Robinson v. Disney Online d/b/a Disney InteractiveREPLY MEMORANDUM OF LAW in Support re: 30 MOTION to Dismiss First Amended Complaint. . DocumentS.D.N.Y.October 17, 2014 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK JAMES ROBINSON, individually and on behalf of others similarly situated, Plaintiff, v. DISNEY ONLINE D/B/A DISNEY INTERACTIVE, Defendant. ECF Civil Action No. 1-14-CV-4146 (RA)(DCF) REPLY IN SUPPORT OF DEFENDANT’S MOTION TO DISMISS FIRST AMENDED COMPLAINT TABLE OF CONTENTS PAGE i I. PRELIMINARY STATEMENT .........................................................................................1 A. Plaintiff Fails To State A Claim Because He Does Not Allege Any Disclosure Of Personally Identifiable Information ..................................................3 1. The Alleged Disclosure Does Not “Identify A Person” ..............................3 2. Plaintiff Does Not Identify Factual Allegations To Support A Reasonable Inference That Adobe Could Have Personally Identified Him Or Any Other DI Channel User...........................................6 B. Plaintiff Is Not A “Consumer” Under The VPPA ...................................................9 III. CONCLUSION ..................................................................................................................10 TABLE OF AUTHORITIES PAGE(S) ii FEDERAL CASES Ashcroft v. Iqbal, 556 U.S. 662 (2009) ...................................................................................................................8 Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) ...............................................................................................................8, 9 Ellis v. The Cartoon Network, Inc., No. 1:14-cv-484, 2014 WL 5023535 (N.D. Ga. Oct. 8, 2014) ....................................1, 3, 4, 10 In re Hulu Privacy Litig., No. C11-03764, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012) ..............................................10 In re Hulu Privacy Litig., No. C 11-03764 LB, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) .................................1, 5, 6 In re Nickelodeon Consumer Privacy Litig., MDL No. 2443, 2014 WL 3012873 (D.N.J. July 2, 2014) ........................................................1 Rolon v. Henneman, 517 F.3d 140 (2d Cir. 2008)...................................................................................................6, 8 Wright v. Ernst & Young LLP, 152 F.3d 169 (2d Cir. 1998).......................................................................................................7 FEDERAL STATUTES 18 U.S.C. § 2710(a)(3) .................................................................................................................1, 3 1 I. PRELIMINARY STATEMENT Plaintiff has not rebutted Disney Interactive’s showing that the First Amended Complaint (“FAC”) should be dismissed. Most fundamentally, nothing in Plaintiff’s opposition cures his failure to allege that Disney Interactive disclosed personally identifiable information (“PII”) under the Video Privacy Protection Act (“VPPA”). Plaintiff’s efforts to have the Court overlook that deficiency through cobbling together a number of unrelated and strained arguments from outside the VPPA context are without legal basis and do not save his claim. First, even though the VPPA defines PII to include “any information which identifies a person as having requested or obtained specific video materials or services,” 18 U.S.C. § 2710(a)(3) (emphasis added), and imposes liability based upon a party’s disclosure of PII to third parties, Plaintiff asks the Court to impose VPPA liability based on a theory only loosely tethered to Disney Interactive’s disclosures of information to Adobe. This theory turns on Adobe’s alleged capability to use information Adobe allegedly obtained from Roku and/or other third parties, in combination with information from Disney Interactive that is not itself PII, to personally identify DI Channel users and their video selections. Every court to consider this theory of liability has rejected it, including one last week. In Ellis v. The Cartoon Network, Inc. (“Cartoon Network”), No. 1:14-cv-484, 2014 WL 5023535, *3 (N.D. Ga. Oct. 8, 2014), an action filed by Plaintiff’s counsel here, the court dismissed a nearly identical VPPA claim with prejudice, holding that “[t]he emphasis is on disclosure, not comprehension by the receiving person.” Id. (citing In re Nickelodeon Consumer Privacy Litig. (“Nickelodeon”), MDL No. 2443, 2014 WL 3012873, *10 (D.N.J. July 2, 2014); In re Hulu Privacy Litigation (“Hulu”), No. C 11-03764 LB, 2014 WL 1724344, at *14 (N.D. Cal. Apr. 28, 2014)). Second, Plaintiff seeks to avoid the requirement under Twombly/Iqbal that he plead facts to support a plausible inference that Adobe obtains information from Roku and/or “additional 2 sources” that enables it to tie Roku device serial numbers to personal information, as required to “personally identify” DI Channel users. Plaintiff argues that such allegations