Keywords: personally identifiable information, PII, cookie tracing, video privacy protection, VPPA

Plaintiffs traditionally face an uphill battle in class actions alleging misuse of personally identifiable information (PII) gathered from Internet cookie tracking (i.e., data transferred between users' web browsers and companies' web sites). Courts often take the view that plaintiffs lack cognizable injury—and thus standing—as browsing history and demographic information have little to no intrinsic value.1 However, the plaintiff's bar is ever on the lookout for new PII hooks, and recent efforts have centered on the Video Privacy Protection Act, 18 USC § 2710 (VPPA).

Congress enacted the VPPA in 1988 after Judge Robert Bork's video rental history famously leaked during his candidacy for nomination to Supreme Court. The VPPA prohibits "video tape service providers" from knowingly disclosing PII, which includes any information that links a customer to particular video materials or services. The VPPA provides a private right of action and statutory damages of no less than $2,500 per violation. Several states also have enacted laws protecting video privacy, including California, Connecticut, Delaware, Iowa, Louisiana, Maryland, Michigan, New York and Rhode Island.

The scope of these statutes is unsettled, particularly with regard to new forms of video media. But several recent decisions from an action out of the Northern District of California suggest that the VPPA may extend beyond traditional video rentals to streaming video services. The court first determined that streaming-video provider Hulu qualified as a "video tape service provider," and allowed a case to go forward on the theory that the VPPA's statutory damages—even absent other alleged actual damages—were sufficient to confer standing.2 The court later rejected Hulu's argument that its PII was anonymous and thus immune from VPPA liability.3 Instead, the court found that users could be identified by information other than actual names: on Hulu's site, there was computer code that enabled Facebook to process "like" requests. This code contained cookies that potentially revealed users' identities on Facebook. The two Hulu decisions are significant given the increasing use of streaming video by all sorts of companies and web sites.

In the wake of these decisions, numerous putative class actions have been filed under the VPPA. For example, a Wall Street Journal subscriber filed a putative class action against Dow Jones & Company, alleging that its "WSJ Channel" for digital streaming devices (such as Roku) disclosed subscribers' PII to a data analytic and advertising company, including records of every video ever viewed.4 Dow Jones has moved to dismiss, arguing that its PII is anonymous, that the VPPA does not apply to its free service and that plaintiff suffered no injury in fact—all arguments that bear watching.

In the past, companies such as Pandora and Netflix have defeated video-privacy suits by arguing that streaming-audio services and disclosures of PII to subscribers themselves are not covered by the statutes5 And the Hulu plaintiffs face additional hurdles, particularly at the class certification stage, where the individualized application of ad blocking software may predominate over common class issues.6 But VPPA suits are no doubt on the rise, and companies offering streaming video over the web should pay close attention to the developments in Hulu, Dow Jones and other emerging cases.

Footnotes

1 See, e.g., In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010 (N.D. Cal. 2012).

2 See In re Hulu Privacy Litig., 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012).

3 See In re Hulu Privacy Litig., 2013 WL 6773794 (N.D. Cal. Dec. 20, 2013).

4 See Locklear v. Dow Jones & Co., Inc., Case No. 14-cv-00744 (N.D. Ga. Mar. 13, 2014).

5 See Mollett v. Netflix, Inc., 2012 WL 3731542 (N.D. Cal. Aug. 17, 2012); Deacon v. Pandora Media, Inc., 901 F. Supp. 2d 1166, 1172-1175 (N.D. Cal. 2012).

6 See In re Google Inc. Gmail Litig., 2014 WL 1102660 (N.D. Cal. Mar. 18, 2014).

Originally opublished 28 May 2014.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2014. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.