Alleged VPPA Violations In Online Purchase
Cappello v. Walmart
Class complaint – Walmart allegedly shared information about plaintiffs’ online purchases with Facebook, without plaintiffs’ knowledge or written consent. Specifically, plaintiffs claimed Walmart shared personally identifiable movie and video game purchase information (via Facebook IDs) with Facebook. Plaintiffs further claimed that Facebook then used that information to target them with advertising for other Walmart products.
Claims were filed under the VPPA and the California equivalent Cal. Civ. Code. §1799.3.
[Alameda Co. Sup. Ct.; RG18923367]
jbho: the impact of the CaCPA may be felt here. Federal courts have thus far declined to call Facebook (cookie) IDs “personal information” under the VPPA. But the broad definition of “personal information” under the CaCPA includes unique identifiers such as “ … a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias …” [§1798.140(x)]. Will the state court apply this definition? AFAIK, “personal information” is not defined in §1799.
MAC Address Not Personal In The 3rd Circuit
White v. Samsung
Dismissed – Samsung, LG, and Sony (collectively “Defendants”) allegedly used Automatic Content Recognition (ACR) devices/software and Automatic Recording (ARS) devices/software installed on Smart TVs to (i) intercept, track, and record the private communications and personal data of consumers, and (ii) transmit that information to third parties. Plaintiffs claimed their personal information – as well as the personal information of anyone else watching their Smart TVs – was captured and shared without consumer knowledge or consent. Plaintiffs further claimed Defendants collected a selection of pixels on TV screens which Defendants matched against a database of television, movie, and commercial content, in order to determine consumer viewing habits. These habits were used to uniquely identify viewers by tying habits to IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items. Additionally, plaintiffs alleged Defendants recorded everything said in front of a Smart TV, and transmitted the recordings to third parties – regardless of whether the recordings were related to the provision of any service. Finally, plaintiffs claimed if they had known Defendants’ ACR and ACS were actively monitoring their behaviors and sharing such information with third parties, they would not have purchased Defendants’ Smart TVs.
Plaintiffs filed claims under the New Jersey Consumer Fraud Act (NJCFA), ECPA, and the VPPA, as well as Common Law Fraud claims, Breach of Express Warranty, Breach of the Duty of Good Faith and Fair Dealing, Breach of Contract, and Unjust Enrichment.
On motion to dismiss, the court found:
- VPPA – precedent dictated that for information to be personal under the VPPA, the information must readily permit an ordinary person to know an actual, specific person (In re Nickelodeon Consumer Privacy Litigation – 3rd Circ.; 15-1441). The court found that plaintiffs failed to allege how an ordinary person could use the information in question to readily identify a particular person. The court declined to adopt the reasoning in In re Vizio Privacy Litigation (C.D. CA; 8:16-ml-02693), where the court found a MAC address could be personal, finding the out-of-circuit case held little weight in the 3rd Circuit.
- ECPA – there was no interception, since Defendants were direct participants in the communications.
- NJCFA – precedent dictated that a non-resident plaintiff could not bring a consumer fraud act claim where the sole connection to New Jersey was the defendants’ location. Since plaintiffs were residents of Florida and New York, and they did not allege that they purchased the Smart TVs in New Jersey, Plaintiffs did not have a sufficient connection to New Jersey to sue under the NJCFA (despite Defendants’ “super-massive” presence in New Jersey).
- Contract Claims – plaintiffs did not identify a specific loss, or demonstrate a specific benefit received by Defendants. Plaintiffs alleged Defendants warranted they would “properly and adequately protect plaintiffs’ data,” but failed to identify a specific affirmation, promise, or guarantee required to sustain such a claim. Since plaintiffs failed to demonstrate any expectation of remuneration for their data, Unjust Enrichment claims failed as well.
[D. N.J.; 2:17-cv-01775]
jbho: the circuit split is deeper entrenched on the definition of personal information.
Thanks to the CaCPA, California buyers may have more luck with these claims. And this case could serve as a blueprint for how not to plead claims?
Ultimately, it appears plaintiffs failed to make a reasonable case here. The court noted that “Plaintiffs treat Defendants—several distinct companies—as a single entity, without pleading any facts whatsoever to support this treatment. Moreover, Plaintiffs refer to Defendants’ Smart TVs generally, without identifying any specific model or models that form the foundation for their claims.”
