Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed
Plaintiffs alleged that Viacom and Google violated the Video Privacy Protection Act and other federal and state privacy laws by improperly collecting and passing along information when end users (kids) viewed videos or games at Viacom-owned websites (nick.com, nickjr.com, and neopets.com).
Plaintiffs alleged that Viacom created a record when a user views a video or plays a video game, by placing a cookie in the user’s browser which allows Viacom to glean a range of information regarding the user in question. The complaint alleges that Viacom shares this information with Google and also allows Google to place its own cookies on the user’s browser. Plaintiffs, on behalf of a putative class of minors, alleged that the disclosed information could allow identification of the user and the videos that person viewed.
Standing: Defendants argued that the mere collection of personal information does not cause economic harm to plaintiffs, so standing is lacking. While the court agrees with this proposition, the court says that this is not the only route to standing. Plaintiffs can satisfy standing by alleging a violation of a statutorily protected privacy right. (See Edwards v. First American.) When a plaintiff takes this route, applicable Third Circuit precedent collapses the standing inquiry with the question of whether there has been a statutory violation.
VPPA Claim against Google: Google argued that it can’t be held liable under the VPPA because it does not satisfy the definition of a “video tape service provider” for purposes of this case. Plaintiffs argued that the VPPA does not limit the universe of possible defendants to those who satisfy the VTSP definition. The court disagrees, rejecting plaintiffs’ reliance on a District of New Jersey case from 1996. The court ultimately says that only the party that collects and then improperly discloses the information can be held liable.
Plaintiffs also cited Google’s ownership of YouTube, arguing that this turns Google into a VTSP. However, he VPPA contemplates a civil cause of action against entities from whom “specific video material or services” has been requested, and given that the lawsuit focuses on videos made available from Viacom-owned websites, Google’s operation of YouTube cannot cause it to be a VTSP for purposes of this case.
Finally, plaintiffs also argued that Google’s failure to destroy old records under 2710(e) of the statute causes it to be liable under the VPPA. The court says, citing to Redbox, that only wrongful disclosure is enforceable via a civil cause of action.
VPPA Claim against Viacom: Viacom argued that as an entity providing online video, it is not a VTSP but the court rejects this argument. However, the court likes Viacom’s argument that Viacom did not disclose “personally identifiable information.” The court outlines the possibilities and rejects the argument advanced by Viacom (that the information must specifically identify someone by name) and also rejects the argument asserted by plaintiffs (that the information could be used to derive the identity of someone). Instead, the court takes a middle-ground approach and says that:
PII is information which must, without more, itself link an actual person to actual video materials.
[While various bits of information disclosed to Google] might one day serve as the basis of persnal identification after some efforts on the part of the recipient, . . . the same could be said for nearly any type of personal information: this Court reads the VPPA to require a more tanbigle, immediate link.
The court cites extensively to the recent Hulu decision. In that case, there were a few different disclosures, but the only one that implicated the VPPA was the disclosure “which identified the user’s ‘actual identity on Facebook’”. In contrast, in this case, information was collected and possibly disclosed which could help identify the person, it could not identify the person directly. (It’s not totally clear where the court draws the line here.)
Finally, the court also rejects plaintiffs’ reliance on COPPA, which the court says is irrelevant to the VPPA analysis. To the extent plaintiffs can show a violation of COPPA, the fact that Viacom’s end users were minors may be relevant, but plaintiffs can’t use their minor status to transform the standards applicable under the VPPA.
The Wiretap Act Claims Fail: The Wiretap Act claims were deficient for two reasons: (1) the Wiretap Act is a one-party consent statute, and (2) none of the defendants intercepted the “contents” of any communications. (See also Zynga/Facebook 9th Circuit ruling.)
The Stored Communications Act Claim: The Stored Communications Act protects the privacy in communications stored on a third party’s computers (or facilities). Because any cookies were placed on plaintiffs own computers, rather than on Google’s, this presents a threshold problem with plaintiffs’ claims. In addition to being out of whack with the basic structure of the statute, the court says that treating plaintiffs’ computers as “facilities” for purposes of the SCA would result in the anomalous scenario where Google or third party networks would be empowered to grant access to their users’ personal computers (section 2701(c) allows the provider of a wire or electronic communications service to grant permission to access a facility).
State Law Claims: The state law claims fall by the wayside as well.
Invasion of privacy under California law: Plaintiffs brought a claim under a California statute prohibiting the interception or eavesdropping of communications, but the court says that this statute has been interpreted in parallel to the Wiretap Act. Since the Wiretap Act claim fails, this claim fails as well.
New Jersey Computer Related Offenses Act: This is a computer crime statute but it requires damage to business or property. Since plaintiffs allege neither, they can’t sustain this claim.
Invasion of privacy under New Jersey Law: The invasion of privacy claim under New Jersey law also fails. While the court recognizes that New Jersey law offers greater protection for information than the federal constitution, and New Jersey law also protects a broad range of information about a person in addition to PII, the court says plaintiffs failed to allege that the intrusion would be “highly offensive” to the reasonable person.
Unjust enrichment: The court also dismisses the unjust enrichment claim on the basis that plaintiffs did not confer any benefit directly to defendants nor is there any allegation that there was a reasonable expectation of remuneration. That defendants may have “received a benefit” is not enough.
The VPPA continues to generate some interesting legal questions, ranging from what an entity’s obligation to purge looks like to who exactly is covered by the statute as a “video tape service provider.” The most interesting of course, is what exactly falls under the definition of “personally identifiable information.” Another statute that comes to mind as generating this question is the Song Beverly Credit Card Act and similar state statutes. Those cases have run the gamut, with one decision from California going so far as to say that even a zipcode could help a retailer identify the customer. A complicating factor in the online world, and one that the courts don’t seem to address directly, is the effect of a unique identifier that users are assigned, and whether disclosure of this identifier along with video viewing habits is enough to violate the statute. This uncertainty has led to some legal hang-ups. Facebook’s Beacon implementation was an initial one, where the violation was perhaps more obvious, but as the court notes, Hulu ran into some problems, and surprisingly, this case involves Viacom.
The court’s conclusion that Google can’t be liable because it’s not offering the videos in question is interesting. I wonder whether it sufficiently takes into account the relationship between advertiser and platform in the modern era. Sure Google doesn’t offer the videos, but if it knows who you are and what videos you watch, this seems to get at the intent behind the VPPA (as out-of-touch as a statute as it may be).
Viacom’s lack of emphasis on a terms of service/waiver-based argument was interesting. While the facts were unclear as to whether only information collected from registered users was the problem, at least as to these users there would seem to be a possible consent argument. The two explanations I could think of for the waiver argument not being front and center was: (1) waiver language in Viacom’s terms of service that was not as prominent as it could have been or (2) the fact that any waiver would be included in a terms of service and courts don’t seem willing to find these types of waivers effective when contained in a TOS (see, for example, the Gmail privacy litigation).
The courts’ disposal of the remaining issues is equally interesting.
Expect to see this case (as the Hulu one) appealed.
Case citation: In re Nickelodeon Consumer Privacy Litigation, MDL No. 2443 (SRC) (D.N.J. July 2, 2014)