Denial of Hulu’s Motion for Summary Judgment Paves Way for More Lawsuits Under the Video Privacy Protection ActMonday, May 5th, 2014
A lawsuit filed in 2011 against Hulu, an on-line video content provider, claims the company violated the Video Privacy Protection Act (“VPPA”) by wrongfully disclosing users’ video viewing selections and personally identifiable information (PII) to third parties, comScore and Facebook. On April 24, 2014, a federal court in the Northern District of California ruled that Hulu may have violated the VPPA by sharing user identifiers with Facebook. Facebook could combine those user identifiers from Hulu with other information provided by cookies from a Facebook “like” button on Hulu’s web page that could reveal a user’s Facebook identity, as well as a user’s viewed video content on Hulu. The court’s decision paves the way for privacy plaintiffs to bring suit against businesses who derive information from users’ viewing histories, with costly consequences given statutory damages of up to $2,500 per violation.
The VPPA prohibits a video service provider from knowingly disclosing PII of a consumer of the provider to third parties. Under the VPPA, PII includes information that identifies a person as having requested or obtained specific video materials or services from a provider. The VPPA prohibits disclosures that tie specific people to the videos they view. The court found that disclosure of PII is not limited to a person’s actual name, but also consists of information that can identify a specific person and a specific transaction. The court affirmed that a unique, anonymized ID alone is not PII, but “context could render it not anonymous and the equivalent of the identification of specific person.”
Hulu’s Facebook disclosures included sufficient facts to potentially link the disclosure of a video name to an identified Facebook user to result in a violation of the VPPA. A Facebook “like” button on Hulu’s web page sent Facebook the title of the video watched by the user, the IP address of the registered user’s computer, and cookies which could contain the Facebook user’s ID. Hulu did not send Facebook the Hulu user’s ID or name when the user’s browser executed code to load the Facebook “like” button. Nevertheless, the information provided to Facebook revealed information about what the Hulu user watched and the Hulu user’s name on Facebook.
In contrast with Hulu’s Facebook disclosures, Hulu’s disclosures to comScore did not potentially violate the VPPA because comScore could only have “hypothetically” linked to a user’s name or user’s viewing history. Hulu provided comScore with users’ unique Hulu user ID, an alphanumeric string to differentiate between web browsers that Hulu assigned at random to a browser, a Hulu Ad ID identifying an advertisement, and the name of the video content program and any season or episode number. Because comScore had the Hulu user ID, it possessed the “key” to locating user’s names, but there was no evidence it did so.
This ruling is significant because it further opens the door for class actions alleging violations of the VPPA because “anonymous” data may be considered PII under the statute when viewed in the context of other data points. Privacy plaintiffs will undoubtedly seek to apply this more narrow interpretation of what constitutes “anonymous” data in other lawsuits implicating different state and federal privacy laws.
See Order here.