Eichenberger v. ESPN
Affirmed – ESPN allegedly disclosed plaintiff’s viewing habits on his Roku device, along with his personal information (Roku device serial number), to third-party data analytics company Adobe without his consent. The district court ruled that the Roku device serial number was not personally identifiable information under the VPPA (any device ID – IP Address, Android ID – is not personal), and even if a third-party recipient could potentially re-identify an individual, that was not enough to make an anonymous identifier personal.
The appellate court found that although plaintiff had standing (VPPA disclosure rules codified a context-specific extension of the substantive right to privacy), the Roku device serial number was not personal. The court followed the reasoning from In re Nickelodeon Consumer Privacy Litigation (3rd Circ.; 15-1441), finding that for information to be personally identifiable under the VPPA, it must readily permit an ordinary person to identify a particular individual as having watched certain videos. Moreover, the VPPA focused on disclosure, and not a recipient’s use, so the definition must remain the same irrespective of a recipient’s capabilities.
Here, plaintiff conceded that Adobe would need additional information to identify him – data that ESPN did not provide (and never possessed). Thus the linkage of information needed to identify a person was too uncertain to trigger liability under the VPPA.
[9th Circ.; 15-35449 (Orig: W.D. WA; 2:14-cv-00463)]
jbho: some relief in the ruling, as it provides reassurance that anonymous IDs are not personal. Although, the court did say other ostensibly anonymous information could be deemed personal, specifically stating that GPS location data could enable most people to identify an individual’s home and work addresses.
Unfortunately, the ruling may lead to more VPPA litigation, as the court ruled every unauthorized disclosure of an individual’s personally identifiable information and video-viewing history is a concrete injury. Similar to the TCPA, if every violation creates standing, I imagine there will be no shortage of plaintiffs willing to test theories that a given identifier is personal. The court even provided a head start, stating “(i)t is not difficult to imagine other examples that may also count – for example, an individual’s name and telephone number or an individual’s name and birthday or, as in Yershov [v. Gannett (1st Circ.; 15-1719)], the GPS coordinates of a particular device.”
Remember, the VPPA requires the informed, written consent of a consumer before sharing viewing information, consent given at the time the disclosure is sought.
Bernardino v. Barnes & Noble
Class complaint – Barnes & Noble allegedly shared plaintiff’s video purchase information with Facebook, without her knowledge or consent. Plaintiff claimed the information would be shared whether or not plaintiff clicked on Facebook plug-ins, and whether or not she was logged into Facebook. Plaintiff further claimed that purchase information would be shared through Facebook tracking pixels, invisible to the user.
[S.D. N.Y.; 1:17-cv-04570]
jbho: another complaint that focuses on device/account identifiers and browser fingerprint data as ‘personal.’ Haven’t seen a court yet rule these are ‘personal’ – except for IP Addresses in Yershov v. Gannett (1st Circ.; 15-1719 (Orig: D. Mass; 1:14-cv-13112)) which was voluntarily dismissed.
The complaint dives into deep detail on plug-ins & tracking pixels to make its case. It will be interesting to see where this goes. At what point does the VPPA kick in? Is browsing for titles without purchase covered? Is adding to cart? Or must a purchase be completed? Per 18 USC § 2710(a)(3):
“the term ‘personally identifiable information’ includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider” (emphasis added)
Will an HTTP GET count as a ‘request’?
Also interesting, the complaint compares Barnes & Noble’s pages to Amazon, stating Amazon does not share information unless a user clicks the plug-in. Perhaps Amazon has modified for compliance with EU regulations? (and the VPPA compliance comes along for free?)
Plaintiff Not A Subscriber Under VPPA Just Because He Downloaded An App (but VPPA harms concrete)
Perry v. CNN
Affirmed – CNN allegedly disclosed plaintiff’s viewing habits on the CNN mobile app, along with his personal information (MAC Address), to third-party data analytics company Bango without his consent. The lower court ruled that a MAC Address was not ‘personal’ and plaintiff was not a ‘subscriber’ since he only downloaded a free app and watched free videos.
On appeal, the court found – following its opinion in Ellis v. Cartoon Network – that plaintiff had standing (violation of an individual interest in preventing disclosure sufficient to constitute injury in fact). However, plaintiff failed to allege he was a subscriber. The app was free, as was the content he viewed. Moreover, he did not create an account or ‘register’ with CNN (there was no “ongoing commitment or relationship”).
Since the court established that plaintiff was not a subscriber (sufficient to dismiss VPPA claims), the court need not consider whether a MAC Address was ‘personally identifiable information.’
[11th Circ.; 16-13031 (Orig: N.D. GA; 1:14-cv-02926)]
jbho: So no cover under Spokeo, but at least a clarification on what constitutes a subscriber.
