Robinson v. Disney Online d/b/a Disney InteractiveMEMORANDUM OF LAW in Support re: 30 MOTION to Dismiss First Amended Complaint. . DocumentS.D.N.Y.September 12, 2014UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK JAMES ROBINSON, individually and on behalf of others similarly situated, Plaintiff, v. DISNEY ONLINE D/B/A DISNEY INTERACTIVE, Defendant. ECF Civil Action No. 1-14-CV-4146 (RA)(DCF) MEMORANDUM OF LAW IN SUPPORT OF DEFENDANT’S MOTION TO DISMISS FIRST AMENDED COMPLAINT Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 1 of 22 TABLE OF CONTENTS PAGE i I. PRELIMINARY STATEMENT .........................................................................................1 II. BACKGROUND AND FACTUAL ALLEGATIONS .......................................................4 A. The VPPA Prohibits Disclosures That “Identify A Person” ....................................4 B. The DI Channel Transmits Hashed Device Serial Numbers To Adobe ..................4 C. According To Plaintiff, Adobe “Has The Capability” To Use Hashed Device Serial Numbers From The DI Channel To Identify DI Channel Users ........................................................................................................................6 III. ARGUMENT .......................................................................................................................6 A. Plaintiff Fails to State a VPPA Claim Because He Does Not Allege Any Disclosure of PII ......................................................................................................7 1. The Alleged Disclosures Are Not PII ..........................................................7 2. Allegations That Adobe “Has The Capability” To Personally Identify DI Channel Users Do Not Save Plaintiff’s Claim ........................10 (a) Allegations Regarding Adobe, Roku, And Other Third Parties Are Irrelevant .....................................................................10 (b) Allegations Regarding Adobe, Roku, And Other Third Parties Should Be Disregarded Because They Are Not Adequately Pled .............................................................................12 B. Plaintiff Fails to State a VPPA Claim Because He Is Not a “Consumer” Under the VPPA ....................................................................................................16 IV. CONCLUSION ..................................................................................................................17 Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 2 of 22 TABLE OF AUTHORITIES PAGE(S) ii FEDERAL CASES Ashcroft v. Iqbal, 556 U.S. 662 (2009) .............................................................................................................7, 15 Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) .............................................................................................................7, 16 BP Am. Prod. Co. v. Burton, 549 U.S. 84 (2006) ...................................................................................................................16 Chambers v. Time Warner, Inc., 282 F.3d 147 (2d Cir. 2002).....................................................................................................12 In re Hulu Privacy Litig., No. C11-03764, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) ......................................8, 9, 11 In re Hulu Privacy Litig., No. 11-03764, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012) ................................................17 In re Nickelodeon Consumer Privacy Litig., MDL No. 2443, 2014 WL 3012873 (D.N.J. July 2, 2014) .............................................. passim Johnson v. Microsoft Corp., No. C06-0900, 2009 WL 1794400 (W.D. Wash. June 23, 2009) ............................................10 Low v. LinkedIn Corp., 900 F. Supp. 2d 1010 (N.D. Cal. 2012) ...................................................................................10 Matusovsky v. Merrill Lynch, 186 F. Supp. 2d 397 (S.D.N.Y. 2002) ..................................................................................7, 12 Pension Ben. Guar. Corp. ex rel. St. Vincent Catholic Med. Cntrs. Ret. Plan v. Morgan Stanley Inv. Mgmt. Inc., 712 F.3d 705 (2d Cir. 2013).......................................................................................................7 Perrin v. United States, 444 U.S. 37 (1979) ...................................................................................................................16 Pruitt v. Comcast Cable Holdings, 100 F. App’x 713 (10th Cir. 2004) ............................................................................................9 Steinberg v. CVS Caremark Corp., 899 F. Supp. 2d 331 (E.D. Pa. 2012) .................................................................................10, 11 Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 3 of 22 TABLE OF AUTHORITIES (CONTINUED) PAGE(S) iii Viacom Int’l Inc. v. YouTube Inc., 253 F.R.D. 256 (S.D.N.Y. 2008) ...............................................................................................9 FEDERAL STATUTES 18 U.S.C. § 2710(a)(1) ...............................................................................................................3, 16 18 U.S.C. § 2710(a)(3) .................................................................................................................1, 4 18 U.S.C. § 2710(b)(1) ..............................................................................................................4, 