Loading Facebook’s “Like” Button Sends Personal Information Even If Not Clicked, and That Alone Could Violate the Video Privacy Protection ActWhen we last visited the Hulu Privacy Litigation, the Video Privacy Protection Act’s (the VPPA’s) prohibitions on “video tape service” providers from knowingly disclosing a viewer’s personally identifiable information (PII) to third parties, except in limited circumstances, had been extended to online streaming video services; and that in order for plaintiffs to recover statutory damages, no showing of actual injury is required, only a wrongful disclosure. As we return to our story, Judge Beeler is grappling with what constitutes a “knowing” disclosure of “personally identifiable information.”
Recently, a magistrate judge in the Northern District of California confirmed what many already believed: that information disclosed to third parties without appropriate consent or pursuant to a permitted exception “must identify a specific person and tie that person to video content that the person watched in order to violate the [Video Privacy Protection Act].” But Magistrate Judge Beeler did not stop there and clarified that the VPPA “does not say ‘identify by name’ and thus plainly encompasses other means of identifying a person.” So what could have been a sigh of relief in the Hulu Privacy Litigation may now affect numerous websites that contain streaming video clips or programs and which allow users to “like” those pages on Facebook or plug-in to other social media sites and applications. The court granted Hulu’s summary judgment motion with respect to its disclosures to comScore disclosures, but denied it with respect to Hulu’s Facebook disclosures, finding that material issues of fact remain and more information was needed to determine whether such disclosures were “knowing” or whether users had consented.
Plaintiffs’ claims had already been limited to Hulu’s disclosures to data metrics provider comScore and Facebook. It was undisputed that when a Hulu user loaded a page to view content, certain user information was sent to both companies without any additional interaction by the user. In the case of comScore, a “beacon” was transmitted from the Hulu page to comScore that included, among other things, a Hulu User ID and information about the video associated with that page. In the case of Facebook, certain information was transmitted from the Hulu page to Facebook by virtue of the “like” button being loaded on the watch page, including the referrer URL that, for some period of time, identified the video associated with that page, but it did not include the Hulu User ID. If the user loading the Hulu page was logged in to Facebook, then the Facebook cookies that had been loaded into the browser would also reveal the user’s Facebook ID and other user information, as clearly explained by Facebook in its “Privacy for Apps” FAQs.
Judge Beeler determined that even though it was hypothetically possible that, for some period of time, comScore could use a Hulu ID to access that user’s profile page to obtain that user’s name, there was no evidence that comScore did this. Instead, the evidence focused on comScore’s “role in measuring whether users watched the advertisements” (which apparently do not fall within the definition of video programming) and “it does not suggest any linking of a specific, identified person and his video habits.” The Facebook disclosures, on the other hand, included a process that transmitted the Hulu user’s actual identity on Facebook and the video that the Facebook/Hulu user was watching, whether or not the user clicked the “Like” button. The court rejected Hulu’s argument that an actual name was required, finding “[t]hat position paints too bright a line. One could not skirt liability under the VPPA … by disclosing a unique identifier and a correlated look-up table.” Judge Beeler instead held that the Facebook ID is more than a unique, anonymous identifier in the hands of Facebook—it personally identifies a Facebook user. And while there was similarly no evidence that Facebook took any actions with the cookies after receiving them, Judge Beeler found that “[i]n contrast to comScore, where the user was not tied to the video in one transmission, the transmission to Facebook included the video name and Facebook user cookies. Thus the link between user and video was more obvious.”
What remains to be seen is whether Hulu made the disclosures “knowingly.” It may have come as a shock to some that all of this information was transmitted simply by a user loading a page. A user did not have to actually click the “like” button for the Facebook cookie to transmit the user’s Facebook ID. Judge Beeler indicated that would have presented a different analysis.
The good news is that Judge Beeler rejected plaintiffs’ argument that “someone who possesses a unique identifier for an individual ‘requires no further information to distinguish the individual from the rest of the population’” and clearly stated that the disclosure of a unique identifier, without more, does not violate the VPPA. This is entirely consistent with other case law. The court went on to reject plaintiffs’ analogies to the definition of personal information under the Children’s Online Protection Act, which includes persistent identifiers, stating that the “[p]rotection of children online implicates different privacy concerns and resulted in broader definitions of personal information.” But this case reminds us that persistent identifiers which can be easily re-identified, such as by putting the otherwise anonymous identifier in the hands of a third party who has the “code” to re-identification, may be problematic. Similarly, providing enough information about a person that would easily permit identification (e.g., the man at the north pole who wears a red suit), will not withstand scrutiny.
What you should do:
- Assess the information that is transmitted to third parties through your websites and other online applications
- Determine whether third-party resources, such as the Facebook “like” button and other social media plug-ins, are automatically included when users load your websites
- Consider restricting such access and dynamically loading such resources after giving users the chance to opt-in on pages where video content resides
- Consider limiting the information in the referring URL to a video index page on the site, without disclosing the specific title that the user viewed
- Determine whether such information could be easily linked to an individual
- Does the unique identifier, in and of itself, identify a specific person?
- Can the unique identifier be easily linked to a specific, identified person by the third party?
- Does the information provide so much information that, when combined, easily reveals the individual’s identity?
- Contractually limit third parties’ use of the data collected from your site and prohibit the re-identification of anonymous, unique identifiers
Just as laws do not keep up with technology, it appears that they do not keep up with social norms, either. Many website owners will balk at the thought of requiring a user that has chosen to remain logged in on Facebook to re-affirm that choice to “like” a page or specific content. Similarly, many users may not take the time to re-authenticate in order to “like” a page. Unfortunately, the alternative could result in a not-so-friendly “poke” from a plaintiff’s lawyer.