are unnecessary because “Adobe wouldn’t need to receive information tying the Roku serial numbers to other identifying information,” but instead “would only have to associate the serial numbers with other information that is associated [with] other information that is itself identifying.” Opp. at 11.1 Even accepting this hypothetical (and unintelligible) information daisy chain, there are no factual allegations in the FAC to support a plausible inference that Adobe obtained information, from one source or a combination of sources, allowing it to personally identify DI Channel users based on Roku device serial numbers. Moreover, Plaintiff does not allege any facts supporting a plausible inference that Adobe could or does reverse engineer the 32-digit hexadecimal hashed Roku device serial numbers it receives from the DI Channel into 12-digit alphanumeric actual Roku Device serial numbers, as required to use any such “linked” information to personally identify DI Channel users. Again, Plaintiff argues in his opposition that such allegations are unnecessary because hashed serial numbers “are as useful as plain-text serial numbers in acting as unique identifiers.” Opp. at 13- 14 (internal citations and quotation marks omitted). But that argument is circular. Hashed serial numbers, like plain-text serial numbers, can be used to personally identify DI Channel users only if they are tied to personal information for those users, and Plaintiff alleges no facts in the FAC establishing that Adobe has such information for hashed or “plain-text” serial numbers. Plaintiff’s fallback argument, that he should be allowed to conduct discovery into his theory of liability, is exactly the type of fishing expedition that the pleading standard established by Twombly and Iqbal is meant to prevent. Plaintiff must allege facts, if they exist, to state a claim for relief before subjecting Disney Interactive to the burdens and cost of discovery. 1 “Opp.” refers to Plaintiff’s Response in Opposition to the motion to dismiss (Dkt. No. 33). 3 Finally, even apart from Plaintiff’s failure to allege that Disney Interactive disclosed PII, he cannot overcome his failure to allege that he is a “renter” or “subscriber” under the VPPA. Plaintiff cites to dictionary definitions that he prefers to those in Merriam-Webster, which Disney Interactive cited, and then stretches his preferred definitions beyond their ordinary meaning to fit his arguments. Because the definitions cited by Disney Interactive reflect the common understanding of the terms “renter” and “subscriber,” and Plaintiff never gave identifying information or money to Disney Interactive, he does not satisfy either definition and cannot state a claim under the VPPA. For the reasons set forth in Disney Interactive’s opening brief and below, and because Plaintiff already has had two opportunities to state a claim, the FAC should be dismissed with prejudice. See Cartoon Network, 2014 WL 5023535, at *3 (dismissing with prejudice because plaintiff had amended once and “additional amendments would be futile because … disclosure of an Android ID alone … does not qualify as” PII). II. ARGUMENT A. Plaintiff Fails To State A Claim Because He Does Not Allege Any Disclosure Of Personally Identifiable Information 1. The Alleged Disclosure Does Not “Identify A Person” Plaintiff is wrong that he has satisfied his pleading requirements by alleging that Roku device serial numbers sent from the DI Channel to Adobe are PII because Adobe “may” use Roku device serial numbers and personal information obtained from Roku “and/or” other unidentified third parties to personally identify DI Channel users. Under the VPPA, PII is information that “identifies a person.” 18 U.S.C. § 2710(a)(3) (emphasis added). It is not anonymized information that somehow could be deciphered down the distribution chain through additional efforts by the recipient using information obtained from other sources. As Disney Interactive set forth in its opening brief, the courts in Hulu and Nickelodeon directly rejected Plaintiff’s theory. And just last week the court in Cartoon Network, 2014 WL 4 5023535, at *2-3, reached the same conclusion in a case involving facts nearly identical to those alleged here. The Cartoon Network court held that unique identifiers associated with Android- based mobile phones were not PII when disclosed by Cartoon Network’s Android app to Bango, a data analytics company. Relying on Nickelodeon, the court concluded that PII is information that “in its own right, without more” ties an individual to video materials, and that “[t]he emphasis is on disclosure, not comprehension by the receiving person.” Id. at *3 (emphasis added). The Android IDs disclosed to Bango did not qualify as PII under that standard because “Bango had to use information ‘collected form a variety of other sources’” to connect Android IDs to specific individuals. Id. (quoting the complaint). In other words, “[f]rom the information disclosed by the Defendant alone, Bango could not identify