16 FEDERAL RULES Fed. R. Civ. P. 12(b)(6)................................................................................................................1, 6 LEGISLATIVE MATERIALS S. Rep. No. 100-599 (1988) .....................................................................................................1, 4, 8 Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 4 of 22 1 I. PRELIMINARY STATEMENT Defendant Disney Online d/b/a Disney Interactive (“Disney Interactive”) submits this Memorandum of Law in support of its Motion for an order, pursuant to Federal Rule of Civil Procedure 12(b)(6), dismissing the First Amended Complaint with prejudice for failure to state a claim upon which relief can be granted. The Video Privacy Protection Act (“VPPA”) prohibits the disclosure of personally identifiable information (“PII”), which the VPPA defines to include “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3). Congress enacted the VPPA in 1988 in response to a video store’s disclosure of a list of videos rented by then-Supreme Court nominee Judge Robert Bork to a newspaper reporter because, as Senator Patrick Leahy explained, “[i]t is nobody’s business what Oliver North or Robert Bork or Griffin Bell or Pat Leahy watch on television ….” S. Rep. No. 100-599, at 5-6 (1988). Accordingly, the fundamental requirement for liability under the VPPA is disclosure of “information which identifies a person.” Here, Plaintiff asks the Court to ignore this requirement and impose VPPA liability on Disney Interactive for allegedly disclosing the cryptographically hashed serial number of a Roku device he used to stream Disney Interactive video content to his television over the Internet.1 The Roku device, which is manufactured and sold by third party Roku Inc., is a set-top box roughly the size of a hockey puck that connects to a user’s television with a cable. Roku device users access video content through software applications referred to as “channels” that they download from Roku’s website. Plaintiff alleges that he downloaded a “channel” for Disney Interactive video content (the “DI Channel”). He further alleges that, each time he views Disney 1 Through cryptographic hashing, each 12-digit alphanumeric Roku device serial number is converted into a random 32-digit hexadecimal number. Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 5 of 22 2 Interactive video content, the DI Channel cryptographically hashes the serial number of his Roku device and then transmits the hashed serial number and his video selection to Adobe⎯a data analytics company that analyzes DI Channel usage patterns, on an aggregated and anonymized basis, to understand and improve user experience. According to Plaintiff, even though the hashed device serial number does not personally identify him, it is nevertheless PII because Adobe “has the capability to” identify DI Channel users and their video selections based on data that Adobe “assuredly” obtains from Roku and/or unidentified “additional sources.” Plaintiff’s First Amended Complaint should be dismissed for three separate and independent reasons. First, and most fundamentally, a hashed Roku device serial number is not PII under the VPPA because it does not “without more, itself link an actual person to actual video materials.” In re Nickelodeon Consumer Privacy Litig. (“Nickelodeon”), MDL No. 2443, 2014 WL 3012873, *10 (D.N.J. July 2, 2014) (emphasis added). Plaintiff admits that the DI Channel transmits only hashed Roku device serial numbers to Adobe, but he contends that they constitute PII because Adobe potentially could use them to identify DI Channel users and their video selections based on other information that Roku and/or “additional sources” potentially disclosed to Adobe. Thus, Plaintiff asks the Court to ignore the express language of the VPPA, prohibiting disclosure of information that identifies a person, and to read in new language to include information that potentially could be used by the recipient to identify a person. Such an interpretation is contrary to the plain text of the VPPA and case law interpreting it, and it would result in an unwarranted expansion of the scope of the VPPA from prohibiting disclosures based on the nature of the information disclosed (i.e., information that identifies a person) to prohibiting disclosures, and imposing liability, based on the potential actions of a third party. The Court should reject Plaintiff’s invitation to rewrite the VPPA in this way. Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 6 of 22 3 Second, even under Plaintiff’s incorrect interpretation of what constitutes PII, he does not plead facts necessary to support the lynchpin of his theory of liability⎯that Adobe could potentially use hashed Roku device serial numbers from the DI Channel to identify DI Channel users and their video selections. Under the pleading standard set forth in Twombly and Iqbal, Plaintiff must at least allege facts to support a plausible inference that Adobe actually had this “capability,” which Plaintiff admits depends on Adobe (1) obtaining Roku device serial numbers and related personal information from Roku or other sources, and (2) using that information to associate DI Channel users with their Roku device serial numbers in Adobe’s existing databases. As explained below, Plaintiff not only fails to allege any facts to support a plausible inference that (1) and (2) occurred, but also he does not allege that Adobe could, much less did, somehow reverse engineer the 32-digit hexadecimal hashed Roku device serial numbers from the DI Channel so as to be able to link them to the 12-digit alphanumeric actual Roku device serial numbers supposedly saved in Adobe’s existing databases. In short, Plaintiff’s claim is based on pure speculation and therefore should be dismissed under Twombly and Iqbal. Third, Plaintiff’s VPPA claim should be dismissed because Plaintiff does not adequately allege that he was a “consumer,” which the VPPA defines as a “renter, purchaser, or subscriber of goods or services from a video tape service provider.” 