Media companies have been trying to make sense of the seemingly inconsistent rulings interpreting the Video Privacy Protection Act (VPPA) and whether anonymous identifiers – like IP addresses – are considered personally identifiable information (PII).
Anonymous IDs Are PII?
Most courts have ruled that anonymous identifiers are not PII. But in late April, in Yershov v. Gannett, the Federal Court of Appeals for the First Circuit in Boston raised the possibility that anonymous identifiers may amount to PII for purposes of the VPPA.
Now the Third Circuit in Philadelphia has weighed in: In In Re: Nickelodeon Consumer Privacy Litigation, the Court followed the majority trend and, ruling in favor of Nickelodeon (and parent company Viacom), found that anonymous identifiers like IP addresses, the “browser fingerprint” of various browser settings, and the computer’s unique device identifier are not “personally identifiable information” under the VPPA.
PII Under the VPPA.
Under the VPPA, personally identifiable information “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” The Court focused on the difficulty of linking unique device IDs to particular people and did not expand PII to include anonymous identifiers. The Court distinguished this narrow definition of PII under the VPPA from the more precise and inclusive language included in statues like the Children’s Online Privacy Protection Act and related regulations, which include anonymous identifiers in the definition of PII.
The Nickelodeon Court aligned their narrow reading of the VPPA from the contrary conclusion reached in the Yershov case due to the absence of GPS (geo location) data in the Nickelodeon case. The Court stated that GPS data “contain more power to identify a specific person than, in our view, an IP address, a device identifier, or a browser fingerprint.”
Focus on GEO data
This emphasis on the significance of geolocation data reflects the current focus of privacy regulators as well. The FTC has been concerned with the broad availability of geolocation data and the inconsistent manner in which companies obtain consent to track geo data from consumers. The FTC has been quite aggressive in its recent enforcement actions regarding wrongfully obtained geo data, including the nearly $1 million settlement with mobile ad tech company InMobi in June, which collected geo information from consumers whether or not they had provided the requested consent.
What should you do?
It is clear that the boundaries of what is and is not PII have begun to blur. While anonymous identifiers alone are not personal information under the VPPA, those identifiers, when linked to geo information, may be considered personal information. So media companies should consider carefully whether geo information is being shared, and if it is shared in a way such that it is linked to anonymous identifiers, because the two items may together be considered personal information under the VPPA.