Broadening the Scope of Privacy Under the Video Protection Statute

A recent case from the District of Massachusetts, Yershov v. Gannett Satellite Information Network, No. CIV. A. 14-13112-FDS, 2015 WL 2340752 (D. Mass. May 15, 2015), suggests a broadening of the view of subscriber privacy in the context of the delivery of video content over online platforms. The Video Privacy Protection Act (VPPA), 18 U.S.C. '2710 (2013), is the federal statute that governs the sharing of personally identifiable information (PII) in this context. Providers of online video need to understand the implications of the VPPA, and the associated case law, in order to conduct their businesses in a compliant manner. Providers that may be impacted include not only businesses that deliver video as part of their core services (e.g., Hulu, Netflix, etc.), but also publishers, social media platforms, and blogs, to the extent that they provide video content as part of a broader array of media offerings.

Digital technologies have dramatically changed the way we consume video content. But while we watch, we are being watched. Data collection and analytics have become integral parts of online video delivery business models. Ironically, while the technology allowing digital access to video has developed rapidly over the past few years, the law addressing the privacy of the information collected through these new technologies ' the VPPA ' has not. It is, in most part, unchanged from its enactment in 1988, when we were still largely living in an analog world.

The VPPA prohibits a “video tape service provider” from knowingly disclosing a consumer's PII to third parties absent the consumer's permission. 18 U.S.C. '2710(b)(1). At this point, it is uncontested that the term “video tape service provider” includes providers of online video. What is still subject to debate, however, is what constitutes PII for purposes of the VPPA. The statute defines PII as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. '2710(a)(3). The dramatic changes in technology and analytics associated with video delivery have made it particularly difficult for courts to apply this “pre-digital” definition to new, technologically-innovative applications. As a result, the contour of the VPPA as applied to these new contexts is still being shaped. This is illustrated by the recent decision in Yershov and its marked divergence from the rationale of prior decisions.

The Pre-Yershov Trend

Until Yershov, it seemed that the trend was for courts to generally define PII for purposes of the VPPA quite narrowly. The cases of Locklear v. Dow Jones, In re Hulu Privacy Litigation, and Eichenberger v. ESPN, discussed below, all generally follow the reasoning that in order for data to be classified as PII it must be knowingly transmitted from a video tape service provider to a third party and must be sufficient on its own (or with other data sent bundled together from the same video tape service provider in the same exchange) to identify the individual and his/her viewing transaction history.

In Locklear, the plaintiff brought an action claiming that after “she downloaded and began using the WSJ Channel on her Roku media-streaming device to watch video clips and news stories ' Dow Jones disclosed her Roku device serial number and video viewing history to mDialog, an analytics and advertising company” without the plaintiff's consent. Locklear v. Dow Jones, No. 1:14-CV-00744-MHC, 2015 WL 1730068, (N.D. Ga. Jan. 23, 2015) at 1. The court determined that because mDialog “had to take further steps, i.e., turn to sources other than Dow Jones, to match the Roku number to [the] [p]laintiff,” the Roku number did not qualify as PII.

In Hulu, the plaintiff brought a VPPA action against Hulu claiming that Hulu knowingly disclosed PII to ComScore and Facebook without the consent of its subscribers. See, Hulu, No. C 11-03764 LB, 2014 WL 1724344, (N.D. Cal. April 28, 2014) at 1. In April 2014, the court granted summary judgment in relation to the disclosure of information to ComScore, accepting Hulu's position that an anonymous user ID coupled with a linked video viewing history does not, on its own, constitute PII because it requires the third party to “reverse engineer” the data to uncover the identification of the subscriber.

In March 2015, the court determined that Hulu did not knowingly disclose PII to Facebook because while the data was sent simultaneously, Facebook would have to independently combine it to uncover the identity of the Hulu subscriber and Hulu had no actual knowledge that Facebook was engaging in such activity. In re Hulu Privacy Litig., No. 11-cv-03764-LB, at 2 (N.D. Cal. March 31, 2015).

A recent decision in Eichenberger v. ESPN, expounded a similar understanding of PII. See, Eichenberger, No. C14-463 TSZ (W.D. Wash. May 7, 2015) (order at http://bit.ly/1LBnIfM via Keller and Heckman, LLP). In Eichenberger, the plaintiff used his Roku device to download the WatchESPN app in order to stream ESPN programming. Chad Eichenberger then sued ESPN for disclosing his “unique Roku device serial number, along with the videos he viewed to a third party, Adobe Analytics” without his consent, claiming that this constituted prohibited sharing of PII under the VPPA. The court disagreed.