18 U.S.C. § 2710(a)(1). Plaintiff alleges that he was a “subscriber” and a “renter,” but he does not fall within the common meaning of either term. He does not allege that he registered or established an account with Disney Interactive or paid money to Disney Interactive to view video content on the DI Channel. Indeed, Plaintiff does not allege that his identity ever was known to Disney Interactive. Under these circumstances, Plaintiff cannot reasonably claim to be either a “subscriber” or “renter” of video content or services from Disney Interactive. Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 7 of 22 4 At bottom, the fatal flaw in Plaintiff’s VPPA claim against Disney Interactive is that it is based not on alleged disclosures by Disney Interactive, which disclosures Plaintiff admits do not personally identify DI Channel users, but on potential disclosures by third parties and potential actions by Adobe. Because Plaintiff already has amended his complaint, and no further amendment will cure the deficiencies requiring dismissal of his VPPA claim, Plaintiff’s First Amended Complaint should be dismissed with prejudice. II. BACKGROUND AND FACTUAL ALLEGATIONS A. The VPPA Prohibits Disclosures That “Identify A Person” The “impetus” for the VPPA was a newspaper article profiling Judge Robert Bork “based on the titles of 146 films his family had rented from a video store.” S. Rep. No. 100–599, at 5. During the otherwise divisive Senate Judiciary Committee hearings on Judge Bork’s Supreme Court nomination, Senators from both parties agreed that the disclosure of Judge Bork’s video viewing history by his local video store was an invasion of his privacy. Id. at 5-6. Congress enacted the VPPA to “preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.” Id. at 1. Under the VPPA, “[a] video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider” is subject to suit in federal court by any person “aggrieved” by such action. 18 U.S.C. § 2710(b)(1). “Personally identifiable information,” referred to as “PII,” is defined for purposes of the VPPA to include “information which identifies a person as having requested or obtained specific video materials.” Id., § 2710(a)(3). B. The DI Channel Transmits Hashed Device Serial Numbers To Adobe Plaintiff alleges that Disney Interactive “offers its news and entertainment programming to consumers via a variety of mediums, including through its proprietary software application [DI Channel] that it developed for use with a digital media-streaming device called the Roku.” Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 8 of 22 5 First Amended Complaint (“FAC”) ¶ 1.2 Roku devices, like other “streaming media devices,” such as Apple TV and Google Chromecast, stream movies, television shows, music, and other video and audio content to a user’s television via the Internet.3 A Roku device connects to a user’s television with a cable and contains a processor, wireless antenna, and memory to store video content as it streams into the device from the Internet. Users access content on their Roku devices through software applications called “channels” that they download from Roku using its “proprietary online digital media platform” called the Roku Channel Store. Id. ¶ 10. Plaintiff alleges that, starting in December 2013, he downloaded and began using the DI Channel on his Roku device “to watch certain Disney video clips.” Id. ¶ 39. Users who download, install, and open the DI Channel are presented with a “main user interface” used to browse and view Disney Interactive video content. See id. ¶¶ 10, 12 & Figs. 1-2. Plaintiff further alleges that, each time he viewed video content using the DI Channel, a record containing his hashed Roku device serial number and video selection was sent to Adobe, a “third-party data analytics company.” Id. ¶ 13. According to Plaintiff, hashing “refers to a process whereby data is converted into a fixed-length, shortened format that acts as a reference point to the original input data.” Id. ¶ 13 & n.4. Plaintiff does not allege that Adobe could, much less did, use hashed Roku device serial numbers (32-digit hexadecimal) to identify actual Roku device serial numbers (12-digit alphanumeric) for DI Channel users. He also does not, and cannot, allege that he provided any personal information to Disney Interactive through the DI Channel because there is no registration process or other means by which a DI Channel user can submit such information, or that he paid Disney Interactive any money to download or use the DI Channel.4 2 The FAC is Ex. A to the attached Declaration of Bryan H. Heckenlively, dated Sept. 12, 2014. 