Important and Troubling Video Privacy Protection Act (VPPA) Ruling From First Circuit–Yershov v. Gannett
This is a Video Privacy Protection Act case alleging that Gannett, the owner of USA Today, improperly disclosed personally identifiable information to Adobe. Adobe offers analytics services to its clients by collecting user information and building user profiles. As alleged in the complaint, a unique identifier disclosed to Adobe by Gannett allows Adobe to identify and track a particular user of USA Today’s app across multiple devices, apps, and services.
Yershov, the plaintiff, downloaded and installed the USA Today app on his Android phone. He alleged that each time he viewed a video, Gannett disclosed the title of the video, his device ID, and GPS coordinates to Adobe. In resolving Gannett’s motion to dismiss, the district court embraced the minority view and held that the device ID was personally identifiable information under the VPPA. But the court nevertheless dismissed the claims on the basis that Yershov was not a subscriber. The First Circuit agrees with the district court on the PII ruling, but disagrees on Yershov’s status as a subscriber. Despite the non-payment of any subscription fees or incurring any ongoing obligation on the part of Yershov, the court says he may still be a subscriber on the facts as pled.
Whether the complaint alleges disclosure of PII: The court says that the statute doesn’t limit identifying information just to a person’s name. Admittedly, GPS coordinates or a device identifier alone (without additional information) can’t allow a person to be identified. However, the complaint alleged that Adobe had additional information that allowed it to easily identify the person using the information disclosed by Gannett:
While there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work, here the linkage, as plausibly alleged, is both firm and readily foreseeable to Gannett.
The court is not clear about whether the device ID and GPS separately constitute PII or whether disclosure of both together alters the result.
Whether Yershov alleges he is a “subscriber”: As to the definition of a “subscriber,” the court looks to dictionary definitions, finding one favorable to plaintiff:
“[t]o receive or be allowed to access electronic texts or services by subscription”
The court acknowledges that other definitions look to payment or repeated interactions (other than transmission and receipt of content), but the court settles on a broader definition. If the term “subscriber” as used in the VPPA required payment, this would render the other terms in the statute (‘purchaser’ or ‘renter’) superfluous, as a paying subscriber is either a purchaser or a renter. Even a free introductory trial period would be something Congress would presumably want covered by the VPPA, so this also cuts against using the payment of fees as a touchstone for the definition of subscriber.
The court disagrees with the Eleventh Circuit’s ruling in Cartoon Network (holding that an app downloader is not a subscriber) and distinguishes it based on differences in the parties’ allegations. The court also rejects the Eleventh Circuit’s analogy of downloading an app to favoriting or bookmarking a website’s address. (In this court’s view, why else would a content company bother developing an app if an app was equivalent to a favorite in a browser?) The court says that an app may be more akin to a “hotline” that Congress surely would have intended to cover by the VPPA:
Imagine that Gannett had installed a hotline at Yershov’s home, for free, allowing him to call Gannett and receive instant delivery of videos in exchange for his name and address, and he then used the hotline over the course of many months to order videos.
[Eric’s comment: this gave me flashbacks to the terrible offline-to-online analogies we used to see in the 1990s]
The court does disclaim the result saying that the facts may turn out to be different than alleged, and Yershov may not turn out to be a subscriber after all, but as alleged, he passes the test.
___
Buoyed by Facebook’s Beacon settlement, the availability of statutory damages, and statutory technicalities (e.g., an imprecise requirement to purge records), plaintiffs have fallen in love with the VPPA. However, they have not had much success asserting VPPA claims, typically because courts have employed a relatively narrow definition of PII. While disclosing someone’s Facebook profile may fall in the grey area, several courts have held that something like a device ID is not PII. The Disney case is the most recent ruling on that score. See “Disney Not Liable For Disclosing Device IDs And Viewing Habits”. The statute itself unhelpfully provides illustrative examples of PII (name and address) but does not contain clear limits. I suspect the drafters recognized that a narrow definition (i.e., limited to just name and address) did not sufficiently conform to the realities of how people were referred to by companies at the time the VPPA was enacted. Since then, both the amount of data about users and the ways in which third parties can de-identify users has increased dramatically. It appears that plaintiffs lawyers and companies will continue to battle over this unhelpful definition of PII in the VPPA.
