Online Consumer Privacy

The Hulu plaintiffs sought to represent registered users of Hulu.com, alleging that Hulu had violated the Video Privacy Protection Act (VPPA) by engaging third parties such as Scorecard and Google Analytics to perform Web analytics on Hulu's website, and sharing users' identifying information with Facebook.

The VPPA prohibits the unauthorized disclosure of “personally identifiable information” (PII) to third parties. Plaintiffs argue that their video-streaming habits are shared with third-parties along with “personally identifiable information” without their permission or consent. The plaintiffs argued that the code that loads and operates the “Like” button on Hulu's Web page causes the user's browser to send to Facebook a URL of the user's watch page (which would indicate the name of the video that the user accessed) and, under certain circumstances, a cookie that enables Facebook to link information identifying the Hulu user with that user's video choices.

In April, Beeler ruled that cookies used to send data to Facebook were covered by the statute because they contained information about users' actual identity (such as a user's IP address and Facebook ID), but unique IDs that were presented in a generalized way to the web analytics companies were not, because such data was linked to a device rather than a user.

Following that ruling (which was made on a motion to dismiss), in June Beeler declined to certify a class around the Facebook cookie sharing allegations, finding it difficult to prove whether any particular user's cookie information was shared with Facebook in a way that disclosed the user's viewing habits. If users took steps to block tracking ' such as by using ad-blocking software, clearing their cookies, logging out of Facebook, or using different browsers for Facebook and Hulu ' their movie-viewing history would not have been shared. Beeler said in her ruling that there didn't appear to be a good way to distinguish between the users who took those kinds of measures and the ones who did not.

Beeler's rulings dovetailed with those of Cheslar in CAF and CTF v. MP et. al. ' the case that involves Google and Viacom. In July, Cheslar found that information concerning anonymous user IDs, a child's gender and age, and information about the computer used to access video-streaming websites did not amount to personally identifiable information under the VPPA. Instead, Cheslar reasoned that the information must be “akin to a name.”

PII

The scope of the VPPA and other statutes that cover personally identifiable information has been trimmed in recent months, but not so much that organizations and online service providers can avoid considering whether “anonymous” IDs can be used to identify a specific person in particular contexts. This is especially true for companies with business models that involve collecting and using information about users' viewing habits and online activities.

Yet, the line between PII covered by the statute and data that is too far removed from a user to invoke the statute is not yet drawn. Thus, the definition and scope of personal information is still subject to interpretation. For example, while Beeler rejected the argument that disclosures that violate the VPPA had to be a person's actual name, she did rule that the context in which a unique (and sometimes “anonymous”) identifier is disclosed to a third party could render the information nonanonymous (say, where the cookies shared with Facebook contain the Facebook profile names or could otherwise be tied to a Facebook account holder). In addition, Cheslar reasoned that the disclosed information can potentially be covered under the VPPA if it is akin to a name and provides a “tangible, immediate link.”

Analysis

Because of the limits of the applicability of privacy statutes such as the VPPA and Stored Communications Act (SCA) to Internet service providers (e.g., in addition to the limits on PII, the VPPA only covers “video tape service providers”), and the hurdles to class certification under the VPPA as demonstrated in Hulu, plaintiffs have increasingly been looking to breach of contract, common law fraud and state consumer fraud statutes for recovery.

Case in point: Google recently was sued in California for breach of contract and unfair competition arising out of alleged sharing of private customer data to third-party app developers, in connection with Google's Wallet and Play services. While California Federal Judge Beth Labson Freeman dismissed the claims for failure to show damages, other courts may not be so quick to toss out such suits. For example, for claims arising out of alleged violations of consumer fraud statutes (which prohibit general misleading and deceptive practices), courts may find that a plaintiff's allegation that he relied on the company's privacy policy to purchase an app passes muster on a motion to dismiss. Recent cases filed against Gamestop and others allege common law fraud theories of liability, and soon we should see whether these alternative theories can survive motions to dismiss or motions for summary judgment.

Thus, online service providers would do well to have a thorough understanding of the user information they are collecting and disclosing to third parties, as well as the adequacy of their privacy policies and disclosures. Companies should also explore methods for obtaining consent for use of personal data, as the potential exposure under the VPPA and SCA are $2,500 and $1,000 per violation, respectively.

Ana Tagvoryan and Joshua Briones head Blank Rome's privacy class action practice out of Los Angeles. In addition to representing clients across the nation, their team also provides compliance counseling and related advice on privacy, social media and cybersecurity. This article originally appeared in Corporate Counsel, an ALM sibling of Internet Law & Strategy.

Online service providers often collect user data for marketing, which frequently includes sharing the information with third parties. For example, a company that hosts videos or blogs on its website usually includes a “like” button or other social networking plug-in that transmits data from user cookies to those social networking sites. Consumers and web users who find this transmission of data an invasion of privacy can, with the help of the plaintiffs' bar, sue under various privacy statutes for alleged damages arising out of this practice.

