Narrow Definition of “Personally Identifiable Information” Kills VPPA Case–Eichenberger v. ESPN
This is a Video Privacy Protection Act case. Plaintiff downloaded the WatchESPN channel on his Roku device and used it to watch videos. When he watched a video, ESPN disclosed the plaintiff’s device serial number and video title to Adobe Analytics. Plaintiff alleged that Adobe used the information to “identify specific consumers” by connecting the data shared with existing data in Adobe’s database. Adobe obtained the information in its database (used to identify consumers) from sources other than ESPN. Adobe gives the data it derives back to ESPN in an aggregated form, and ESPN “in turn provides advertisers with aggregate information about its users’ demographics.”
Plaintiff alleged Adobe used the data ESPN provided to identify him as having watched specific videos. He asserted that ESPN’s disclosure violated his rights under the VPPA. The district court dismissed, and the Ninth Circuit affirmed.
Standing: The Ninth Circuit first tackles standing under Spokeo and has no trouble concluding that plaintiff satisfies Article III standing. Spokeo dealt with “bare procedural violations” and held that in some circumstances, these violations could be sufficient to satisfy standing. However, plaintiff alleged the violation of a restriction on disclosure, and unlike a procedural rule, every violation of this restriction “offends the interests that the statute protects.” The court also cites to Congressional judgment as supporting this interpretation. The statute was intended to give consumers greater control over their personal information. Similarly, privacy torts don’t require actual harm (beyond the disclosure) to be legally sufficient. Finally, the court looks to the VPPA’s history and says that the disclosure of Judge Bork’s viewing records were not themselves harmful (they were “decidedly commonplace”). Under ESPN’s interpretation–that he needed to have been “aggrieved” beyond the disclosure–the VPPA would not have even provided him with recourse.
“Personally Identifiable Information”: The court says “personally identifiable information” extends beyond actual viewing or rental records, and covers some information that “can be used” to identify an individual. But it’s unclear precisely what the definition encompasses. The key question is whether the statute embodies a purely subjective or a foreseeability-type standard. Some courts have said that if information would be reasonably likely to reveal a person’s identity, then it’s personally identifiable information (Yershov). Others have looked to the perspective of the disclosing party (Nickelodeon), and the Ninth Circuit adheres to this view:
the statute views disclosure from the perspective of the disclosing party. It looks to what information a video service provider discloses, not what the recipient of that information decides to do with it.
The court follows the Third Circuit and adopts a subjective, “ordinary person” test.
The court says this interpretation “fits most neatly” with the regime Congress must have had in mind in 1988. In that time, a video store clerk would know: if he or she disclosed someone’s name and viewing history that they were violating the statute. But if they merely described the person in more generic terms, there would be no violation. The court says the Roku device serial number is more like the latter scenario: “It created a sizeable ‘pool’ of possible viewers . . . ” The court notes that technological changes have undoubtedly altered the ability of companies to derive identity information using data but
the advent of the internet did not change the disclosing-party focus of the statute.
It would be really interesting to see data on how the numerous VPPA class actions have panned out. There have been many!
The court’s test, like many other Ninth Circuit tests, leaves you with a lot of questions. The court says that some information beyond conventional identity information still constitutes personally identifiable information, but it never provides any meaningful examples. Nor does it provide any scenario in which disclosure of this other category of information that can be used to derive identity would trigger the statute.
As to the subjective test, does this mean that the disclosing party has to know that the recipient can use the information to de-identify? Would contractual assurances from the receiving party help insulate the disclosing party’s conduct? The court’s concerns about liability being imposed by something outside of the disclosing party’s control resonate, but the test it articulates seems to leave a lot of room for workarounds. And ultimately, perhaps the court’s decision is driven by the fact that there’s no human reviewing the de-identified records, and it all occurs as part of a large-scale data transaction between companies.
The court describes what looks like a mild circuit split. I wonder if there’s any chance the Supreme Court could take up a case presenting this question?
1) We’ve occasionally blogged on privacy concerns about analytics services (e.g., Garcia v. Zimride). This case raised the issue squarely, and it worked out for the defendants this time. However, if you are running an analytics service, you’re probably increasingly nervous about the wide range of potential privacy risks you face. And if you are a publisher using an analytics service, this case highlights the potential exposure you might face from your analytics provider’s activities.
2) The court’s approach to reidentification is interesting: the disclosing publisher isn’t responsible for an analytics service’s potential or actual reidentification unless the publisher discloses information that readily permits an “ordinary person” to identify a particular individual as having watched certain videos. This is a defendant-favorable definition of reidentification, and it will be interesting to see if courts similarly do not hold publishers accountable for the reidentification capacities of third parties in non-VPPA contexts.
Case citation: Eichenberger v. ESPN, Inc., 2017 WL 5762817 (9th Cir. Nov. 29, 2017)
Netflix recently tweeted the following and predictably came under fire for it:
To the 53 people who’ve watched A Christmas Prince every day for the past 18 days: Who hurt you?
— Netflix US (@netflix) December 11, 2017