On November 29, 2017, the U.S. Court of Appeals for the Ninth Circuit joined the Third Circuit in narrowly defining “personally identifiable information” under the Video Privacy Protection Act (VPPA), holding in Eichenberger v. ESPN that the disclosure of a unique device identifier does not violate the act.1
The VPPA was passed in 1988 in response to the Washington City Paper obtaining and publishing the video rental history of U.S. Supreme Court nominee Robert Bork.2 The act was intended “to preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.”3 To that end, the VPPA creates a private cause of action against a “video tape service provider”4 who “knowingly discloses … personally identifiable information.”5 The statute defines “personally identifiable information,” as “information which identifies an individual as having requested or obtained specific video materials or services from a video tape service provider.” Violators can be subject to statutory damages, punitive damages, and other penalties.6
Since the law’s enactment, Congress has recognized that “the Internet has revolutionized the way that American consumers rent and watch movies and television programs.”7 Indeed, innovations in video technology have rapidly increased the integration of multiple service providers in the process of delivering video content—connecting video content providers to data and research analytics services, and targeted advertising platforms. This integration has, in turn, posed novel questions regarding the scope of VPPA liability. Recent years have seen a pattern of VPPA claims asserted against digital content providers,8 streaming services,9 and providers of devices used to view or stream video content.10 Courts have struggled to define “personally identifiable information” in light of these changing technological norms and the legislative intent underlying the law. Some courts have held that a unique device identifier may constitute personally identifiable information under the VPPA, resulting in significant potential liability for the defendant.11
The Ninth Circuit addressed this challenge in Eichenberger. Plaintiff Chad Eichenberger downloaded the WatchESPN Channel on his Roku streaming device and used it to watch sports-related news and entertainment programming.12 He alleged that every time he watched a video, ESPN knowingly disclosed to third-party data analytics company, Adobe Analytics, “(1) Plaintiff’s Roku serial number and (2) the identity of the video that he had watched.”13 The plaintiff further alleged that Adobe connected that information to other information that it had obtained from separate sources, such as email addresses and Facebook profile information, and returned the resulting demographic data back to ESPN in an aggregated form.14 On the basis of these allegations, the plaintiff asserted a claim under the VPPA against ESPN, arguing that Adobe used the compiled information to identify him as having watched specific videos and, in turn, that ESPN had “disclosed his ‘personally identifiable information’ to Adobe.”15
The district court dismissed the plaintiff’s VPPA claim on the ground that the information disclosed by ESPN did not constitute “personally identifiable information.” The Ninth Circuit affirmed the dismissal on the same ground.
The court examined two different standards articulated by the First and Third Circuits. In Yershov v. Gannet Satellite Info. Network, Inc.,16 “the First Circuit held that the term ‘personally identifiable information’ encompasses ‘information reasonably and foreseeably likely to reveal which … videos a person obtained.”17 In contrast, in In re Nickelodeon Consumer Privacy Litig., the Third Circuit held that “‘personally identifiable information’ means only that information that would ‘readily permit an ordinary person to identify a specific individual’s video-watching behavior.’”18
Ultimately, the Ninth Circuit adopted the Third Circuit’s “ordinary person” definition, finding that it was supported by sound policy and legislative intent.
First, the court concluded that the “ordinary person” definition more appropriately “viewed the disclosure from the perspective of the disclosing party,” rather than based on what the recipient does (or could do), with the disclosed information.19 Thus, the Third Circuit’s “‘ordinary person’ test better informs video service providers of their obligations under the VPPA,” rather than making their liability turn on circumstances outside of their control.