Interesting to note that in the ‘subscriber’ determination, the court found any ‘enhanced’ features in the app were accessible through plaintiff’s cable provider, not necessarily the app itself. Plaintiff’s choice to watch CNN live on the app (after logging in) rather than on his television did not convert him into a CNN ‘subscriber.’ Plaintiff’s cable provider was not named as a defendant.
MAC Address Could Be Personal Information
In re Vizio Privacy Litigation
Dismissed in part (leave to amend) – Vizio allegedly collected and shared private viewing information without consumer knowledge or consent. Plaintiffs alleged the information shared was personal (e.g., IP Addresses, MAC address, zip codes, product serial numbers), despite Vizio’s characterization of the data as ‘non-personal’ or ‘anonymous.’ Plaintiffs further alleged information about data collection, use, and sharing practices was either not stated, or inadequately stated, depending on when the television was purchased, and any ability to opt-out of tracking was obfuscated in the television settings. Plaintiffs stated had they known about VIZIO’s data collection practices and tracking software, they would not have purchased or would have paid less.
The court found plaintiffs had standing since ECPA and the VPPA both imposed a duty of confidentiality, and protected against harms sufficient for Congress to grant private rights of action, thus confirming the concreteness of plaintiffs’ claimed harms. Similarly, plaintiffs had standing for state law claims for invasion of privacy and intrusion upon seclusion.
On consumer protection claims, the court rejected Vizio’s contention that plaintiffs failed to allege a product defect, and Vizio’s alleged “concealed collection and disclosure” could not be excluded from consideration at this point. Moreover, under the premium price theory, plaintiffs’ allegations they would not have paid conferred statutory standing.
Finally, differences in software of specific makes/models were not sufficient to defeat standing, since general factual allegations at the motion to dismiss phase showed plaintiffs suffered substantially similar injuries irrespective of a particular make/model of TV.
On VPPA Claims, the court further ruled:
• Vizio was plausibly a “video tape service provider” since it not only conveyed video content to consumers, but its services were significantly tailored to serve that purpose (provided seamless access to Netflix, Hulu, YouTube, and Amazon Instant Video).
• Plaintiffs were plausibly “consumers” since they paid a premium for the Smart TV’s ability to seamlessly deliver video content (and Vizio continued to service TVs by pushing software updates to improve them).
• Data was plausibly “personally identifiable information” since the statutory definition was not an exhaustive list, but provided representative samples (the suffix ‘able’ meaning ‘capable of’, and the statutory definition at § 2710(a)(3) being “the term ‘personally identifiable information’ includes …” (emphasis added)). Whether Vizio’s disclosures were “reasonably and foreseeably likely to reveal” what Plaintiffs watched was a factual inquiry “ill-suited for resolution on a motion to dismiss.”
On ECPA Claims, the court ruled that plaintiffs failed to allege any synchronous or near real-time capture of data. However, the court granted plaintiffs leave to amend their claims (and their ‘inscrutable’ graphic).
The court declined to dismiss omission-based fraud and unjust enrichment claims, finding plaintiffs sufficiently alleged Vizio failed to disclose material information or embedded material information in obscure settings. It found plaintiffs’ allegations of affirmative misrepresentations and false advertising lacking, but did grant leave to amend.
The second amended consolidated complaint is due 23mar2017 (Filed 23Mar Doc#136).
UPDATE: 25July 2017 – motion to dismiss Second Consolidated Complaint denied (Doc # 199)
Plaintiff alleged, based on Vizio’s Patent filing (U.S. Patent No. 9,071,868 (issued Jun. 30, 2015)), that Vizio TVs take samples of programming in real time, and send fingerprints of those samples to a centralized server to compare against existing fingerprints. In this context, the court found that the programming information was plausibly more than metadata, and could constitute the content of a communication. Thus, plaintiffs’ allegations were sufficient to sustain the amended ECPA/Wiretap claims.
On Vizio’s motion to dismiss injunctive relief (as duplicative of the FTC Order), the court found that an agreement to take certain steps in the future was not tantamount to actual performance. Since plaintiffs were not a party to the FTC Order, they would have no recourse if Vizio failed to comply. Since Vizio had not submitted any evidence it halted practices in the FTC Order, it had not met the “formidable burden of demonstrating that subsequent events make it absolutely clear that the allegedly wrongful behavior could not reasonably be expected to recur” (citation omitted).
