Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act
This is another Video Privacy Protection Act lawsuit. The Cartoon Network has an app on the Android platform. Plaintiff (not a minor) downloaded the app. He complains that The Cartoon Network’s disclosure of his viewing history to a third party analytics company named Bango (located in the UK) violates the VPPA.
The court initially rejects the standing challenge, noting that the VPPA expressly creates a private cause of action. The court also rejects Defendant’s argument that plaintiff, not being a paying customer, is not a subscriber. Finally, the court focuses on the key question of whether the Android ID is “personally identifiable information” under the statute.
The court says no, citing to other decisions saying that information will not identify a person by itself is insufficient. For example, in the Hulu case, where the recipient had to take further steps to ascertain the identity of the person in question, this information was held to not be personally identifiable information. (While concluding that no violation stemmed from disclosure of certain information, the the court in Hulu said that disclosure of Facebook ID could result in a violation.) The court also cites to a Cable Act case which holds that disclosure of cable box codes which could identify a person but only with additional information does not violate that statute.
While the law was recently “fixed” to address the procurement of consent online, the amendments did not tackle the more difficult question of how the VPPA interacts with well-worn online tracking principles. Oddly, despite the clarification of the consent-procurement issue, VPPA defendants have not primarily relied on consent as a defense. (Hopefully the lobbyists who were hired to address the consent issue did not just ignore the definitional issues raised in this case. I’m guessing the VPPA amendments could not clarify the definition of personally identifiable information because it would not have been possible to get a bill passed that tackled this issue.)
In any event, courts addressing claims under the VPPA are leaning in the direction of treating things like device IDs as not personal information, based on the notion that if additional effort or information is required to derive a person’s identity then there’s no violation. (Courts, particularly in California, dealing with the statute applicable to collection of personal information by retailers at the point of sale have taken a different approach.) Perhaps this makes sense. It’s certainly tough to argue that the latest wave of VPPA lawsuits is anything more than an attempt to exploit a plaintiff-friendly statute. On the other hand, the decisions don’t seem to delve into whether this means plaintiffs are left without a remedy from the privacy standpoint. Is Bango, the third party tracking company, subject to the VPPA? Presumably, it can freely use the information disclosed, but would the consumer have recourse against it? Is it subject to the VPPA’s wacky purging rules? [As a sidenote, that Bango’s location–the UK–did not merit any discussion whatsoever struck me as odd. They don’t exactly seem like the kind of entity that would be amenable to an argument that they are subject to US laws.]
Case Citation: Ellis v. The Cartoon Network, 14-cv-484 (N.D. Ga. Oct 8, 2014)