Yershov v. Gannett Satellite Information Network, Inc.

RESPONSE to Motion re MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM MOTION to Dismiss for Lack of Jurisdiction Enlarged Response to Motion to Dismiss, pursuant to Dkt. No. 18

D. Mass.November 21, 2014

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MASSACHUSETTS ALEXANDER YERSHOV, individually and on behalf of all others similarly situated, Plaintiff, v. GANNETT SATELLITE INFORMATION NETWORK, INC. d/b/a USA TODAY, a Delaware corporation, Defendant. Case No.: 1:14-cv-13112 Judge F. Dennis Saylor IV PLAINTIFF’S RESPONSE IN OPPOSITION TO DEFENDANT’S MOTION TO DISMISS LEAVE TO FILE GRANTED ON 10/20/2014 Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 1 of 32 i TABLE OF CONTENTS INTRODUCTION .........................................................................................................................1 STATEMENT OF FACTS ............................................................................................................2 ARGUMENT ..................................................................................................................................3 I. Yershov Alleges that Gannett Disclosed His PII by Transmitting Data to Adobe that Identified Him as Viewing Specific Video Materials ..............................................4 A. The VPPA’s definition of PII is broad, and the case-by-case analysis it requires shows that Yershov’s Android ID and video records are PII .............4 1. Common usage confirms that “personally identifying information” applies to any information that distinguishes a specific consumer ....................................................................................5 2. Gannett takes far too narrow a view of PII, ignore modern data analytics and identification practices, and read additional requirements into the VPPA without any textual basis .........................9 a. The Hulu decision supports a finding that the Android IDs at issue are personally identifying because Adobe can and did use them to identify individual App users ........................................9 b. Gannett’s other authorities take far too narrow a view of what it means to “identify” and are inconsistent with Hulu, and the breadth of government opinions on the issue, and common usage ................................................................................11 B. Yershov alleges sufficient facts to show that the Android ID and video viewing history disclosed by Gannett is PII in this case ...................................15 II. Yershov is a “Consumer” Entitled to the VPPA’s Protections Because He Downloaded, Installed, and Used the App to View Video Content .............................18 III. Yershov Suffered an Injury-in-Fact in the Form of Gannett’s Disclosure of his PII to Adobe, and He Therefore Has Standing to Sue .................................................19 A. Gannett’s violation of Yershov’s privacy rights as conferred by the VPPA is enough to establish Article III standing .............................................19 B. Because Yershov pleads that he was personally identified by Gannett’s disclosures, rather than that such identification was merely possible, his injuries are actual rather than speculative, and he has standing to sue .........24 CONCLUSION ............................................................................................................................25 Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 2 of 32 ii TABLE OF AUTHORITIES UNITED STATES SUPREME COURT CASES: Bell Atl. Corp. v. Twombly, 550 U.S. 554 (2007) ............................................................................3 Erickson v. Pardus, 551 U.S. 89 (2007) ..........................................................................................3 Fed. Election Comm’n v. Akins, 524 U.S. 11 (1998) .....................................................................22 Havens Realty Corp. v. Coleman, 455 U.S. 363 (1982) ....................................................19, 20, 23 Linda R.S. v. Richard D., 410 U.S. 614 (1973) .............................................................................19 Warth v. Seldin, 422 U.S. 490 (1975) ............................................................................................19 UNITED STATES CIRCUIT COURT OF APPEALS CASES: David v. Alphin, 704 F.3d 327 (4th Cir. 2013) ........................................................................22, 23 El Dia, Inc. v. Governor Rosello, 165 F.3d 106 (1st Cir. 1999) ..............................................10, 17 Graczyk v. West Pub. Co., 660 F.3d 275 (7th Cir. 2011) ..............................................................21 In re Sharmas Holdings, LLC, 642 F.2d 263 (1st Cir. 2011) ....................................................5, 18 Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) ................................................................24, 25 Kendall v. Employees Ret. Plan of Avon Prods., 561 F.3d 112 (2d Cir. 2009) .............................23 Klimas v. Comcast Cable Comm’ns., Inc., 465 F.3d 271 (6th Cir. 2006) .....................................21 Kyles v. J.K. Guardian Sec. Servs., Inc., 222 F.3d 289 (7th Cir. 2000) ............................19, 21, 22 Merlonghi v. United States, 620 F.3d 50 (1st Cir. 2010) .................................................................4 Pollard v. Law Office of Mandy L. Spaulding, 766 F.3d 98 (1st Cir. 2014) ............................23, 24 Pruitt v. Comcast Cable Holdings, LLC, 100 Fed. Appx. 713 (10th Cir. 2004) .....................12, 13 Sutliffe v. Epping School Dist., 584 F.3d 314 (1st Cir. 2009) ..........................................................3 Torres-Negron v. J & N Records, LLC, 504 F.3d 151 (1st Cir. 2007) ............................................3 Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 3 of 32 iii UNITED STATES DISTRICT COURT CASES: Aronson v. Advanced Cell Tech., Inc., 972 F. Supp. 2d 123 (D. Mass. 2013) ................................5 Ellis v. The Cartoon Network, Inc., No. 14-cv-484, 2014 WL 5023535 (N.D. Ga. Oct. 8, 2014) ..........................................................11, 12, 19 In re Hulu Privacy Litig., No. 11-03764, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012) ......................................................18, 19, 21 In re Hulu Privacy Litig., No. 11-cv-3764, 2013 WL 6773794 (N.D. Cal. Dec. 20, 2013) .............................................................20, 22 In re Hulu Privacy Litig., No. 11-cv-3764, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) ........................................................... passim In re JPMorgan Chase Mortg. Modification Litig., 680 F. Supp. 2d 220 (D. Mass. 2012) ............3 In re Nickelodeon Consumer Privacy Litig., MDL No. 2443, 2014 WL 3012873 (D. N.J. July 2, 2014) ..............................................................10, 11, 12 Johnson v. Microsoft, No. 06-cv-900, 2009 WL 179440 (W.D. Wash. June 23, 2009) ..........13, 14 Kinder v. Meredith Corp., No. 14-cv-11284, 2014 WL 4209575 (E.D. Mich. Aug. 26, 2014) ................................................................21 Klimas v. Comcast Cable Comm’ns., Inc., No. 02-cv-72054, 2003 WL 23472182 (E.D. Mich. July 1, 2003) aff’d on other grounds, 465 F.3d 271 (6th Cir. 2006) .......13, 14 Santiago v. Colvin, No. 13-cv-30120, 2014 WL 4772290 (D. Mass. Sept. 23, 2014) ....................3 Sterk v. Best Buy Stores, LP, No. 11-cv-1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012) ................................................................21, 22 Sterk v. Redbox Automated Retail, LLC, No. 11-cv-1729, 2012 WL 3006674 (N.D. Ill. July 23, 2012) ......................................................................22 Sterk v. Redbox Automated Retail, LLC, No. 11-cv-1729, 2013 WL 4451223 (N.D. Ill. Aug. 16, 2013) ....................................................................................................22 Sys. Mgmt., Inc. v. Loiselle, 154 F. Supp. 2d 195 (D. Mass. 2011) .................................................6 Viacom Int’l Inc. v. YouTube, Inc., 253 F.R.D. 256 (S.D.N.Y. 2008) .....................................12, 13 Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 4 of 32 iv STATUTES: 15 U.S.C. §§ 6501 – 06 ....................................................................................................................6 18 U.S.C. § 2710 .................................................................................................................... passim 