VPPA Still Doesn’t Protect App Downloaders–Perry v. CNN

IMG_5662Plaintiff sued CNN under the Video Privacy Protection Act, alleging that CNN wrongly disclosed plaintiff’s viewing records without plaintiff’s consent. The allegation is that plaintiff used the CNN app, which records viewing history, and CNN sent this information to Bango, a third party data analytics company. CNN allegedly disclosed to Bango the viewing activity along with the MAC address (a unique string of numbers associated with plaintiff’s device). Bango then allegedly used the information to link the user’s MAC address to other information and built a profile of plaintiff that includes the name, location, phone number, email address, and payment information, combined with the viewing history that CNN disclosed.

Standing: CNN argued that Spokeo v. Robins deprived plaintiff of standing because plaintiff did not allege any harm apart from the wrongful disclosure in question. The court rejects CNN’s reading of Spokeo. In this court’s view, Spokeo recognized that statutory harm alone can suffice where the legislature demonstrates a clear intent to create cognizable injury through the statute. That was the case here. The court cites to the rationale for passing the statute in the first place–the wrongful disclosure of then-nominee Bork’s videotape viewing records. The court also looks to the common law history of privacy torts and notes that in many circumstances, mere disclosure alone, even without misuse of information, is actionable. Thus, plaintiff does not have to show any more injury than wrongful disclosure to have Article III standing.

Whether plaintiff is a subscriber: The second and dispositive question is whether plaintiff is a “subscriber” as defined by the statute. The limited case law on the issue recognizes plaintiff as a subscriber either where the plaintiff pays to obtain the content or where there is some sort of ongoing subscription relationship. Plaintiff initially alleged in district court that he downloaded the free app and this was the extent of his relationship. This was insufficient under another Eleventh Circuit case (Ellis v. Cartoon Network). This time around, plaintiff alleges that he paid for a premium cable package that entitled him to get “premium content” on his devices, and this satisfied the necessary ongoing relationship. The court says this is still insufficient:

[the] ephemeral investment and commitment associated with [plaintiff’s] downloading of the [app,] even with the fact that [plaintiff] has a separate cable . . . subscription that includes CNN content, is simply not enough to consider [plaintiff] a subscriber under Ellis.

Accordingly, the court declines to reach the issue of whether the information disclosed by CNN is “personally identifiable information” under the VPPA.

__

Whether the Court’s ruling in Spokeo v. Robins would push back the wave of impending privacy litigation was an open question following Spokeo. I think this question can be decisively answered in the negative. It’s rare to see a dismissal on standing grounds supported by Spokeo, and most of those cases would have not satisfied standing pre-Spokeo anyway.

As to the court’s reading of the term “subscriber,” there’s a tension there between reading the statute broadly to protect consumers on the one hand, and facilitating crushing privacy lawsuits on the other. There’s also of course the difference between the state of affairs when the statute was passed (e.g., before Netflix) to the changing landscape of content consumption today. You can certainly argue that content nowadays often involves a non-monetary quid pro quo, so looking to whether the consumer pays money is a poor metric. But it’s certainly a bright line. And as this case illustrates, the “ongoing relationship” test spelled out by Ellis and applied here is vague at best.

Ultimately, it’s a loss for the privacy bar, but courts continue to struggle with aspects of the statute to reach this result.

Case citation: Perry v. CNN, No. 16-13031 (11th Cir. Apr. 27, 2017)

Related posts:

Important and Troubling Video Privacy Protection Act (VPPA) Ruling From First Circuit–Yershov v. Gannett

App Users Aren’t “Subscribers” Under the VPPA–Ellis v. Cartoon Network

9th Circuit Rejects VPPA Claims Against Netflix For Intra-Household Disclosures

Court Rejects VPPA Claim Against Viacom and Google Based on Failure to Disclose Identity

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

Ninth Circuit Rejects Video Privacy Protection Act Claims Against Sony

AARP Defeats Lawsuit for Sharing Information With Facebook and Adobe

Lawsuit Fails Over Ridesharing Service’s Disclosures To Its Analytics Service–Garcia v. Zimride

Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act

Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed

Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

Granick on CISPA’s Deficiencies (With Some of My Own Comments)

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Jan.-Feb. 2012 Quick Links, Part 6 (Privacy and more)

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Beacon Class Action Settlement Approved — Lane v. Facebook