Recent Decisions Clarify Reach of VPPA, Plaintiffs Pursue Alternative Theories9 Sep, 2014 By: Ana Tagvoryan, Blank Rome LLP, Joshua Briones, Blank Rome LLP
Online service providers often collect user data in various forms for statistical or marketing purposes, which often include sharing of the information with third parties. Recent developments provide guidance as to what information is protected under applicable statutes, as well as what defenses may be available when litigation arises out of this practice.
The Video Privacy Protection Act (VPPA) prohibits the unauthorized disclosure of personally identifiable information (PII) to third parties. Plaintiffs have argued that video-streaming habits are shared with third parties along with PII without the Web user’s permission or consent. In the Hulu case, for example, plaintiffs argued that the code that loads and operates the “Like” button on Hulu’s webpage causes the browser of the Hulu user to send to Facebook a URL of the user’s watch page – and under certain circumstances, a cookie called the “c_user” cookie that enables Facebook to link information identifying the Hulu user with that Hulu user’s video choices.
In April, the district court ruled that cookies used to send data to Facebook were covered by the statute because they contained information about these users’ actual identity (such as IP address and Facebook ID), but unique IDs that were presented in a generalized way to the Web analytics companies were not, because such data was linked to a device rather than a user.
Following that ruling (which was made on a motion to dismiss), the district court in June declined to certify a class around the Facebook cookie sharing allegations, finding it difficult to prove whether any particular user’s “cookie” information was shared with Facebook such that his or her viewing habits were disclosed. If users took steps to block tracking, their movie-viewing history wouldn't have been shared. The court reasoned that there didn't appear to be a good way to distinguish between the users who took those kinds of measures and the ones who did not.
The ruling denying class certification, as well as the findings by the court last April, coincides with New Jersey Federal Judge Stanley Cheslar’s recent decision involving Google and Viacom. Cheslar found that information concerning anonymous user IDs, a child’s gender and age and information about the computer used to access video-streaming websites did not amount to personally identifiable information under the VPPA. Instead, Cheslar reasoned that the information must be “akin to a name.”
What Does This Mean?
Because of the limits of the applicability of VPPA, and the hurdles to class certification, plaintiffs have increasingly looked to breach of contract, common law fraud and state consumer fraud statutes for recovery. For example, Google was recently sued in California for breach of contract and unfair competition arising out of alleged sharing of private customer data to third-party app developers in connection with Google’s Wallet and Play services.
Thus, online service providers would do well to have a thorough understanding of the user information they are collecting and disclosing to third parties, as well as the adequacy of their privacy policies and disclosures. Companies should also explore methods for obtaining consent for use of personal data, as the potential exposure can be high.
Ana Tagvoryan and Joshua Briones head Blank Rome's privacy class action practice out of Los Angeles. In addition to representing clients across the nation, their team also provides compliance counseling and related advise on privacy, social media and cybersecurity.