In a much anticipated decision in the class action In re Hulu Privacy Litigation, U.S. Magistrate Judge Laurel Beeler of the U.S. District Court for the Northern District of California has shed new light on the meaning of “personally identifiable information” (PII) under the Video Privacy Protection Act (VPPA). This has important implications for companies that host videos on their websites and integrate their services with social media companies or web analytics service providers.
The court held on summary judgment that the transmission to a third party of unique user IDs, in and of themselves, along with video viewing history, does not constitute disclosure of PII under the VPPA.
In reaching its conclusion, the court distinguished between anonymous IDs that Hulu, LLC provided to the audience metrics company comScore, Inc. (which the court held were not PII) and a social networking service’s user IDs that Hulu provided to the social networking service (as to which the court held there were material issues of fact with respect to whether they could permit the identification of specific persons and thus be PII).
The court granted Hulu’s motion for summary judgment with respect to the comScore disclosures but not with respect to the social networking service disclosures.
The court’s decision shows that, when determining whether unique IDs associated with consumers’ online video viewing history are PII regulated by the VPPA, context matters.
In particular, companies that transmit such information should be aware of several key points:
First, the decision declined to impose VPPA liability for the disclosure of unique user IDs associated with video viewing history, where such IDs did not identify specific persons and where the record revealed only a hypothetical ability to correlate unique user IDs to specific persons but no evidence that it actually happened.
Second, the decision makes clear that companies should be mindful of the context in which they share unique user IDs with third parties, particularly with respect to whether the IDs permit the recipient or another party to identify specific persons, either directly or through information to which they already have access.
Third, the decision highlights the potential danger for companies that integrate social media plug-ins or other functionality on web pages where consumers watch videos. Companies providing online video services should consider taking steps to ensure that: (1) cookies and other data transmitted to another entity, such as a user ID that is matched with the video provider’s user ID for the same person, do not permit identification of specific individuals; and (2) video viewing history is not shared unintentionally, such as through a referrer URL that is transmitted during a standard browser request.
Finally, the decision highlights other important questions of fact that may exist when evaluating VPPA exposure, including whether the disclosing party had knowledge of the disclosure and whether the consumer consented to it.
With limited exceptions, the VPPA imposes liability—including liquidated damages of up to $2,500 per incident—on a video tape service provider that knowingly discloses, to any person, PII concerning any consumer of the video tape service provider. Liability extends to companies that provide online video services, such as Hulu, and the definition of PII includes “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”
In this case, the plaintiffs alleged that Hulu wrongfully disclosed its users’ video viewing history to comScore and a social networking service. comScore had provided Hulu with audience metric data about Hulu’s users, and the social networking service had provided social networking features through placement of its “Like” button on Hulu’s video watch pages. Each company received different data from Hulu during the delivery of its services. Among other data, comScore received unique numerical Hulu User IDs and comScore User IDs, while the social networking service had access to its own first-party cookies containing its own unique user IDs. Each company also received the title of the video watched, either as a parameter in a set of data transmitted or in the referrer URL of the page on which the user viewed the video.
ASSESSING THE LINK BETWEEN USER IDS AND SPECIFIC PERSONS
In its decision, the court addressed three different disclosures by Hulu:
the disclosure to comScore of watch pages and Hulu User IDs;
the disclosure to comScore of the comScore User ID cookies; and
the disclosure to the social networking service of watch pages and the social networking service’s cookies.
The key issue for the court was whether the disclosures of the video titles were tied to specific identified persons, such that they constituted prohibited disclosures of PII under the VPPA. The court stated that “the statute, the legislative history, and the case law do not require a name, [but] instead require the identification of a specific person tied to a specific transaction . . . .” Providing further explanation, the court stated that “a unique anonymized ID alone is not PII but context could render it not anonymous and the equivalent of the identification of a specific person.” In other words, context matters insofar as the circumstances link the unique user IDs to specific persons.
In applying this reasoning, the court held that Hulu’s disclosure to comScore of watch pages and Hulu User IDs did not constitute disclosure of PII: despite the fact that comScore could have used the Hulu User IDs to access Hulu users’ profile pages and obtain their names, there was no evidence that it did so, and there was thus no disclosure of PII for purposes of the VPPA.
The court next addressed Hulu’s disclosure to comScore of the comScore User ID cookies. The court explained that, although the comScore User IDs permitted comScore to conduct “substantial tracking that reveals a lot of information about a person,” the disclosure did not violate the VPPA because the tracking did not reveal “an identified person and his video watching.”
On the other hand, the court suggested that disclosure of the social networking service’s own, first-party user IDs to the social networking service itself, together with video viewing history, may constitute disclosure of PII under the VPPA. The court noted that “[t]he Facebook User ID is more than a unique, anonymous identifier. It personally identifies a Facebook user. That it is a string of numbers and letters does not alter the conclusion.” In addition, the court emphasized that “a Facebook user—even one using a nickname—generally is an identified person on a social network platform” and that “[the Facebook User ID] identifies the Hulu user’s actual identity on Facebook.” Therefore, the court denied Hulu’s motion for summary judgment with respect to its disclosures to the social networking service.
The decision with respect to the social networking service highlights the risk posed by integrations with social media companies on websites that host video services. Such integrations may cause a cookie or other data to be sent from a user’s browser without any affirmative action by the user, which could permit the social media company to identify a specific person and his or her video watch history—and thus trigger VPPA liability, although the court declined to make a decision on this aspect at this stage of the proceedings.
In practical terms, this risk means that companies providing online video services should take steps to ensure that: (1) cookies and other data transmitted to another entity, such as a user ID that is matched with the video provider’s user ID for the same person, do not permit identification of specific individuals; and (2) video viewing history is not shared unintentionally, such as through a referrer URL that is transmitted during a standard browser request.
OTHER POTENTIAL LIMITATIONS UNDER THE VPPA: “KNOWING” DISCLOSURE AND USER CONSENT
The court ruled that material issues of fact remained regarding whether Hulu disclosed the social networking service’s user IDs knowingly and without user consent. The court stated that “[o]ther cases involving violations of privacy statutes show that in the context of a disclosure of private information, ‘knowingly’ means consciousness of transmitting the private information. It does not mean merely transmitting the code.” Thus, the court stated that “if [Hulu] knew what [the social networking service’s cookies] contained and knew that it was transmitting PII . . . then Hulu is liable under the VPPA.” The court did not, however, grant summary judgment to Hulu based simply on the fact that Hulu’s servers could not read the social networking service’s cookies. Rather, the court held that other evidence may show that Hulu knew that the social networking service was receiving its own first-party user IDs within its cookies and was reading them together with video viewing history.
In light of the court’s decision, companies that—without affected individuals’ VPPA-compliant consent—disclose any type of identifier, together with video viewing history, to any other person or company should pay very close attention to exactly what information they transmit and whether it could be used by the recipient to identify specific individuals.