Enter to open, tab to navigate, enter to select
Sliding Scale Test for the VPPA's PII Definition Adopted and Standing Confirmed After Spokeo: Third Cir.
Practical Law Legal Update w-002-7230 (Approx. 6 pages)
Sliding Scale Test for the VPPA's PII Definition Adopted and Standing Confirmed After Spokeo: Third Cir.
by Practical Law Intellectual Property & Technology
| Published on 28 Jun 2016 • USA (National/Federal) |
In In re: Nickelodeon Consumer Privacy Litigation, the US Court of Appeals for the Third Circuit affirmed the district court's dismissal of the plaintiff's Video Privacy Protection Act (VPPA) claims, holding that it does not impose liability on recipients of personally identifiable information (PII) and that information is not PII unless it readily permits an ordinary person to identify a specific individual's video watching behavior. The Third Circuit adopted a sliding scale test to determine when disclosure of different data elements could reasonably lead to an individual's identification, finding that disclosure of IP addresses, device identifiers, or browser fingerprints on their own did not.
On June 27, 2016, in In re: Nickelodeon Consumer Privacy Litigation, the US Court of Appeals for the Third Circuit held plaintiffs had standing to bring various privacy related claims against Viacom, Inc. and Google, Inc., but upheld dismissal of all claims except for a New Jersey tort law claim against Viacom for intrusion upon seclusion ( (3d Cir. Jun. 27, 2016)).
Background
Viacom owns the Nickelodeon children's television station and operates a companion website, Nick.com, featuring related content, including videos. Viacom also allegedly partners with Google to serve third party advertising from the site and allows Google to collect site visitor information to sell targeted advertising based on browsing activity.
According to the complaint, Viacom's website registration process collects a child's birthdate and gender, then Viacom assigns the child a code. Viacom's process also includes a message to the children's parents that states, "HEY GROWN UPS: We don't collect ANY personal information about your kids. Which means we couldn't share it even if we wanted to!".
The complaint alleged that Viacom's website, however, employs first party cookies to track the games and videos played by a specific child and also triggers Google's third party advertising cookies, which allow Google to track that individual's website activity over time and across different websites. Plaintiffs' alleged that Viacom also shared profile and other first party cookie information with Google that ultimately enabled Google to track the individual child's:
- Username/alias, gender, and birthdate.
- IP address.
- Operating system and browser settings and versions, like screen resolutions.
- Unique device IDs and DoubleClick persistent cookie ID.
- Web communications, including detailed URL requests and video materials requested from the Viacom children's sites.
The complaint further alleged identifying individual web users from this seemingly anonymous data using digital fingerprinting to link online and offline activity is technically easy for Google because of its ubiquitous online presence. They also provided survey evidence that tracking and profiling children's website activity violates current social norms.
Parents of children visiting the Nick.com website filed a class action law suit claiming Viacom and Google's alleged actions violated a variety of federal and state statutes, including the Video Privacy Protection Act of 1988 (VPPA), and New Jersey's common law tort for intrusion upon seclusion (18 U.S.C. §2710).
Outcome
The district court dismissed the consolidated class action against both Viacom and Google in its entirely for failure to state a claim. The Third Circuit reversed the dismissal of the common law intrusion upon seclusion claim against Viacom, but upheld dismissal of all remaining claims against both defendants.
Article III Standing
The US Supreme Court recently clarified that when a plaintiff alleges a procedural violation of a statutory right, courts must determine whether that alleged violation entails a degree of risk sufficient to meet Article III's concreteness requirements (Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016)). Bare procedural statutory violations without concrete harm would not satisfy Article III's injury-in-fact requirement (see Legal Update, Supreme Court Reverses Ninth Circuit for Incomplete Standing Analysis).
Addressing the Supreme Court's recent decision, the Third Circuit noted that intangible harms may still give rise to standing even if they are difficult to measure. Analyzing the standing elements in light of Spokeo, the Third Circuit found the plaintiff's alleged injury was:
- Particularized because each plaintiff complained about disclosures of their own specific online behavior.