The disclosure of an app downloader’s GPS coordinates seems like a risky decision, and it’s something companies should consider staying away from unless thoroughly vetted. Again, the court is not clear about whether this tips the balance, but generally speaking, courts seem more sensitive to the invasive implications of location tracking, even if not persistent.
The court’s discussion on PII does not cite to any appellate cases in support of its conclusion, so it could be the first appellate ruling to tackle this question. The Eleventh Circuit ruling that dismissed a VPPA case on the grounds that an app downloader was not a subscriber punted on this issue. (See our blog post on that case here: “App Users Aren’t “Subscribers” Under the VPPA–Ellis v. Cartoon Network”.)
On the question of who constitutes a “subscriber,” common sense says that someone who downloads an app should qualify and is certainly distinct from the average person who surfs the web to consume content. Apps can provide a direct line to the user by allowing things such as notifications. It’s clunky to analogize them to casual web surfers. (As Eric notes, the “hotline” analogy is clumsy as well.) Both this court and the Eleventh Circuit in Cartoon Network fall back on a factual test, saying it depends on the nature of the relationship. Again, look forward to more litigation in this regard.
Curiously, many of these decisions do not involve much discussion of the apps terms of service. The VPPA’s consent provisions were amended in 2012; maybe this was due to a timing issue. Or perhaps Gannett will raise this issue down the road? (For what it’s worth, this ruling does not mean that the outlook is rosy for plaintiff, Gannett has several other defenses available, including that its disclosure was not knowing. This got Hulu of the hook.)
In any event, in reacting to the ruling, Jay Edelson, of the Edelson firm (counsel to plaintiff in this case) remarked that “app developers [are] now in panic mode” as a result of this decision. That can’t be far off the mark, at least as to those who deal with video tracking.
Eric’s Comments: I’m open-minded about the accuracy of the court’s determination that unique ID + GPS coordinates = PII, but I sure would have loved to see the court analyze that issue more carefully. The dicey reasoning reminded me a little of the heavy-footed California Supreme Court ridiculous ruling in Pineda that a zip code was PII for purposes of California’s Song-Beverly Act. In this case, the user data was far more identifiable than Pineda’s zip code–but still, did it satisfy the statutory requirements? And does the result really make sense in the context of the new technological environment?
The ruling’s breadth could imply that a prima facie VPPA claim attaches whenever online video content is subject to third party analytics. If that’s the real result of this case, then given the ubiquity of video and third party analytics, I agree with Jay Edelson that basically all online content publishers and analytics services should be panicking. I hope the ruling doesn’t have that effect.
Doctrinal hacks like the court’s amateurish “hotline” analogy highlighted an underlying paranoia about online tracking. A less skittish group of judges would have almost certainly found a way to reach a different legal conclusion.
Case citation: Yershov v. Gannett Satellite Information Network, Inc., No. 15-1719 (1st Cir. Apr. 29, 2016) [pdf].
Related posts:
App Users Aren’t “Subscribers” Under the VPPA–Ellis v. Cartoon Network
9th Circuit Rejects VPPA Claims Against Netflix For Intra-Household Disclosures
Court Rejects VPPA Claim Against Viacom and Google Based on Failure to Disclose Identity
Ninth Circuit Rejects Video Privacy Protection Act Claims Against Sony
AARP Defeats Lawsuit for Sharing Information With Facebook and Adobe
Lawsuit Fails Over Ridesharing Service’s Disclosures To Its Analytics Service–Garcia v. Zimride
Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act
Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed
Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury
Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora
Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu
Granick on CISPA’s Deficiencies (With Some of My Own Comments)