Ninth Circuit Weighs In On Scope of Identifiable Information under VPPA

by Ropes & Gray LLP

On November 29, 2017, the Ninth Circuit added to an existing circuit split that has emerged regarding the definition of “personally identifiable information” under the Video Privacy Protection Act (VPPA). The Ninth Circuit affirmed the dismissal of a class action after construing the term to include only information that enables an “ordinary person” to identify an individual. Eichenberger v. ESPN, Inc., No. 15-35449, 2017 WL 5762817 (9th Cir. Nov. 29, 2017). This interpretation puts the Ninth Circuit at odds with the First Circuit, which last year adopted a more expansive definition of “personally identifiable information” that potentially extends the reach of the VPPA to far more online tracking activity. (Our Alert on the First Circuit’s decision is here.) While the Ninth Circuit’s Eichenberger decision is helpful for online actors concerned about the potential for class actions and large-scale statutory damages under the VPPA, the circuit split underscores the ambiguity in the VPPA, and online actors should not necessarily view the Ninth Circuit’s decision as a green light or the last word. In addition, and potentially just as challenging, the VPPA remains only part of the overlapping and increasingly complex regulatory environment for online tracking, including developments at the Federal Trade Commission and in the European Union’s upcoming General Data Protection Regulation (GDPR) and ePrivacy Regulation.

The VPPA prohibits “video tape service provider[s]” from knowingly disclosing “personally identifiable information concerning any consumer” without a particularly onerous form of consent. 18 U.S.C. § 2710(b)(1)-(2) (emphasis added). “[P]ersonally identifiable information” in turn “includes information which identifies a person as having requested or obtained specific video materials or services.” § 2710(a)(1). While the VPPA was originally passed in 1988 to address disclosure of video rental history by brick-and-mortar video rental stores, it has become increasingly attractive to plaintiffs’ lawyers and others objecting to video data-sharing practices because of its damages provisions. A court may award any person aggrieved by a violation of the Act damages that are “not less than liquidated damages in an amount of $2,500” in addition to punitive damages and attorneys’ fees. 18 U.S.C. § 2710(c)(2). And those circuit courts that have considered the question, including the Ninth Circuit here, have held that a violation of the VPPA’s substantive provisions is itself sufficient for Article III standing.

Courts have struggled with defining “personally identifiable information” for purposes of the VPPA. Last year, in Yershov v. Gannett Satellite Info. Network, Inc., 82 F.3d 482 (1st Cir. 2016), the First Circuit held that mobile device GPS data constituted “personally identifiable information” when that information was disclosed to Adobe for analytics and marketing because the data was “reasonably and foreseeably likely” to identify the user. Id. at 486 (emphasis added). A Third Circuit decision following Yershov took a narrower approach to analogous data, finding that an IP address, browser settings, and device ID were not “personally identifiable information” when disclosed to a marketing and analytics provider because that information would not “permit an ordinary person to identify” a specific individual. In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 290 (3d Cir. 2016) (cert. denied).

In the Ninth Circuit’s recent Eichenberger decision, the court considered whether a Roku device identifier in conjunction with a user’s video viewing history was “personally identifiable information” under the VPPA. The court examined the approaches taken by the First and Third circuits, and adopted the Third Circuit’s narrower construction of “personally identifiable information,” holding that it means information that would “permit an ordinary person” to identify an individual. Although rejecting the First Circuit test, the Ninth Circuit attempted to reconcile its holding with that of the First Circuit, suggesting that geolocation data may be identifiable to an ordinary person.

The distinction between the two tests is that the “ordinary person” test is a narrower, objective test – it does not rely on the recipient’s capabilities. By contrast, the “reasonably and foreseeably likely” test is contextual. Applying the latter, the First Circuit accounted for the capability of Adobe to combine the disclosed data with other data in a way that may have allowed Adobe to identify the plaintiff. Under the “ordinary person” test, these capabilities and other data sources are irrelevant to whether information is personally identifiable. While the Third and Ninth circuits’ adoption of the narrower approach presents a potential hurdle for plaintiffs in those circuits, the risk of litigation remains heightened in the First Circuit, which has adopted the broader test, and in the other circuits that have not addressed the issue.

Other sources of risk in this area remain as well. For instance, the FTC has in several enforcement actions and other statements indicated that it takes a more expansive view of what information is considered personally identifying or sensitive information about individuals. That information, according to the FTC, can include device identifiers and analogous data. Last year, for instance, the FTC and the New Jersey Attorney General’s joint enforcement action against Vizio included allegations that Vizio shared consumers’ video viewing habits, and that device identifiers and IP addresses rendered that information personally identifiable. The complaint referred to this data as “sensitive television viewing activity” and alleged that the sharing of such information without consent was both an unfair and deceptive trade practice. Vizio did not challenge the FTC’s untested assertion, and the action resulted in a $2.2 million settlement. The FTC has also issued a cross-device tracking staff report, recommending transparency, choice, and consent in similar contexts.

The “ordinary person” test adopted by the Third and Ninth circuits also diverges from the meaning of “personal data” under the GDPR, which requires consideration of “all the means reasonably likely to be used . . . by the controller or by another person to identify the natural person directly or indirectly.” GDPR, Recital 26 (emphasis added). Thus, structuring data collection and sharing arrangements in the video context likely will remain a complex affair for companies operating internationally.

The potential for statutory penalties available under GDPR, the burdensome nature of the remedies sought by the FTC (compliance programs, monitoring and in some cases monetary relief), and the availability of statutory damages under the VPPA underscore the value of proactively assessing and mitigating risk in advance, ideally with the assistance of counsel familiar with this area of the law. And, in the face of a class action or regulatory investigation, companies should engage counsel familiar with privacy and data security concerns broadly.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising
