On April 26, 2016, the First Circuit handed down a plaintiff-friendly Video Privacy Protection Act (“VPPA”) decision offering potentially expansive definitions of “subscriber” and “personally identifiable information.” The case, Yershov v. Gannett Satellite Info. Network, Inc., No. 15-1719, 2016 WL 1719825 (1st Cir. Apr. 29, 2016), suggests that in some cases, an unregistered user of a mobile application may qualify as a “subscriber” under the VPPA, and that device identifiers may constitute “personally identifiable information” when combined with precise location data.
The court’s reasoning diverges from that of the Eleventh Circuit and a string of district courts, including several in the Ninth Circuit, which have narrowly construed the VPPA. When combined with the VPPA’s draconian statutory damages provisions, the potential split may embolden plaintiffs’ lawyers to file additional VPPA cases, particularly within the First Circuit, because of the potential for a damages windfall.
As explained in more detail below, companies offering mobile applications that include video features should carefully evaluate the types of data they are collecting, the purpose of the collection, and whether the information is being shared with third parties to determine how that activity might implicate the VPPA as interpreted by the First Circuit.
The VPPA prohibits “video tape service provider[s]” from “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider” under certain circumstances without a particular form of consent. 18 U.S.C. § 2710(b)(1)-(2) (emphasis added). “[P]ersonally identifiable information” in turn “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” § 2710(a)(1). “[C]onsumer” means “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” § 2710(a)(2) (emphasis added).
In Gannett, the plaintiff alleged that he downloaded Gannett’s USA Today news mobile application and used it to read articles and watch videos. He did not register a user profile, nor did he consent to any terms relating to the sharing of content he viewed. The plaintiff further alleged that Gannett collected the titles of each video he watched, along with his location and device identifier, and provided all this information to Adobe for analytics. Adobe, in turn, allegedly used the information to create identifiable user profiles, including individuals’ names, age, income, and behavioral history.
The district court dismissed the complaint for failing to state a VPPA claim, reasoning that, while the information the plaintiff provided Gannett constituted personally identifiable information, the plaintiff was not a “subscriber” because his interaction with the application did not involve “payment, registration, commitment, delivery, and/or access to restricted content.”
First Circuit Opinion
The First Circuit agreed with the district court that the information provided by the plaintiff – video title, device identifier, and location – constituted “personally identifiable information.” Finding little interpretive guidance in the statutory text, the court arrived at its conclusion through an example where an individual watched videos in the application from two locations every day. This pattern, the court reasoned, would allow a company to surmise that the locations are the user’s home and work addresses, which in turn would allow a company to identify the person by name. The court explained that this was all the more plausible there because Gannett disclosed the information to Adobe, which allegedly had the capability of identifying individuals by name with the device identifier and location information. The court did, however, recognize that “there is certainly a point at which the linkage of information to identify becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work.”
The First Circuit disagreed, however, with the district court’s interpretation of “subscriber,” which had been cited by the Eleventh Circuit as the “better reasoned of the existing opinions on the issue” in Ellis v. Cartoon Network, Inc., 803 F.3d 1251, 1256 (11th Cir. 2015). The First Circuit declined to adopt a definition for “subscriber,” instead holding only that the plaintiff plausibly alleged he was a “subscriber” by alleging that he downloaded the application and was required to provide his location and device identifier in order to watch videos on the application.
The opinion adds to the uncertainty regarding the role of location information and device identifiers in the definition of “personally identifiable information.” While the court indicated that the combination can be personally identifiable information, it provided no definitive answer as to when that will be the case. Consequently, companies that offer video through mobile applications should carefully evaluate the practice of collecting and sharing these elements with third parties. Companies should also consider the role that consent can play in mitigating these risks.
Even so, as the First Circuit recognized, the plaintiff here (and VPPA plaintiffs in general) still has a long way to go. The court explained that to actually prove a violation of the VPPA, the plaintiff will have to establish that the device ID and the location data at issue would in fact identify him – which, depending on, among other things, the frequency and precision of the data, could be no small feat. The court also indicated that the way Gannett treats and generates revenue across its various platforms could detract from the plaintiff’s ability to establish himself as a “subscriber.”
For more information regarding the VPPA, Gannett or to discuss privacy practices generally, please feel free to contact Heather Egan Sussman, Doug Meal, Jim DeGraw, Rohan Massey, Seth Harrington, David McIntosh, Mark Szpak, Michelle Visser, Paul Rubin, Marc Berger, Laura Hoey, David Cohen, or another member of Ropes & Gray’s leading privacy & data security team.