Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act

This is another Video Privacy Protection Act lawsuit. The Cartoon Network has an app on the Android platform. Plaintiff (not a minor) downloaded the app. He complains that The Cartoon Network’s disclosure of his viewing history to a third party analytics company named Bango (located in the UK) violates the VPPA.

The court initially rejects the standing challenge, noting that the VPPA expressly creates a private cause of action. The court also rejects Defendant’s argument that plaintiff, not being a paying customer, is not a subscriber. Finally, the court focuses on the key question of whether the Android ID is “personally identifiable information” under the statute.

The court says no, citing to other decisions saying that information will not identify a person by itself is insufficient. For example, in the Hulu case, where the recipient had to take further steps to ascertain the identity of the person in question, this information was held to not be personally identifiable information. (While concluding that no violation stemmed from disclosure of certain information, the the court in Hulu said that disclosure of Facebook ID could result in a violation.) The court also cites to a Cable Act case which holds that disclosure of cable box codes which could identify a person but only with additional information does not violate that statute.

__

While the law was recently “fixed” to address the procurement of consent online, the amendments did not tackle the more difficult question of how the VPPA interacts with well-worn online tracking principles. Oddly, despite the clarification of the consent-procurement issue, VPPA defendants have not primarily relied on consent as a defense. (Hopefully the lobbyists who were hired to address the consent issue did not just ignore the definitional issues raised in this case. I’m guessing the VPPA amendments could not clarify the definition of personally identifiable information because it would not have been possible to get a bill passed that tackled this issue.)

In any event, courts addressing claims under the VPPA are leaning in the direction of treating things like device IDs as not personal information, based on the notion that if additional effort or information is required to derive a person’s identity then there’s no violation. (Courts, particularly in California, dealing with the statute applicable to collection of personal information by retailers at the point of sale have taken a different approach.) Perhaps this makes sense. It’s certainly tough to argue that the latest wave of VPPA lawsuits is anything more than an attempt to exploit a plaintiff-friendly statute. On the other hand, the decisions don’t seem to delve into whether this means plaintiffs are left without a remedy from the privacy standpoint. Is Bango, the third party tracking company, subject to the VPPA? Presumably, it can freely use the information disclosed, but would the consumer have recourse against it? Is it subject to the VPPA’s wacky purging rules? [As a sidenote, that Bango’s location–the UK–did not merit any discussion whatsoever struck me as odd. They don’t exactly seem like the kind of entity that would be amenable to an argument that they are subject to US laws.]

Case Citation: Ellis v. The Cartoon Network, 14-cv-484 (N.D. Ga. Oct 8, 2014)

Related posts:

Hulu Unable to Shake Video Privacy Protection Act Claims

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Apple May Be Liable For Privacy Violations by Third Party Developed Apps

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Breach of Data Retention Policy Doesn’t Create Actionable Injury – Burton v. Time Warner (Catch-up Post)

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

Supreme Court Strikes Down Statute Restricting Sale and Use of “Prescriber” Data on First Amendment Grounds — Sorrell v. IMS

Beacon Class Action Settlement Approved — Lane v. Facebook

California Supreme Court Rules That a ZIP Code is Personal Identification Information — Pineda v. Williams-Sonoma