US courts continue to find major media companies to have no liability under the Video Privacy Protection Act for online business activities.  But to date, judicial reasoning has been inconsistent: Most courts take the view that anonymous identifiers should not be considered to be personally identifiable information (PII). Others avoid the question of whether data is PII and instead rely on a narrow definition of “consumer” in ruling for the media companies.  Recent cases illustrate the different approaches:

  • Anonymous IDs are – or might be – personally identifiable.  In early October, the Cartoon Network, a unit of Time Warner, won in the Eleventh Circuit Court of Appeals.  That court may have been following a trend started with a Massachusetts court in a similar case against Gannett, the publisher of USA Today:  instead of focusing on whether particular data points should be considered “personally identifiable information”, the court determined that a viewer of online videos should not be considered to be a “consumer” under the VPPA.
  • Anonymous IDs are not personally identifiable.  But on October 20, in Robinson v. Disney Online, the Federal District Court for the Southern District of New York  ruled in favor of a Disney subsidiary – on a summary judgment motion – determining that the anonymous data tracked and shared should not be considered to be “personally identifiable information” for purposes of the VPPA.   

What the Statute Says – and What it Means.  Under the VPPA, there may be liability for a media company (a “video tape service provider”) that “knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider”. 

Most courts have determined that for a data point to be considered to be “personally identifiable”, it must identify a particular person.  

The Massachusetts court in the Gannett case found that code identifiers, like the android ID, should be considered to be “personally identifiable information”.  Yet, the Massachusetts court then found no liability because the viewer of the video was not a “consumer” under the VPPA.   

The VPPA defines the term “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider”.

In both the Gannett and Cartoon Network cases, the courts looked at the word “subscriber” and found it did not include members of the public who merely view videos online.

But the October 20, 2015 New York case followed the majority view, and found that under the VPPA:  PII is information which itself identifies a particular person as having accessed specific video materials.  The Court went on to find that the unique anonymous identifiers, in that context, were not personally identifiable, and dismissed the lawsuit against Disney. 

 

With the recent quagmire of decisions surrounding PII, companies need to "walk the line" of consumer privacy carefully.

With the recent quagmire of decisions surrounding PII and the Video Privacy Protection Act, companies need to “walk the line” of consumer privacy carefully.

 

Next Steps.  So where does this leave us?  Courts have consistently found no liability in connection with the online video viewing activities of the general public.  However, for those sites that create a subscriber relationship with visitors – presumably with “sign-in” and payment elements – the potential for VPPA liability remains if the broader definitions of “personally identifiable information” are adopted by courts. 

As many experts are advising to look at “context” in determining whether a data point should be considered “personally identifiable information”, media companies should continue to carefully monitor their data sharing practices, and minimize the information being shared – including video names when linked to various viewer IDs – so as to minimize potential liability in the future.