Hulu Video Privacy Protection Act Summary Judgment Ruling in the N.D. of California Emphasizes Importance of Knowing What Data Companies Are Collecting And Sharing When Consumers Watch Video Online

by Ropes & Gray LLP
Contact

On Monday, April 28, 2014, the Northern District of California in In Re: Hulu Privacy Litigation, No. 3:11-cv-03764-LB (M.J. Laurel Beeler), issued a summary judgment opinion under the Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710, that underscores the challenges and risks companies can face in sharing user video behavior information with third parties through web beacons and other online tools.

The VPPA, enacted originally in the wake of Judge Bork’s Supreme Court confirmation hearings, generally prohibits videotape service providers from knowingly disclosing personally identifiable information (“PII”) of a consumer, including a consumer’s video viewing history, to a third party. The VPPA also provides for a private right of action and permits a court to award statutory damages of at least $2500 per violation and attorneys’ fees, which has led plaintiffs’ attorneys to seek to apply it to the online world.

The class action brought against Hulu is an example. Hulu is an online video service that allows users to watch video on-demand through “watch pages.” The plaintiffs generally alleged that the “beacon” technology used by Hulu’s analytics vendor, comScore, also transmitted PII to comScore and that the placement of a “Like” button on a watch page resulted in Facebook unlawfully receiving PII too. Hulu moved for summary judgment, arguing that (i) it only disclosed anonymous user IDs, not PII; (ii) if the information was PII, it did not “knowingly” disclose it under the VPPA; and (iii) Facebook users consented to the disclosure. 

The comScore Disclosures

The information comScore received through beacons on Hulu’s watch page included 1) the Hulu user’s unique identification number (“Hulu User ID”); 2) an alphanumeric string Hulu used to differentiate between web browsers; 3) the Hulu “Ad ID” identifying a particular advertisement being played; 4) the name of the program or video being watched; and 5) the unique comScore user ID (“comScore UID”) that linked the user and video choice information to other information it gained about the same user when the user visited other sites where comScore collects data. 

The court, following a number of cases to consider the issue, held that an anonymous unique identifier, without more, is not PII under the VPPA. Applying that holding to the information that Hulu provided to comScore, the court held that providing Hulu User IDs along with information about the videos watched, by itself, was not a violation of the VPPA. The court reasoned that the VPPA requires “identifying the viewers and their video choices” and that a unique identifier, without more, does not violate the VPPA.

The plaintiffs argued that comScore could use the unique Hulu User ID to access the Hulu profile page of a user and then capture the user’s first and last name from the profile page. However, because the plaintiffs failed to show that comScore actually did that, the court granted Hulu summary judgment. In doing so, the court looked at the evidence “very practically” and noted that while comScore “doubtless collects as much evidence as it can about what webpages Hulu users visit” and there may be “substantial tracking that reveals a lot of information about a person,” it held a VPPA violation occurs “only if that tracking necessarily reveals an identified person and his video watching.”

The Facebook Disclosures

The court found the disclosures to Facebook to be more problematic. Hulu’s placement of the Facebook Like button on a watch page meant that, in addition to the URL web address of the Hulu watch page (which at the time also contained the video name), four sets of data were automatically sent to Facebook via Facebook’s cookies: 1) the user’s IP address; 2) the datr cookie identifying the browsers; 3) the lu cookie that identified the previous Facebook user using the browser to log into Facebook; and 4) the c_user cookie for any user who logged into Facebook using the default setting in the past four weeks. All this information was sent with the loading of the Hulu watch page, without the user having to click the Like button. 

The court noted several key differences between the data made available to comScore and the data made available to Facebook. Because the lu and the c_user cookies transmitted Facebook IDs, the court found that the information identified the Hulu user. By including in Hulu’s single transmission to Facebook the video name and the Facebook user cookies, the court found “the link between the user and the video was more obvious.” While strongly suggesting that that was enough to trigger the VPPA, the court held there was a material question of fact as to whether that information was sufficient to identify individual consumers. 

The court also held there was an issue of material fact as to whether Hulu “knowingly” disclosed this information to Facebook, as required by the knowledge element of the VPPA. Since inclusion of the Like button was an optional choice, and not necessary for the function of Hulu’s watch pages, the court thought more information was needed. It offered that “it might be dispositive if Facebook could not auto-authenticate a user when the Like button loaded” but also that, even if Hulu was itself unable to read Facebook’s cookies, if Hulu “knew what they contained and knew that it was transmitting PII . . . then Hulu is liable under the VPPA.”

Hulu also argued that Facebook users had consented to disclosure of their information through Facebook’s “click-wrap agreements.” The VPPA previously required, through early January 2013 (which includes the period at issue in the lawsuit), that the “informed, written consent of the consumer [be] given at the time the disclosure is sought.”1 The court stated that it had no evidence that, at the time in question, this kind of consent was sought, and so rejected the argument. 

The Hulu decision highlights the importance of being aware of what user information is tracked through a company’s online properties, by whom, and how. The Northern District of California court appears to be willing to impose liability under the VPAA for the information included and transmitted in cookies placed by third parties, even if the company sending those cookies cannot read or control them. The potential for that liability underscores the importance of adopting and implementing “privacy by design” principles in all aspects of online development and thinking through user consent issues carefully.


1  The VPPA currently allows sharing of PII and video information to “any person with the informed, written consent (including through an electronic means using the Internet) of the consumer that- (i) is in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer; (ii) at the election of the consumer- (I) is given at the time the disclosure is sought; or (II) is given in advance for a set period of time, not to exceed 2 years or until consent is withdrawn by the consumer, whichever is sooner; and (iii) the video tape service provider has provided an opportunity, in a clear and conspicuous manner, for the consumer to withdraw on a case-by-case basis or to withdraw from ongoing disclosures, at the consumer's election.” 18 U.S.C. 2710(b)(2)(B).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising

Written by:

Ropes & Gray LLP
Contact
more
less

Ropes & Gray LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!