VPPA Still Doesn’t Protect App Downloaders–Perry v. CNN
Plaintiff sued CNN under the Video Privacy Protection Act, alleging that CNN wrongly disclosed plaintiff’s viewing records without plaintiff’s consent. The allegation is that plaintiff used the CNN app, which records viewing history, and CNN sent this information to Bango, a third party data analytics company. CNN allegedly disclosed to Bango the viewing activity along with the MAC address (a unique string of numbers associated with plaintiff’s device). Bango then allegedly used the information to link the user’s MAC address to other information and built a profile of plaintiff that includes the name, location, phone number, email address, and payment information, combined with the viewing history that CNN disclosed.
Standing: CNN argued that Spokeo v. Robins deprived plaintiff of standing because plaintiff did not allege any harm apart from the wrongful disclosure in question. The court rejects CNN’s reading of Spokeo. In this court’s view, Spokeo recognized that statutory harm alone can suffice where the legislature demonstrates a clear intent to create cognizable injury through the statute. That was the case here. The court cites to the rationale for passing the statute in the first place–the wrongful disclosure of then-nominee Bork’s videotape viewing records. The court also looks to the common law history of privacy torts and notes that in many circumstances, mere disclosure alone, even without misuse of information, is actionable. Thus, plaintiff does not have to show any more injury than wrongful disclosure to have Article III standing.
Whether plaintiff is a subscriber: The second and dispositive question is whether plaintiff is a “subscriber” as defined by the statute. The limited case law on the issue recognizes plaintiff as a subscriber either where the plaintiff pays to obtain the content or where there is some sort of ongoing subscription relationship. Plaintiff initially alleged in district court that he downloaded the free app and this was the extent of his relationship. This was insufficient under another Eleventh Circuit case (Ellis v. Cartoon Network). This time around, plaintiff alleges that he paid for a premium cable package that entitled him to get “premium content” on his devices, and this satisfied the necessary ongoing relationship. The court says this is still insufficient:
[the] ephemeral investment and commitment associated with [plaintiff’s] downloading of the [app,] even with the fact that [plaintiff] has a separate cable . . . subscription that includes CNN content, is simply not enough to consider [plaintiff] a subscriber under Ellis.
Accordingly, the court declines to reach the issue of whether the information disclosed by CNN is “personally identifiable information” under the VPPA.
Whether the Court’s ruling in Spokeo v. Robins would push back the wave of impending privacy litigation was an open question following Spokeo. I think this question can be decisively answered in the negative. It’s rare to see a dismissal on standing grounds supported by Spokeo, and most of those cases would have not satisfied standing pre-Spokeo anyway.
As to the court’s reading of the term “subscriber,” there’s a tension there between reading the statute broadly to protect consumers on the one hand, and facilitating crushing privacy lawsuits on the other. There’s also of course the difference between the state of affairs when the statute was passed (e.g., before Netflix) to the changing landscape of content consumption today. You can certainly argue that content nowadays often involves a non-monetary quid pro quo, so looking to whether the consumer pays money is a poor metric. But it’s certainly a bright line. And as this case illustrates, the “ongoing relationship” test spelled out by Ellis and applied here is vague at best.
Ultimately, it’s a loss for the privacy bar, but courts continue to struggle with aspects of the statute to reach this result.
Case citation: Perry v. CNN, No. 16-13031 (11th Cir. Apr. 27, 2017)