Disney Not Liable For Disclosing Device IDs And Viewing Habits
This is another VPPA case grappling with the question of how the statute defines “personally identifiable information.” A recent key VPPA ruling addressed the issue of whether someone who downloads an app is a “subscriber” (answer: no), but the PII question is one that has vexed several courts. Most courts hold that the information disclosed must, “without more,” identify a person. Thus, the VPPA does not apply to disclosure of a unique identifier that the recipient could use to ascertain the user’s identify.
Plaintiff, a Roku user, downloaded the Disney app via the Roku channel store. He was able to watch Disney videos using this app. He alleged that Disney allowed a third party (Adobe) to collect the (hashed) serial number of plaintiff’s Roku device along with the plaintiff’s viewing history.
The court says the statute is unclear on the scope of PII. Language in the definition section suggests that the information must identify a particular person (rather than an anonymous individual), but this does not resolve whether information sufficient to ascertain the identity of the user qualifies. On the other hand, the statute also says that PII “includes” someone’s name and address, indicating that the definition is broader than just this. The court notes that, while the majority of courts embrace a narrow definition of PII (under which the information itself must identify the person), there is one decision to the contrary. The court, however, rejects this approach:
this conclusion is at odds with the VPPA’s particularized definition of PII and is overly expansive. If nearly any piece of information can, with enough effort on behalf of the recipient, be combined with other information so as to identify a person, then the scope of PII would be limitless. Accord Nickelodeon, 2014 WL 3012873, at *11 (“Certainly, this type of information might one day serve as the basis ofpersonal identification after some effort on the part of the recipient, but the same could be said for nearly any type of personal information.”). Whatever the impact of modern digital technologies on the manner in which personal information is shared, stored, and understood by third parties like Adobe, the Court cannot ascribe such an expansive intent to Congress in enacting the VPPA. It would render meaningless the requirement that the information identify a specific person as having rented or watched specific videos, as all information would, with some work, be identifying, and would transmute a statute focused on disclosure of specific information to one principally concerned with what third parties might conceivably be able to do with far more limited disclosures.
The court is worried about a limiting principle and cannot come up with a workable one. The defendant’s knowledge is not an effective limiting principle because, if all information can ultimately identify someone, it is difficult to conceive of a case where disclosure would be not be “knowing”. Another possible limiting principle may be where the third party can instantly identify a person using information disclosed or collected, but this would be tough to reconcile with the “knowing” standard imposed on the disclosing entity. (How would the disclosing entity know the capabilities of the receiving entity?)
Ultimately, the court adopts the narrower definition of PII:
As alleged, the disclosures at issue here indicate only that a specific device somewhere was used by someone to watch specific videos. Id. 13. An unrelated third party equipped with the information purportedly disclosed by Disney, and nothing more, could not identify Robinson. The third party would not know his name, his age, his gender, his social security number, his home address or any other information tantamount to a physical location, or any similar details that would enable it to identify Robinson as the specific person accessing specific videos on his specific Roku device. The somewhere and someone remain unknown until Adobe purportedly combines Disney’s disclosure with other information collected from elsewhere. See Am. Compl. 27, 29, 55-57. Thus, Robinson’s allegations, as measured against the definition of personally identifiable information adopted by the Court, fail to show that he is entitled to relief.
The court does express some sympathy for plaintiff and says it remains “sensitive to the policy implications posed by the increasing ubiquity of digital technologies, which, as Robinson ably alleges, have dramatically expanded the depth, range, and availability of detailed, highly personal consumer information.”
There have been a few privacy lawsuits under the VPPA that stretch the statutory definitions (those alleging failure to purge; violations based on intra-household disclosures) but the claims asserted in this case actually present a good case of statutory ambiguity. It is simplistic to say that the VPPA requires someone to be identified by name. Even in Judge Bork’s era, one can envision how he could have been identified without actually having been named (“check out the profile and viewing habits of a key Supreme Court nominee!”). Fast forward 25 years later, and this ability to identify someone with a piece of ancillary information is much greater.
The court cites to a case (Yeshov v. Gannett Satellite Info) as one of the few cases embracing a broad view of PII under the VPPA. The case involved claims brought by users of an app, and the court ended up dismissing the claims on the basis that the user was not a “subscriber”. (The Cartoon Network case we blogged about took a similar approach. See “App Users Aren’t “Subscribers” Under the VPPA–Ellis v. Cartoon Network”.) That case fell to the wayside of the blogging queue but is definitely one to watch.
Eric’s Comment: I think we realized several years ago that any effort to divide data into “personally identifiable” and “not personally identifiable” is incoherent. It’s not surprising courts have no good way of interpreting inherently incoherent language.
Case citation: Robinson v. Disney Online, 2015 U.S. Dist LEXIS 142486 (S.D.N.Y. Oct 20, 2015) [pdf]