the Plaintiff or any other members of the putative class.” Id. As the Court reasoned, “[l]ike the disclosure in In re Hulu that did not violate the VPPA because the third party had to take extra steps to connect the disclosure to an identity, the disclosure by [Cartoon Network’s app] required Bango to collect information from other sources” and therefore did not violate the VPPA either. Id. Thus, all three courts to consider the issue of what constitutes PII within the meaning of the VPPA have held that the determining factor is whether the information itself identifies a person.2 Plaintiff’s attempt at analogies only underscores that the disclosures alleged here are not PII under the VPPA. According to Plaintiff, disclosing a hashed Roku device serial number to Adobe is the same as disclosing a person’s employee number to his employer or his New York state driver’s license number to the New York State Department of Motor Vehicles. In both of these situations, however, the information disclosed was created by the recipient for the purpose 2 As noted in Disney Interactive’s opening brief, these holdings also are consistent with cases outside of the VPPA context holding that unique identifiers—without more—are not PII. See Memorandum of Law in Support of Disney Interactive’s Motion to Dismiss Plaintiff’s First Amended Complaint (Dkt. No. 31) (“Mot.”) at 9-10 & n.6. 5 of identifying a person and thus itself identifies a person. Plaintiff also points to the distinction drawn by the court in Hulu between the alleged disclosure of Facebook IDs to Facebook and the alleged disclosure of Hulu User IDs to comScore. But, again, the Hulu court’s ruling denying summary judgment turned on whether, under the particular facts of that case, the information disclosed could itself identify a person. Hulu, 2014 WL 1724344, at *14. None of these examples is analogous to the DI Channel’s transmission of anonymous, hashed Roku device serial numbers to Adobe for the purpose of aggregating DI Channel usage patterns and returning them to Disney Interactive to assist Disney Interactive in improving its users’ experience. Notwithstanding the clear authority on point interpreting the VPPA, Plaintiff cites to the “findings by several government agencies and leading academics” construing the meaning of PII in contexts other than the VPPA. None of these citations supports deviating from the plain language of the statute, and Plaintiff cannot use them to manufacture an issue of fact where none exists. Plaintiff cites to a publication from the National Institute of Standards and Technology (“NIST”), defining PII to include “any information that can be used to distinguish or trace an individual’s identity,” or that is “linked or linkable to an individual[.]” Opp. at 7-8. This citation has no application here because, as NIST makes clear, this definition is “intended primarily for U.S. Federal government agencies” to protect against the risk of “security breaches,” and “uses a broad definition of PII to identify as many potential sources of PII as possible.”3 Next, Plaintiff cites to an FTC report concluding that storing PII in separate repositories does not change its character as PII. Id. at 8. This citation does not apply here either because it addresses how storage of PII affects its status as PII, not what type of information constitutes PII. Finally, Plaintiff cites to “noted privacy scholars” who conclude that “[w]hile some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with them.” 3 http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf at ES-1. 6 Id. at 8 n.1. This citation, like the others, does not support Plaintiff’s position and, indeed, proves too much. If “any attribute can be identifying in combination with” others, then all providers of streaming video who share anonymized information with a data analytics company to understand usage patterns and improve user experience may be subject to VPPA liability. 2. Plaintiff Does Not Identify Factual Allegations To Support A Reasonable Inference That Adobe Could Have Personally Identified Him Or Any Other DI Channel User Even if Plaintiff’s theory of liability had any basis in law, which it does not, it would fail on its own terms because Plaintiff does not identify any facts to support a reasonable inference that Adobe could, much less did, use hashed Roku device serial numbers from the DI Channel to personally identify DI Channel users and their video selections. Plaintiff’s conclusory allegations of fact, just like conclusory allegations of law, are not “factual content” that support a plausible claim for relief. See Rolon v. Henneman, 517 F.3d 140, 149 (2d Cir. 2008) (Sotomayor, J.) (“we are not bound to accept conclusory allegations or legal conclusions masquerading as factual conclusions” (internal quotation marks omitted)). Plaintiff argues that “[w]hat Disney is alleged to essentially have done [] is disclose a unique identifier (his Roku serial number) to a third-party (Adobe) that already possessed a correlated look-up table.” Opp. at 10 (internal citations and quotation marks omitted). Thus, Plaintiff acknowledges that, under his theory of liability, prior to receiving any information from the DI Channel, Adobe must somehow obtain information that allows it to link hashed Roku device serial numbers to personal information of DI Channel users. See, e.g., FAC ¶ 27 (“[B]ecause it associates users’ identities with their Roku’s serial number, Adobe needs only to link existing personal information … with a Roku device to discover the person’s identity and their video records.”). Otherwise, there would be no way for Adobe to personally identify DI Channel users based on only hashed Roku device serial numbers. 