The Video Privacy Protection Act - Recent Decisions Further Narrow the Contours of Liability
By Behnam Dayanim and Kevin P. Broughel
The Video Privacy Protection Act (“VPPA”) came into existence in the wake of a Washington Post report of Supreme Court nominee Robert Bork’s video rental history. Although the days of renting VHS tapes are now gone, the VPPA endures. Over the last several years a number of high profile lawsuits have been filed against online video and service providers for alleged violations of the VPPA. With the explosion of streaming and other forms of digital content—forms of media that the 1980s-era statute could not have anticipated—these suits have caused anxiety among content providers of all stripes.
However, two recent decisions, In re: Hulu Privacy Litig.
limit the scope of information that is considered “personally identifiable” for purposes of the statute;
reinforce the requirement that any disclosure by a content provider be “knowing”; and
provide meaning to the scope of “consumer” entitled to protection under the law by excluding the casual visitor to a site with whom that site has no ongoing or deliberate relationship.
Personally Identifiable Information
Liability under the VPPA requires the disclosure of “personally identifiable information.” Personally identifiable information is “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”
In Hulu, the district court considered whether the website hulu.com was wrongfully disclosing “personally identifiable information” to Facebook. The plaintiffs were registered Hulu users who watched Hulu video content. Information regarding the plaintiffs was transmitted from Hulu to Facebook via Facebook’s “Like” button, even if the user did not click the Like button. The information was transmitted in two ways. First, Hulu would send Facebook a watch page address that would include the title of the video displayed on that watch page. This would allow Facebook to send Hulu the code for the Like button so that it could be downloaded and used on the watch page. Second, if a Hulu user had logged into Facebook using certain settings within the prior four weeks, the Like button would transmit a “c_user” cookie to Facebook. The “c_user” cookie contained the user’s Facebook user ID in a numeric format. In sum then, “when a Hulu watch page loaded with the Facebook Like button, the page prompted a user’s web browser to transmit the watch page address and Facebook c_user cookie to Facebook-controlled servers.”
In granting summary judgment to Hulu, the court found that there was no evidence that the website disclosed “personally identifiable information” as defined under the statute. The basis for this conclusion was that Hulu transmitted separately the user’s identity and the video material selected—there was no connection made by Hulu between the video information and the user’s identity. As the court observed:
This means that, even if both elements were sent to Facebook, they did not necessarily disclose a user ‘as having requested or obtained specific video materials’ unless Facebook combined the two pieces of information. Without Facebook forging that connection there is no ‘disclosure’ of ‘personally identifiable information’ under the terms of the VPPA.
In reaching this result, the district court distinguished the Hulu fact pattern from that of Judge Bork. In the Judge Bork case, the list provided an “obvious” connection between a specific user and the material “requested or obtained.” In contrast, Hulu sent the information separately such that “[u]nlike in the paradigmatic Judge Bork case, the connection … would be established, if at all, by an act of the recipient.”
A Knowing Disclosure
The VPPA also requires that the disclosure of “personally identifiable information” be made “knowingly.” Previously, one court that addressed this issue held that Netflix could not violate the VPPA by allegedly displaying a list of a subscriber’s recently watched video titles on the subscriber’s television. The court reasoned that Netflix could not “knowingly” violate the statute under these circumstances because Netflix would have no way of knowing if people other than the subscriber were present in the room when the transmission of “personally identifiable information” occurred.
In Hulu, the court reached a similar result. The Hulu court held that in addition to there being no connection made by Hulu between its users and videos those users watched, there was no credible evidence that Hulu knew that Facebook might connect the information in the c-user cookie and watch page address:
[T]here is no evidence that Hulu knew that Facebook might combine a Facebook user’s identity (contained in the c_user cookie) with the watch-page address to yield ‘personally identifiable information’ under the VPPA. There is consequently no proof that Hulu knowingly disclosed any user ‘as having requested or obtained specific video materials or services.’
As such, the plaintiffs could not satisfy the VPPA standard that a defendant must “knowingly” transmit “personally identifiable information” to others to be held liable. The court also rejected plaintiffs’ citation to various other facts that purportedly showed that Hulu knew that the Facebook “c_user” cookie sent user-identifying information to Facebook because the facts were either not connected to the Like button, were too general to raise an issue of fact, or did not show that Hulu knew what specific information would be sent to Facebook.
Qualifying as a Consumer
The VPPA allows recovery for those individuals who are consumers of video tape service providers. The VPPA defines “consumer” as a “renter, purchaser or subscriber of goods or services from a video tape service provider.”
The Southern District of New York in Austin-Spearman, however, dismissed without prejudice a recent VPPA claim where the plaintiff alleged that she was a subscriber of a television network’s website that, like Hulu, allegedly transmitted “personally identifiable information” via Facebook’s “c_user” cookie.
As these recent decisions illustrate, courts will continue to grapple with applying a 1980s era privacy statute to evolving technology and information sharing mechanisms. The cases do suggest that courts will not entertain VPPA claims absent demonstrable evidence that those providing online services are knowingly transmitting personally identifiable data that connect specific users to specific videos. Moreover, while a plaintiff need not pay to be deemed a “consumer” under the VPPA, sporadic interaction with a website or similar online service provider is likely insufficient unless the plaintiff can point to specific actions that show a “desire to forge ties” with the provider.