- Concrete because the video viewing information allegedly unlawfully disclosed was not a bare procedural violation. Instead, it directly related to redress rights Congress provided for unauthorized disclosures of information that, in its judgment, ought to remain private.
The court also specifically held that Spokeo did not alter its previous standing analysis for similar statutory-based privacy related class action claims in In re Google Inc. Cookie Placement Consumer Privacy Litigation (806 F.3d 125 (3d Cir. 2015)). For more information on In re Google Inc., see Legal Updates, Standing for Consumers in Google Cookie Litigation: Third Circuit.
Video Privacy Protection Act (VPPA)
The VPPA prohibits providers of video tapes or other similar audio visual materials from knowingly disclosing information that identifies a person as having requested or obtained specific video materials or services to third parties.
Focusing first on Google, the court held that VPPA liability only attached to video providers disclosing information, not to the recipients of that information. Because the complaint did not allege any prohibited disclosures by Google, the court affirmed the claim's dismissal.
The court then turned to the VPPA's personally identifiable information (PII) definition, which it found to be ambiguous. Recognizing that contrasting positions taken by other courts reflect a fundamental disagreement over what kinds of information are sufficiently "personally identifying" for their disclosure to trigger liability, the court determined that the statute's legislative history required a narrow understanding of PII. While holding that PII includes more than just a person's name, it also determined that courts should closely tie the definition to information readily permitting an ordinary person to identify a specific individual's video watching behavior.
To account for these nuances, the court adopted a sliding scale analysis as a framework for deciding the question, rather than a set definition. Starting on one end with the classic example of a clerk disclosing a person's name and rented video, every step away makes a successful claim harder, until the identity linkage becomes too uncertain or dependent on detective work to trigger statute liability. Data elements on the spectrum might range, from:
- Persons' actual names, as the most likely trigger.
- Public information easily used to identify someone, like telephone numbers or address, as a highly likely trigger.
- Non-public information not easily matched to a specific person without additional information access, like social security numbers, as a less likely trigger.
- Static digital identifiers that must be combined with information that is not easily accessible, as unlikely triggers.
Following this sliding scale analysis, the court held that IP addresses, digital cookie codes, or browser fingerprints would not allow average people to specifically identify an individual. It also rejected the allegation that Google could assemble otherwise anonymous pieces of data provided by Viacom to unmask the identity of individual children as too hypothetical to support liability under the VPPA.
This decision seemly conflicts with the US Court of Appeals for the First Circuit's recent decision in Yershov v. Gannett Satellite Information Network, Inc., finding the legislative history supported a broader PII definition that could include data elements such as mobile device ID and GPS coordinates (820 F.3d 482 (1st Cir. 2016). For more information on Yershov v. Gannett Satellite Information Network, Inc., see Legal Update, Free Mobile App Users Are Subscribers Under the VPPA: First Cir.. The Third Circuit, however, simply distinguished the cases based on their facts, indicating that the addition of GPS data, which individuals can easily convert into exact location information, just moved the sliding scale closer to the PII side.
Remaining Claims
The Plaintiff's other claims (Federal Wiretap, Stored Communications Act, New Jersey Computer Related Offenses Act, which New Jersey courts have interpreted in line with the federal Computer Fraud and Abuse Act, and California Invasion of Privacy Act) failed on the merits for the same reasons previously described in the Third Circuit's earlier In re Google Inc. Cookie Placement Consumer Privacy Litigation decision.
The court, however, reinstated the Plaintiff's New Jersey tort claims and remanded the case back to the district court for further proceedings, holding that:
- The Children's Online Privacy Protection Act of 1998 (COPPA) did not preempt the claim, because it was based on the alleged false expectation of privacy Viacom intentionally created by their registration disclosures, then allegedly violated (15 U.S.C. §§ 6501-6506).
- Reasonable fact finders could deem Viacom's alleged conduct highly offensive or an egregious breach of social norms because their statements may have encouraged parents to permit their children to browse those websites under false pretenses.