Court Rejects VPPA Claim Against Viacom and Google Based on Failure to Disclose Identity
I blogged before about the privacy lawsuit against Viacom and Google over the disclosure of the viewing habits of minors.
The court previously rejected the claims on the basis that the disclosure of user attributes (such as demographic information, unique identifier and IP address), without more, does not amount to disclosure of someone’s personal identity (“information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider”). Plaintiffs went back and amended their claims, but they don’t have any better luck the second time around. Their allegations amounted to the argument that because we’re dealing with the all-knowing Google, a disclosure of these attributes is equivalent to the disclosure of a person’s actual identity:
Plaintiffs argue that because of Google’s ubiquitous presence on the Internet, it can learn a lot from even limited information. Plaintiffs note that Google owns a vast network of services — including Google.com, Gmail, YouTube, and so forth — which collects ample data about users of those services, sometimes including their full names. Plaintiffs contend that with that information already in hand, Google can take the information Viacom sends it and indeed ascertain personal identities.
The court is not persuaded. Citing the Hulu case, among others, the court says that the VPPA is only implicated where the video rental service provider discloses the actual identity.
The court also rejects plaintiffs’ claims under the New Jersey anti-hacking statute (no business or property damage; harm to PII insufficient, notwithstanding its marketability) and the intrusion upon seclusion claim (this type of disclosure is not “highly offensive”).
The court is somewhat troubled by the conduct—tracking of minors’ viewing habits—but it joins other cases in saying that the VPPA is only triggered when there is disclosure of a person’s actual identity. If any case would have been good to push a re-identification theory, this would have been it, and the court’s rejection of it shows that courts (trial courts at least) are not buying it, at least in the VPPA context.
This case is a great illustration of how changing circumstances make this type of regulation difficult and often clunky. (Any number of laws would fall into this category, ranging from reader privacy to social media password legislation.) When the law was passed in 1998, Blockbuster was still around, and brick-and-mortar rental stores were the focus of the legislation. Fast forward 13 years, and the argument is around re-identification in the context of online streaming, something we’re not even sure the law covers. (The VPPA was updated in 2012, but the update only allowed consent to be procured online, in a document separate from the terms of service, though the consent could be blanket consent for a period of time.)
Case citation: In re Nickelodeon Consumer Privacy Litigation, 2015 WL 248334, MDL No. 2443 (SRC) (D.N.J. Jan. 20, 2015)