The decision further aligns the circuit courts in holding that the private right of action is limited to the Act’s prohibition on unauthorized disclosures only.
A recent attempt to expand the breadth of the private right of action under the Video Privacy Protection Act1 (the Act) failed when the U.S. Court of Appeals for the Ninth Circuit ruled that the Act does not provide a private right of action to consumers for violations of the Act’s data retention and destruction requirements. The court also provided a business-friendly interpretation of the Act’s “ordinary course of business” exception to its prohibition on disclosures of personally identifiable information. It held that a video tape service provider’s transfer of its customer database to a corporate affiliate, either incident to a transfer of ownership or to facilitate the affiliate’s provision of services on its behalf, constituted an allowable disclosure in the ordinary course of business of the video tape service provider under the Act.
Background
The plaintiff in Rodriguez v. Sony Computer Entertainment America, LLC,2 used Sony’s PlayStation Network to rent and purchase several videogames and movies. Subsequent to his registration as a user of the PlayStation Network, Sony transferred control or operation of the PlayStation Network, along with the plaintiff’s user data, to one of its affiliates. The plaintiff alleged that Sony and its affiliate retained his personally identifiable information after he stopped using the PlayStation Network beyond the time limits permitted under the Act and that the transfer of user information to the affiliate was a disclosure of his personally identifiable information in violation of the Act.
The Video Privacy Protection Act
Originally created in response to the disclosure of then-Supreme Court nominee Robert Bork’s video rental habits, the Act has taken on increasing importance as it has been applied to a range of online service providers that collect information about users of audio visual content. The Act prohibits a video tape service provider3 from knowingly disclosing personally identifiable information4 of any consumer5 and creates a private right of action for aggrieved consumers against a video tape service provider that violates the prohibition.6 The Act provides for a number of exceptions to the prohibition on disclosure, including an important exception for disclosures incident to the “ordinary course of business” of the video tape service provider, which is defined as “debt collection activities, order fulfillment, request processing, and the transfer of ownership.”7 The Act also requires video tape service providers to “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected” except in narrow circumstances.8
Data Destruction Requirement and the Private Right of Action
The Ninth Circuit’s determination that there is no private right of action under the Act for a failure to adhere to the data retention and destruction requirements hinged on a question of statutory interpretation.9 After reviewing the structure and legislative history of the Act, the Ninth Circuit joined the Sixth and Seventh Circuits in holding that the Act only provides for a private right of action for a violation of the prohibitions on disclosures of personally identifiable information.10 The court was swayed by the fact that section 2710(c) was placed after the prohibition on disclosure, but before the other requirements of the Act, indicating that it applied only to the disclosure prohibition that immediately preceded it.
In addition, the court noted that section 2710(a), prohibiting disclosure, specifically referenced the availability of a remedy (albeit with an internally inconsistent cross-reference11), while section 2710(e), requiring destruction, and section 2710(d), relating to inadmissibility of evidence, do not. Finally, the court reviewed the legislative history of the Act and determined that the history did not support an intent by Congress to provide a private right of action for failure to adhere to the data retention and destruction requirements.
Disclosure in the Ordinary Course of Business
The court also addressed whether Sony’s disclosure of its PlayStation Network consumer information database to an affiliate during an intra-corporate transfer of operation of the network was an allowable disclosure incident to the ordinary course of business. The plaintiff alleged in his first complaint that Sony “shared, sold, and/or transferred” his personal information to its affiliate in connection with the affiliate’s taking over the network. The court stated that such a transfer fell squarely within an allowable disclosure incident to a transfer of ownership under the statute.
In an amended complaint, the plaintiff alleged that no transfer of ownership in fact occurred and that Sony had simply transferred management of the network to its affiliate. Even with the new characterization, the court agreed with the Seventh Circuit in determining that transfers of personal information to third-party service providers that perform services in support of the video tape service provider’s business (e.g., customer service) constitute transfers “incident to the ordinary course of business” under the Act. In doing so, the Ninth Circuit refused to narrowly construe the “order fulfillment” and “request processing” aspects of the definition of ordinary course of business.
Pepper Points
The decision is good news for technology companies, as creative class action counsel have recently tested the limits of the Act in actions against them.12 The decision also further aligns the circuit courts in holding that the private right of action is limited to the Act’s prohibition on unauthorized disclosures only. This will help to limit nuisance suits against technology companies where plaintiffs seek damages for technical violations of the retention and destruction requirements. Perhaps more important is the court’s recognition that video tape service providers may disclose their full database of customer information to their third-party service providers to facilitate customer service and other aspects of a video tape service provider’s business. This holding means that the Act will not inhibit companies from focusing on the parts of their business they do best or from sourcing non-core aspects of their business to third-party service providers consistent with the current business practices of many companies.
Endnotes
1 18 U.S.C. § 2710 et. seq.
2 Rodriguez v. Sony Computer Entm’t Am., LLC, No. 12-17391 (9th Cir. Sept. 4, 2015), available at http://cdn.ca9.uscourts.gov/datastore/opinions/2015/09/04/12-17391.pdf.
3 A “video tape service provider” is defined as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials, or any person or other entity to whom disclosure is made” under specified circumstances under the Act, including a disclosure made incident to the ordinary course of business of the video tape service provider. 18 U.S.C. § 2710(a)(4).
4 “Personally identifiable information” includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider. 18 U.S.C. § 2710(a)(3).
5 A “consumer” means any renter, purchaser or subscriber of goods or services from a video tape service provider. 18 U.S.C. § 2710(b)(1).
6 18 U.S.C. § 2710(a)(1).
7 18 U.S.C. §§ 2710(a)(2), 2710(b)(2)(E).
8 18 U.S.C. § 2710(e).
9 The language of the Act is ambiguous as to whether the private right of action is limited to disclosure violations because section 2710(c), which provides for the private right of action, states that any person aggrieved by an act “in violation of this Section” may bring a civil suit. It is unclear on its face whether the reference to “this Section” specifically refers to the disclosure prohibition in section 2710(b)(1) only or the statute as a whole, which includes the data retention and destruction requirements in section 2710(e) as well as a prohibition on receiving certain personally identifiable information into evidence in section 2710(d).
10 See Sterk v. Redbox Automated Retail, LLC, 672 F.3d 535 (7th Cir. 2012); Daniel v. Cantrell, 375 F.3d 377 (6th Cir. 2004).
11 Section 2710(a)(1) refers the reader to the “relief provided in subsection (d).” However, subsection (d) does not discuss relief but instead prohibits introducing personally identifiable information into evidence in certain circumstances.
12 See, e.g., In re Hulu Privacy Litig., No. 3:11-cv-03764-LB (N.D. Cal. Mar. 31, 2015) (discussing requirements to show a “knowing” disclosure in violation of the Act); Austin-Spearman v. AMC Network Entm’t LLC, No. 1:14-cv-06840 (S.D.N.Y. Apr. 7, 2015) (discussing who qualifies as a “consumer” under the Act).
