A New York district court opinion is the latest addition to our watch of ongoing VPPA-related disputes, a notable decision on the issue of what exactly is a disclosure of “personally identifiable information” (PII) under the VPPA. Does PII refer to information which must, without more, link an actual person to actual video materials? Or are there circumstances where the disclosure of video viewing data and a unique device ID constitute disclosure of PII?
In Robinson v. Disney Online, No. 14-04146 (S.D.N.Y. Oct. 20, 2015), the plaintiff claimed that the Disney Channel app transmitted video viewing data and his Roku device serial number to a third-party analytics company for data profiling purposes each time he viewed a video clip, constituting a violation of the VPPA. In particular, the plaintiff did not argue that the information disclosed by Disney constituted PII by itself, but rather that the disclosed information was PII because the analytics company could potentially identify him by “linking” these disclosures with “existing personal information” obtained elsewhere. In dismissing the action, the court held that PII is information which itself identifies a particular person as having accessed specific video materials, and whereas names and addresses, as a statutory matter, identify a specific person, an anonymized Roku serial number merely identifies a device.
“Indeed, the most natural reading of PII suggests that it is the information actually disclosed by a ‘video tape service provider,’ which must itself do the identifying that is relevant for purposes of the VPPA…not information disclosed by a provider, plus other pieces of information collected elsewhere by non-defendant third parties.”
“Disney’s liability turns only on whether the information it disclosed itself identified a specific person. It did not. Thus, [the analytics company’s] ability to identify Robinson by linking this disclosure with other information is of little significance.”
Rejecting the plaintiff’s expansive definition of PII under the statute, the court noted that if nearly any piece of information could, with enough effort, be combined with other information to identify a person, “then the scope of PII would be limitless.” Ultimately, the court settled on the definition of PII as being “information which itself identifies a particular person as having accessed specific video materials.” Yet, the court noted that in certain circumstances, “context may matter,” to the extent other information disclosed by the provider permits a “mutual understanding that there has been a disclosure of PII.” For example, according to the court, a provider could not evade liability if it disclosed video viewing data and a device ID, along with a code that enabled a third party to identify the specific device’s user. However, as the court found, while Disney may have disclosed the plaintiff’s Roku serial number, it did not disclose a correlated decryption table or other identifying information that would enable a third-party analytics company to decrypt the hashed Roku serial number and other information necessary to identify the specific device’s user.
The Robinson case is an important ruling for companies that deliver video to customers via digital streaming devices (or even via mobile devices), as the court made a narrow reading of the scope of liability under the VPPA. However, with multiple VPPA suits currently before federal appeals courts (many of which concerning the disclosure of an anonymous device ID), the debate is far from over and we will continue to monitor the latest rulings in this emerging area.