Hulu Unable to Shake Video Privacy Protection Act Claims

Plaintiffs were Hulu Plus subscribers who alleged that Hulu improperly disclosed their personal information to third parties (comScore and Facebook) in violation of the Video Privacy Protection Act.

On Hulu’s motion for summary judgment, the court grants it as to Hulu’s disclosures to comScore but denies it as to its disclosures to Facebook.

Hulu users had profile pages, and for a time, the URL of a user’s profile page contained a user’s Hulu user ID (unencrypted). Also for a time, the profile page displayed the person’s name.

Plaintiffs alleged that for an approximately 20 month period, the audience-measuring technology in place disclosed to comScore the unique Hulu user ID associated with the particular Hulu user, as well as the name of the program being viewed, along with other details. Hulu’s code also allowed for the placement of a unique comScore ID for each user that allowed comScore to track the user’s surfing habits on other sites where comScore otherwise collected information.

Information was similarly transferred to Facebook via the Facebook “like” button. The code (written by Hulu) transferred to Facebook the title of the video on the page in question (via the referer URL), and the user’s IP address. This occurred automatically–i.e., without the user pressing the “like” button. Separately, Facebook also received cookies associated with the Facebook.com domain that provided information to Facebook regarding the browser, and in some instances the user’s Facebook ID in question or the Facebook ID of the last Facebook user who logged in with that particular browser.

The question is whether the information disclosed by Hulu constitutes “personally identifiable information” under the Video Privacy Protection Act. The text of the statute merely refers to information that could “identify a person”; the person need not be identifiable by name. That said, the court says the statute is ambiguous as to whether it covers unique identifiers such as user IDs. After reviewing the legislative history, the court says things like user IDs are not covered—i.e., the legislative history confirms that the statute protects information that:

identifies a specific person and ties that person to particular videos that the person watched.

Thus, according to the court, disclosing that user 12925 watched the movie “Pulp Fiction” on May 5th does not fall under the statute. [At the same time, the court also says that the statute "does not require identification by a name necessarily". I was somewhat confused about its conclusion here.]

comScore disclosures: The court grants Hulu’s request for summary judgment as to the disclosures to comScore, saying that comScore could only hypothetically obtain a user’s name and then ascertain that person’s viewing habits. The evidence indicated that it never took this step. (The court relies on a declaration submitted by comScore for this proposition.) The court also says the fact that Hulu’s code caused a user’s browser to assign the user a unique comScore ID does not alter the VPPA analysis:

looking at the evidence very practically, comScore doubtless collects as much evidence as it can about what webpages Hulu users visit. Its cookies help it do that. There may be substantial tracking that reveals a lot of information about a person. The cookies may show someone’s consumption relevant to an advertiser’s desire to target ads to them. And there is a VPPA violation only if that tracking necessarily reveals an identified person and his video watching.

Facebook disclosures: Hulu made the same argument regarding the Facebook disclosures as it did regarding the comScore disclosures: Hulu never disclosed anyone’s name, and it was a purely hypothetical concern that Facebook would “tie[] its Facebook user cookies to the URL for the watch page.” The court disagrees and says that the statute does not require an actual name, only “something akin to it.” Indeed,

a Facebook user . . . generally is an identified person on a social network platform. The Facebook User ID is more than a unique, anonymous identifier. It personally identifies a Facebook user.

In contrast to the comScore disclosures, the court says that Facebook disclosures included both the video name and the cookie (containing the Facebook ID) (“the . . . cookies–sent . . . at the same time the watch page loaded with the video name–together reveal information about what the Hulu user watched and who the Hulu user is on Facebook”).

Thus, the court says that it’s possible plaintiffs state a VPPA claim based on the disclosures to Facebook. Furthermore, although a disclosure must be “knowing,” the court says the facts are unclear as to what Hulu knew about the information that was being transmitted. The court also rejects (based on a factual dispute) the consent argument based on putative consent in the Facebook terms of service.

__

This was one confusing ruling. For starters, I could not tell whether the court concluded that the statute covered a specific name or merely an identifier that pointed to a person. The court says the statute “does not require identification by name,” but then I could not figure out why the comScore disclosures, which resulted in transmission of the unique user ID for Hulu and which would lead in some instances to a user’s name, would be treated any different from the Facebook disclosure, which resulted in Facebook being able to gather the Facebook ID and ultimately a person’s name and identity. Perhaps one explanation is that any disclosures on a user’s Hulu page are user-initiated or clearly consented to. Alternatively, the Facebook disclosure allowed Facebook to glean the user’s name and identity while knowing the Hulu profile page did not? The court does not explain the differences in treatment. (In this age of facial recognition and data analytics, you wonder how easy it would be for a third party to take take a Hulu profile page and reverse engineer a person’s identity.)

The same undercurrent of schizophrenia runs through the court’s evaluation of whether Facebook or comScore in fact engaged in any re-identification. The court takes at face value the representation that comScore does not do this, but seems unwilling to accept at face value the representations regarding what Facebook did with the data. Perhaps there is a bit of Facebook exceptionalism at work here.

The decision is super-interesting for a few other reasons. First, courts tend to be erratic in their treatment of reidentification. Although the statutes in question are all different, compare this result with the Song-Beverly credit card cases (e.g., Pineda), where courts say that even a zip code along with demographic information is enough to identify someone. Another scenario in which plaintiffs tried to argue re-identification but where this argument did not carry the day was in Steinberg v. CVS.

More interestingly, the decision highlights the often-unintended consequences of coding and technical decisions. Hulu’s developers probably never thought about what precise information would be transmitted to third parties and in what circumstances. The court’s discussion about the interactions between Hulu’s servers and Facebook servers, and the various ways in which Hulu could have implemented the code to prevent the automatic transmission of a user’s Facebook ID and the video title in question, is a good teachable moment for anyone involved in the development process, including lawyers, developers, or product folks. The court alludes to the fact that the disclosure was automatic, but ends up imputing responsibility to Hulu for any information that is transmitted as a result of its code.

The decision is also worth contrasting with standard referer ID cases (Low v. LinkedIn), where plaintiffs have struggled. Here, or course, there is a statute specifically prohibiting the disclosure of titles (along with identities), so that provides a necessary hook.

Eric’s Comments: The VPPA is old and, in my opinion, outdated. It’s a good cautionary example against technology-by-technology attempts to regulate privacy. They look silly a few decades later. Given the explosion of new privacy laws being enacted right now, many making very specific technological assumptions, I expect we’ll look back in a couple of decades on those and feel they are equally outdated as the VPPA is today.

Case citation: In re: Hulu Privacy Litigation, C 11-03764B LB (N.D. Cal. Apr 28, 2014)

Related posts:

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Apple May Be Liable For Privacy Violations by Third Party Developed Apps

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Breach of Data Retention Policy Doesn’t Create Actionable Injury – Burton v. Time Warner (Catch-up Post)

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

Supreme Court Strikes Down Statute Restricting Sale and Use of “Prescriber” Data on First Amendment Grounds — Sorrell v. IMS

Beacon Class Action Settlement Approved — Lane v. Facebook

California Supreme Court Rules That a ZIP Code is Personal Identification Information — Pineda v. Williams-Sonoma