Looking to the decision in Locklear where an almost identical argument was made and rejected, the U.S. District Court for the Western District of Washington in Eichenberger also determined that a Roku device unique serial number did not constitute PII. According to the court in Eichenberger, anonymous identifiers, such as Roku device serial numbers do not identify specific individuals and therefore are not personally identifiable information under the VPPA.

The court in Eichenberger also rejected the claim made by the plaintiff that Adobe Analytics could combine the information gleaned from the plaintiff's Roku serial number and the record of watched videos, with other data and thus specifically identify him, transforming this anonymous identifier into PII. The court in Eichenberger looked to the reasoning of Locklear where the court “rejected the plaintiff's argument that the actions of a third-party recipient could convert a user's anonymous Roku device serial number into PII upon which a VPPA claim could be based.” PII, according to the Eichenberger court, must be PII on its own. As a result, the court dismissed the complaint with prejudice for failure to state a claim upon which the plaintiff could recover.

The Yershov Decision

The decision in Yershov has reopened the debate over what constitutes PII as the basis of a violation of the VPPA in the online video-streaming context. See, No. CIV. A. 14-13112-FDS, 2015 WL 2340752 (D. Mass. May 15, 2015). In Yershov, decided this past May, the Massachusetts district court offered a conflicting interpretation from that of the courts in Locklear, Hulu, Eichenberger and other cases of what constitutes PII. Moreover, the court, in unusually strong language, was highly critical of these previous VPPA decisions, suggesting they were “flawed” and based on an “unrealistic” understanding of PII. The Yershov understanding of PII has important implications for providers of video streaming services, particularly with respect to customers who may use mobile devices to access their content.

In Yershov, the plaintiff installed the USA Today app created by Gannett Satellite Information Network, onto his Android smartphone and proceeded to use it “to access news and entertainment media content.” The app is free and does not require registration. The record indicates that through the app, and without the express permission of the user, “Gannett discloses three kinds of information [to a third party]: 1) a record of the transaction (presumably, information concerning the precise video selected for viewing); 2) the user's GPS coordinates (that is, the precise location of the user); and 3) the [unique] Android ID of the user's smartphone or other device.” The plaintiff contended Gannett “discloses 'personally identifiable information' every time a person uses the USA Today App to watch video clips” to Adobe Systems.

The complaint alleged that because Adobe has access to a variety of different data sources, once “Adobe receives an individual's Android ID and the record of the video transaction from the USA Today app, it is able to connect that information with information collected from other sources to personally identify users and associate their video viewing selections with a personalized profile in its databases.” Essentially, Adobe could combine data to uncover the identity of the person linked to the Android ID and video transaction history.

In Eichenberger, and the lineage of cases that it cited to, the court determined that information which needed to be aggregated with other information from outside sources or separate transmissions did not constitute PII on its own. The court in Yershov disagreed, determining that “a person's name, social security number, and date of birth are PII. ' Similarly, a person's home address is PII.” The court then expanded the definition of PII further, arguing that:

[s]imilar types of information, such as a place of birth, a mother's maiden name, an automobile license plate number, or a home telephone number, could also be PII under at least some circumstances. ”It requires no great leap of logic to conclude that the unique identifier of a person's smartphone or similar device ' its 'address,' so to speak ' is also PII. A person's smartphone 'address' is an identifying piece of information, just like a residential address.

Gannett argued that “the Android ID cannot be PII because that information cannot be linked to a specific person without access to certain additional information ' specifically, the information that a particular phone is used by a particular person.” While this argument would have likely been accepted by the court in Eichenberger, the court in Yershov rejected it. Instead, the court reasoned that if Social Security numbers, birthdays and home addresses are all examples of PII and yet all require extra information in order to identify a specific person, then the argument that Android IDs cannot be PII because they too require extra information in order to identify a specific person is unpersuasive.

The lack of a public database linking Android IDs with specific individuals was not a problem for the court in Yershov. The court analogized Android IDs and their lack of a public database to social security numbers. The court explained: '[A] social security number or a date of birth, in isolation, is anonymous. However, it would be absurd to conclude that a Social Security number is not PII, simply because there is no publicly-available database linking those numbers with names.'

The court also noted that “Gannett transmits the GPS coordinates of the user along with the Android ID.” This means that Gannett is simultaneously transmitting specific GPS coordinates, the Android ID, and transaction history. While the court states that this combination functions as PII, it is not clear if Android IDs themselves would be viewed as such.

In reaching its conclusion, the court used uncharacteristically harsh language in distinguishing the prior opinions, stating that they “seem to take an unrealistic view of the nature of personal identifiers, and how readily different databases or pieces of information can be linked together. The courts appear to frame the issue in large part by referring to these identifies as 'anonymous identifiers,' which is unhelpful and possibly misleading.”

In Yershov, the court nevertheless found that the plaintiff was not protected by the VPPA. The issue of whether the plaintiff was a subscriber and thus a “consumer” under the VPPA actually determined the outcome of the case. Looking to the specifics of the USA Today app, the court in Yershov determined that because the app is only downloaded, provides no special access to restricted content, and in order to use it “an individual does not have to pay any money; does not have to register; and does not have to make any commitment of any kind,” individuals engaging with the USA Today app are “users,” not subscribers and therefore not protected by the VPPA.

Publishers, social media platforms, blogs and other content distributors who offer video must be aware of the evolving nature of VPPA jurisprudence in order to remain in compliance with the law. Publishers, social media platforms, blogs and other content distributors who offer video should also be aware of correlating state statutes governing the sharing of PII in the video context, e.g., Michigan's Video Rental Privacy Act (1988), Mich. Comp. Laws '445.1712. They should also be aware of what information is being harvested from users, and with whom it is being shared. Often a detailed technical analysis may be needed. To the extent PII ' as interpreted for purposes of the VPPA ' is being shared, user consent may be needed. The VPPA has specific provisions relating to how consent must be obtained which are beyond the scope of this article, but suffice it to say that it cannot be buried in the terms of use or the privacy policy. (See, 18 U.S.C. '2710(b)(2)(B) for specifics about how consent can be given.) Further, the broadening of the definition of PII articulated in Yershov may also have implications for how PII is defined in other contexts in an ever-evolving digital age.

Jeffrey D. Neuburger is a partner at Proskauer Rose and a member of the Board of Editors of our sister newsletter, e-Commerce Law & Strategy. Ava L. Childers, a summer associate at the firm, assisted in the preparation of this article.

A recent case from the District of Massachusetts, Yershov v. Gannett Satellite Information Network, No. CIV. A. 14-13112-FDS, 2015 WL 2340752 (D. Mass. May 15, 2015), suggests a broadening of the view of subscriber privacy in the context of the delivery of video content over online platforms. The Video Privacy Protection Act (VPPA), 18 U.S.C. '2710 (2013), is the federal statute that governs the sharing of personally identifiable information (PII) in this context. Providers of online video need to understand the implications of the VPPA, and the associated case law, in order to conduct their businesses in a compliant manner. Providers that may be impacted include not only businesses that deliver video as part of their core services (e.g., Hulu, Netflix, etc.), but also publishers, social media platforms, and blogs, to the extent that they provide video content as part of a broader array of media offerings.

Digital technologies have dramatically changed the way we consume video content. But while we watch, we are being watched. Data collection and analytics have become integral parts of online video delivery business models. Ironically, while the technology allowing digital access to video has developed rapidly over the past few years, the law addressing the privacy of the information collected through these new technologies ' the VPPA ' has not. It is, in most part, unchanged from its enactment in 1988, when we were still largely living in an analog world.

The VPPA prohibits a “video tape service provider” from knowingly disclosing a consumer's PII to third parties absent the consumer's permission. 18 U.S.C. '2710(b)(1). At this point, it is uncontested that the term “video tape service provider” includes providers of online video. What is still subject to debate, however, is what constitutes PII for purposes of the VPPA. The statute defines PII as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. '2710(a)(3). The dramatic changes in technology and analytics associated with video delivery have made it particularly difficult for courts to apply this “pre-digital” definition to new, technologically-innovative applications. As a result, the contour of the VPPA as applied to these new contexts is still being shaped. This is illustrated by the recent decision in Yershov and its marked divergence from the rationale of prior decisions.

The Pre-Yershov Trend

Until Yershov, it seemed that the trend was for courts to generally define PII for purposes of the VPPA quite narrowly. The cases of Locklear v. Dow Jones, In re Hulu Privacy Litigation, and Eichenberger v. ESPN, discussed below, all generally follow the reasoning that in order for data to be classified as PII it must be knowingly transmitted from a video tape service provider to a third party and must be sufficient on its own (or with other data sent bundled together from the same video tape service provider in the same exchange) to identify the individual and his/her viewing transaction history.