3 For basic information on the Roku device, see generally https://www.roku.com/meet-roku. 4 Plaintiff also alleges that transmissions from the DI Channel to Adobe “facially appear to be sent to” a domain affiliated with Disney Interactive, which he further alleges “permits Adobe to Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 9 of 22 6 C. According To Plaintiff, Adobe “Has The Capability” To Use Hashed Device Serial Numbers From The DI Channel To Identify DI Channel Users Plaintiff alleges that, while the DI Channel does not transmit the name, address, or any other personally identifying information for DI Channel users, the hashed serial numbers of their Roku devices are nevertheless PII because Adobe “has the capability to” use those hashed device serial numbers to personally identify DI Channel users. Id. ¶ 29. According to Plaintiff, this “capability” exists because Adobe “may combine information in its databases from various sources,” one of which “assuredly” is Roku, to “associate[] users’ identities with their Roku[] serial numbers.” Id. ¶ 27 (emphases added). As a result, Plaintiff alleges, when Adobe receives hashed device serial numbers from the DI Channel, Adobe “need[] only to link existing personal information (whether it obtains the data from Roku or elsewhere) with a Roku device to discover the person’s identity and their video records.” Id. (emphasis added). Based on this chain of hypothetical events, Plaintiff contends that the hashed device serial numbers transmitted from the DI Channel to Adobe are PII based on Adobe’s “capability” to use them to personally identify DI Channel users and their video selections. As explained below, even if that were a basis for VPPA liability against Disney Interactive, which it is not, Plaintiff does not allege a single fact to support a plausible inference that these hypothetical events, all of which are essential to Plaintiff’s theory of liability, actually occurred. III. ARGUMENT A complaint must be dismissed when a plaintiff’s allegations fail to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6). Although allegations of fact are taken as true, “legal conclusion[s] couched as a factual allegation . . . are not entitled to the assumption of circumvent security measures the Roku device may implement.” FAC ¶¶ 14-15. Like Plaintiff’s other allegations, he alleges no facts to support any allegation of circumvention of any security measures that may be implemented by Roku. Nor does he explain the relevance of this conclusory and unsupported allegation to any claim in the case. Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 10 of 22 7 truth.” Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009). A “plaintiff’s obligation to provide the ‘grounds’ of his ‘entitle[ment] to relief’ requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). The complaint must instead contain “sufficient factual matter” apart from legal conclusions “to state a claim . . . that is plausible on its face.” Iqbal, 556 U.S. at 678. “If a plaintiff’s allegations are contradicted by” a document incorporated by reference into a complaint, the court need not accept those allegations as true. Matusovsky v. Merrill Lynch, 186 F. Supp. 2d 397, 400 (S.D.N.Y. 2002). Nor must the court indulge unwarranted inferences to save a complaint. Pension Ben. Guar. Corp. ex rel. St. Vincent Catholic Med. Cntrs. Ret. Plan v. Morgan Stanley Inv. Mgmt. Inc., 712 F.3d 705, 723 (2d Cir. 2013) (dismissing claims where the inferences necessary to sustain Plaintiffs’ claims were not “reasonable”). The application of these principles here requires dismissal. A. Plaintiff Fails to State a VPPA Claim Because He Does Not Allege Any Disclosure of PII 1. The Alleged Disclosures Are Not PII Plaintiff alleges that the DI Channel transmitted two pieces of information to Adobe: (1) hashed Roku device serial numbers, and (2) video selections. See, e.g., FAC ¶¶ 13, 42. He does not, and cannot, allege that the DI Channel transmitted any personally identifying information, such as names and addresses, or even that the DI Channel collected such information from users. Thus, the only alleged disclosures by Disney Interactive, through the DI Channel, are cryptographically hashed Roku device serial numbers and videos accessed through those Roku devices. Id. ¶ 13. These transmissions do not “identify a person” and, therefore, do not constitute a prohibited disclosure of PII under the VPPA. As the Senate Report explains, the VPPA prohibits disclosure of “information that identifies a particular person as having engaged in a specific transaction with a video tape Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 11 of 22 8 service provider.” S. Rep. No. 100-599, at 12 (emphasis added). Relying on this legislative history, courts have interpreted the VPPA as applying only to disclosures that “identif[y] a specific person and tie[] that person to particular videos that the person watched.” In re Hulu Privacy Litig. (“Hulu”), No. C11-03764, 2014 WL 1724344, *8 (N.D. Cal. Apr. 28, 2014) (emphasis added); see also id. (“The Senate Report shows the legislature’s concern with disclosures linked to particular, identified individuals.”) (emphasis added); Nickelodeon, 2014 WL 3012873, at *10 (PII “is information that must link ‘a specific, identified person and his video habits’”) (citing Hulu, 2014 WL 1724344, at *12, 14) (emphasis added). In Nickelodeon, the most recent case on this issue, the court rejected a VPPA claim based on alleged disclosures that “might one day serve as the basis of personal identification after some effort on the part of the recipient.” 