Two recent news items have drawn attention to the shifting sands that underlie the foundations of digital media and the ad tech world: the recent inconsistent rulings in Video Privacy Protection Act (VPPA) cases, as well as some recent statements from the FTC regarding what should be considered to be Personally Identifiable Information.
VPPA – Inconsistent Rulings
The VPPA generally prohibits the sharing of information about a consumer’s video viewing habits. There have been a string of recent cases which focus on questions as to whether various sorts of information amount to “personally identifiable information” (PII) linking a particular person to a particular video – and whether a particular person should be considered a “customer” or “subscriber” benefitting from the protections of the VPPA. Read more>
In mid-April, a Federal District Judge in Atlanta dismissed a VPPA class action case against CNN, ruling that a 12-digit Media Access Control (MAC) address should NOT be considered to be PII, and that downloading an app does not make someone a “subscriber” (and thus not a “consumer”) for purposes of the VPPA.
Yet in late April, the ruling of a first circuit court of appeals panel in Boston (including retired Justice Souter) in a case against USA Today essentially reached the opposite conclusions: finding that device a identifier and precise geolocation data may be considered “PII” and that downloading an app – even without payment – could make someone a “subscriber” (and thus a protected “consumer”) for purposes of the VPPA. The court remanded the case to the district court to further consider the question in light of the particular facts at issue.
Well, which is it? Nearly all cases to date have generally followed the trend in the CNN case, as courts have rarely found device identifiers to be PII for purposes of the VPPA, and have been strict in considering whether a person should be considered a “subscriber”.
FTC Guidance – Context is Everything
Recent statements from the FTC focusing on the context of particular information may help align these conflicting results.
Jessica Rich, the Director of the FTC Bureau of Consumer Protection, recently stated that the FTC regards “data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” Ms. Rich noted that the FTC had been consistently making the same observations since its 2009 staff report on online behavioral advertising and 2012 Privacy Report.
So What’s Next?
Taking the broad view, digital publishers need to monitor the tracking they are conducting (or permitting) on their site and app visitors, and consider whether alphanumeric identifiers should be considered to be PII, in the context of the site or app. While the long trend of VPPA rulings has been quite permissive of the current digital media and ad tech ecosystems, a more contextual view of what is PII and who is a “consumer”, in light of changing technologies and market behaviors, could lead to very different results – and potential liability for digital media companies.
The digital ecosystem has been a minefield of potential risks for content distributors. The best ways to monitor privacy and compliance risks are for companies to (i) understand fully what data is being collected and shared, (ii) confirm that meaningful consent and opt-out opportunities are made available to site and app visitors, (iii) take steps to assure compliance with applicable US – and foreign – laws, like the VPPA, COPPA (Children’s Online Privacy Protection Act) and EU privacy directives, and, perhaps most critically, (iv) be prepared to react quickly as rules and market practices evolve.