UPDATE: 13Oct2017 – in rejecting Vizio’s bid to challenge the court’s decision to not toss the suit (Doc#224), the court stated: “this Court did not hold that Vizio’s collection and disclosure practices violate the Video Privacy Protection Act … all the Court did was open the door to discovery on these highly fact-dependent issues involving intricate technologies … Because there is a ‘good prospect’ that the proposed questions would be entirely academic by the time the Ninth Circuit could possibly resolve them, Vizio has not shown that an interlocutory appeal would materially advance this litigation.” Since more litigation was likely anyway “(p)laintiffs need not succeed on their VPPA claims for their Wiretap Act, consumer protection, and state privacy claims to have merit”, interlocutory appeal could derail, rather than materially advance litigation. (Doc#224)
UPDATE: 4Oct2018 – proposed settlement (Doc#282). Highlights include:
• Non-reversionary $17,000,000 settlement fund
• $13 to $31 for each class member (estimated)
• $5,000 for each class representative (requested – how many?)
• $5,666,666.67 for class counsel (requested – 33% of settlement fund)
[C.D. CA; 8:16-ml-02693]
jbho: The meat of this case really lies in the analysis of what constitutes personal information under the VPPA. The court here favored the 1st Circuit’s opinion in Yershov over the 3rd Circuit’s analysis in Nickelodeon.
“The Court finds Yershov to be a more persuasive interpretation of the VPPA than In re Nickelodeon. First, Yershov focused foremost on the text of the statute, while In re Nickelodeon turned quickly to “the more controversial realm of legislative history.” See Lamie, 540 U.S. at 536. Perhaps, if the statutory language were particularly indecipherable and the legislative history decisively resolved the issue, this approach might be understandable. But In re Nickelodeon recognized that “portions” of the legislative history suggested a broader interpretation of personally identifiable information and the statutory text was “amenable” to such an interpretation. 827 F.3d at 286-86.[The Third Circuit’s legislative history analysis focused on two statements made at a joint hearing that do not obviously concern the proper scope of the term “personally identifiable information” and relate to a prior version of the bill that also covered libraries. In re Nickelodeon Consumer Privacy Litig., 827 F.3d at 285-86. The Supreme Court has repeatedly criticized attempts to divine Congressional intent from “highly generalized, conflicting statements in the legislative history.” Rust v. Sullivan, 500 U.S. 173, 185 (1991).] Second, In re Nickelodeon relied heavily on Congress’s decision not to amend the statute substantially in 2002. As the Supreme Court has instructed, this kind of “[p]ost-enactment legislative history (a contradiction in terms) is not a legitimate tool of statutory interpretation.” Bruesewitz v. Wyeth LLC, 562 U.S. 223, 242 (2011). Indeed, Yershov examined the same Congressional inaction and reached the exact opposite conclusion about its proper meaning. See 820 F.3d at 488. Third, under the Third Circuit’s “ordinary person” test it would be highly questionable whether even social security numbers would constitute personally identifiable information because, as the Third Circuit itself recognized, this information “might not be easily matched to . . . persons without consulting another entity, such as a credit reporting agency or government bureau.” In re Nickelodeon Consumer Privacy Litig., 827 F.3d at 283.”
Note also that the complaint uses Vizio’s own data service advertising materials to bolster plaintiff’s case. Something to think about if you’re providing and advertising similar services.
And finally, don’t forget that Vizio recently settled similar claims with the FTC to the tune of $2.2M.
Intangible Harm Is Concrete Injury-In-Fact
Yershov v. Gannett
Motion to dismiss denied – Gannett allegedly disclosed records of video clips viewed through its USA Today app, along with a user’s GPS coordinates and Android device id (Android ID), to third party Adobe, without consent.
On remand, after the appellate court confirmed an Android ID is personal, and determined an app user is a subscriber (consideration provided in the form of personal information), the district court ruled that plaintiff suffered a concrete, albeit ‘intangible’ injury – the invasion of his privacy interest in his video viewing history. Violation of this congressionally created statutory right to privacy was sufficient to establish Article III standing.
Furthermore, plaintiff did not have to plausibly allege that Adobe had a ‘profile’ on him, he only needed to plausibly allege that Gannett disclosed personal information to Adobe.
UPDATE: 27Mar2017 – dismissed with prejudice (Yershov), class dismissed without prejudice
Per court filing (Doc #83): “Parties agree that Plaintiff lacks sufficient evidence to support his allegation that Defendant violated the Video Privacy Protection Act by “disclos[ing] his PII—in the form of the title of the videos he watched [on the USA Today App], his unique Android ID, and his GPS coordinates—to third party analytics company [Adobe Systems Inc.]” from which Adobe “identif[ied] Yershov and attribute[d] his video viewing records to an individualized profile of Plaintiff Yershov in its databases.””
