The emerging home entertainment market is rife with both opportunity and peril for media and entertainment content providers. Home entertainment is increasingly provided through “Smart” devices such as Microsoft Xbox and Sony PlayStation video games systems, Smart TVs and devices that connect to regular TVs such as Apple TV or Google’s Chromecast. With 800 million television households worldwide, and Americans spending nearly five hours per day watching television, the opportunities for access and growth in this home entertainment market are staggering. (BI Intelligence, “The Smart TV App Revolution is Coming: Here’s What you Need to Know,” October 3, 2013.) The emergence of “Smart” technology is opening new avenues for advertisers, media and entertainment companies to reach consumers at home and provide them with content and services in a new interactive, direct and personalized manner. As the home entertainment market evolves, advertisers, media and entertainment companies who choose to operate in this space must be aware of the potential danger and take certain steps to ensure transparency in their data collection efforts for the protection of consumers.
Unlike their predecessors, the “Smart” devices of today serve as intermediary platforms between the consumer and the content providers and facilitate real time interaction. To personalize services and content provided, media and entertainment companies collect data from consumers composed primarily of personal information. Personal information may take the form of credit card and financial information. Personal information may also take the form of names, addresses and web browsing history. Personal information is obtained in most cases from consumers entering information during transactions and from media and entertainment companies collecting data from consumer’s web-browsing habits. On occasion, these platforms may scan the home network of the consumer to collect personal information. Collectively, this personal information may be used to facilitate the purchase of content, and to target advertising for certain products and services. It is the permissive (and non-permissive) collection, use and protection of personal information through these “Smart” devices that underlie most data privacy claims in the home entertainment market.
In re: Sony Gaming Networks and Customer Data Security Breach Litigation, 2014 WL 223677, Jan. 21, 2014, illustrates how these data privacy disputes tend to emerge. In Sony, hackers breached the Sony PlayStation online network exposing the personal information of more than 31 million consumers. Eleven plaintiffs filed a class action asserting 51 common law, state and federal statutory claims. In the complaint, the class alleged that Sony failed to provide reasonable network security, including industry-standard encryption that would safeguard the personal information. Sony sold the PlayStation and PSP video game consoles to the plaintiffs for use in playing games, connecting to the Internet and accessing Sony’s online services. Through Sony’s online services, the plaintiffs could access content such as movies, TV shows and third party services such as NetFlix and MLB.TV. To utilize the Sony’s online services, the plaintiffs were required to submit personal information including names, mailing addresses, email address, birth dates, and credit and debit card information. Ultimately, Sony shut down its online services and notified users of its online network.
Consumer Data Privacy Plaintiffs Get Their Day
The Sony decision illustrates how courts have evolved the consideration given to consumer data breach claims. Previously, data breach claims were unlikely to survive a motion to dismiss. This is because courts found a lack of standing under Article III as well as a failure to allege “injury in fact.” Now, courts are permitting these claims to proceed on the merits. In Sony, the defendants moved to dismiss claims pursuant to Federal Rule of Civil Procedure 12(b)(1) (lack of Article III standing) and 12(b)(6) (failure to state a claim upon which relief can be granted). The court denied Sony’s 12(b)(1) motion finding that the plaintiffs sufficiently established standing where it alleged that Sony collected its personal information and wrongfully disclosed it when it allowed hackers to steal the personal information. Notably, the court rejected Sony’s argument that the Supreme Court’s decision last year in Clapper v. Amnesty Int’l, 2013 WL 673253, required the plaintiff to allege that their personal information was accessed by a third party, finding that the plaintiffs need only allege that there was a “credible threat” of access by a third party for Article III standing.
Pursuant to Sony’s 12(b)(6) motion, the court dismissed the majority of the plaintiffs’ common law claims because they were insufficiently pled or failed to allege actual injury. However, the court did allow some of the plaintiffs’ claims based on violations of state consumer protection statutes where the plaintiffs allege that Sony failed to provide material information regarding the inadequacy of security of Sony’s online networks at the time the consoles were purchased. Specifically, the court found sufficient the plaintiffs’ allegations that Sony misrepresented that it would take reasonable steps to secure the plaintiffs’ personal information and use “industry standard encryption” to prevent a breach.
In this regard, the Sony court’s ruling is consistent with the recent tendency among courts to allow statutory based claims, which do not require plaintiffs to establish actual injury, to survive Rule 12(b)(6) challenges. For example, in In re Hulu Privacy Litigation, 2013WL 6773794, December 20, 2013 the plaintiffs asserted claims under the Video Privacy Protection Act (VPPA) alleging that Hulu disclosed personal information to third parties. The court denied Hulu’s motion for summary judgment, which argued that the plaintiffs could not recover under the VPPA where they did not allege actual damages. The court found that since the VPPA provided for statutory damages, the plaintiffs need only show a violation of the VPPA - wrongful disclosure - to recover damages. A showing of actual harm was not required.