It is still far from clear what techniques are permitted and which ones cross the line. But recent rulings, by U.S. Magistrate Judge Laurel Beeler in an important lawsuit in California, In re Hulu Privacy Litigation, 2014 WL 2758598 (N. D. Cal.), and by New Jersey Federal Judge Stanley Cheslar in a case involving Viacom and Google, have provided some guidance.

Background

The Hulu plaintiffs sought to represent registered users of Hulu.com, alleging that Hulu had violated the Video Privacy Protection Act (VPPA) by engaging third parties such as Scorecard and Google Analytics to perform Web analytics on Hulu's website, and sharing users' identifying information with Facebook.

The VPPA prohibits the unauthorized disclosure of “personally identifiable information” (PII) to third parties. Plaintiffs argue that their video-streaming habits are shared with third-parties along with “personally identifiable information” without their permission or consent. The plaintiffs argued that the code that loads and operates the “Like” button on Hulu's Web page causes the user's browser to send to Facebook a URL of the user's watch page (which would indicate the name of the video that the user accessed) and, under certain circumstances, a cookie that enables Facebook to link information identifying the Hulu user with that user's video choices.

In April, Beeler ruled that cookies used to send data to Facebook were covered by the statute because they contained information about users' actual identity (such as a user's IP address and Facebook ID), but unique IDs that were presented in a generalized way to the web analytics companies were not, because such data was linked to a device rather than a user.

Following that ruling (which was made on a motion to dismiss), in June Beeler declined to certify a class around the Facebook cookie sharing allegations, finding it difficult to prove whether any particular user's cookie information was shared with Facebook in a way that disclosed the user's viewing habits. If users took steps to block tracking ' such as by using ad-blocking software, clearing their cookies, logging out of Facebook, or using different browsers for Facebook and Hulu ' their movie-viewing history would not have been shared. Beeler said in her ruling that there didn't appear to be a good way to distinguish between the users who took those kinds of measures and the ones who did not.

Beeler's rulings dovetailed with those of Cheslar in CAF and CTF v. MP et. al. ' the case that involves Google and Viacom. In July, Cheslar found that information concerning anonymous user IDs, a child's gender and age, and information about the computer used to access video-streaming websites did not amount to personally identifiable information under the VPPA. Instead, Cheslar reasoned that the information must be “akin to a name.”

PII

The scope of the VPPA and other statutes that cover personally identifiable information has been trimmed in recent months, but not so much that organizations and online service providers can avoid considering whether “anonymous” IDs can be used to identify a specific person in particular contexts. This is especially true for companies with business models that involve collecting and using information about users' viewing habits and online activities.

Yet, the line between PII covered by the statute and data that is too far removed from a user to invoke the statute is not yet drawn. Thus, the definition and scope of personal information is still subject to interpretation. For example, while Beeler rejected the argument that disclosures that violate the VPPA had to be a person's actual name, she did rule that the context in which a unique (and sometimes “anonymous”) identifier is disclosed to a third party could render the information nonanonymous (say, where the cookies shared with Facebook contain the Facebook profile names or could otherwise be tied to a Facebook account holder). In addition, Cheslar reasoned that the disclosed information can potentially be covered under the VPPA if it is akin to a name and provides a “tangible, immediate link.”

Analysis

Because of the limits of the applicability of privacy statutes such as the VPPA and Stored Communications Act (SCA) to Internet service providers (e.g., in addition to the limits on PII, the VPPA only covers “video tape service providers”), and the hurdles to class certification under the VPPA as demonstrated in Hulu, plaintiffs have increasingly been looking to breach of contract, common law fraud and state consumer fraud statutes for recovery.

Case in point: Google recently was sued in California for breach of contract and unfair competition arising out of alleged sharing of private customer data to third-party app developers, in connection with Google's Wallet and Play services. While California Federal Judge Beth Labson Freeman dismissed the claims for failure to show damages, other courts may not be so quick to toss out such suits. For example, for claims arising out of alleged violations of consumer fraud statutes (which prohibit general misleading and deceptive practices), courts may find that a plaintiff's allegation that he relied on the company's privacy policy to purchase an app passes muster on a motion to dismiss. Recent cases filed against Gamestop and others allege common law fraud theories of liability, and soon we should see whether these alternative theories can survive motions to dismiss or motions for summary judgment.

Thus, online service providers would do well to have a thorough understanding of the user information they are collecting and disclosing to third parties, as well as the adequacy of their privacy policies and disclosures. Companies should also explore methods for obtaining consent for use of personal data, as the potential exposure under the VPPA and SCA are $2,500 and $1,000 per violation, respectively.

Ana Tagvoryan and Joshua Briones head Blank Rome's privacy class action practice out of Los Angeles. In addition to representing clients across the nation, their team also provides compliance counseling and related advice on privacy, social media and cybersecurity. This article originally appeared in Corporate Counsel, an ALM sibling of Internet Law & Strategy.