20 U.S.C. § 1232g ............................................................................................................................6 42 U.S.C. § 1320d ............................................................................................................................7 Fed. R. Civ. P. 12 .............................................................................................................................3 REGULATIONS: 16 C.F.R. § 312.2 (2013) .............................................................................................................6, 8 34 C.F.R. § 99.3 (2012) ...........................................................................................................6, 7, 8 45 C.F.R. §164.514(e)(2) .............................................................................................................7, 8 MISCELLANEOUS Antonin Scalia, The Doctrine of Standing as an Essential Element of the Separation of Powers, 17 Suffolk U. L. Rev. 881, 885 (1983) ............................................................20 Handbook for Safeguarding Sensitive Personally Identifiable Information at 5, Dep’t of Homeland Sec. (Mar. 2012), available at http://www.dhs.gov/sites/default/files/publications/privacy/Guidance/ handbookforsafeguardingsensitivePII_march_2012_webversion.pdf .................................7 Identify, Dictionary.com, http://dictionary.reference.com/browse/identify (last accessed Oct. 12, 2014) ................................................................................................5 Identify, Oxford Dictionaries, http://www.oxforddictionaries.com/us/definition/american_english/identify (last accessed Oct. 16, 2014) ................................................................................................5 Identity, Merriam-Webster Online Dictionary, http://www.merriam- webster.com/dictionary/identity (last accessed Oct. 12, 2014) ............................................5 Multiple Users | Android Developers, http://developer.android.com/about/versions/android- 4.2.html#multipleusers (last visited Oct. 7, 2014) .............................................................18 Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 5 of 32 v Partner Finder, Adobe, http://solutionpartners.adobe.com/home/partnerFinder.html (last accessed Sept. 30, 2014) ............................................................................................17 Privacy and Technology Focus Group: Final Report and Recommendations at 58, Global Justice Information Sharing Institute – U.S. Dep’t of Justice (Sept. 19, 2006), available at http://www.it.ojp.gov/documents/ privacy_technology_focus_group_full_report.pdf (last accessed Oct. 12, 2014) ......8, 9, 10 Rules and Regulations – Protecting PII – the Privacy Act, GSA.gov, http://www.gsa.gov/portal/content/104256 (last accessed Oct. 16, 2014) ...........................7 subscribe, Encyclopedia.com, http://www.encyclopedia.com/topic/subscribe.aspx (last accessed Oct. 17, 2014) ..............................................................................................18 subscribe (1.1), Oxford Dictionaries, http://www.oxforddictionaries.com/definition/english/subscribe (last accessed Oct. 17, 2014) ..............................................................................................18 Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 6 of 32 1 INTRODUCTION This putative class action focuses on Defendant Gannett Satellite Information Network, Inc.’s USA Today mobile application (the “App”), through which it offers consumers news and media content, including streaming videos, on their Android mobile devices. Plaintiff Alexander Yershov alleges that each time he used the App to watch video content, Gannett disclosed his Android ID (a unique, 64-digit identifier for his Android device) and video viewing records to data analytics giant Adobe Systems, Inc. Yershov further alleges that these disclosures to Adobe—a company that specializes in tracking and analyzing consumers’ online behavior— violate the Video Privacy Protection Act, 18 U.S.C. § 2710 (“VPPA”), a 1988 law prohibiting the disclosure of such personally identifiable information (“PII”)—i.e., “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” Id. at § 2710(a)(3). Gannett now seeks dismissal of Yershov’s complaint, primarily arguing that unique identifiers like Android IDs cannot, as a matter of law, identify individuals. However, the common usage of the phrase “personally identifiable information,” government regulations and agency positions, and leading privacy scholars all disagree with that position. Indeed, it is commonly accepted that unique identifiers like Android IDs identify specific individuals, especially when disclosed to data analytics companies like Adobe, whose entire business depends on using such information to identify and track specific individuals. Failing that, Gannett raises two additional flawed arguments. First, Gannett argues that Yershov is not entitled to the VPPA’s protections because he is not a “consumer” who rented, purchased, or subscribed to Gannett’s goods or services. Consistent with the only decisions on the matter, however, Yershov is a subscriber because he downloaded, installed, and used the App Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 7 of 32 2 to regularly watch Gannett’s streaming video content. Second, Gannett argues that Yershov has not suffered an injury-in-fact and therefore lacks Article III standing to sue. But that position is belied by decades of First Circuit and Supreme Court precedent establishing that injury-in-fact means nothing more than the invasion of a legal right, and legal rights can be conferred by the legislature. Thus, because the VPPA confers such a right on Yershov, he has sufficiently alleged an injury in fact in the form of Gannett’s unlawful disclosure of his PII. For these reasons and as explained further below, the Court should deny Gannett’s motion in its entirety and allow Yershov’s claim to proceed. STATEMENT OF FACTS Gannett is “an international media company that produces a variety of news and entertainment programming.” (See Class Action Complaint and Demand for Jury Trial (“Compl.”), Dkt. 1, ¶ 1.) In addition to USA Today and dozens of local newspapers throughout the country, Gannett distributes the USA Today Mobile App, through which consumers can read news stories, and watch news and other video clips. (Id. ¶¶ 1, 2.) Relevant here, App users are not required to (and do not) consent to the disclosure of their PII. (Id. ¶ 11.) Nevertheless, each time Yershov watched a video on the App, Gannett disclosed information to Adobe that identified what he had watched on the App. (Id. ¶¶ 13, 42.) Adobe is a massive “data analytics company.” (Id. ¶ 13.) “The business models of such ‘big data’ companies center on the collection of disparate pieces of uniquely identifying information and online behavioral data about individual consumers, which they then compile to form comprehensive profiles about consumers’ entire digital lives. These profiles can then be used for targeted advertising, sold as a commodity to other data brokers, or both.” (Id. ¶ 3.) For his part, Yershov downloaded and installed the USA Today App to “read news Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 8 of 32 3 articles and watch video clips.” (Id. ¶ 39.) He never granted Gannett permission to disclose his PII to anyone. (Id. ¶¶ 11, 40, 41.) Nevertheless, each time he watched a video on the App, Gannett disclosed his PII (in the form of his Android ID and viewing history) to Adobe. (Id. ¶ 42.) Yershov alleges that because of the detail of Adobe’s consumer dossiers, that information identified him and his associated video viewing records to Adobe. (Id. ¶¶ 18, 29, 42.) ARGUMENT On a Rule 12(b)(6) motion to dismiss, the Court is required to “accept[] as true all well- pleased facts in the complaint and draw[] all reasonable inferences in the plaintiffs’ favor.” Sutliffe v. Epping School Dist., 584 F.3d 314, 325 (1st Cir. 2009). To survive such a motion, a complaint need not plead “[s]pecific facts,” but instead, must only contain a statement of the claim in question that “give[s] the defendant fair notice of what the . . . claim is and the grounds upon which it rests.” Erickson v. Pardus, 551 U.S. 89, 93 (2007) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 555 (2007)). Where a defendant challenges the Plaintiff’s standing to sue, the complaint is analyzed under Rule 12(b)(1). See