On Tuesday, Jan.20, New Jersey Federal District Judge Stanley R. Chesler dismissed with prejudice the last remaining allegations in a multidistrict class action against Viacom and Google, formally ending plaintiffs’ suit accusing the Internet and multimedia companies of tracking children’s Internet usage and disclosing their video-viewing activities without consent and in violation of state and federal law.
Last July, Judge Chesler dismissed with prejudice many of the claims raised in In re Nickelodeon Privacy Litigation, a consolidated MDL class action against Viacom and Google, holding that plaintiffs had failed to substantiate their charges. The judge dismissed the majority of plaintiffs’ claims with prejudice in his July Opinion, but gave plaintiffs leave to amend their Video Privacy Protection Act (VPPA) claim against Viacom, as well as the New Jersey Computer Related Offenses Act (CROA) and New Jersey intrusion upon seclusion tort claims against both defendants.
Last week, however, Judge Chesler found that, even with a reprieve to amend, plaintiffs still could not muster sufficient facts to support cognizable injuries under those laws. In dismissing all remaining allegations with prejudice, Judge Chesler stated that plaintiffs’ amended complaint failed to cure the deficiencies that plagued their initial complaint, and went so far as to categorize one of plaintiffs’ claims as attempting “to fit square pegs into round holes,” but at the same time acknowledging that plaintiffs have identified conduct that may be worthy of further legislative and executive attention.
Video Privacy and Protection Act – Part 2
Judge Chesler’s July Opinion dismissed plaintiffs’ VPPA claim against Viacom without prejudice, giving plaintiffs the opportunity to plead additional facts to support their claim that the company improperly disclosed personally identifiable information (PII) because “it appears that Plaintiffs could possibly plead facts sufficient to cure the defects” in its VPPA claim. Judge Chesler previously held that PII under the VPPA “is information which must, without more, itself link an actual person to actual video materials,” and thus does not include information such as user IDs, gender, age, IP addresses, or information concerning a user’s computer. Further, the court ruled that none of the above information, either individually or in the aggregate, “could without more serve to identify an actual, identifiable Plaintiff” and any videos he or she watched.
To support their remaining VPPA claim against Viacom, plaintiffs argued that Google’s vast presence on the Internet allows the company to collect “ample data about users of [Google’s] services, sometimes including their full names.” Armed with the vast troves of user data, Google could then take information disclosed by Viacom and discover an individual’s true personal identity.
But the court found that the amended complaint did not include any allegation “that Google can identify the individual Plaintiffs in this case... nor any allegation that Google has actually done so.” In citing to the Northern District of Georgia’s recent decision in Ellis v. Cartoon Network, Inc., Judge Chesler noted that plaintiffs’ amended Complaint failed to solve the essential flaw in its allegation against Viacom – namely, how the data disclosed by Viacom could, by itself, link an individual to videos he or she watched. Based on the amended complaint, the data Viacom disclosed still did not qualify as PII since that data could not, “without more,” identify individual persons.
The court also took umbrage with plaintiffs’ notion that Google could identify specific individuals by using the immense amount of data it has amassed on its users, saying that plaintiffs’ claim was purely theoretical since they had not alleged that any member of the class actually had a Google account that the company could use in combination with Viacom’s disclosed data to identify particular persons.
State Law Claims
The July Opinion also permitted plaintiffs to amend their complaint to supply additional facts supporting their allegations that both Viacom and Google had violated the CROA and New Jersey’s common law tort of intrusion upon seclusion. The court’s original dismissal order found that plaintiffs did not allege injuries sufficient to back either claim.
In his analysis of the amended complaint, Judge Chesler questioned the CROA’s applicability to the facts, noting that the CROA focuses on computer hacking and requires plaintiffs to demonstrate damage to business or property. Because plaintiffs were not victims of a computer hacking and did not have any information stolen, the court held that “Plaintiffs again seek to fit square pegs into round holes” by trying to state a claim under “another statute that does not appear apt to the circumstances.” The court dismissed the CROA claim, saying that because plaintiffs did not state how they themselves could have monetized the information collected by the defendants’ cookies (despite the possible value of the data to third-party companies), or how Viacom and Google’s actions prevented them from doing so, they failed to sufficiently demonstrate an injury to business or property.
Finally, the Judge dismissed plaintiffs’ claim that Viacom and Google’s actions violated New Jersey’s common law privacy tort of “intrusion upon seclusion” that creates liability for intentional intrusions that are “highly offensive to a reasonable person.” Although plaintiffs directed the court to studies showing disapproval of children’s online activities being tracked, the court found this was not evidence of what an ordinary person finds “highly offensive,” as liability would require.
End of the Road for Plaintiffs’ Suit Reinforces VPPA’s Limits?
The complete dismissal of plaintiffs’ remaining claims is just the latest example of a federal district court acknowledging that the VPPA does not prohibit the sharing of non-personally identifiable information with other parties. Rather, courts have been consistent in holding that the types of de-identified information at issue in these cases – device identifiers and cookie IDs, even when accompanied by limited demographic attributes like gender and age – does not qualify as PII under the VPPA. Instead, the VPPA requires that disclosed information must, “without more,” link a particular person to his or her specific video viewing history to constitute PII that may not be disclosed or shared. Theoretical allegations that third parties “could” combine the non-PII data with additional information or make other efforts to discover an individual’s identity through reverse engineering are not sufficient. As this law and the concept of “knowingly” develop, however, companies should be mindful of recent FTC guidance and not only limit disclosures to non-PII, but contractually prohibit third parties from attempting to re-identify it.
The complete dismissal of In re Nickelodeon Privacy Litigation is another affirmation that the application of the VPPA has limits in the digital age, and cannot be used to by plaintiffs to attack every perceived privacy intrusion. While a win for Viacom and Google, Judge Chessler’s additional commentary gave some credence to plaintiffs’ concerns, stating that “[t]o be sure, however, the Court’s role in this decision is not to pass on the morality nor the wisdom of companies tracking the anonymous web activities of children for advertising purposes.… Although Plaintiffs have identified conduct that may be worthy of further legislative and executive attention, they have not cited any existing and applicable legal authority to supports their claims.” Only time will tell whether the President’s proposed Consumer Privacy Bill of Rights or some other legislative initiative will give plaintiffs’ the square hole they are looking for. If so, the good news is that most of the new legislative proposals we see introduced on this subject limit enforcement to the Federal Trade Commission or state attorneys general, without providing a private right of action for consumers. It is a strange world when the promise of regulatory enforcement is good news…