Second, the court concluded that the “ordinary person” test hewed more closely to “the regime that the VPPA’s enacting Congress likely had in mind.” As the Third Circuit previously recognized, “[t]he classic example will always be a video clerk leaking an individual customer’s video rental history. Every step away from that 1988 paradigm will make it harder for a plaintiff to make out a successful claim.”20 The Ninth Circuit similarly reasoned that the disclosure of “a sizable ‘pool’ of possible viewers,” such as “a local high school teacher”—rather than disclosure of a name or address—was not what Congress had in mind when it defined “personally identifiable information.” And this was so regardless of the plaintiff’s allegations that Adobe Analytics could identify an individual based on other information in its possession.21
Mindful of an apparent split between the First and Third Circuit tests, the Ninth Circuit explained that its decision was consistent with the holding in Yershov. Although the First Circuit articulated a broader test, its holding actually “was quite narrow,” turning on the combined and simultaneous disclosure of: (1) a GPS location; (2) a unique device identifier; and (3) video titles, that together “would enable most people” to identify an individual.22 Notably, and consistent with the Ninth Circuit’s reasoning, the Supreme Court previously declined to address these allegedly different Circuit standards, denying a petition for writ of certiorari in In re Nickelodeon that was based in significant part on that case’s alleged divergence from Yershov.23
In sum, two federal circuit courts—including the one covering California, where many video service providers are based—have now held that the disclosure of a unique device identifier by a video tape service provider is not actionable under the VPPA. Both courts have also signaled reluctance to uphold VPPA actions based primarily on the disclosure of numeric identifiers tied to devices or web browsers, or based on the alleged ability of a recipient to match those identifiers with other identifiable information. This holding will make it easier for video service providers to lawfully tailor their privacy policies and practices to avoid VPPA liability.
The opinion left some open questions, however. The court acknowledged that “modern technology may indeed alter—or many already have altered—what qualifies under the statute. A Facebook link or email address may very well readily enable an ‘ordinary person’ to identify an individual.”24 While Eichenberger may signal a downturn in VPPA actions, we can expect to see future lawsuits that continue to push the boundaries on what information can give rise to VPPA liability, and in what circumstances.
1 Eichenberger v. ESPN, Inc., No. 15-35449 (9th Cir. Nov. 29, 2017).
2 In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 278 (3d Cir. 2016), cert denied, 137 S. Ct. 624 (2017)
3 Id. (quoting S. Rep. No. 100-599, at 1 (1988)).
4 See In re Hulu Privacy Litig., 2012 U.S. Dist. LEXIS 112916, at *13-19 (N.D. Cal. Aug. 10, 2010) (holding that “video tape service provider” includes services engaged in digital video distribution); see also In re Vizio, Inc., 238 F. Supp. 3d 1204, 1221 (C.D. Cal. 2017) (“[F]or the defendant to be engaged in the business of delivering video content, the defendant’s product must not only be substantially involved in the conveyance of the video content to consumers but also significantly tailored to serve that purpose.”).
5 18 U.S.C. § 2710(b)(1).
6 Id. § 2710(a)(3).
7 In re Nickelodeon, 827 F.3d at 288 (quoting S. Rep. No. 112-258, at 2 (2012)).
8 E.g., id. (VPPA claim against Viacom for Nick.com).
9 E.g., In re Hulu Privacy Litig., 86 F. Supp. 3d 1090, 1092 (N.D. Cal. 2015) (VPPA claim against Hulu based on video streaming services).
10 E.g., In re Vizio Consumer Privacy Litig., 238 F. Supp. 3d 1204 (C.D. Cal. 2017) (VPPA claim against Vizio based on Smart TVs).
11See, e.g., Yershov v. Gannet Satellite Info. Network, Inc., 820 F.3d 482, 484-86 (1st Cir. 2016) (holding that Android ID combined with GPS coordinates constitutes personally identifiable information under the VPPA); In re Hulu Privacy Litig., 2014 U.S. Dist. LEXIS 59479, at *42-46, (N.D. Cal. Apr. 28, 2014) (holding that Facebook ID cookies may, in certain contexts, constitute personally identifiable information under the VPPA).
12 Eichenberger v. ESPN, Inc., No. 15-35449, Slip Op. at *4 (9th Cir. Nov. 29, 2017).
15 Id. at *5.
16 Yershov v. Gannet Satellite Info. Network, Inc., 820 F.3d 482, 486 (1st Cir. 2016).
18 Id. at *13 (citing In re Nickelodeon, 827 F.3d at 267).
20 In re Nickelodeon, 827 F.3d at 290.
21 Eichenberger, Slip Op. at *12-13.
22 Id. at *14 (citing Yershov, 820 F.3d at 489).
23 137 S. Ct. 624 (2017) (denying petition for writ of certiorari filed in C.A.F. v. Viacom, No. 16-346, 2016 U.S. S. Ct. Briefs LEXIS 3363 (Sept. 15, 2016)).
24 Eichenberger, Slip Op. at *14.