October 17, 2016 -

Court Provides Guidance on the Spectrum of Potentially Identifying Information

By Christopher Dodson and Andrew Baer

A recent decision by the U.S. Court of Appeals for the Third Circuit is a split decision for adtech companies and content providers. The decision upheld a district court’s dismissal of Video Privacy Protection Act claims against Viacom and Google as well as state invasion of seclusion claims against Google, but reversed the district court’s dismissal of state invasion of seclusion claims against Viacom. Nickelodeon, a subsidiary of Viacom, operates, a website that features games and streaming videos for children. As part of the sign-up process for the site, a message was presented to users that read “HEY GROWN-UPS: We don’t collect ANY personal information about your kids. Which means we couldn’t share it even if we wanted to.” participated in Google’s digital display advertising network, so Google was dropping third party cookies on each user’s computer and collecting information such as the user’s IP address, a unique device identifier and device fingerprint information for the purpose of targeting advertisements.

Readers not interested in the details of the decision, can skip to the end for three important lessons from this decision (see 3 Key Lessons below).

In this class action suit (In re: Nickelodeon Consumer Privacy Litigation, No. 15—1441 (3d Cir. June 27, 2016)), the plaintiffs alleged that both Nickelodeon and Google violated, among other things, the federal Video Privacy Protection Act and New Jersey’s common law privacy right against invasion of seclusion. The trial court dismissed all claims, and the plaintiffs appealed.

Video Privacy Protection Act Claims

A violation of the 1988 Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, occurs where a “video tape service provider” knowingly discloses “personally identifiable information concerning any consumer” of such a service. Under the statute, a video tape service provider means anyone “engaged in the business…of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” While the statute was written to address pre-internet services (i.e. video stores), the language is broad enough to include online video services. “[P]ersonally identifiable information” under the statute means “information which identifies a person as having requested or obtained specific video materials or services from a video tape provider.” The VPPA allows a plaintiff to recover a minimum of $2,500 per violation plus punitive damages, attorneys’ fees and litigation costs. Thus, the potential liability for an online video service is significant.

The Third Circuit upheld the trial court’s dismissal of the VPPA claims against both Google and Viacom. The plaintiffs argued that Viacom disclosed the URLs visited by a user (“effectively reveal[ing] what videos” a user watched), and which could be combined with the “static digital identifiers (such as IP addresses, browser fingerprints, and unique device identifiers)” to link the videos to the real-world identity of a user.

Google defended against this claim by asserting that the statute defines a violation as the disclosure of information covered by the statute, not the receipt of covered information. The plaintiffs countered that the VPPA provides for relief for a person aggrieved by a violation, and a person is just as aggrieved when a third party receives protected information as by the disclosure of it. The court, quoting a Seventh Circuit decision, held that “the more plausible interpretation” is that the prohibited conduct is limited to disclosure and upheld the trial court’s dismissal of the VPPA claim against Google.

In its defense of the VPPA claim, Viacom asserted that it did not disclose personally identifiable information. Specifically, Viacom argued that the IP address, the browser fingerprint (described by the court as the user’s browser and operating system settings) and a unique device identifier do not constitute personally identifiable information. The plaintiffs argued that since this information was used to track a single device as it accessed different websites, it effectively identifies a particular person.

In determining what is “personally identifiable” under the VPPA, the court analyzed the static digital identifiers as part of a spectrum of information. At one end is a name, which directly identifies a person. Then there are pieces of information, such as a phone number or a physical address, which do not directly identify a person but could be used to identify a person by accessing other publicly available information, such as a phone book or property records. Below that on the spectrum is information, such as a social security number, which could be used to match a person with more difficulty. Finally, the court placed the static digital identifiers below that. These identifiers would be of little help to an average person in identifying an actual person.

While most courts have held static digital identifiers on their own not to be personally identifiable information, the Third Circuit acknowledged a case with a different outcome coming out of the First Circuit. In Yershov v. Gannett Satellite Information Network, Inc., 104 F.Supp. 3d 135 (D.Mass. 2015), the plaintiff had used USA Today’s mobile app, which disclosed information about his video usage to a third party analytics company, including his GPS coordinates. In a decision affirmed by the First Circuit Court of Appeals, the trial court held that the disclosures of static digital identifiers, which included GPS coordinates of the user, could theoretically be used to identify an individual person.

The Third Circuit, however, determined, based on the statute’s legislative history, that the VPPA was intended to protect personally identifiable information that identifies a specific person and ties that person to a particular video watched by the person. Thus, while GPS information, such as in Yershov, contained more power to identify a specific person, an IP address, a device identifier or a browser fingerprint was not sufficient to do so because the linkage of information to identity becomes too uncertain or too dependent on yet-to-be-done or unforeseeable “detective work.” (While the court did not expressly address the combination of an IP address, a device identifier and a browser fingerprint, using the court’s analysis, the combination of all three still appears to be too dependent on yet-to-be-done detective work to link a specific person to a particular video.) Instead, personally identifiable information under the VPPA means the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching history.

Intrusion Upon Seclusion Claims

Turning to the intrusion upon seclusion claim against Google and Viacom, the court had to determine whether the plaintiffs stated the elements necessary for such a claim under New Jersey law. New Jersey law requires that a plaintiff show (i) an intentional intrusion (ii) upon the seclusion of a plaintiff that is (iii) highly offensive to a reasonable person. In determining whether the plaintiffs alleged an “intentional intrusion,” the court determined that the presence or absence of consent to the data collection was essential. Since the plaintiffs alleged the data collection occurred without their consent, the court held that the first element was met. The second element is met when a defendant intrudes into a private place or invades a private seclusion with which a plaintiff has surrounded himself. The court found that a reasonable person could conclude that Viacom’s promise not to collect any personal information about children created an expectation of privacy relating to activity on

On the third element, the court upheld the trial court’s dismissal as to Google’s use of tracking cookies. The court ruled that Google’s use of tracking cookies on the children’s website was not sufficiently offensive because it was the same technology Google used on countless other sites and was accepted as serving a legitimate commercial purpose. Viacom, however, met with a different fate. Because it created an expectation of privacy with its message to parents (“We don’t collect ANY personal information about your kids. Which means we couldn’t share it even if we wanted to.”), it may have encouraged parents to permit children to use the website under false pretenses. Thus, a reasonable jury could conclude that an intrusion of seclusion occurred by collection of information through deceitful tactics by Viacom. Thus, the Third Circuit reversed the trial courts dismissal of the intrusion upon seclusion claims against Viacom.

3 Key Lessons

Clients should take away several points from this decision. First, it is critical to ensure that their statements about privacy (whether in a privacy policy or elsewhere) conform with their actual practices. Second, understand at a deep level the details of what data is being collected and how it is being used and disclosed, including by third party tools used on a website or mobile property. The first two lessons are interrelated. Pseudonymous information that is not directly identifying, but is on the spectrum of information that could be used to identify a specific person, is often collected by third party tools. Statements by the Federal Trade Commission make it clear that it is moving in the direction of treating pseudonymous information/persistent identifiers that can be reasonably linked to a particular person, computer, or device as personally identifiable. Thus, to ensure that a privacy policy conforms to actual practice, site owners are going to need to engage in a deep dive into the third party tools they use as well as the automatic logging that occurs on the platform that is hosting their website, mobile backend, or cloud services. If tool and platform providers do not volunteer enough information, clients should press them for more details.

The third lesson is not to overlook the impact of optics when designing business processes and privacy practices. When a court is able to describe a company’s actions as “duplicitous,” as the court did here, the company is going to have a bad day in court.