2014 WL 3012873, at *11. The plaintiffs alleged that Viacom transmitted two key pieces of information to Google for data analytics purposes each time a user viewed video content on a Viacom website: (1) the name of the video selection, and (2) a code identifying the user’s age and sex. Id. at *1. The plaintiffs in Nickelodeon further alleged that, for each user, a Viacom cookie5 collected and shared with Google a username, unique device identifier, the IP address of the user’s computer, and video selections, among other information. Id. at *1-2. The Nickelodeon court found that, like the hashed device serial numbers at issue in this case, “[m]uch of this information” is “not even anonymized information about the Plaintiff himself; it is anonymized information about a computer used to access a Viacom site.” Id. at *10. The court held that the alleged disclosures of the username, device identifier, IP address, and the like to Google did not constitute PII because that information was 5 As the Nickelodeon court explained, the so-called “cookies” were “text files” that Viacom placed on a user’s computer “to acquire certain information” about the user. See 2014 WL 3012873, at *1. Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 12 of 22 9 “not information that, without more, identifies a person—an actual, specific human being—as having rented, streamed, or downloaded a given video.” Id. at *11 (emphasis added). Earlier this year, the Hulu court rejected a similar VPPA claim based on the disclosure of a unique user identification number by Hulu to comScore, a data analytics company like Adobe. In Hulu, the plaintiffs alleged that, for users viewing video content on Hulu’s website, Hulu disclosed unique Hulu IDs and video selections to comScore. In addition, the plaintiffs alleged that Hulu created a public “profile page” for each user that included the user’s first and last name. Hulu, 2014 WL 1724344, at *3. Because the URL for the profile page included the user’s Hulu ID, and Hulu transmitted the Hulu IDs to comScore, the plaintiffs alleged that comScore “had the ‘key’ to locating users’ associated profiles that revealed the names the users provided when they signed up for Hulu.” Id. at *4. The court held that, even assuming that such “anonymous disclosures . . . hypothetically could have been linked to video watching,” that was “not enough to establish a VPPA violation.” Id. at *1, *12. Nickelodeon and Hulu are only the most recent in a long line of cases holding that anonymous unique identifiers, without more, are not PII. In Viacom Int’l Inc. v. YouTube Inc., for example, the court compelled YouTube to produce its “logging database,” which contained, for each video watched, the unique “login ID” of the user who watched it, the IP address of the user’s computer, and the “identifier for the video.” 253 F.R.D. 256, 261-62 (S.D.N.Y. 2008). In doing so, the court rejected YouTube’s argument that disclosing such information would expose it to liability under the VPPA because, as the court found, “the login ID is an anonymous pseudonym … which without more cannot identify specific individuals.” Id. at 262 (emphasis added) (internal quotation marks omitted). Similarly, in Pruitt v. Comcast Cable Holdings, 100 F. App’x 713, 716 (10th Cir. 2004), the court held that a unique identifier for Comcast cable boxes, referred to as a “unit address,” was not PII under the Cable Act, 47 U.S.C. § 551, et seq., Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 13 of 22 10 because “one cannot connect the unit address with a specific customer” without referring to Comcast’s billing system.6 Because the alleged disclosures by the DI Channel to Adobe do not, without more, identify any particular person and link that person to specific video content, Plaintiff’s VPPA claim fails as a matter of law. 2. Allegations That Adobe “Has The Capability” To Personally Identify DI Channel Users Do Not Save Plaintiff’s Claim Plaintiff’s allegations regarding potential disclosures to Adobe by Roku “and/or additional sources” and Adobe’s resulting “capability to use” hashed Roku device serial numbers to personally identify DI Channel users are legally irrelevant and inadequately pled. (a) Allegations Regarding Adobe, Roku, And Other Third Parties Are Irrelevant Plaintiff’s theory of liability is that the transmissions from the DI Channel to Adobe are PII, not because they contain any personally identifying information, but because Adobe “has the capability to use” hashed Roku device serial numbers to identify DI Channel users based on information that Adobe potentially receives from Roku “and/or additional sources.” FAC ¶ 29. Because these allegations do not concern any disclosure actually made by the DI Channel, they are irrelevant to Plaintiff’s VPPA claim. The Nickelodeon court rejected this theory of liability in dismissing claims based on allegations that Viacom’s disclosure of anonymous device identifiers might be used by the recipient to personally identify users “after some effort on the part of the recipient.” 