7 This theory of liability rests entirely on the conclusory allegations in the FAC that Adobe (1) obtains “personal information” from “Roku and/or additional sources” and (2) “associates” that information with the hashed Roku device serial numbers. FAC ¶ 27, 29 (emphasis added). Without both (1) and (2), Adobe would not be “capable” of using hashed serial numbers from the DI Channel to personally identify DI Channel users, and it certainly could not actually have used those hashed serial numbers to personally identify DI Channel users. But Plaintiff has not alleged any facts to support either conclusion.4 Plaintiff has responded to this problem by pushing his theory even further afield. With respect to (1), Plaintiff now contends that Adobe actually “wouldn’t need to receive information tying the Roku serial numbers to other identifying information.” Opp. at 11 (emphasis added). Instead, he now argues, “Adobe would only have to associate the serial numbers with other information that is associated [with] other information that is itself identifying.” Id. And that information “could come from other Roku channels, other data analytics or data mining companies, or even from the consumer himself in other transactions with Adobe.” Id. (emphasis added). Plaintiff does not identify any facts to support this hypothetical (and unintelligible) information chain⎯he identifies no Roku channel, no data analytics company, and no consumer that actually provided information to Adobe that would allow it to connect the dots in this way. Because he offers no such facts, this argument does no more than underscore how attenuated and speculative Plaintiff’s theory of liability truly is. 4 To the extent that Plaintiff’s theory is that Adobe actually identified him or other DI Channel users, his claim fails for the independent reason that this theory appears nowhere in the FAC. Wright v. Ernst & Young LLP, 152 F.3d 169, 178 (2d Cir. 1998) (“a party is not entitled to amend its complaint through statements made in motion papers”). This theory also fails on its merits because, as explained in the text, it is without any legal basis and there are no factual allegations to support it. 8 Plaintiff’s theory is all the more implausible with respect to item (2), above. Plaintiff has not alleged that Adobe could or did reverse engineer the hashed Roku device serial numbers it received from the DI Channel. This is equally fatal to his claim. Unless Adobe could match hashed Roku device serial numbers to actual Roku device serial numbers, the hypothetical “look-up table” would be useless; Adobe could not connect the hashed number to personal information associated with the actual Roku device serial number. But there is no allegation in the FAC whatsoever, much less a factual allegation, that Adobe had the ability to match the hashed Roku device serial numbers to actual Roku device serial numbers. Plaintiff admits as much in the opposition. Rather than identifying any alleged facts that would establish Adobe’s ability to dehash serial numbers, he argues that “for purposes of identifying an individual, a hashed serial number works just as well as a plain-text one and is in fact used by analytics companies to do so.” Opp. at 13-14. All this means is that a hashed serial number could be just as useful as a plain-text serial number to a company that always uses the same hashed serial numbers to identify its customers. But that is not what Plaintiff needs to establish here. Plaintiff does not explain how Adobe would be able to link a hashed serial number used by Disney Interactive to a non-hashed Roku device serial number, without reverse engineering or otherwise dehashing the hashed serial number. There certainly are no facts alleged in the FAC that would plausibly permit that leap. Rather than pointing to facts that show the plausibility of his theory of liability, Plaintiff repeatedly asks the Court to draw inferences in his favor. Id. at 2, 4, 12, 14. This argument misses the mark entirely. To survive a motion to dismiss, Plaintiff must “plead[] factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Even if Plaintiff’s theory of liability had any legal basis, 9 which it does not, he has not alleged any facts—as opposed to conclusions of fact—that allow this Court to draw reasonable