In Locklear, the plaintiff brought an action claiming that after “she downloaded and began using the WSJ Channel on her Roku media-streaming device to watch video clips and news stories ' Dow Jones disclosed her Roku device serial number and video viewing history to mDialog, an analytics and advertising company” without the plaintiff's consent. Locklear v. Dow Jones, No. 1:14-CV-00744-MHC, 2015 WL 1730068, (N.D. Ga. Jan. 23, 2015) at 1. The court determined that because mDialog “had to take further steps, i.e., turn to sources other than Dow Jones, to match the Roku number to [the] [p]laintiff,” the Roku number did not qualify as PII.

In Hulu, the plaintiff brought a VPPA action against Hulu claiming that Hulu knowingly disclosed PII to ComScore and Facebook without the consent of its subscribers. See, Hulu, No. C 11-03764 LB, 2014 WL 1724344, (N.D. Cal. April 28, 2014) at 1. In April 2014, the court granted summary judgment in relation to the disclosure of information to ComScore, accepting Hulu's position that an anonymous user ID coupled with a linked video viewing history does not, on its own, constitute PII because it requires the third party to “reverse engineer” the data to uncover the identification of the subscriber.

In March 2015, the court determined that Hulu did not knowingly disclose PII to Facebook because while the data was sent simultaneously, Facebook would have to independently combine it to uncover the identity of the Hulu subscriber and Hulu had no actual knowledge that Facebook was engaging in such activity. In re Hulu Privacy Litig., No. 11-cv-03764-LB, at 2 (N.D. Cal. March 31, 2015).

A recent decision in Eichenberger v. ESPN, expounded a similar understanding of PII. See, Eichenberger, No. C14-463 TSZ (W.D. Wash. May 7, 2015) (order at http://bit.ly/1LBnIfM via Keller and Heckman, LLP). In Eichenberger, the plaintiff used his Roku device to download the WatchESPN app in order to stream ESPN programming. Chad Eichenberger then sued ESPN for disclosing his “unique Roku device serial number, along with the videos he viewed to a third party, Adobe Analytics” without his consent, claiming that this constituted prohibited sharing of PII under the VPPA. The court disagreed.

Looking to the decision in Locklear where an almost identical argument was made and rejected, the U.S. District Court for the Western District of Washington in Eichenberger also determined that a Roku device unique serial number did not constitute PII. According to the court in Eichenberger, anonymous identifiers, such as Roku device serial numbers do not identify specific individuals and therefore are not personally identifiable information under the VPPA.

The court in Eichenberger also rejected the claim made by the plaintiff that Adobe Analytics could combine the information gleaned from the plaintiff's Roku serial number and the record of watched videos, with other data and thus specifically identify him, transforming this anonymous identifier into PII. The court in Eichenberger looked to the reasoning of Locklear where the court “rejected the plaintiff's argument that the actions of a third-party recipient could convert a user's anonymous Roku device serial number into PII upon which a VPPA claim could be based.” PII, according to the Eichenberger court, must be PII on its own. As a result, the court dismissed the complaint with prejudice for failure to state a claim upon which the plaintiff could recover.

The Yershov Decision

The decision in Yershov has reopened the debate over what constitutes PII as the basis of a violation of the VPPA in the online video-streaming context. See, No. CIV. A. 14-13112-FDS, 2015 WL 2340752 (D. Mass. May 15, 2015). In Yershov, decided this past May, the Massachusetts district court offered a conflicting interpretation from that of the courts in Locklear, Hulu, Eichenberger and other cases of what constitutes PII. Moreover, the court, in unusually strong language, was highly critical of these previous VPPA decisions, suggesting they were “flawed” and based on an “unrealistic” understanding of PII. The Yershov understanding of PII has important implications for providers of video streaming services, particularly with respect to customers who may use mobile devices to access their content.

In Yershov, the plaintiff installed the USA Today app created by Gannett Satellite Information Network, onto his Android smartphone and proceeded to use it “to access news and entertainment media content.” The app is free and does not require registration. The record indicates that through the app, and without the express permission of the user, “Gannett discloses three kinds of information [to a third party]: 1) a record of the transaction (presumably, information concerning the precise video selected for viewing); 2) the user's GPS coordinates (that is, the precise location of the user); and 3) the [unique] Android ID of the user's smartphone or other device.” The plaintiff contended Gannett “discloses 'personally identifiable information' every time a person uses the USA Today App to watch video clips” to Adobe Systems.

