Roku Number, ESPN Viewing History Not Protected Data: Ninth Cir.

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

ESPN Inc.'s sharing of an individual’s Roku Inc. device serial number and a list of the ESPN videos watched doesn’t violate federal video privacy law, the U.S. Court of Appeals for the Ninth Circuit affirmed.

An individual’s streaming device ID number and videos watched isn’t personally identifiable information (PII) protected by the Video Privacy Protection Act, the appeals court held Nov. 29 ( Eichenberger v. ESPN, Inc. , 2017 BL 427074, 9th Cir., No. 15-35449, 11/29/17 ).

Under the statute, PII includes information that can be used to identify an individual, Judge Susan P. Graber wrote for the court. She agreed with other courts’ definition of PII as “only that information that would ‘readily permit an ordinary person to identify a specific individual’s video-watching behavior.’”

This is Ninth Circuit’s adoption of the majority view that such data isn’t PII, Ani Gevorkian, data privacy and cybersecurity associate at Covington & Burling LLP in Washington, told Bloomberg Law. It “further isolates the First Circuit’s decision in Yershov v. Gannettas an outlier,” she said. In Yershov, the First Circuit held that an app user’s mobile device identifiers could constitute PII under the VPPA, particularly when collected in conjunction with geolocation data.

The “ordinary person” standard informs video service providers of their obligations under the VPPA not to share or do certain things with consumer information, Graber said.

The appeals court’s definition of PII is “more consistent with the VPPA than a definition based on the knowledge or capabilities of the party receiving the information,” Jeff Landis, litigation counsel at ZwillGen in Washington, told Bloomberg Law Nov. 30. It creates a more “workable standard for companies to follow.”

The movement to exclude basic viewing information from the VPPA’s prohibitions may be a boon to innovation.

“By reducing ambiguity around what qualifies as PII, this decision permits content and video providers, especially small or early-stage companies, to continue innovating in this space,” Gevorkian said.

Harm Standard

Plaintiff Chad Eichenberger’s allegation that the service provider disclosed private information was sufficient to demonstrate harm consistent with the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins, which held that a plaintiff must allege a concrete and particularized injury to have legal standing to sue, the court said. The VPPA allows consumers to collect damages for a violation of the statute “without showing consequential harm.”

Other courts have applied Spokeo the same way in VPPA cases, Landis said.

But the finding that Eichenberger had standing to sue based on the assertion of mere procedural violations was undercut by the court’s ruling that the information at issue in the case doesn’t qualify for VPPA protection.

Judges Mary H. Murguia and Morgan Christen joined the opinion.

Edelson PC represented the plaintiff. Munger, Tolles & Olson LLP represented ESPN.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the opinion is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security