In re JPMorgan Chase Mortg. Modification Litig., 680 F. Supp. 2d 220, 228 (D. Mass. 2012). “There are two types of challenges to a court’s subject matter jurisdiction: facial challenges and factual challenges.” Torres-Negron v. J & N Records, LLC, 504 F.3d 151, 162 (1st Cir. 2007). “Facial challenges on a complaint,” like Gannett’s here, “require the Court merely to look and see if the plaintiff has sufficiently alleged a basis of subject matter jurisdiction, and the allegations in [plaintiff’s] complaint are taken as true for purposes of the motion.” Id. (internal quotations omitted)). As on a Rule 12(b)(6) motion, “the court ‘must credit the plaintiff’s well-plead factual allegations and draw all reasonable inferences in the plaintiff’s favor.’” Santiago v. Colvin, No. 13-cv-30120, 2014 WL 4772290, at *1 (D. Mass. Sept. 23, Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 9 of 32 4 2014) (quoting Merlonghi v. United States, 620 F.3d 50, 54 (1st Cir. 2010)). Here, Gannett makes three arguments in favor of dismissal. First, it argues that the information it disclosed was not PII. Second, that Yershov was not a “subscriber” to its services and therefore is not a “consumer” protected by the VPPA. And third, that Yershov suffered no injury and therefore lacks standing to sue. As explained below, each argument fails, and the Court should deny Gannett’s motion in its entirety. I. Yershov Alleges that Gannett Disclosed His PII by Transmitting Data to Adobe that Identified Him as Viewing Specific Video Materials. Gannett raises two challenges to Yershov’s assertion that it disclosed his PII. First, it argues that unique identifiers—used by companies like Adobe to track individual users’ activities across a variety of media—by law cannot be personally identifying. Second, it attacks the sufficiency of Yershov’s allegations that Gannett’s disclosures were identifying in fact. Gannett’s arguments fail for three reasons. First, the VPPA’s plain language makes clear that “personally identifiable information” is not limited to traditional identifiers like consumers’ actual names and physical addresses. Instead, it “includes” any information that identifies an individual as having viewed specific videos. Second, Gannett’s authorities fail to establish that that “identify,” in the context of the VPPA, means “identify by name.” And third, Yershov adequately alleges facts showing that Gannett’s disclosures identified him to Adobe. A. The VPPA’s definition of PII is broad, and the case-by-case analysis it requires shows that Yershov’s Android ID and video records are PII. Gannett’s first argument is that it could only violate the VPPA by disclosing a customer’s name, address, and video records in plain-text format. Gannett is mistaken—the VPPA’s definition of PII is not so narrow. Instead, it defines “personally identifiable information” to “include[] information which identifies a person as having requested or obtained specific video Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 10 of 32 5 materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3) (emphasis added). The VPPA does not, however, define “identifies,” and thus the Court looks to that term’s “plain and ordinary meaning.” In re Sharmas Holdings, LLC, 642 F.2d 263, 265 (1st Cir. 2011). 1. Common usage confirms that “personally identifying information” applies to any information that distinguishes a specific consumer. In common usage, “identifying information” doesn’t only mean names and addresses. Instead, it also includes any data that uniquely distinguishes a single person out of a group.1 When analyzing a statute’s text, “[t]he court may consider a word’s accepted dictionary definition in order to determine its ordinary meaning.” See Aronson v. Advanced Cell Tech., Inc., 972 F. Supp. 2d 123, 124 (D. Mass. 2013). Here, “identify” has a number of meanings, but clearly is accepted to encompass more than names alone. Oxford Dictionaries define “identify” as to “[e]stablish or indicate who or what (someone or something) is.”2 Webster’s defines “identity” not only as “the name of a person,” but also “who someone is,” “the qualities, beliefs, etc., that make a particular person or group different from others,” and “the distinguishing character or personality of an individual.”3 Likewise, a leading online dictionary defines “identify” as “to recognize or establish as being a particular person or thing, or “to verify the identity of.”4 As these dictionary definitions make clear, then, “identifying” doesn’t just mean “naming,” it instead refers to any information used to distinguish a single individual from many. The Court may also look to federal privacy laws similar to the VPPA, and the regulations implementing them, to understand the meaning of “identify.” See Sys. Mgmt., Inc. v. Loiselle, 1 Although “personally identifiable information,” is a defined term, “identifies,” as used in the definition of PII is not. Thus, a common usage analysis is appropriate. 2 Identify, Oxford Dictionaries, http://www.oxforddictionaries.com/us/definition/american_ english/identify (last accessed Oct. 16, 2014). 3 Identity, Merriam-Webster Online Dictionary, http://www.merriamwebster.com/ dictionary/identity (last accessed Oct. 12, 2014). 4 Identify, Dictionary.com, http://dictionary.reference.com/browse/identify (last accessed Oct. 12, 2014). Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 11 of 32 6 154 F. Supp. 2d 195, 206 (D. Mass. 2011) (“[S]imilar words in similar statutes should be given similar meanings.”). For instance, the regulations implementing the Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 – 06, confirm the widespread view that identifiers like Android IDs do identify particular individuals. New regulations effective July 1, 2013 defined “personal information” under that Act as: “individually identifiable information about an individual collected online, including: (1) A first and last name; (2) A home or other physical address including street name and name of a city or town; (3) Online contact information as defined in this section; (4) A screen or user name where it functions in the same manner as online contact information, as defined in this section; (5) A telephone number; (6) A Social Security number; (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier; (8) A photograph, video, or audio file where such file contains a child's image or voice; (9) Geolocation information sufficient to identify street name and name of a city or town; or (10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.” 16 C.F.R. § 312.2 (2013) (emphasis added). Likewise, the regulations implementing the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, recognize that “identifying” information means more than simply “[t]he student’s name.” It also includes address; “indirect identifiers” such as “date of birth, place of birth, and mother’s maiden name”; “[a] personal identifier, such as the student’s social security number, student number, or biometric record”; as well as any “[o]ther information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” 34 C.F.R. § 99.3 (2012) (emphasis added). Finally, the regulations implementing the Health Insurance Portability and Accountability Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 12 of 32 7 Act, 42 U.S.C. § 1320d, recognize 18 types of “direct identifiers”: names; geographic subdivisions smaller than states; dates (i.e., birth, death, admission, discharge, etc.) with limited exceptions; telephone and fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers (including license plate numbers); device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; and full-face photos. 45 C.F.R. §164.514(e)(2) (2013). As these regulations make clear, innumerable types of data are considered identifying, and it is well accepted that unique identifiers such as Android IDs are among them. Government publications regarding personally information further confirm that a wide variety of data are considered “identifying.” For example, the Department of Homeland Security defines “personally identifiable information” as “any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual . . . .”5 The General Services Administration takes a similarly broad view, defining PII as “information that can be used to distinguish or trace an individual’s identity, either alone or in combination with other information that is linked or linkable to a specific individual.”6 The GSA goes on to recognize that the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.” Id. And, the Department of Justice agrees that PII simply refers to information that 5 Handbook for Safeguarding Sensitive Personally Identifiable Information at 5, Dep’t of Homeland Sec. (Mar. 2012), available at http://www.dhs.gov/sites/default/files/publications/ privacy/Guidance/handbookforsafeguardingsensitivePII_march_2012_webversion.pdf. 6 See Rules and Regulations – Protecting PII – the Privacy Act, GSA.gov, http://www.gsa.gov/portal/content/104256 (last accessed Oct. 16, 2014). Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 13 of 32 8 distinguishes one individual from another, defining PII as “one or more pieces of information that when considered together or when considered in the context of how it is presented or how it is gathered sufficient to specify a unique individual.”7 According to the Department, this information can include “personal characteristics,” (height, distinguishing features, biometrics, etc.), any “unique set of numbers or characters assigned to a specific individual, including name; address; phone number; social security number; e-mail address; driver’s license number” and more, as well as personally unique descriptions of events, locations, or places.8 Common usage of the phrase “personally identifiable information,” then, as confirmed by other statutes, and numerous government regulations and publications, shows that identifying information is not limited solely to names and addresses, but broadly includes any data that differentiates a single person from a group at large. Those same sources recognize that unique identifiers (such as the Android IDs at issue here), are in fact uniquely identifying and therefore—if combined with a video viewing record—are PII under the VPPA. See 34 C.F.R. § 99.3; 45 C.F.R. § 164.514(e)(2). 2. Gannett takes far too narrow a view of PII, ignore modern data analytics and identification practices, and read additional requirements into the VPPA without any textual basis. Gannett offers several decisions to support its position that unique identifiers like Android IDs can never “identif[y] a person” as required by the VPPA. Gannett is mistaken for two primary reasons. First, the decision Gannett relies on as the cornerstone of its argument—the recent opinion in In re Hulu Privacy Litig., No. 11-cv-3764, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) (“Hulu”)—actually supports Plaintiff’s position that Android IDs are personally 7 Privacy and Technology Focus Group: Final Report and Recommendations at 58, Global Justice Information Sharing Institute – U.S. Dep’t of Justice (Sept. 19, 2006), available at http://www.it.ojp.gov/documents/privacy_technology_focus_group_full_report.pdf (last accessed Oct. 12, 2014). 8 Id. at 59. Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 14 of 32 9 identifying. And second, Gannett’s remaining authorities take far too narrow a view of what it means to “identify” someone, and ignore both the common usage of that term (as discussed above) and the capabilities of data analytics companies like Adobe. a. The Hulu decision supports a finding that the Android IDs at issue are personally identifying because Adobe can and did use them to identify individual App users. Gannett argues that the Hulu decision holds that unique identifiers per se cannot be “personally identifying” under the VPPA. (See Defendant’s Memorandum of Law in Support of Motion to Dismiss Class Action Complaint and Demand for Jury Trial (“Def. Br.”), Dkt. 14-1 at 7 – 8.) Gannett misreads that opinion. In Hulu, the Court actually held that unique identifiers, when disclosed to recipients who could understand them, were personally identifying under the VPPA. Hulu, 2014 WL 1724344 at *14. In that case, the plaintiffs alleged that online video provider Hulu had disclosed their Facebook user IDs to the Facebook social network, and their Hulu user IDs to data analytics company comScore, Inc. Id. In ruling on summary judgment, the Hulu court began by recognizing that a person can “be identified in many ways: by a picture, by pointing, by an employee number, by the station or office or cubicle where one works, by telling someone what ‘that person’ rented[,]” and that “identification” isn’t limited to actual names alone. Id. at *11. From that basic point the court then held that “the statute, the legislative history, and the case law do not require a name, [but] instead[,] require the identification of a specific person tied to a specific transaction, and support the conclusion that a unique anonymized ID alone is not PII but context could render it not anonymous and the equivalent of the identification of a specific person.” Id. (emphasis added). Further, in addressing the very argument Gannett raises here—that an Android ID is no more than an anonymous string of numbers—the Hulu court held that the Facebook IDs in question being “a string of numbers and letters does not alter the conclusion. [Computer] [c]ode Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 15 of 32 10 is a language, and languages contains names, and the string is the Facebook user name.” Id. at *14. Accordingly, the court denied the defendant’s motion for summary judgment on that issue. 9 Implicit in that order was the Hulu court’s recognition that context matters. For example, the disclosures of the Facebook IDs to Facebook were identifying because (1) that’s how Facebook actually identifies its users, and (2) the information disclosed was tied to unique profiles on the Facebook social network. Id. Applying that analysis here requires a finding that Android IDs are PII. Indeed, as with the Facebook IDs in Hulu, the Android IDs are (1) how Adobe identifies specific individual consumers—including App users—and (2) are tied to those consumers’ unique profiles in Adobe’s databases. (Compl. ¶¶ 19 – 23, 28, 29, 42.) And, as with the Facebook IDs in Hulu, because Adobe has extensive consumer tracking databases, an App user “generally is an identified person” in Adobe’s records. (Id.) Thus, the Android ID “is more than a unique, anonymous identifier. It personally identifies [an App] user. That it is a string of numbers and letters does not alter the conclusion.” See Hulu, 2014 WL 1724344, at *14. b. Gannett’s other authorities take far too narrow a view of what it means to “identify” and are inconsistent with Hulu, and the breadth of government opinions on the issue, and common usage. Gannett next relies on In re Nickelodeon Consumer Privacy Litig., MDL No. 2443, 2014 WL 3012873, *10 (D. N.J. July 2, 2014) (“Nickelodeon”), and though it hasn’t done so already, will surely rely on reply on the Northern District of Georgia’s recent decision in Ellis v. The 9 The Hulu court’s entry of summary judgment against the plaintiffs with respect to the disclosure of Hulu user IDs to comScore—which Gannett relies on—is inapposite here. Rather than holding that the disclosures to comScore could not have been PII, the Hulu court simply held that the plaintiffs had failed to present evidence that they had been identified—i.e., that they failed to show that comScore had actually linked video histories to their profiles. See id. at *12 (“There is no evidence that comScore did this. The issue is only that it could.”) Here, by contrast, Yershov has alleged that Adobe does actually identify specific individuals as having watched specific videos using their Android IDs, and again, those allegations are entitled to a presumption of truth. (Compl. ¶¶ 22 – 29); see also See El Dia, Inc. v. Governor Rosello, 165 F.3d 106, 108 (1st Cir. 1999) (“In reviewing a motion to dismiss, we accept all well-pleaded facts as true and draw all reasonable inferences in favor of the plaintiff.”). Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 16 of 32 11 Cartoon Network, Inc., No. 14-cv-484, 2014 WL 5023535 (N.D. Ga. Oct. 8, 2014). Gannett’s reliance on those cases is misplaced as well. In both of those cases, the courts correctly recognized that “‘a person’ can be identified by more than just their name and address.” See Nickelodeon at 2014 WL 3012873, at *19 (citing Hulu); Ellis, 2014 WL 5023535, at *9. Nevertheless, and seemingly ignoring the Hulu’s court’s reasoning, both courts held that disclosure of a unique identifier could only violate the VPPA if it was somehow tied to an individual’s actual name. See Nickelodeon, 2014 WL 3012873 at *19 (concluding that in order to constitute PII under the VPPA, “information . . . must, without more, itself link an actual person with actual video materials.”); see also Ellis 2014 WL 5023535, at *3 (holding that an “Android ID, without more, is not personally identifiable information” supposedly because “the disclosure by the Defendant [t]here required [the third party recipient of the IDs] to collect information from other sources” to make it identifiable). In other words, both courts found that PII under the VPPA is effectively limited to identifying an individual’s actual name (in connection with their video viewing history). That conclusion, however, ignores the Hulu court’s contextual analysis (which both courts claimed to endorse), common usage of the word “identify,” governmental agencies’ definitions of PII, and the capabilities of analytics companies like Adobe. Indeed, as the Hulu court noted, “[o]ne can be identified in many ways: by a picture, by pointing, by an employee number, by the station or office or cubicle where one works . . . .” Hulu, 2014 WL 1724344, at *11 (emphasis added). These examples demonstrate the importance of context, and of the recipient’s access to and knowledge of information that may render the disclosure identifying. For instance, were Gannett to provide an employer a list of its employees’ video viewing records listed by employee number, such a disclosure would clearly be identifying. That is, the records would identify individuals to the employer based because of the Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 17 of 32 12 employee numbers, even though the numbers would likely be meaningless to anyone else who receives them.10 Likewise, for example, a video tape service provider’s disclosure of video records associated with Massachusetts drivers license numbers to the Massachusetts RMV would be personally identifying, because the drivers license numbers would identify specific individuals to the RMV, even though they would be meaningless to many other persons like, for example, a local restaurant.11 Equally misplaced is Gannett’s reliance on Pruitt v. Comcast Cable Holdings, LLC, 100 Fed. Appx. 713 (10th Cir. 2004) and Viacom Int’l Inc. v. YouTube, Inc., 253 F.R.D. 256 (S.D.N.Y. 2008) for the proposition that unique identifiers can never be personally identifying. (See Def. Br. at 9 – 10.) In Pruitt, the court held that because the data at issue—unique anonymous identifiers stored in Comcast cable boxes—had not been combined with the identifying information from Comcast’s own databases, it was not “personally identifying.” Pruitt, 100 Fed. Appx. at 716. Thus, while “Pruitt stands for the proposition that an anonymous, unique ID without more does not constitute PII . . . it also suggests that if an anonymous, unique 10 The analogy to this case is clear. Here, Yershov alleges that the Android IDs were identifying when disclosed to Adobe because that is how Adobe identifies App users. Thus, whereas a 64-Digit Android ID would likely be nothing more than a long string of characters when in the hands of the Court or counsel, it identifying to Adobe, whose primary function in this context is to identify and analyze specific individuals and their behaviors. (See Compl. ¶¶ 18, 19 – 23.) And, in any event, Yershov’s allegations that Adobe did identify specific individuals using their Android IDs must be taken as true at this stage of the proceedings. El Dia, Inc., 165 F.3d at 108. 11 Nevertheless, the Nickelodeon and Ellis courts would find no disclosure of PII in either example. Instead, under the Ellis/Nickelodeon standard, these disclosures would not be PII because the numbers would not identify specific individuals to every possible recipient. Ellis, 2014 WL 5023535, at *3. This, despite the fact that the numbers would be identifiable to the recipients. Likewise, the Nickelodeon and Ellis analysis would hold that nearly all of the categories of identifying information recognized by the FERPA and HIPAA regulations, the General Standards Administration, the Department of Homeland Security, and the Department of Justice are not actually identifying. For these reasons, the Ellis and Nickelodeon analysis is simply incompatible with common usage, and contrary to accepted definitions and explanations of identifying information. Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 18 of 32 13 ID were disclosed to a person who could understand it, that might constitute PII.” Hulu, 2014 WL 1724344, at *11 (emphasis in original). Because the recipient of the information in this case (Adobe), can and does identify specific individuals using the identifiers disclosed (Android IDs), (Compl. ¶¶ 22 – 29.), Pruitt is inapposite. Likewise for Viacom. As the Hulu court explained: What was at issue [in Viacom], however, was not the users’ identities. Instead, because the case was a copyright case against YouTube, what mattered was the number of times the users viewed particular videos. [Viacom, 253 F.R.D. at 262.] YouTube “did not refute that the login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube which without more cannot identify specific individuals” Id. at 262. (emphasis added). The Court dismissed YouTube’s privacy concerns as speculative and ordered discovery. Id. That result makes sense: the case was about discovery to establish copyright damages, not consumers’ identities. The consumer identities were not relevant. Indeed, Viacom issued a press release that the parties would anonymize the data before disclosure to address YouTube users’ privacy concerns. [Citation omitted.] Also, the decision does not provide enough of a factual context to determine whether the user IDs in Viacom identified a person or were anonymized. The case’s holding is relevant only to the extent that it recognizes that unique anonymous IDs do not necessarily identify people. Hulu, 2014 WL 1724344, at **9 – 10. Finally, Gannett’s reliance on cases involving the disclosure of IP addresses is also misplaced. (See Def. Br. at 10) (citing Klimas v. Comcast Cable Comm’ns., Inc., No. 02-cv- 72054, 2003 WL 23472182 (E.D. Mich. July 1, 2003) aff’d on other grounds, 465 F.3d 271 (6th Cir. 2006); Johnson v. Microsoft, No. 06-cv-900, 2009 WL 179440, at *4 (W.D. Wash. June 23, 2009)). In Klimas, for instance, the court held that: [A] dynamic IP address cannot constitute PII . . . . Unlike a home address, which for the most part stays constant, a dynamic IP address is more like a hotel room number. Dynamic IP addresses constantly change and unless an IP address is correlated to some other information, such as Comcast’s log of IP addresses assigned to its subscribers (or a hotel registry in the analogy of hotel room numbers), it does not identify a single subscriber by itself. Id. at *5. Likewise, in Johnson, the court recognized that many Internet service providers “assign Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 19 of 32 14 dynamic IP addresses that change each time the user connects to the Internet.” 2009 WL 179440, at *4. Ultimately, the Johnson court held that IP addresses alone, without “matching [them] to a list of a particular Internet service provider’s subscribers,” did not constitute PII within the meaning of the privacy policy in question. Id. But again, Yershov alleges something more. Specifically, Yershov alleges that the Android IDs in this case are not dynamic, but rather stay constant with a user, and thus are more like home addresses than hotel rooms, to extend the Klimas analogy. Klimas, 2003 WL 23472182, at *5. Indeed, like home addresses, while Android IDs may change periodically through one’s life and later be used by others, they are generally considered identifying during the pendency of an individual’s use. Put another way, IP addresses regularly change and are used only to identify a specific computer at a specific time, whereas Android IDs are static and for that very reason are used by entities like Adobe to identify specific individuals at specific times across multiple services. (Compl. ¶¶ 16 – 18, 21, 22.) * * * Accordingly, where, as here, a video service provider (like Gannett) discloses a unique identifier (like an Android ID) and video viewing history to a third party (like Adobe) that actually uses that information to identify specific individuals and the videos they viewed, the information disclosed is PII. Hulu at *11 (“One could not skirt liability under the VPPA, for example, by disclosing a unique identifier and a correlated look-up table.”). B. Yershov alleges sufficient facts to show that the Android ID and video viewing history disclosed by Gannett is PII in this case. Turning to the disclosures in this case, Gannett argues that the contextual allegations in Plaintiff’s Complaint—establishing how and why the information disclosed by Gannett is identifying to Adobe—are irrelevant and inadequately pled. (Def. Br. at 7.) Gannett’s arguments, however, misread the allegations in the Complaint and misconstrue governing law. Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 20 of 32 15 To start, Yershov alleges that the Android ID disclosed by Gannett identified him to Adobe as having viewed specific videos. (Compl. ¶¶ 18, 42.) From there, Yershov details how— given Adobe’s existing wealth of data about him and the other Class members—the disclosures allowed Adobe to “identify [him] and attribute his video viewing records of an individualized profile of [him] in its databases.” (Compl. ¶ 42 (emphasis added).) Yershov additionally alleged that Android IDs were in fact used by Adobe to identify and track him. (Compl. ¶ 18.) What Gannett is alleged to have done, then, is “disclose a unique identifier” (an Android ID) to a third party (Adobe) that already possessed a “correlated look-up table.” Hulu, 2014 WL 1724344, at *11. Thus, the Android IDs disclosed were “not anonymous and [were] the equivalent of the identification of a specific person.” Id. (explaining that Pruitt, 100 Fed. Appx. 713 “suggests that if an anonymous, unique ID were disclosed to a person who could understand it, that might constitute PII.”). As such, Gannett’s disclosures identified Yershov as having viewed specific videos, and constituted disclosures of PII under the VPPA. Gannett then offers several attacks on Yershov’s factual bases for asserting that its disclosures identified him. (Def. Br. at 13.) First, Gannett takes issue with Yershov quoting Christopher Comstock, a senior project manager at Adobe, who explained how the company creates profiles on individual consumers’ online behaviors using unique identifiers like the Android ID. (Def. Br. at 13 – 14.) Gannett asserts that Mr. Comstock says that Adobe does not yet engage in one particular type of data correlation—“probabilistic matching”—and therefore the identification alleged in the Complaint could not have taken place. (See Def. Br. at 14.) Gannett’s argument, however, deliberately misreads both the Complaint and the interview with Mr. Comstock. As Plaintiff notes in paragraph 23 of his Complaint, Adobe does presently have the ability to identify users across devices “when they have a known customer ID”: Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 21 of 32 16 Q: What are your clients requesting when it comes to cross-device matching? Mr. Comstock: This applies to advertisers and publishers. They’re asking us first to be able to identify when they have a known customer ID. They want that ID to be the linking mechanism across different devices. From an AudienceManager standpoint, we can do that and tie those different device profiles to be a common user profile. (Compl. ¶ 23 (emphasis added).) Only later in the interview (and the Complaint) is any mention of probabilistic matching made, and Mr. Comstock makes a clear distinction between probabilistic matching (which is not currently a service Adobe offers for its clients), and “cross- device matching . . . when they have a known customer ID,” which Adobe does currently offer. (See Dkt. 14-4 at 2 – 3.)12 Thus, the interview with Mr. Comstock does indeed support Plaintiff’s allegations—Adobe can and does use unique identifiers to tie different device profiles to common user profiles, like Yershov’s. (Compl. ¶ 23; Dkt. 14-4 at 2.) Second, Gannett argues that Yershov’s Complaint misinterprets a figure from Adobe’s marketing materials related to the “depth of information captured by Adobe’s data analytics services.” (Compl. ¶ 27; see also Def. Br. at 14 – 15.) As Gannett points out, the figure cited in the Complaint comes from a white paper promoting the “Adobe Campaign” advertising service, which helps Adobe’s clients “access data that already exists internally” by “aggregating customer data from different systems and mak[ing] it centrally available.” (Dkt. 14-5 at 2.) Gannett says this means that the data referred to in the Complaint is not ever added to Adobe’s databases. (Def. Br. at 14 – 15.) It does not follow, however, that because Adobe Campaign helps companies “access data that already exists internally,” that Adobe does not access and use this data on its own. (See Def. Br. at 14.) Instead, the key takeaway from the white paper (and consistent with Yershov’s allegations) is that Adobe has access to that information, gathered 12 Even if Adobe does not yet offer in-house probabilistic matching, the interview with Mr. Comstock does not deny that Adobe uses its clients’ probabilistic matching results to refine its own data. (Dkt. 14-4 at 2 – 3.) Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 22 of 32 17 from dozens of its clients13 (whether Gannett is one such client or not), and its public representations suggest that it uses such information to identify specific consumers.14 Third, Gannett challenges Yershov’s allegations regarding the Adobe Analytics Privacy Policy. Yershov contends that the Privacy Policy shows that Adobe receives identifying information (including email addresses, account information, or Facebook profile information) from its clients, supporting the inference that Adobe’s customer profiles do identify individuals. (Def. Br. at 15; Compl. ¶¶ 25). Gannett points to the Privacy Policy’s statement that “Adobe does not use the information we collect for a company except as may be allowed in a contract with that company,’ which ‘is usually limited to providing [] services to the company,’” and that the only information shared between companies is “‘anonymous and does not identify individuals.’” (Def. Br. at 15.) From this, Gannett surmises, it is impossible that Adobe could have combined client data and itself identified consumers. (Id.) To the contrary, Gannett’s challenge ignores the word “usually” in the Privacy Policy, as well as the fact that even if Adobe only shared anonymous information among companies, it would still have access to that combined information in identifying form, before attempting to de-identify it. Thus, accepting the facts alleged as true and drawing all reasonable inferences in his favor, Yershov has sufficiently alleged that Gannett disclosed to Adobe information that “personally identified” him as having viewed specific videos.15 13 See Partner Finder, Adobe, http://solutionpartners.adobe.com/home/partnerFinder.html (last accessed Sept. 30, 2014). 14 Again, to the extent the white paper is open to interpretation, all reasonable inferences must be drawn in Yershov’s favor at this point. See El Dia, Inc., 165 F.3d at 108. 15 Gannett also challenges Yershov’s citation to Google’s guide for developers of Android apps, contending that Android devices only assign different Android IDs to different users if some default setting is changed. (Def. Br. at 15 n.7.) Not true. The “explicit[] modif[ication]” refers to the fact that when the user takes some action, such as creating a new user account (which will, by default, create a new Android ID). (Dkt. 14-6 at 4; see also Compl. ¶ 17.) Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 23 of 32 18 II. Yershov is a “Consumer” Entitled to the VPPA’s Protections Because He Downloaded, Installed, and Used the App to View Video Content. Gannett next urges dismissal because Yershov is not a “consumer” as required by the VPPA. The VPPA defines “consumer” as “any renter, purchaser, or subscriber of goods or services from a video service provider[.]” 18 U.S.C. § 2710(a)(1). The VPPA does not, however, define “subscriber.” See 18 U.S.C. § 2710(a). As such, the Court must interpret the term by using its “plain and ordinary meaning.” In re Sharmas Holdings, LLC, 642 F.2d at 265. When discussing online services like the App, “subscribe” means “[a]n arrangement by which access is granted to an online service.”16 Both the Hulu and Ellis courts confirm this reading. See In re Hulu Privacy Litig., No. 11-03764, 2012 WL 3282960, at *8 (N.D. Cal. Aug. 10, 2012) (finding plaintiffs subscribers where alleged that they were “subscribers” and that “[t]hey visited hulu.com and viewed video content,” “regardless of whether they were registered and logged in.”); Ellis, 2014 WL 5023535, at *2 (“[Plaintiff] downloaded the CN App and used it to watch video clips. His Android ID and viewing history were transmitted to Bango. These facts suffice to qualify the Plaintiff as a ‘subscriber,’ and as such, a ‘consumer.’”). Here, Yershov’s allegations fit the common usage of “subscribe” in the online and mobile context. As in Hulu and Ellis, Yershov alleges that he downloaded the App (thus entering into an agreement with Gannett to provide him streaming video through the App) and did request and Plaintiff’s interpretation is confirmed by the guide itself, which notes that when multiple users exist on a device, “[f]rom [the] app’s point of view, each user is running on a completely separate device.” See Multiple Users | Android Developers, http://developer.android.com/ about/versions/android-4.2.html#multipleusers (last visited Oct. 7, 2014). If nothing else, the Parties’ dispute over the Android Developer guide confirms that the context-dependent, fact- intensive determination of whether the information disclosed is PII is inappropriate for resolution on a Rule 12 motion. 