Not sure what has motivated this. There doesn’t appear to be a settlement. Let me know if you hear something.
[D. Mass; 1:14-cv-13112 (1st Circ.; 15-1719)]
jbho: something to think about if you are going to stream videos on your sites or through your apps, and share any viewing related information with third parties (even for analytics). Might be safest to get consent – just in case.
If you are interested, a sampling of what I’ve seen as influential cases under the VPPA:
- 2nd (Austin-Spearman v. AMC) – plaintiff not a subscriber (but Cookie ID alone arguably “personal information”)
  - [S.D. NY; 1:14-cv-06840]
- 3rd (In re Nickelodeon Consumer Privacy Litigation) – IP address, browser fingerprints, and unique device identifiers are not personal information under the VPPA (however, if technology existed where a user could enter an IP Address in a search engine and get the identity of the person, might be personal)
  - [3rd Circ.; 15-1441 (origin: D. N.J.; 2:12-cv-07829)]
  - Precedential opinion (see below)
- 9th (In Re Hulu Privacy Litigation) – Cookie ID alone not “personal information” (but plaintiff arguably a ‘subscriber’, even though user need not register for a Hulu account to watch videos on hulu.com)
  - [N.D. CA; 3:11-03764]
- 11th (Ellis v. Cartoon Network) – Device IDs aren’t personal; plaintiff not a subscriber (user did not sign up or establish an account)
  - [11th Circ.; 14-15046 (orig: N.D. GA; 1:14-cv-00484)]
  - Reiterated most recently in Perry v. CNN [N.D. GA; 1:14-cv-02926]
To Be Personal, Information Must Readily Permit An Ordinary Person To Know An Actual, Specific Person
(and currently, IP address, browser fingerprints, and unique device identifiers don’t)
In re Nickelodeon Consumer Privacy Litigation
Precedential opinion – Viacom allegedly disclosed personal information to Google, including static identifiers (IP address, browser fingerprints, and unique device identifiers).
The court dismissed the following claims:
- Wiretap Act – although a URL may constitute ‘content’ of a conversation, Google was either a party to the communication or permitted to communicate by Viacom
- CIPA – similar to the Wiretap Act, the California Invasion of Privacy Act does not apply when the alleged interceptor is a party to the communication
- SCA – personal computing devices are not ‘facilities’
- New Jersey Computer Related Offenses Act – plaintiff failed to allege the kind of injury covered under the act (unjust enrichment cannot be used as measure of damages)
- VPPA – IP address, browser fingerprints, and unique device identifiers are not personal information under the VPPA.
  - The court found that the VPPA prevents disclosures that, with little or no extra effort, would readily permit an ordinary person to know an actual, specific person’s video watching behavior. The definitions of personal information in other statutes were irrelevant. Congress gave no regulatory body the authority to update the definition of personal information under the VPPA (as it did with laws like COPPA), and chose not to change the definition when it updated the VPPA in 2013 (clarifying consent). Under the current technology* data like IP address, browser fingerprints, and unique device identifiers lack sufficient association to be considered personal.
  - The court also ruled only the discloser has liability (not the recipient), dismissing claims against Google.
* the court did say that if technology existed where a user could enter an IP Address in a search engine and get the identity of the person using the computer with that IP Address, a different decision might be reached.
The court reversed dismissal of state Intrusion Upon Seclusion claims. Viacom represented on its website it would not collect personal information about children (stated on its website, “HEY GROWN-UPS: We don’t collect ANY personal information about your kids. Which means we couldn’t share it even if we wanted to!”). Although IP address, browser fingerprints, and unique device identifiers are not personal information under the VPPA, they are under COPPA (pursuant to FTC’s rulemaking authority under COPPA), thus could be considered personal information that parents would not expect Viacom would be collecting. There was no need to address preemption, since COPPA regulates how information may be collected & used, not collection through deceitful practices. That COPPA defined the information in question as personal was enough to create an expectation that such information would not be collected.
UPDATE On 9 Jan 2017, the Supreme Court denied plaintiff’s petition for certiorari (No. 16-346, C.A.F. v. Viacom)
[3rd Circ.; 15-1441 (origin: D. N.J.; 2:12-cv-07829)]
jbho: another interesting twist in how the courts are interpreting the VPPA.
I think a big takeaway here is that the courts may consider the same information to be personal under one law, but not personal under another. And current technological conditions may also play a part. If any (re)identification can be fairly easily performed, then you might have personal information after all?