The complaint alleged that because Adobe has access to a variety of different data sources, once “Adobe receives an individual's Android ID and the record of the video transaction from the USA Today app, it is able to connect that information with information collected from other sources to personally identify users and associate their video viewing selections with a personalized profile in its databases.” Essentially, Adobe could combine data to uncover the identity of the person linked to the Android ID and video transaction history.

In Eichenberger, and the lineage of cases that it cited to, the court determined that information which needed to be aggregated with other information from outside sources or separate transmissions did not constitute PII on its own. The court in Yershov disagreed, determining that “a person's name, social security number, and date of birth are PII. ' Similarly, a person's home address is PII.” The court then expanded the definition of PII further, arguing that:

[s]imilar types of information, such as a place of birth, a mother's maiden name, an automobile license plate number, or a home telephone number, could also be PII under at least some circumstances. ”It requires no great leap of logic to conclude that the unique identifier of a person's smartphone or similar device ' its 'address,' so to speak ' is also PII. A person's smartphone 'address' is an identifying piece of information, just like a residential address.

Gannett argued that “the Android ID cannot be PII because that information cannot be linked to a specific person without access to certain additional information ' specifically, the information that a particular phone is used by a particular person.” While this argument would have likely been accepted by the court in Eichenberger, the court in Yershov rejected it. Instead, the court reasoned that if Social Security numbers, birthdays and home addresses are all examples of PII and yet all require extra information in order to identify a specific person, then the argument that Android IDs cannot be PII because they too require extra information in order to identify a specific person is unpersuasive.

The lack of a public database linking Android IDs with specific individuals was not a problem for the court in Yershov. The court analogized Android IDs and their lack of a public database to social security numbers. The court explained: '[A] social security number or a date of birth, in isolation, is anonymous. However, it would be absurd to conclude that a Social Security number is not PII, simply because there is no publicly-available database linking those numbers with names.'

The court also noted that “Gannett transmits the GPS coordinates of the user along with the Android ID.” This means that Gannett is simultaneously transmitting specific GPS coordinates, the Android ID, and transaction history. While the court states that this combination functions as PII, it is not clear if Android IDs themselves would be viewed as such.

In reaching its conclusion, the court used uncharacteristically harsh language in distinguishing the prior opinions, stating that they “seem to take an unrealistic view of the nature of personal identifiers, and how readily different databases or pieces of information can be linked together. The courts appear to frame the issue in large part by referring to these identifies as 'anonymous identifiers,' which is unhelpful and possibly misleading.”

In Yershov, the court nevertheless found that the plaintiff was not protected by the VPPA. The issue of whether the plaintiff was a subscriber and thus a “consumer” under the VPPA actually determined the outcome of the case. Looking to the specifics of the USA Today app, the court in Yershov determined that because the app is only downloaded, provides no special access to restricted content, and in order to use it “an individual does not have to pay any money; does not have to register; and does not have to make any commitment of any kind,” individuals engaging with the USA Today app are “users,” not subscribers and therefore not protected by the VPPA.

Publishers, social media platforms, blogs and other content distributors who offer video must be aware of the evolving nature of VPPA jurisprudence in order to remain in compliance with the law. Publishers, social media platforms, blogs and other content distributors who offer video should also be aware of correlating state statutes governing the sharing of PII in the video context, e.g., Michigan's Video Rental Privacy Act (1988), Mich. Comp. Laws '445.1712. They should also be aware of what information is being harvested from users, and with whom it is being shared. Often a detailed technical analysis may be needed. To the extent PII ' as interpreted for purposes of the VPPA ' is being shared, user consent may be needed. The VPPA has specific provisions relating to how consent must be obtained which are beyond the scope of this article, but suffice it to say that it cannot be buried in the terms of use or the privacy policy. (See, 18 U.S.C. '2710(b)(2)(B) for specifics about how consent can be given.) Further, the broadening of the definition of PII articulated in Yershov may also have implications for how PII is defined in other contexts in an ever-evolving digital age.

Jeffrey D. Neuburger is a partner at Proskauer Rose and a member of the Board of Editors of our sister newsletter, e-Commerce Law & Strategy. Ava L. Childers, a summer associate at the firm, assisted in the preparation of this article.