16 See, e.g., subscribe (1.1), Oxford Dictionaries, http://www.oxforddictionaries.com/ definition/english/subscribe (last accessed Oct. 17, 2014); subscribe, Encyclopedia.com, http://www.encyclopedia.com/topic/subscribe.aspx (last accessed Oct. 17, 2014). Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 24 of 32 19 receive video content from Gannett through the App. (Compl. ¶¶ 39, 53.) Thus, Yershov is a subscriber under the word’s plain meaning. See In re Hulu Privacy Litig., 2012 WL 3282960, at *8; Ellis, 2014 WL 5023535, at *2. III. Yershov Suffered an Injury-in-Fact in the Form of Gannett’s Disclosure of his PII to Adobe, and He Therefore Has Standing to Sue. Gannett next contends that Yershov lacks Article III standing to sue because Gannett’s conduct supposedly did not cause him any injury-in-fact. In particular, Gannett argues that (i) the VPPA does not confer standing based on “a mere statutory violation,” (Def. Br. at 18), and (ii) that even if it does, Yershov failed to allege anything beyond the speculative possibility that he could be identified. (Def. Br. at 19.) Each of these arguments misses their mark. A. Gannett’s violation of Yershov’s privacy rights as conferred by the VPPA is enough to establish Article III standing. As an initial matter, it is hornbook law that a violation of a statutorily created right, without more, can be the injury-in-fact sufficient to confer Article III standing. The Supreme Court has consistently held that “Congress can enact statutes creating legal rights, the invasion of which creates standing, even though no injury would exist without the statute.” Linda R.S. v. Richard D., 410 U.S. 614, 617 n.3 (1973); see also Warth v. Seldin, 422 U.S. 490, 500 (1975); Havens Realty Corp. v. Coleman, 455 U.S. 363, 373 – 74 (1982).17 “Essentially, the standing question in such cases is whether the constitutional or statutory provision on which the claim rests properly can be understood as granting persons in the plaintiff’s position a right to judicial relief.” Warth, 422 U.S. at 500. 17 See also Antonin Scalia, The Doctrine of Standing as an Essential Element of the Separation of Powers, 17 Suffolk U. L. Rev. 881, 885 (1983) (“Standing requires . . . the allegation of some particularized injury to the individual plaintiff. But legal injury is by definition no more than the violation of a legal right; and legal rights can be created by the legislature.”). Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 25 of 32 20 Here, the VPPA confers a right to privacy in the viewing of videos, and an enforcement right on any “person aggrieved by any act of a person in violation of” its provisions. 18 U.S.C. § 2710(c). Where, as here, an act confers a substantive right and provides that a “person aggrieved” by its violation may sue, such a person has “suffer[ed] an injury ‘in precisely the form the statute was intended to guard against.’” Kyles v. J.K. Guardian Sec. Servs., Inc., 222 F.3d 289, 298 (7th Cir. 2000) (quoting Havens, 455 U.S. at 373). The Hulu and Ellis courts recently confirmed that no injury beyond disclosure is necessary for standing to assert a VPPA claim. Beginning with the VPPA’s text, the Hulu court noted that subsection (b) of the VPPA “refers to the ‘aggrieved person’ in the singular and precedes it with a definite article.” In re Hulu Privacy Litig., No. 11-cv-3764, 2013 WL 6773794, at *5 (N.D. Cal. Dec. 20, 2013). “Thus, the ‘aggrieved person’ is the consumer whose information was disclosed.” Id. Rejecting the argument that a plaintiff must show some injury beyond disclosure, the Hulu court noted further that “[s]ubsection (b) does not refer to ‘an aggrieved person’ or ‘any person aggrieved.’ The consumer, therefore, is ‘aggrieved’ based solely on the disclosure of personally identifiable information to third parties and the video tape service provider is liable to that ‘aggrieved person’ for the relief in subsection (c).” Id. From this, the Hulu court recognized that: The “any aggrieved person” language in subsection (c) establishes that any person who meets the definition of “the aggrieved person” in subsection (b)(2) (which demonstrated an injury-in-fact for Article III standing purposes) ‘may bring’ a federal lawsuit. 18 U.S.C. § 2710(c)(1). The Court then ‘may award actual damages but not less than liquidated damages of $2,500.’ Id. § 2710(c)(2). Nothing in subsection (c) (or any other part of the statute) requires an injury beyond a violation of subsection (b). Id.18 The Ellis court reached the same conclusion, holding that “because the Plaintiff is alleging a 18 Courts nationwide regularly apply these principles to determine that violations of consumer privacy rights confer standing. See, e.g., Graczyk v. West Pub. Co., 660 F.3d 275, 278 Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 26 of 32 21 violation of the VPPA, he alleges an injury.” Ellis, 2014 WL 5023535, at *2. Gannett’s authorities not require a different result. It first contends that Sterk v. Best Buy Stores, LP, No. 11-cv-1894, 2012 WL 5197901 (N.D. Ill. Oct. 17, 2012) established that a VPPA plaintiff must allege additional injury beyond disclosure to have standing. (Def. Br. at 18.) But the Sterk opinion is inapposite for two reasons. First, it misapplied Seventh Circuit and Supreme Court law. Specifically, it relied on Kyles, 222 F.3d at 295, to argue that because the VPPA requires a plaintiff to be “aggrieved,” “a plaintiff must plead an injury beyond a statutory violation to meet the standing requirement of Article III.” Sterk, 2012 WL 5197901, at *6. However, Kyles (and decades of Supreme Court precedent) expressly holds the opposite—i.e., that when a statute grants a right to relief to an “aggrieved” party, a plaintiff “has standing to sue, even if she has not been harmed apart from the statutory violation.” Kyles, 222 F.3d at 298 (emphasis added); see also Fed. Election Comm’n v. Akins, 524 U.S. 11, 19 – 20 (1998) (“History associates the word ‘aggrieved’ with a congressional intent to cast the standing net broadly.”). Second, as explained by the Hulu court, the Sterk v. Best Buy decision is distinguishable on the facts, and should be limited to its context. In re Hulu Privacy Litig., 2013 WL 6773794, at *8. That is, the Sterk court “found that Sterk had not alleged a disclosure and, therefore, must allege some other economic harm . . . to the extent Sterk made some other allegations about (7th Cir. 2011) (finding no monetary harm necessary to state a claim under the Driver’s Privacy Protection Act, as “Congress has defined the relevant injury under the DPPA as ‘obtain[ment], disclos[ure], or [use].’”) (citation omitted); Klimas v. Comcast Cable Comm’ns., Inc., 465 F.3d 271, 275 – 76 (6th Cir. 2006) (finding standing where plaintiff alleged violations of the Cable Act’s privacy provisions, with no claim of economic harm); Kinder v. Meredith Corp., No. 14- cv-11284, 2014 WL 4209575, at *2 (E.D. Mich. Aug. 26, 2014) (noting that “pursuant to Warth, the Michigan legislature can create new legal rights by virtue of enacting a statute,” and finding that plaintiff had Article III standing to sue under Michigan’s companion statute to the VPPA where she “alleged that [the defendant] violated her rights pursuant to the [Act] by improperly disclosing and selling her personal information.”). Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 27 of 32 22 economic harm, the court rejected them as not grounded in the actual facts.” Id. (citing Sterk v. Best Buy Stores, 2014 WL 5197901).19 “In sum, the Sterk Defendants challenged standing (and injury-in-fact) based on evidence that only showed a transmission of PII by wholly-owned subsidiaries to a parent company, and Plaintiffs did not show any disclosure within the meaning of the VPPA and had no injury and no standing. Sterk does not support a conclusion that injury beyond disclosure is a prima facie element of a VPPA claim.” In re Hulu Privacy Litig., 2013 WL 6773794, at *9 (citations omitted). Next, Gannett argues that two out-of-circuit ERISA establish that statutory rights are irrelevant to the standing analysis. (Def. Br. at 18 – 19.) In David v. Alphin, 704 F.3d 327, 338 – 39 (4th Cir. 2013), the Fourth Circuit found that ERISA plaintiffs who suffered no financial harm could not satisfy Article III’s standing requirement by asserting their statutory rights “to ensure that the Pension Plan is operated in accordance with law, the fiduciaries discharge their duties with care, skill, prudence, loyalty, and diligence, and that fiduciaries do not engage in self- dealing.” Id. at 339. Gannett says that holding was echoed by the Second Circuit in Kendall v. Employees Ret. Plan of Avon Prods., 561 F.3d 112, 121 (2d Cir. 2009). Those two cases, however, are fundamentally distinguishable, in that they involved ERISA claims, which are brought by plan members who sue “on behalf of the Pension Plan,” and “are not permitted to recover individually.” David, 704 F.3d at 332. Thus, rather than addressing whether a VPPA plaintiff has standing to sue when his privacy rights are invaded, the 19 Other VPPA cases within its own district confirm that Sterk v. Best Buy is limited to its own facts. See Sterk v. Redbox Automated Retail, LLC, No. 11-cv-1729, 2012 WL 3006674, at **8 – 9 (N.D. Ill. July 23, 2012); see also Sterk v. Redbox Automated Retail, LLC, No. 11-cv- 1729, 2013 WL 4451223, at *3 (N.D. Ill. Aug. 16, 2013) (denying a motion to dismiss based on the Sterk v. Best Buy decision and holding that plaintiffs’ allegations “that their privacy rights, recognized and protected by the VPPA, were violated when Redbox disclosed plaintiffs’ PII to a third-part vendor without their consent . . .along with the evidence that plaintiffs have produced showing that the disclosure actually occurred, are sufficient to confer standing.”). Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 28 of 32 23 cases offered by Gannett addressed the entirely separate issue of whether an individual who is not entitled to any direct relief has standing to sue. Id. In fact, the Kendall Court itself recognized that where a statute gives a person “in the plaintiff’s position a right to judicial relief,” the “invasion of [a right created by statute] creates standing.” Kendall, 561 F.3d at 118 (quoting Warth, 422 U.S. at 500) (emphasis added). Further, both the First Circuit and the Supreme Court have consistently held that “[t]he invasion of a statutorily conferred right may, in and of itself, be a sufficient injury to undergird a plaintiff’s standing even in the absence of other harm.” Pollard v. Law Office of Mandy L. Spaulding, 766 F.3d 98, 102 (1st Cir. 2014) (citing Havens, 455 U.S. at 373 – 74). Thus, in Pollard, the First Circuit held that the statute at issue (the FDCPA) “bestow[ed] upon consumers a right not to receive communications that overshadow or are inconsistent with [a required] validation notice,” regardless of whether the plaintiff “actually [is] confused” by the overshadowing or inconsistency. 766 F.3d at 102 – 03. (“Seen in this light, the absence of confusion is irrelevant to the standing injury.”). The parallels between Pollard and this case are clear. Like the FDCPA, the VPPA confers a specific legal right on Yershov—a right to privacy in his video viewing records. See 18 U.S.C. § 2710. And, like the FDCPA, the VPPA imposes no additional requirements on the vindication of that right; embarrassment, fear, or any other additional injury are “irrelevant to the standing inquiry.” Pollard, 766 F.3d at 103. Thus, by alleging that Gannett violated his privacy rights by disclosing video viewing records that identified him, Yershov has “adequately alleged that [his] personal right was violated when” Gannett disclosed his PII. “That comprised an injury attributable to the defendant’s actions—an injury that will be redressed by an award of damages. No more is exigible to confirm the plaintiff’s Article III standing.” Id. Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 29 of 32 24 B. Because Yershov pleads that he was personally identified by Gannett’s disclosures, rather than that such identification was merely possible, his injuries are actual rather than speculative, and he has standing to sue. Gannett is also mistaken in arguing that Yershov alleges only the mere possibility of injury, rather than actual PII disclosure and injury. (See Def. Br. at 18 – 19.) As explained in section I.B above, Yershov expressly alleges that Gannett disclosed information about him in the form of his video viewing history and Android ID, that the information disclosed was PII, and that he was in fact identified as a result of that disclosure. (Compl. ¶¶ 42, 54, 57.) Thus, he does not merely allege that Adobe could have identified him using the data Gannett disclosed; he alleges that Adobe actually did so. (Id.) Gannett relies heavily on Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012), where the First Circuit reiterated Article III’s “causation” requirement. In Katz, a brokerage account holder sued a clearing broker, alleging that the broker breached its contractual and statutory duties to protect certain sensitive information. Id. The Court first acknowledged that Congress “can raise to the status of legally cognizable injuries certain harms that might otherwise have been insufficient at common law, and they may confer the authority to sue for those harms on private persons or public entities.” Id. at 76. That in mind, the Court reiterated that the traditional three- prong standing test still applied: a plaintiff must allege (i) an actual invasion of her legal rights (ii) caused by the defendant and (iii) redressable by suit. Id. at 71. The Court then concluded that because the plaintiff had only alleged that “some unspecified people’s nonpublic information” had been disclosed, “the complaint [did] not contain an allegation that the plaintiff’s nonpublic personal information has actually been accessed by any unauthorized user.” Id. (emphasis added). Thus, “[w]ithout any reference to an identified breach of the plaintiff’s data security,” the plaintiff could not “allege and show that [she] personally ha[d] been injured, [rather than] that Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 30 of 32 25 some injury ha[d] been suffered by other members of the class to which [she] belong[ed] and which [she] purport[ed] to represent.” Id. (emphasis added). Comparing the allegations here to those in Katz only confirms Yershov’s standing. To start, as the Katz court contemplated, Yershov identifies a statute (the VPPA) granting him rights, which if invaded, would grant him standing to sue. Id. at 75; see Part III.A, supra. Where Yershov’s complaint differs from Katz, however, by containing express allegations that Gannett actually disclosed his PII, and that he was actually identified as a result. (Compl. ¶¶ 42, 54, 57.) Accordingly, the Court should reject Gannett’s attempts to argue that Plaintiff failed to allege an actual injury, and deny its motion to dismiss. CONCLUSION For the reasons stated above, Plaintiff Alexander Yershov, individually and on behalf of all others similarly situated, respectfully requests that this Honorable Court deny Gannett’s Motion to Dismiss and award such other relief as it deems necessary, reasonable, and just. Respectfully submitted, ALEXANDER YERSHOV, individually and on behalf of all others similarly situated, Dated: October 17, 2014 By: s/ J. Dominick Larry One of Plaintiff’s Attorneys Benjamin H. Richman (Admitted pro hac vice) brichman@edelson.com J. Dominick Larry (Admitted pro hac vice) nlarry@edelson.com EDELSON PC 350 North LaSalle St., Suite 1300 Chicago, Illinois 60654 Tel: 312.589.6370 Fax: 312.589.6378 Erica C. Mirabella (#676750) erica@mirabellallc.com MIRABELLA LAW LLC 132 Boylston Street, 5th Floor Boston, Massachusetts 02116 Tel: 617.580.8270 Fax: 617.583.1905 Counsel for Plaintiff and the Putative Class Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 31 of 32 26 CERTIFICATE OF SERVICE I hereby certify that this document filed through the ECF system will be sent electronically to the registered participants as identified on the Notice of Electronic Filing (NEF) and paper copies will be sent to those indicated as non-registered participants on November 21, 2014. s/ J. Dominick Larry Case 1:14-cv-13112-FDS Document 20 Filed 11/21/14 Page 32 of 32