2014 WL 6 See also, e.g., Johnson v. Microsoft Corp., No. C06-0900, 2009 WL 1794400, *4 (W.D. Wash. June 23, 2009) (holding that an IP address is not PII because it does not “identify a person,” only a computer); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1021 (N.D. Cal. 2012) (rejecting privacy claims based on “allegations that third parties can potentially associate [unique LinkedIn usernames] with information obtained from cookies and can de-anonymize a user’s identity” as “speculative”); Steinberg v. CVS Caremark Corp., 899 F. Supp. 2d 331, 335-37 (E.D. Pa. 2012) (dismissing Health Insurance Portability and Accountability Act (“HIPPA”) claim by patients who alleged defendants sold confidential information; mere possibility that third party could identify patients’ de-identified data insufficient). Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 14 of 22 11 3012873, at *11. The court held that such information “is simply not information that, without more, identifies a person⎯an actual, specific human being⎯as having rented, streamed, or downloaded a given video.” Id. In so holding, the Nickelodeon court found that, consistent with the plain text of the VPPA prohibiting disclosure of “information which identifies a person,” VPPA liability turns on whether the information disclosed itself identifies a person, not what the recipient of that information might do with it. See also Steinberg, 899 F. Supp. 2d at 335-37 (rejecting HIPPA claims based on “re-identification theory” of liability, holding that the “status of the information disclosed by the defendants… governed the viability of the plaintiffs’ claims” (emphasis added)). The Hulu court likewise rejected a VPPA claim premised on the alleged actions of the recipient of a challenged disclosure. As noted, the court held that Hulu IDs allegedly disclosed by Hulu to comScore were not PII, even though the plaintiffs alleged that comScore “could easily” use those unique identifiers to personally identify users through their public Hulu profile pages. Hulu, 2014 WL 1724344, at *4, *12. The Hulu court distinguished alleged disclosures of Facebook IDs to Facebook by cookies placed by Facebook on users’ computers, holding there was a material issue of fact as to whether, in those particular circumstances, Facebook IDs were “more than a unique, anonymous identifier” because they “could show the Hulu user’s identity on Facebook.” Id. at *14. See also Nickelodeon, 2014 WL 3012873, at *12 (“Simply put, in a socially networked world a Facebook ID is at least arguably ‘akin’ to an actual name that serves without more to identify an actual person.”). Thus, as in Nickelodeon, the Hulu court’s analysis turned on whether the information disclosed itself identifies a person, and the court concluded there was a material issue of fact in that regard. An anonymous device identifier does not, without more, itself identify a person, and therefore does not constitute PII under the VPPA. Even Plaintiff implicitly acknowledges this by Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 15 of 22 12 conjuring up allegations that Adobe “has the capability to” use hashed Roku device serial numbers from the DI Channel to personally identify DI Channel users. These allegations are not only irrelevant because they concern supposed disclosures and actions by third parties, not Disney Interactive, but they also are inadequately pled. (b) Allegations Regarding Adobe, Roku, And Other Third Parties Should Be Disregarded Because They Are Not Adequately Pled Even under Plaintiff’s wrong interpretation of PII as extending to information that does not itself identify a person, but which Adobe “has the capability of” using to identify a person, Plaintiff fails to state a claim because this allegation is conclusory and based on factual allegations that do not support, and in fact contradict, the existence of any such capability.7 As another court in this district has explained, “[i]f a plaintiff's allegations are contradicted by” a document incorporated by reference into the complaint, “those allegations are insufficient to defeat a motion to dismiss.” Matusovsky, 186 F. Supp. 2d at 400. Adobe’s alleged “capability” to use hashed Roku device serial numbers to personally identify DI Channel users and link them to video selections depends on Adobe (1) obtaining Roku device serial numbers and personal information for DI Channel users from Roku “and/or” other unidentified third parties; and (2) associating those Roku device serial numbers and personal information in its databases. Both (1) and (2) are required for Adobe to be “capable” of using hashed Roku device serial numbers from the DI Channel to personally identify DI Channel users by “linking” them to Roku device serial numbers and associated personal information that 7 Because Plaintiff relies on these Roku and Adobe documents in the FAC, they are incorporated by reference therein and therefore may be considered on this motion to dismiss. See Chambers v. Time Warner, Inc., 282 F.3d 147, 152-53 (2d Cir. 2002) (on motion to dismiss, “the complaint is deemed to include any written instrument attached to it as an exhibit or any statements or documents incorporated in it by reference” or any document where the complaint “relies heavily upon its terms and effect, which renders the document integral to the complaint” (internal citations and quotation marks omitted)). Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 16 of 22 13 is already in Adobe’s databases. None of the materials Plaintiff cites to in the FAC supports a plausible inference that (1) and (2) occurred. First, Plaintiff relies on Roku’s Privacy Policy, which he characterizes as stating that “information uploaded from Roku Devices is personally identifiable by product serial number” and that Roku “may [] share information with companies integral to the use of our products,” including, “[f]or example,…content providers which have developed channels for the Roku Channel Store.” FAC ¶¶ 19, 28. That Policy, however, does not state that Roku shares Roku device serial numbers with any third party, or that it shares any information with Adobe. Nor does it state that a Roku device serial number⎯much less a hashed Roku device serial number⎯can be used to personally identify users by anyone other than Roku itself. Rather, it states that “Roku uses third parties (including contractors and service providers) to help with certain aspects of its operations, which may require disclosure of your information to them.” Heckenlively Decl., Ex. B at 6. In short, nothing in Roku’s Privacy Policy supports Plaintiff’s allegation that Roku is “assuredly” disclosing Roku device serial numbers and personal information, such as names and addresses, to Adobe (or anyone else) that could be used to personally identify DI Channel users and their video selections. Perhaps in recognition of this, Plaintiff alleges that Adobe obtains Roku device serial numbers and related personal information from Roku “and/or additional sources.” Id. ¶ 29. These “additional sources” are unidentified and unsubstantiated by any factual allegation in the FAC. Second, Plaintiff cites to an image from “Adobe’s marketing materials” depicting a pyramid describing the types, characteristics, and sources of customer data. FAC, Fig. 3. According to Plaintiff, this pyramid “portrays the frightening array of information that feeds into a consumer’s digital dossier using data transmitted from sources such as their digital devices.” Id. ¶ 23. This image is taken from a white paper for a marketing service offered by Adobe, Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 17 of 22 14 called Adobe Campaign. Heckenlively Decl., Ex. C at 2, 7. Plaintiff does not allege that Disney Interactive uses Adobe Campaign, so these allegations are irrelevant. Moreover, Plaintiff’s description of the pyramid as portraying information that “feeds into” Adobe’s databases from third parties, like Roku, is baseless. The pyramid identifies information possessed by Adobe’s customers, not Adobe, which Adobe Campaign helps those customers analyze and leverage for targeted marketing campaigns. Id at 1-2. As the white paper explains, Adobe Campaign is designed to help companies “access data that already exists internally” by “aggregat[ing] customer data from different systems and mak[ing] it centrally available” and “actionable.” Id. at 1 (emphasis added). Thus, Adobe Campaign does not use, combine, or provide access to information from third parties. It facilitates the effective use of information that Adobe customers already possess. Third, Adobe cites to two further sets of “marketing materials” posted on Adobe’s website. FAC ¶ 25. One of these documents relates to Adobe Target, another service offered by Adobe. The document does not say that Adobe Target or any other service offered by Adobe uses information to personally identify users, much less that Adobe personally identifies (or is capable of personally identifying) DI Channel users based on hashed Roku device serial numbers from the DI Channel. It reflects only the common-sense proposition that data analytics companies “use disparate pieces of information collected about consumers to identify and track their behavior.” Id. (emphasis added). The same is true of the second document, which is a report written by a research firm that describes what data analytics companies in general (not Adobe specifically) can do. Neither of these documents states that Adobe obtained any information from Roku or any other source that would allow Adobe to personally identify DI Channel users. Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 18 of 22 15 Fourth, Plaintiff cites to Adobe’s Privacy Policy for its data analytics services as showing that Adobe can combine information from different clients to personally identify users. That document flatly contradicts Plaintiff’s theory: “Adobe does not use the information we collect for a company except as may be allowed in a contract with that company,” which “is usually limited to providing our services to the company,” and even in those instances where Adobe may share information between companies, it is “‘aggregated’ information” that “is anonymous and does not identify individuals.” Heckenlively Decl., Ex. D at 2 (emphasis added). Plaintiff’s conclusory allegation that Adobe is “capable” of using hashed Roku device serial numbers from the DI Channel to personally identify DI Channel users should be disregarded because Plaintiff does not allege any facts supporting a reasonable inference that either of the two necessary prerequisites to that “capability” exists, and the facts that are alleged and incorporated by reference flatly contradict Plaintiff’s allegation. Even assuming such a reasonable inference exists, and it does not, Plaintiff fails to allege something even more fundamental to his theory of liability⎯that Adobe could or did “reverse engineer” the hashed Roku device serial numbers from the DI Channel. Without such an allegation, and facts to support it, there is no basis for Plaintiff’s allegation that Adobe is “capable” of personally identifying DI Channel users by “linking” hashed Roku device serial numbers from the DI Channel to actual Roku