inferences that Adobe actually obtains Roku device serial numbers and personal information for DI Channel users and that Adobe actually can use that information to look up and personally identify DI Channel users and their video selections upon receiving hashed Roku device serial numbers. As a result, Plaintiff “ha[s] not nudged [his] claims across the line from conceivable to plausible.” Twombly, 550 U.S. at 570.5 B. Plaintiff Is Not A “Consumer” Under The VPPA In arguing that he is both a “subscriber” and a “renter,” Opp. at 19-22, Plaintiff misstates the ordinary meaning of these terms and wrongly concludes that he fits within them. Plaintiff’s argument that he is not a “subscriber” does not withstand scrutiny. Merriam- Webster’s Dictionary defines “to subscribe” as “to enter one’s name for a publication or service” or “to receive a periodical service regularly on order.” Mot. at 16-17. Plaintiff concedes that he never provided Disney Interactive with his name, and he does not allege that he viewed video content on the DI Channel “regularly”—only that he viewed “certain” video clips. He therefore appears to take the position that Merriam-Webster’s definition of “subscribe” is wrong, citing instead to an Oxford English Dictionary definition. At first glance, this alternate definition appears not to require providing one’s name or receiving a regular service. But the cited definition is subordinate to another that defines “subscribe” as “arrange to receive something regularly, typically a publication, by paying in advance.”6 5 This is the case even crediting, for the sake of argument, Plaintiff’s dubious allegations regarding Adobe’s privacy policy and its marketing materials. At most, those documents establish that Adobe has and receives data, as one might expect from a data analytics company. But Plaintiff does not dispute that none of the documents states that Adobe has data linking hashed Roku device serial numbers to individual identities, which was the point Disney Interactive made in the Motion. Accordingly, Plaintiff’s refrain that the Court should resolve ambiguities in those documents in his favor does not help him avoid dismissal here. 6 See http://www.oxforddictionaries.com/definition/american_english/subscribe. 10 Plaintiff’s next argument, that, under Hulu, all users of streaming video services are “subscribers” is simply wrong. While the Hulu court rejected the argument that the plaintiffs were not subscribers because Hulu was free, it noted that Hulu created profile pages with the plaintiffs’ names. See In re Hulu Privacy Litig., No. C11-03764, 2012 WL 3282960, *8 (N.D. Cal. Aug. 10, 2012). Here, Plaintiff does not allege that DI Channel users had profile pages, paid money, or provided their names or other identifying information to Disney Interactive.7 Plaintiff’s argument that he was a “renter” asks the Court to find that Merriam-Webster’s definition of that term is wrong (again) and that Hulu’s analysis of its meaning under the VPPA is also wrong. Merriam-Webster defines “renter” as one who pays rent. The Hulu court held that the term “renter” “necessarily impl[ies] payment of money.” Id. Here, there is no allegation that Plaintiff paid anything to view video content using the DI Channel. Plaintiff cites to Oxford English Dictionary definitions of “rent” that refer to “payment” and “rate,” which he somehow combines to mean “valuable consideration.” He then cites to Black’s Law Dictionary and two inapposite cases for a definition of “valuable consideration” (not “rent”), which he then argues is broad enough to include watching advertisements in exchange for free video content. Opp. at 20-21. This argument is strained, to say the least, and in fact it contradicts the Black’s Law Dictionary definition of “rent” as “[t]o pay for the use of another’s property.” Black’s Law Dictionary (9th ed. 2009) (emphasis added). III. CONCLUSION For the reasons set forth above as well as those set forth in the Disney Interactive’s opening brief and the accompanying declaration and documents attached thereto, Disney Interactive’s motion should be granted and the FAC dismissed with prejudice. 7 Disney Interactive respectfully submits that the Cartoon Network court interpreted Hulu too broadly in concluding that the plaintiff there was a subscriber within the meaning of the statute. 11 Dated: October 17, 2014 MUNGER, TOLLES & OLSON LLP By: s/ Glenn D. Pomerantz Glenn D. Pomerantz 355 South Grand Avenue Thirty-Fifth Floor Los Angeles, CA 90071 Telephone: 213-683-9100 Email: glenn.pomerantz@mto.com Rosemarie T. Ring Email: rose.ring@mto.com Jonathan H. Blavin Email: jonathan.blavin@mto.com Bryan H. Heckenlively Email: bryan.heckenlively@mto.com 560 Mission Street Twenty-Seventh Floor San Francisco, CA 94105 Telephone: 415-512-4000 Admitted Pro Hac Vice -and- SCHWARTZ & THOMASHOWER LLP Rachel Schwartz 15 Maiden Lane, Suite 705 New York, NY 10038-5120 Tel: 212-227-4300 Email: rschwartz@stllplaw.com Attorneys for Defendant DISNEY ONLINE D/B/A DISNEY INTERACTIVE