A Growing Chorus of Federal Courts Finds User IDs, by themselves, Do Not Count as Personally Identifiable Information under the VPPA
Recently, a federal district judge joined a number of his colleagues around the country who have told plaintiffs looking to bring a claim under the Video Privacy Protection Act (“VPPA”) that if the data plaintiffs allege was improperly shared cannot, “without more,” personally identify particular persons, then the claim fails.
On January 23, Georgia Federal District Judge Mark H. Cohen dismissed with prejudice a putative class action against Dow Jones & Company, Inc. (“Dow Jones”), where the plaintiff alleged the media company violated the VPPA by sharing the serial number of her Roku streaming media player and video viewing history with mDialog, a third party analytics and advertising company. In dismissing Locklear v. Dow Jones & Co., Judge Cohen echoed other courts that have recently addressed what qualifies as personally identifiable information (“PII”) under the VPPA, finding that “the Roku serial number, without more, does not constitute PII under the statute.” The plaintiff’s case centered around her use of her Roku media player to download and access content from Dow Jones’ free and on-demand Wall Street Journal Live Channel (“WSJ Channel”). The plaintiff objected to Dow Jones’ practice of sharing her Roku device’s serial number and her video viewing history with mDialog each time she viewed content on the WSJ Channel, alleging that mDialog was later able to use this information in combination with demographic data it obtained elsewhere to identify her specifically, and the videos she watched.
Judge Cohen gave the plaintiff’s argument short shrift and ruled that the information that Dow Jones shared with mDialog is not, by itself, PII. Judge Cohen’s decision looked to the recent rulings in In re Hulu Privacy Litig., In re Nickelodeon Privacy Litig., and Ellis v. Cartoon Network, Inc., echoing those courts in concluding that PII “must, without more, itself link an actual person to actual video materials.” Judge Cohen ultimately concluded that the plaintiff’s action was indistinguishable from the facts in Ellis, where the court held that the disclosure of Android IDs to a third party, who had to collect information from other sources to personally identify specific individuals, “did not violate the VPPA because the third party had to take extra steps to connect the disclosure to an identity.”
Accordingly, Judge Cohen ruled that a Roku serial number, “without more” is not PII. The court referenced Hulu to note that a defendant could be found liable under the VPPA if it disclosed a unique identifier along with a means to discover what person corresponds with an particular identifier, like a correlated look-up table; however, the record did not establish any basis to find that the information mDialog obtained from Dow Jones identified particular persons. The plaintiff’s admission that mDialog had to take additional steps to discover her identity using the data from Dow Jones and other sources was, in the court’s judgment, fatal to her claim.
“Without More,” VPPA Claims May Have Nowhere to Go
“Without more” has become a familiar refrain in VPPA cases, as more courts are telling plaintiffs and their attorneys that not every sharing of information attributable to individuals and their viewing habits violates the VPPA. Instead, courts are repeatedly reminding plaintiffs that, under the VPPA, there must be more to associate a particular person with the videos they watch rather than just user IDs, device serial numbers, or other types of information that do not by themselves identify a specific individuals. To date, that analysis does not change simply because a defendant shares that non-PII with a third party, who then goes the extra mile to reverse engineer a person’s identity. However, recent FTC guidance reminds companies to not only limit disclosures to non-PII, but to contractually prohibit third parties from attempting to re-identify the data.
Even “With More,” What Can Constitute a Prohibited “Knowing” Disclosure?
While Judge Cohen’s decision permanently ended plaintiff’s action in Dow Jones, the VPPA dispute in Hulu still has the parties squaring off over what qualifies as “knowingly” disclosing PII under the VPPA. Specifically, the plaintiffs’ last surviving claim concerns whether Hulu had knowledge that by placing a Facebook “Like” button on its webpages, the cookie associated with the button (even if the “Like” button is not clicked) would transmit Hulu users’ Facebook identities and information on the video pages they access to the social media company.
Back in August, Hulu argued in its summary judgment motion that it had no actual knowledge that simply adding the “Like” button to its pages would trigger a cookie that would automatically obtain a Hulu user’s Facebook ID and share their access or viewing history with Facebook. Instead, Hulu maintained it did not know the contents of any of the cookies Facebook created or what Facebook would do with the information transmitted, and that the only control Hulu had in the process was where it placed the “Like” button on Hulu webpages, and where it obtained the code that loads and operates the button.
Plaintiffs countered Hulu’s assertions in a filing last week, claiming that in order to satisfy the VPPA’s “knowingly” requirement all they need to allege is that “Hulu voluntarily provided user-specific information and videos watched to a third party[.]” Moreover, plaintiffs disputed Hulu’s claim that plaintiffs needed to demonstrate Hulu had actual knowledge. Instead, the plaintiffs asserted that “actual knowledge is not a requirement under the plain language of the VPPA” and that the “common and ordinary meaning of the word ‘knowingly’ is merely that the actor must be aware of what he or she is doing and does not act because of some mistake or accident.”
The Hulu court is scheduled to take up parties’ competing “knowingly” arguments on February 26.