Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury

Plaintiffs sued Hulu asserting violations of the Video Privacy Protection Act based on alleged disclosures to Comscore and Facebook of plaintiffs’ viewing information. The court denied an initial motion to dismiss by Hulu based on standing. Hulu later brought a summary judgment motion arguing that plaintiffs could not recover statutory damages absent a showing of actual injury. In depositions one of the plaintiffs intimated that as a paying customer he suffered injury. Nevertheless, ultimately, plaintiffs admitted that other than “feeling like [their] privacy ha[d] been violated,” plaintiffs could not identify any specific injury. The key question was whether plaintiffs could recover statutory damages merely by showing a violation of the statute, notwithstanding their failure to identify actual injury.

The court says yes, pointing to the structure of the statute, which defines an “aggrieved person” as any person whose information has been wrongly disclosed. Hulu says that inclusion of the word “aggrieved” in the statute indicates that some sort of injury is a prerequisite to statutory damages, but the court says no:

the practical import of the statute is that the words “aggrieved person” in subsection (c) mean the same thing they do in subsection (b)(1): a consumer whose personally identifiable is disclosed by the video provider in violation of the statute.

Hulu cited to the Drivers Privacy Protection Act in support of its argument that actual damages were required, but the court says that the DPPA and cases construing it are similar and actually support plaintiffs’ position. While the statutes are somewhat differently structured, this is because unlike the DPPA the VPPA “has permissible disclosures that do not create a right to sue by the consumer.”

Hulu also cited to Sterk v. Best Buy where a federal district court said that Congress cannot circumvent standing rules, and that in order to seek injunctive relief under the VPPA, plaintiffs have to show harm and cannot merely rely on a statutory violation. The court distinguishes Best Buy on the basis that it involved standing and it was a wrongful retention case. The court also points to Sterk v. Redbox, where the Seventh Circuit held that a VPPA plaintiff alleging wrongful retention had to allege injury beyond a mere violation of the statute. The Seventh Circuit in Redbox intimated that the analysis would be different if there was an allegation of disclosure.

Finally, Hulu also cited to Doe v. Chao, a Privacy Act case. However, the court distinguishes this case, saying that it involved a holding about the need to prove actual damages, as opposed to “actual injury”.

Hulu may have another chance to try to knock out the VPPA claims on the basis that its disclosure to third parties was not “knowing,” but plaintiffs need not show any injury apart from a statutory violation in order to recover statutory damages.

__

The cases that deal with the statutory construction issue make my head hurt. This should not be the case, but it often seems like courts are unnecessarily mired in minutiae in figuring out whether legislators intended for recovery to be dependent on showing some sort of injury or damage apart from a mere statutory violation. Should it really be that hard for the legislature to specify whether the statute allows for recovery by anyone who proves a statutory violation?

Edwards v. First American was teed up as a case that asked the question of whether Congress could legislate Article III harm, or whether regardless of what the statute said, recovery requires some showing of minimal injury. Although this ruling does not address standing (and is thus somewhat clunky as a vehicle) perhaps this case presents a similar opportunity. Of course, being a privacy case, it’s a tough case from the defense side to argue that regardless of what the statute said plaintiff’s are not entitled to recovery. A wrongful retention case under the VPPA would be a better vehicle to raise this type of a challenge.

Courts dealing with privacy claims have taken an ambivalent view of standing. Some courts take a strict approach and use Article III standing as a tool to weed out what they view as non-meritorious claims. Others, such as this one, take a more lenient approach. Given the broad definition of standing enunciated by the Supreme Court, a change will likely require the Court to take up one of these cases. For what it’s worth, on the question of whether Congress can enact statute that allow for recovery absent showing of actual harm I’m skeptical that courts will end up saying that this can’t be done.

Case citation: In re Hulu Privacy Litigation (Case No. 11-03764I) (N.D. Cal. Dec. 20, 2013) [pdf]

Other coverage:

Hulu Privacy Litigation Continues After Court Concludes No Actual Injury Required

Related posts:

IMDB’s Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon

Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

Class Action Against Path Over Cellphone Address Book Access Keeps Going

Judge Koh Whittles Down iPhone App Privacy Lawsuit

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits