Caveat Vendor

Video Privacy Protection Act Does Not Protect Device Identifiers, Another Court Rules

May 08, 2015

Adam M. Reich

On May 7, 2015, the United States District Court for the Western District of Washington (Seattle) joined other courts in narrowly construing the phrase “personally identifiable information” under the Video Privacy Protection Act, 18 U.S.C. § 2710 (the “VPPA”) to exclude a device identifier, even if a third party could use that identifier in combination with other information to identify the individual.  The VPPA prohibits video service providers from knowingly disclosing “personally identifiable information” about their customers without their consent.
In Eichenberger v. ESPN, Inc., U.S.D.C., W.D. Wash. No. 2:14-cv-00463-TSZ, the plaintiff downloaded the “WatchESPN Channel” to a Roku digital media-streaming device.  The plaintiff alleged that, without his knowledge, the WatchESPN Channel transmitted his unique Roku device serial number and video selection to a third party, Adobe Analytics.  The plaintiff contended that this constituted an unlawful transmission of “personally identifiable information” under the VPPA because Adobe “automatically correlated [the transmitted information] with existing user information possessed by Adobe [from sources like Facebook and email accounts], and therefore identified [the plaintiff] as having watched specific video material.”

The court dismissed the complaint, with prejudice, declaring that a Roku device serial number and a user’s viewing records do not constitute “personally identifiable information.”  The court held that a plaintiff does not and cannot bring a viable claim under the VPPA when he or she relies on a theory that a third-party recipient of information from a video streaming service combines that information to identify the user.
The Eichenberger decision is consistent with other recent federal court decisions.  In Locklear v. Dow Jones & Co., No. 1:14-CV-00744-MHC, 2015 WL 1730068, at *4 (N.D. Ga. Jan. 23, 2015), a district court dismissed a VPPA claim on the grounds that a “Roku serial number, without more, does not constitute PII[.]”  Similarly, in _In re: Hulu Privacy Litig_ation, U.S.D.C., N.D. Cal. Case No. 11-cv-03764-LB, 2015 WL 1503506, at *1 (N.D. Cal. Mar. 31, 2015), a district court entered summary judgment for digital streaming provider Hulu in a VPPA putative class action suit finding that Hulu’s separate transmission of a Facebook user’s identification and his or her video watching habits on the website hulu.com did not constitute disclosure of “personally identifiable information.”

While the Eichenberger decision is not groundbreaking, it does continue a trend toward construing the statute narrowly and avoiding the temptation to reinterpret its provisions to apply to forms of media and sharing not envisioned at the time of the law’s enactment.

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.

Subscribe to Caveat Vendor. You will receive an email when the blog has been updated.__

Get In Touch With Us

Contact Us