A New York district court opinion is the latest addition to our watch of ongoing VPPA-related disputes, a notable decision on the issue of what exactly is a disclosure of “personally identifiable information” (PII)  under the VPPA.  Does PII refer to information which must, without more, link an actual person to actual video materials?  Or are there circumstances where the disclosure of video viewing data and a unique device ID constitute disclosure of PII?

In Robinson v. Disney Online, No. 14-04146 (S.D.N.Y. Oct. 20, 2015), the plaintiff claimed that the Disney Channel app transmitted video viewing data and his Roku device serial number to a third-party analytics company for data profiling purposes each time he viewed a video clip, constituting a violation of the VPPA.  In particular, the plaintiff did not argue that the information disclosed by Disney constituted PII by itself, but rather that the disclosed information was PII because the analytics company could potentially identify him by “linking” these disclosures with “existing personal information” obtained elsewhere.  In dismissing the action, the court held that PII is information which itself identifies a particular person as having accessed specific video materials, and whereas names and addresses, as a statutory matter, identify a specific person, an anonymized Roku serial number merely identifies a device.

“Indeed, the most natural reading of PII suggests that it is the information actually disclosed by a ‘video tape service provider,’ which must itself do the identifying that is relevant for purposes of the VPPA…not information disclosed by a provider, plus other pieces of information collected elsewhere by non-defendant third parties.”

“Disney’s liability turns only on whether the information it disclosed itself identified a specific person. It did not. Thus, [the analytics company’s] ability to identify Robinson by linking this disclosure with other information is of little significance.”

Rejecting the plaintiff’s expansive definition of PII under the statute, the court noted that if nearly any piece of information could, with enough effort, be combined with other information to identify a person, “then the scope of PII would be limitless.”  Ultimately, the court settled on the definition of PII as being “information which itself identifies a particular person as having accessed specific video materials.”  Yet, the court noted that in certain circumstances, “context may matter,” to the extent other information disclosed by the provider permits a “mutual understanding that there has been a disclosure of PII.”  For example, according to the court, a provider could not evade liability if it disclosed video viewing data and a device ID, along with a code that enabled a third party to identify the specific device’s user. However, as the court found, while Disney may have disclosed the plaintiff’s Roku serial number, it did not disclose a correlated decryption table or other identifying information that would enable a third-party analytics company to decrypt the hashed Roku serial number and other information necessary to identify the specific device’s user.

The Robinson case is an important ruling for companies that deliver video to customers via digital streaming devices (or even via mobile devices), as the court made a narrow reading of the scope of liability under the VPPA.  However, with multiple VPPA suits currently before federal appeals courts (many of which concerning the disclosure of an anonymous device ID), the debate is far from over and we will continue to monitor the latest rulings in this emerging area.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.