VPPA Harms Concrete, But Roku ID Not Personally Identifiable

Roku device serial number is not personally identifiable, but it’s not difficult to imagine other identifiers that may be

Eichenberger v. ESPN
Affirmed – ESPN allegedly disclosed plaintiff’s viewing habits on his Roku device, along with his personal information (Roku device serial number), to third-party data analytics company Adobe without his consent. The district court ruled that the Roku device serial number was not personally identifiable information under the VPPA (any device ID – IP Address, Android ID – is not personal), and even if a third-party recipient could potentially re-identify an individual, that was not enough to make an anonymous identifier personal.

The appellate court found that although plaintiff had standing (VPPA disclosure rules codified a context-specific extension of the substantive right to privacy), the Roku device serial number was not personal. The court followed the reasoning from In re Nickelodeon Consumer Privacy Litigation (3rd Circ.; 15-1441), finding that for information to be personally identifiable under the VPPA, it must readily permit an ordinary person to identify a particular individual as having watched certain videos. Moreover, the VPPA focused on disclosure, and not a recipient’s use, so the definition must remain the same irrespective of a recipient’s capabilities.

Here, plaintiff conceded that Adobe would need additional information to identify him – data that ESPN did not provide (and never possessed). Thus the linkage of information needed to identity a person was too uncertain to trigger liability under the VPPA.
[9th Circ.; 15-35449 (Orig: W.D. WA; 2:14-cv-00463)]
jbho: some relief in the ruling, as it provides reassurance that anonymous IDs are not personal. Although, the court did say other ostensibly anonymous information could be deemed personal, specifically stating that GPS location data could enable most people to identify an individual’s home and work addresses.

Unfortunately, the ruling may lead to more VPPA litigation, as the court ruled every unauthorized disclosure of an individual’s personally identifiable information and video-viewing history is a concrete injury. Similar to the TCPA, if every violation creates standing, I imagine there will be no shortage of plaintiffs willing to test theories that a given identifier is personal. The court even provided a head start, stating “(i)t is not difficult to imagine other examples that may also count – for example, an individual’s name and telephone number or an individual’s name and birthday or, as in Yershov [v. Gannet (1st Circ.; 15-1719) ], the GPS coordinates of a particular device. And modern technology may indeed alter — or may already have altered — what qualifies (as personally identifiable) under the statute.” (emphasis added)

Remember, the VPPA requires the informed, written consent of a consumer before sharing viewing information, consent given at the time the disclosure is sought.

Leave a Reply

%d bloggers like this: