The Video Privacy Protection Act was enacted in 1988 following the publication of Supreme Court nominee Robert Bork’s family video rental records. The Act generally prohibits “video tape service providers” from knowingly disclosing, to a third party, “personally identifiable information concerning any consumer.” Mark Ellis, on behalf of himself and a class of individuals, sued Cartoon Network alleging that the transfer of video viewing data tied to a mobile device ID number to Bango, a third party that could match the ID number to an individual, violated the Act. The District Court found that Ellis was a subscriber and therefore a “consumer” entitled to the Act’s protections but that the transferred data was not personally identifiable data. Ellis appealed that decision.
Free Mobile App Users are Not Subscribers
On Oct. 9, a panel of judges from the Eleventh Circuit ruled that Ellis was not in fact a subscriber and affirmed the lower court’s dismissal of the class action, albeit on different grounds. While district courts have been mixed on the issue of what activity constitutes a subscription, the Eleventh Circuit found that the definition proffered in a recent Massachusetts District Court case, Yershov v. Gannett Satellite, was the most compelling. That case, which the Eleventh Circuit cited in the Ellis decision, concluded that subscriptions involve either “payment, registration, commitment, delivery, or access to restricted content.” While agreeing with the lower court that payment was not the sole criterion to define subscription, the appellate court in Ellis synthesized Yershov and common dictionary definitions to conclude that “subscription” involves some type of commitment, relationship, or association (financial or otherwise) between a person and an entity. Mere download and use of a free app does not fit that definition.
Lower Court’s Finding on Personally Identifiable Information Not Addressed
The Eleventh Circuit declined to rule on the District Court’s finding that the distribution of data that cannot, without more, identify an individual is not personally identifiable information under the Act. The lower court’s finding, however, is consistent with a California District Court decision earlier this year where Hulu’s transfer of cookie and video viewing data to Facebook was found to be non-personally identifiable. These opinions would seem to support a trend in the United States in favor of developers of mobile applications and against class action plaintiffs on this issue. While in the EU the ability to simply distinguish between users on the basis of a unique identifier is often deemed to constitute personally identifiable information, that expansive reading does not appear to be taking root in the United States.
Class action litigation related to data collection associated with streaming video and cross-device data collection represents an ongoing and emerging area of class action litigation risk. Plaintiffs increasingly look to find new ways to leverage existing statutory and regulatory obligations in creative and aggressive ways, especially where attorneys’ fees or statutory penalties may be available. The Eleventh Circuit’s ruling represents the latest page in this ongoing struggle for businesses that provide video and other content online. Along with the privacy provisions of the Cable Act and the Telecom Act, the VPPA represents yet another tool by which unsuspecting companies that provide content may find themselves tripped up in expensive litigation. Violations of the VPPA may result in costly litigation expenses, damage awards (including liquidated damages of $2,500 per violation and reasonable attorneys’ fees) and reputational harm. Businesses making available or distributing content often find that the availability of specialist counsel familiar with Washington, D.C. and specialty regulatory requirements coupled with deep technology understanding and expertise, may help provide practical risk management solutions for emerging technologies and markets.
About Goodwin Procter’s Privacy & Cyber Security Practice
Goodwin Procter’s Data, Privacy and Cybersecurity Practice leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial institutions, licensing, litigation and investigations, regulatory and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership is framed by a holistic understanding of the nature and importance of information to modern enterprises.