The Third Circuit Court of Appeals handed the defendants a partial victory in In re Nickelodeon Consumer Privacy Litigation on June 27. While its decision last year in In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), foreclosed many of the plaintiff’s claims under state and federal law, the Third Circuit found that new allegations under the Video Privacy Protection Act (VPPA) and for intrusion upon seclusion under New Jersey law required it “to break new ground.”
While the Third Circuit ultimately rejected claims that defendants violated the VPPA (reversing only the district court’s dismissal of the intrusion upon seclusion claim), plaintiffs’ allegations raised two key questions under the VPPA: first, whether Google, as a third party recipient of data from Viacom, was an appropriate defendant under the VPPA, and second, what constituted “personally identifiable information” (PII) under the VPPA? The answers to both questions came out in the defendants’ favor and give further insight into how courts understand what constitutes PII under the VPPA. The decision also demonstrates how courts will continue to grapple with the Supreme Court’s recent Spokeo decision and its potential impact on civil privacy litigation.
The VPPA’s Applicability to Third Parties
The Third Circuit held that the VPPA only allows plaintiffs to sue a person or entity that discloses PII, and not a person who merely receives such information. The legal issue arose due to potential for a lack of clarity between sections 2710(b)(1) and (c)(1) of the VPPA. While section (b) explains that the VPPA applies to any “video tape service provider who knowingly discloses [PII],” section (c) creates a private right of action to anyone “aggrieved by any act of a person.”
According to the plaintiffs, they were just as “aggrieved” when a third party receives PII as when a video tape service provider discloses it. They relied on an earlier district court decision that held that any person, rather than any video tape service provider, could be liable under the VPPA. In Dirkes v. Borough of Runnemede, 936 F.Supp. 235 (D.N.J. 1996), investigators uncovered information about Dirkes’ rental of adult films and further disseminated this as part of a police disciplinary hearing and in a court proceeding. Perhaps due to the sensitive set of facts involved, that court found that the VPPA’s “broad remedial purpose” was best served by allowing plaintiffs to sue any “individuals who have come to possess (and who could disseminate) the private information.” No other decision has interpreted the VPPA in this fashion, and the Third Circuit was further persuaded by more recent decisions by the Sixth and Seventh Circuits that limit the VPPA’s applicability to third parties.
The Court agreed that the best explanation of the VPPA is that section (b) makes certain conduct—the knowing disclosure of PII by a video tape service provider—unlawful, and section (c) creates a cause of action against persons who engage in such a disclosure, meaning the “video tape service provider,” or Viacom, in this case. The court cautioned that if any and all third parties could be held liable under the VPPA, the law would have no need to define “video tape service providers” in the first place. As a result, because Google was not alleged to have disclosed any PII in a role as a video tape service provider in this instance, the district court’s dismissal of claims against the company were affirmed.
Is an IP Address PII Under the VPPA?
The next question was whether Viacom had disclosed PII under the VPPA. With this decision, the Third Circuit became only the second circuit court to address the scope of PII after a First Circuit decision in May. The opinion notes early on that “the proper meaning of the phrase ‘personally identifiable information’ is not straightforward.”
According to the court, three pieces of information (IP addresses, browser fingerprints, and unique device identifiers) were critical to the plaintiff’s VPPA allegations because they allegedly allowed Google to track the same computer across time. The court recognized that VPPA litigation reflects a “fundamental disagreement” over what sorts of information are sufficiently personally identifying to trigger liability. It discussed a spectrum of PII ranging from a person’s actual name to static digital identifiers, and noted that the 2012 In re Hulu Privacy Litigation established a general rule that static digital identifiers do not count as PII “at least by themselves.”
The court further recognized that “norms about what ought to be treated as private information” are both in flux and subject to technological novelties, but it concluded that a narrower understanding of PII under the VPPA was more persuasive than the defendants’ alternative. This was based on statutory interpretation and legislative history along with subsequent developers in federal privacy law.
For example, the court looked at the Children’s Online Privacy Protection Act (COPPA) and made note of the Federal Trade Commission’s expansion of the definition of “personal information” in its 2013 COPPA Rule. While this definition captures the sorts of technical information at issue here, it is also the product of the FTC’s statutory authority to define what counts as personal information under COPPA. The meaning of the VPPA is “more static” in contrast. It also noted that Congress was made aware of the VPPA’s definitional limits and did not update the definition of PII when the law was revised in 2013.
The court found that the allegation that Google could assemble “otherwise anonymous pieces of information to unmask the identity of individual children is . . . simply too hypothetical to support liability under the Video Privacy Protection Act.” Instead, the VPPA’s “prohibition on the disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior. In our view, the kinds of disclosures at issue here, involving digital identifiers like IP addresses, fall outside the Act’s protections.”
However, the Third Circuit emphasized that “some disclosures predicated on new technology” may suffice as a disclosure of PII under the VPPA. The opinion goes to great pains to make clear that it does not create a circuit split with the First Circuit’s recent decision in Gannett v. Yershov, which found the dissemination of precise GPS coordinates to be a disclosure of PII. According to the Court, location information simply may “contain more power to identify a specific person than, in [the Third Circuit’s] view, an IP address, a device identifier, or a browser fingerprint.”
New Jersey-Based Intrusion Upon Seclusion Not Preempted by COPPA
The Third Circuit then turned to plaintiffs’ invasion of privacy claim and rejected Viacom’s argument that it was preempted by COPPA, which prohibits states from imposing liability on commercial activities in ways that are “inconsistent with [COPPA’s] treatment of those activities.”
While COPPA regulates the collection and use of children’s personal information, the Third Circuit concluded that “it says nothing about whether such information can be collected using deceitful tactics.” Plaintiffs had alleged that Viacom’s online registration process included a message stating:
HEY GROWN-UPS: We don’t collect ANY personal information about your kids. Which means we couldn’t share it even if we wanted to!
According to the court, this may have created “an expectation of privacy” on Viacom’s websites, which allowed it to obtain personal information “under false pretenses.” “Understood this way, there is no conflict between the plaintiffs’ intrusion claim and COPPA,” the court held.
Spokeo Does Not Alter Plaintiff’s Standing in This Case
Finally, the Third Circuit briefly addressed the Supreme Court’s Spokeo decision and whether it altered the court’s view as to whether plaintiffs’ had Article III standing here. In Spokeo, the Supreme Court provided two examples—a failure to comply with a statutory notice requirement and the dissemination of inaccurate information under the Fair Credit Reporting Act—as “bare procedural violations” that could produce no harm. The Third Circuit concluded that none of these pronouncements called into question plaintiffs’ standing here. Plaintiffs had alleged injuries that both were clearly particularized, as each plaintiff alleged disclosure of information relating to his or her online behavior, and concrete harms that may have been “intangible” but were still “a clear de facto injury, i.e., the unlawful disclosure of legally protected information.”
In re Nickelodeon Consumer Privacy Litigation will continue in any event, serving as a warning to industry to be careful about the content of its disclosures to consumers and the information it shares with third parties. The Third Circuit openly admits that its decision leaves open many questions for another day, and we are certain to see more of such days in the coming months.