPA. The sheer volume of videos that a single consumer can download and watch in just a matter of hours can implicate thousands of dollars of statutory damages for an individual, and hundreds of millions for a class of consumers. But, online publishers can take several steps to protect themselves from VPPA liability. If an online publisher's website or mobile application has video titles, the publisher should only share non-personally identifiable information with third parties. However, in some instances, such as the Redbox case where customer service was outsourced, sharing personally identifiable information that is associated with video titles is required. In those instances, publishers should ensure that the disclosure is made either with the consumer's consent, or pursuant to one of the limited VPPA's exceptions, and subject to continued confidential treatment. Unfortunately, the image of a large pot of gold at the end of the rainbow is likely to keep plaintiffs searching for ways to enlarge the scope of the VPPA's definition of “personally identifiable information” or narrow the scope of permissible disclosures. Changes in technology are likely to leave some of these issues unresolved for the foreseeable future; in the meantime, we hope judges will continue to balance their broad application of the VPPA to new video distribution models with practical considerations for the new ways businesses support their operations in a digital world.
S. Rep. 100-599, 100th Cong., 2nd Sess. 1988, 1988 U.S.C.C.A.N. 4342-1, 1988 WL 243503, *7 (Leg. Hist.).
Michael Dolan, The Bork Tapes, The City Paper, Sept. 25–Oct. 1, 1987, at 1, reproduction available athttp://www.theamericanporch.com/bork5.htm.
For example, the VPPA reflects the structure of and shares similar terms (and statutory damages provisions) with both the Cable Communications Policy Act of 1984, 47 U.S.C. § 551, and the Electronic Communications Privacy Act, also enacted in 1986 at 18 U.S.C. § 2510, et seq.
18 U.S.C. § 2710. Section (a)(2) limits “ordinary course of business” to “only debt collection activities, order fulfillment, request processing, and the transfer of ownership.” Id. § 2710(a)(2).
Id. § 2710(c)(1).
Id. § 2710(c)(2).
The Video Privacy Protection Act Amendments of 2012, Pub. L. No. 112-258 (2013).
18 U.S.C. § 2710(a)(4) (emphasis added). The definition goes on to include “any person or other entity to whom a disclosure is made under [the permitted mailing list and ordinary course of business exceptions] of subsection (b)(2), but only with respect to the information contained in the disclosure.” Id.
Even prior to the VPPA Amendments that were designed to accommodate online compliance for disclosing video titles watched, Magistrate Judge Laurel Beeler easily extended the VPPA to online video providers when considering the Act's 1988 legislative history that “discusses extensively the concept of privacy in an evolving technological world.” In re Hulu Privacy Litig., No. C 11-03764 LB, 2012 BL 204579 at *6–7 (N.D. Cal. Aug. 10, 2012).
H.R. Rep. 112-312 at 2 (2011), available athttp://www.gpo.gov/fdsys/pkg/CRPT-112hrpt312/pdf/CRPT-112hrpt312.pdf; S. Rep. 112-258 at 2 (2012), available athttp://www.gpo.gov/fdsys/pkg/CRPT-112srpt258/pdf/CRPT-112srpt258.pdf.
See Perry v. Cable News Network, Inc., No. 14-cv-02926 (N.D. Ga. filed Sept. 12, 2014); Locklear v. Dow Jones & Co., Inc., No. 14-cv-00744 (N.D. Ga. filed Mar. 13, 2014).
In re Hulu, 2012 BL 204579 at *8.
Id. § 2710(a)(3) (emphasis added).
5 U.S.C. §§ 6501–6505.
In re Hulu Privacy Litig., No. 11-cv-03764, 2014 BL 120236 at *14 (N.D. Cal. Apr. 28, 2014) .
Id. at *7, *13 (emphasis added); see alsoIn re Nickelodeon Consumer Privacy Litig., MDL No. 2443, 2014 BL 186702 (D.N.J. Jul. 2, 2014).
Id.; see alsoEllis v. Cartoon Network, Inc., No. 1:14-cv-484-TWT, 2014 BL 283139 (N.D. Ga. Oct. 8, 2014).
Nickelodeon, 2014 BL 186702 at *11–12 (emphasis added); see alsoEichenberger v. ESPN, Inc., No. 14-cv-00463 (W.D. Wash. Nov. 24, 2014), holding that the serial number of a Roku device accompanied by viewing records alone does not constitute PII as defined in the VPPA and citing to Hulu, finding it “speculative to state that [the third party] can, and does, identify specific persons as having watched or requested specific videos” from ESPN.
Ellis v. The Cartoon Network, Inc., No. 14-15046 (11th Cir. appeal docketed Nov. 6, 2014). On Oct. 8, U.S. District Court for the Northern District of Georgia Judge Thomas W. Thrash Jr. dismissed with prejudice a putative class action against The Cartoon Network Inc., after holding that the plaintiff's anonymous Android mobile device IDs did not qualify as PII under the VPPA. Cartoon Network, 2014 BL 283139, at *2–*4.
Summary Judgment Motion by Defendant re: “Knowingly” at 5, Hulu, No. 11-cv-03764 (N.D. Cal. Aug. 26, 2014).
18 U.S.C. § 2710(a)(2).
Hulu, 2014 BL 120236, at *8.
Hulu, 2012 BL 204579, at *7.
S. Rep. 100-599, supra note 1.
Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618 (7th Cir. 2014).
Id. at 625.
Id. at 623.
See Nickelodeon, 2014 BL 186702, at *4–5.
Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014), petition for cert. filed, No. 13-1339 (U.S. May 1, 2014). The U.S. Supreme Court has granted certiorari on this issue before, in First American Corp. v. Edwards. In that case, the Court also asked the solicitor general's opinion. In response, U.S. Solicitor General Donald Verrilli filed an amicus brief, arguing that the deprivation of statutory rights is all that is required for standing under another federal statute with defined statutory damages. Brief for the United States as Amicus Curiae, First American Financial Corp. v. Edwards, 132 S. Ct. 2536 (U.S. 2012). Ultimately, however, the Supreme Court did not address the merits of the issue in Edwards, but instead dismissed the writ simply as “improvidently granted.” Edwards, 132 S. Ct. at 2537.
In re Hulu Privacy Litig., No. 11-cv-03764, 2014 BL 167655 (N.D. Cal. June 17, 2014).
Id. at *18.
Id. at *19.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)