device serial numbers and associated personal information in Adobe’s databases. The Court does not have to accept these “mere conclusory allegations” as true. Iqbal, 556 U.S. at 678-79 (“Rule 8 marks a notable and generous departure from the hyper-technical, code-pleading regime of a prior era, but it does not unlock the doors of discovery for a plaintiff armed with nothing more than conclusions.”); Twombly, 550 U.S. at 555 (courts “are not bound to accept as true a legal conclusion couched as a factual allegation”). In Nickelodeon, the court Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 19 of 22 16 followed Iqbal in refusing to consider the plaintiffs’ conclusory allegation that the recipients of the challenged disclosures, Viacom and Google, “were able to identify specific individuals” by connecting “online activity and information” with “offline activity and information.” 2014 WL 3012873, at *2 n.3. Because those statements were “entirely conclusory” and supported by “no facts . . . which indicate when or how either Defendant linked the online information it collected with extra-digital information about the Plaintiffs,” the court declined to “credit the allegations.” Id. The Court should do the same here. B. Plaintiff Fails to State a VPPA Claim Because He Is Not a “Consumer” Under the VPPA Even if Plaintiff could allege that the DI Channel disclosed PII, which he cannot, his claim should be dismissed because he is not a “consumer” within the meaning of the VPPA. The VPPA prohibits the knowing disclosure of “personally identifying information concerning any consumer” of a video tape service provider. 18 U.S.C. § 2710(b)(1) (emphasis added). A “consumer” is defined as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Id., § 2710(a)(1). Plaintiff alleges that he was a “subscriber” because he “downloaded and installed the [DI] Channel on his Roku device, and subsequently watched videos through the [DI] Channel,” and that he is a “renter” because Disney Interactive “grants him a temporary license to access and view specific videos in exchange for” viewing advertisements. FAC. ¶ 53. His allegations do not support either conclusion. Because the VPPA does not define “subscriber” or “renter,” these terms are “interpreted in accordance with their ordinary meaning.” BP Am. Prod. Co. v. Burton, 549 U.S. 84, 91 (2006) (citing Perrin v. United States, 444 U.S. 37, 42 (1979)). Merriam-Webster’s Dictionary defines the verb “to subscribe” as “to enter one’s name for a publication or service” or “to Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 20 of 22 17 receive a periodical or service regularly on order.”8 Plaintiff does not allege that he provided his name or any other personal information to Disney Interactive or that he viewed content regularly on the DI Channel. Instead, he alleges that he downloaded the DI Channel from the Roku channel store and watched “certain” clips using his Roku device. In Hulu, the court concluded that Hulu users were subscribers, in part because their “individual Hulu profile pages . . . included name, location preference information designated by the user as private, and Hulu username,” all of which Hulu gave to comScore. In re Hulu Privacy Litig., No. 11-03764, 2012 WL 3282960, *8 (N.D. Cal. Aug. 10, 2012). Here, by contrast, there is no allegation that Disney Interactive knew the identity of Plaintiff or any other DI Channel user. As for the allegation that Plaintiff was a “renter,” Merriam-Webster defines the verb “to rent” as “to take and hold under an agreement to pay rent,” and the noun as “the amount paid by a hirer of personal property to the owner for the use thereof.”9 There is no allegation that Plaintiff paid any money to Disney Interactive to use the DI Channel, and therefore no basis for his claim that he is a renter. His allegation that he viewed advertisements as an apparent substitute for payment does not change this result. In Hulu, the court held that “the terms ‘renter’ and ‘buyer’ necessarily imply payment of money.” Hulu, 2012 WL 3282960, at *8. Because Plaintiff’s allegations do not show that he is either a “subscriber” or a “renter” under the VPPA, he is not a “consumer” and therefore cannot state a VPPA claim. IV. CONCLUSION For the reasons set forth above as well as those set forth in the accompanying declaration and the documents attached thereto, Disney Interactive’ s motion should be granted and the Complaint dismissed with prejudice. 8 Available at http://www.merriam-webster.com/dictionary/subscribe (emphasis added). 9 Available at http://www.merriam-webster.com/dictionary/rent (emphasis added). Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 21 of 22 18 Dated: New York, New York September 12, 2014 MUNGER, TOLLES & OLSON LLP By: s/ Glenn D. Pomerantz Glenn D. Pomerantz 355 South Grand Avenue Thirty-Fifth Floor Los Angeles, CA 90071 Telephone: 213-683-9100 Email: glenn.pomerantz@mto.com Rosemarie T. Ring Email: rose.ring@mto.com Jonathan H. Blavin Email: jonathan.blavin@mto.com Bryan H. Heckenlively Email: bryan.heckenlively@mto.com 560 Mission Street Twenty-Seventh Floor San Francisco, CA 94105 Telephone: 415-512-4000 Admitted Pro Hac Vice -and- SCHWARTZ & THOMASHOWER LLP Rachel Schwartz 15 Maiden Lane, Suite 705 New York, NY 10038-5120 Tel: 212-227-4300 Email: rschwartz@stllplaw.com Attorneys for Defendant DISNEY ONLINE D/B/A DISNEY INTERACTIVE Case 1:14-cv-04146-RA Document 31 Filed 09/12/14 Page 22 of 22