Importantly, the Sony ruling addresses three points that are likely to arise in other data privacy actions relating to the home entertainment market: (1) it illustrates how courts might apply the “certainly impending” requirement from the Supreme Court decision in Clapper v. Amnesty Int’l USA, to determine whether there has been an “injury-in-fact” sufficient to establish Article III standing; (2) it continues a trend of court’s accepting the plaintiffs’ use of violations of state unfair competition statutes to survive 12(b)(6) motions, rather than having to establish “actual injury”; and, (3) it recognizes that companies cannot simply represent that they provide data protection, but rather have to show that their data protection efforts are effective and meet industry standards.
It is critical to understand that the data privacy and security issues that arose from use of video game consoles in the Sony case have applicability across the spectrum of home entertainment market platforms. Because today’s video game systems are fully equipped entertainment systems, they provide a gateway between consumers and media and entertainment content providers, similar to Smart TVs and devices such as Apple TV and Google Chromecast. The more interaction these “Smart” devices facilitate, the more opportunities media and entertainment companies have to collect personal information from its users. As a result, the types of claims presented from use of the video game consoles in Sony are likely to emerge on other platforms as they continue to evolve and usage becomes more widespread. In fact, just last week, consumers filed a class action lawsuit in the U.S. District Court for the Northern District of Georgia against the Wall Street Journal, and its WSJ Channel, for impermissibly collecting their personal information while viewing the WSJ Channel, and subsequently disclosing it to third parties.
Consumers Are Not Alone
The increased interaction between media and entertainment content providers and consumers in the home is likely to draw the watchful eye of governmental entities, such as the Federal Trade Commission (FTC) and state attorneys general. The FTC and state attorneys general in particular have stepped up their enforcement of state and federal consumer data protection laws. Federal law such as the Child Online Privacy Protection Rule (COPPA), which controls the collection of personal information from children under the age of 13, is frequently used by the FTC to enforce consumer rights. For example, last year the FTC charged Path Inc., which created a social networking application used on mobile devices, with violating COPPA by collecting the personal information from nearly 3,000 children without first obtaining parental approval. FTC settled with Path Inc. for $800,000. Given the access children have to home entertainment platforms, similar violations are likely to rise as media and entertainment content providers increase their presence on these platforms. In addition, state attorneys general are likely to take action to protect consumer data, considering that they have previously sought and obtained settlements as high as $17 million in data privacy actions in other contexts.
In this climate, where regulators and consumers are on full alert regarding data privacy and hackers are waiting to strike new targets, media and entertainment companies who operate in this home entertainment market must take certain steps adequately protect consumer data and inform consumers of how they will use their data. Utilizing the following principles on the front-end can further efforts to avoid issues with consumer data privacy.
Provide Notice and Disclosure: Providing consumers with notice that data is being collected, disclosing how collected data will be used and disseminated, identifying how collected data will be protected, and providing consumers with the ability and option to “opt-out” of data collection efforts is essential to complying with data privacy standards. The FTC has recently expressed the importance of this requirement and indicated increased attention to its observance. If Apple’s $32.5 million settlement with the FTC in January for failure to provide notice and disclosure to parents regarding billing activity by children in apps is any indication, failure to comply can be costly.
Data Protection and Encryption: Companies must upgrade and stay abreast of the current data protection and encryption technology and employ it when handling consumer data. As the Sony case suggests, courts will look beyond simple representations and focus on results in determining whether companies are employing the latest methods. More importantly, companies may be held liable where they represent that they employ data protection and encryption methods, which are found to be substandard. Companies should examine the many orders and settlements from enforcement actions taken by the Federal Trade Commission that identify specific deficiencies in data security and protection measures taken by the offending companies. In addition, it is imperative to consult and comply with standards for data protection established by industry groups such as the Interactive Advertising Bureau and the Digital Advertising Alliance.
Insurance: Given the vast amount of data generated in the home entertainment environment, the potential liability to millions of affected consumers can be significant. Obtaining insurance policies that cover these types of claims is essential. Companies should not assume that existing policies cover these data privacy claims. A judge recently ruled that two insurers had no duty to defend Sony on two of its policies, finding that the policy only applied to actions by Sony, not by the hackers. Companies who plan to operate in this area would benefit from reviewing their existing policies and securing additional “cyber” specific policies that specifically cover these types of claims.
Given the enormous market at stake, media and entertainment companies will jockey for position to provide the most popular content, unique services, targeted advertising and interactivity that will transform the way consumers experience entertainment in their homes. The ability to access and collect vast amount of data from consumers pursuant to these interactions carries with it increased responsibility and increased liability. Content and service providers who prepare will be able to reap the rewards that “Smart” technology provides and avoid the serious and substantial risks that can occur without.