Litigation threat from Video Privacy Protection Act ebbs as circuit courts weigh in

Video Tape

8 December2017. By Mike Swift.

Just a little more than two years ago, mobile apps and online platforms that share personal information about the video-watching history of users were facing litigation peril from a pre-Internet law written to protect the privacy of people who rented movies at the neighborhood video store.

That litigation threat, however, appears to have ebbed. Several appellate court decisions across the country have declined to allow the 1988 Video Privacy Protection Act to be invoked against 2017-vintage digital technology, saying that to constitute a violation, the personal information disclosed must be specific enough to allow “an ordinary person” to identify an individual’s video-watching history.

A decision last week by the US Court of Appeals for the Ninth Circuit caps a round of losses for plaintiffs in which appeals courts have affirmed lower court dismissals of VPPA lawsuits. The suits had challenged the Internet-based collection of personal information about consumers’ video watching history by media giants including ESPN, Google, Viacom, Hulu, and Cartoon Network.

The recent Ninth Circuit decision may also make it easier for Internet-connected television-maker Vizio to defend VPPA claims in litigation over its alleged sharing of the video-watching history of people who bought its Internet-connected televisions.

Indeed, the Ninth Circuit warned its ruling was not intended to completely defang the VPPA and that the law could still be a risk for digital platforms that collect and share very specific information about their users’ video-watching behavior.  The substantial statutory damages available for a VPPA violation means it is likely plaintiffs will continue to try to assert the law.

'Ordinary person' standard

In affirming a decision by a federal judge in Seattle to dismiss VPPA allegations brought against ESPN, the Ninth Circuit said on Nov. 29 that plaintiff Chad Eichenberger had standing to sue the sports network. However, the Ninth Circuit found that the information shared by ESPN with its advertising partner Adobe Analytics — Eichenberger’s watching history and the serial number of his Roku streaming device — fell short of the VPPA’s definition of “personally identifiable information.” 

Adopting the reasoning of the US Court of Appeals for the Third Circuit in a 2016 decision in litigation against Viacom’s Nickelodeon mobile app, “we hold that ‘personally identifiable information’ means only that information that would ‘readily permit an ordinary person to identify a specific individual’s video-watching behavior,’ “ the Ninth Circuit panel said.

That “ordinary person” standard means that the combination of a list of videos watched and a device serial number “cannot identify an individual unless it is combined with other data in Adobe’s possession — data that ESPN never disclosed and apparently never even possessed,” said the opinion written by US Circuit Judge Susan P. Graber.

Graber and fellow panel members,  US Circuit Judges Mary H. Murguia and Morgan Christen, also questioned whether Eichenberger was trying to stretch a 1980s-era law too far to apply easily to the digital privacy issues of the early 21st century.

“It is true that today’s technology may allow Adobe to identify an individual from the large pool by using other information — as Plaintiff alleges. But the advent of the Internet did not change the disclosing-party focus of the statute. And we are not persuaded that the 1988 Congress intended for the VPPA to cover circumstances so different from the ones that motivated its passage,” Graber wrote.

Those circumstances were the disclosure of the video-rental history of Judge Robert Bork, a former nominee for the US Supreme Court whose rental history was published by a newspaper during his contentious confirmation hearings.

At the time, the publication of Bork’s video rental history struck a nerve in Congress, which subsequently passed the VPPA.

In early 2015, plaintiff lawyers who were bringing a series of VPPA cases around the country said they weren’t fazed by a string of losses in district courts from Boston to Seattle, saying they were confident of victories before the appellate courts.

But three appeals courts have disagreed. In late 2015, the US Court of Appeals for the Eleventh Circuit upheld a lower court ruling dismissing a proposed class action claiming that Cartoon Network violated the VPPA when it shared consumers’ Android IDs and app-use history with an online behavioral advertising company.

First Circuit standard

Plaintiffs did notch a temporary victory in early 2016 at the US Court of Appeals for the First Circuit in a case targeting the USA Today app owned by Gannett.

But in that case, the First Circuit’s definition for “personally identifiable information” -- "information reasonably and foreseeably likely to reveal" a person’s video watching history -- was still too demanding for the plaintiffs to meet. Earlier this year, plaintiff Alexander Yershov dropped the case, acknowledging a lack of evidence that his personal information was shared with digital advertisers.

Graber said the Ninth Circuit’s decision did not necessarily conflict with the First Circuit, because the Gannet app also collected GPS location data through Yershov’s iPhone. The use of GPS location data, Graber noted, “would enable most people to identify [an individual’s home and work addresses].”

The stakes in any VPPA case are significant, particularly for an Internet platform that can have millions of users. The VPPA allows courts to award up to $2,500 per violation in statutory damages. Hulu had referred in court filings to its potential “multibillion-dollar liability” if the plaintiffs’ VPPA claims succeeded.

Vizio is facing that kind of risk over the alleged collection of data through software embedded in its “smart TVs.” That case has already passed the motion to dismiss stage, and US District Judge Josephine Staton recently rejected Vizio’s motion to appeal her denial of its motion to dismiss the VPPA claims.

Graber said the Ninth Circuit’s ruling does not “make the statute powerless.” If a company decided to a collect and share very specific information — names, phone numbers or location, for example — the VPPA could very well apply, the judge said.

“It is not difficult to imagine other examples that may also count — for example, an individual’s name and telephone number or an individual’s name and birthday or, as in Yershov, the GPS coordinates of a particular device,” Graber said. “And modern technology may indeed alter — or may already have altered— what qualifies under the statute. A Facebook link or an email address may very well readily enable an ‘ordinary person’ to identify an individual.”

In other words, if the VPPA risk has decreased, it certainly has not completely faded to black.

Countdown to the GDPR