The Video Privacy Protection Act (VPPA) was enacted in 1988 in response to Robert Bork’s Supreme Court confirmation hearings before the Senate Judiciary Committee, during which his family’s video rental history was used to great effect and in excoriating detail. This was the age of brick-and-mortar video rental stores, well before the age of instant video streaming and on-demand content. Nonetheless, VPPA compliance is an important component of any privacy and data security program for online video-content providers, websites that host streaming videos and others that are in the business of facilitating consumers viewing streaming video.
Judicial application of the VPPA to online content has produced inconsistent results, including in how the statute’s definition of personally-identifiable information (PII)—the disclosure of which triggers VPPA liability—has been interpreted. Under the VPPA, PII “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 3710(a)(3). Courts and commentators alike have noted that this definition is vague, particularly when applied to new technological situations, as it describes what counts as PII rather than providing an absolute definition. Specifically in the streaming video context, the dispute over the PII definition typically turns on whether a static identifier, like an internet protocol (IP) address or other similar identifier uniquely assigned to consumers, counts as PII under the VPPA.
The issue has percolated through the lower federal courts, and the majority of these decisions have followed the holding from In re: Hulu Privacy Litigation, No. C 11-03764 LB, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014) (“Hulu”). In the Hulu case, as noted at the time, the court held that a static identifier can theoretically count as PII under the VPPA if it is combined with other identifying information. The decision has formed a touchstone of sorts in this area and continues to be discussed today in cases that turn on the disclosure of IP addresses.
Until May of last year, no Federal Court of Appeal had addressed the issue of whether an IP address or static identifier counts as PII under the VPPA. Since then, two Federal Courts of Appeal have weighed in on the issue:
- In May of 2016, the 1st Circuit Court of Appeals held that static identifiers count as PII when they are accompanied by a subscriber’s GPS coordinates at the time they viewed videos. Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482 (1st Cir. 2016).
- In June of 2016, the 3rd Circuit held that IP addresses, without more indicia of the subscriber’s identity, do not qualify as PII under the VPPA and, therefore, disclosure of that information does not trigger liability under the statute. In re Nickelodeon Consumer Privacy Litig., No. 15-1441 (3d Cir. June 27, 2016).
Both courts noted that the ambiguity inherent in VPPA’s definition of PII prevents absolute rules about the definition of PII, recognizing that context is key when determining what is PII under the VPPA. That is, deciding whether a particular piece of information counts as PII necessarily involves an evaluation of whether that piece of information—when combined with other pieces of information available to the disclosing or receiving party—can be used to identify the person who viewed streaming video. The courts sought to imagine all information that could potentially be used to identify a consumer on a spectrum ranging from the most to least attenuated from the consumer, and the definition of PII under the VPPA is information that can be used to clearly identify the consumer. Obviously, a Circuit split arose from these cases, since not only did the two Federal Appeals Courts answer the question differently as to the specific facts they were evaluating, but the two opinions also demonstrate a wide disparity in logic. Two points of comparison underscore this point:
- Both Courts considered the VPPA’s legislative history—including the 2013 amendments, which did not change the statute’s definition of PII (discussed below)—and came to opposite conclusions about the definition’s scope (with the 1st Circuit deciding for a more inclusive definition and the 3rd Circuit deciding on a more limited definition).
- The Courts gave significantly different weight to similar static identifiers—the 1st Circuit deciding such an identifier was far less attenuated from a person’s identity than the 3rd Circuit did.
Judicial disagreement over statutory definitions is not a novel challenge for privacy and data security compliance programs. For example, the Telephone Consumer Protection Act and the Computer Fraud and Abuse Act are two such privacy statutes that have produced conflicting interpretations of their provisions. Nevertheless, the disparity between the conditions that existed when the VPPA was enacted and those under which it is being litigated today is striking. It is hard to imagine the legislative personalities at the time the law was enacted conceiving of the technology at the center of these disputes.
Several commentators have stated that technology has outpaced the VPPA. The law’s ambiguity will continue to develop in step with new-media consumer products. For example, smart-TV manufacturers have recently faced VPPA lawsuits—a far cry from Blockbuster Video. Congress amended the VPPA in 2013; at the time the amendments were praised as bringing the law into the digital age. However, the amendments dealt primarily with electronic consent and related time periods and failed to update the statutory definitions to reflect the modern conditions of streaming video. This lack of action, specifically with respect to providing a more explicit or detailed definition of PII, was viewed differently by the 1st and 3rd Circuits in the recent cases discussed above.
Until the ambiguity is definitively addressed or the VPPA is amended or replaced, virtually every firm or party involved in producing, hosting, or facilitating streaming video should be cautious when considering VPPA compliance and disclosing consumers’ IP addresses and other static identifiers.