May 22, 2022

Volume XII, Number 142

Advertisement
Advertisement

May 20, 2022

Subscribe to Latest Legal News and Analysis

Making VHS Relevant Again: The Uncertain Scope of Personal Information Protected by the Video Privacy Protection Act of 1988

The Ninth Circuit recently became the third federal appellate court to tackle what constitutes “personally identifiable information” protected by the Video Privacy Protection Act of 1988 (“VPPA”). Last year, the First Circuit and the Third Circuit propounded different standards for applying this statute, as they each grappled with the necessary leap from the age of VCRs to modern video services. In Eichenberg v. ESPN, the Ninth Circuit weighed in, adopting the Third Circuit’s approach and holding that a Roku device serial number coupled with the names of videos watched on an ESPN application were not “personally identifiable” within the meaning of the VPPA. The information, the Ninth Circuit reasoned, would not “readily permit an ordinary person to identify a specific individual’s video-watching behavior.” Therefore it was not protected by the VPPA.

The Third Circuit addressed a similar issue last year and held that Viacom did not violate the VPPA by disclosing certain information to Google (a user’s IP address, a user’s browser and operating settings, and a computing device’s unique device identifier). While Viacom was allegedly aware that Google might be able to combine this information with other data in its possession to identify users, an ordinary person would certainly not be able to do so.

Both the Third and the Ninth Circuits concluded that the situations presented were too far removed from the VPPA’s Congressional purpose. Enacted nearly thirty years ago, the VPPA was designed to address a problem that has been rendered virtually obsolete by modern technology: a video rental store’s disclosure without consent of a list of videos rented by a customer. As explained in the legislative history, a Washington, D.C. newspaper published the video rental history of then-Supreme Court nominee Robert H. Bork, and Congress responded by passing the VPPA “[t]o preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.” The statute allows “consumers” to sue a “video service provider,” for “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider.”

Over the last thirty years, technology has dramatically altered how we watch videos and track viewing habits. While the Blockbuster era is over, video watching and the related privacy concerns are more prevalent than ever. Using a customer’s name to monitor viewing history has been replaced with much less obvious identifiers such as login information or device serial numbers. This raises the question: When is information similar enough to a customer’s name on a video rental list such that disclosure would allow identification of a consumer’s viewing history in violation of the VPPA?

The statute itself offers little help. As the First Circuit observed last year, the statutory definition of “personally identifiable information”—that it “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape provider”—is “awkward and unclear.” Congress had the opportunity to clarify the definition of “personally identifiable information” when it passed an amended version of the VPPA in 2013, but declined to do so. It so far has left this issue for the courts to decide.

Of the three Courts of Appeals to address this issue, two—the Third and Ninth Circuits—applied the “ordinary person” standard described above. However, both courts recognized that there remains uncertainty surrounding how the “ordinary person” standard will apply in future cases. Importantly, under the Third and Ninth Circuit’s approach, whether information is “personally identifiable” can change over time. Technological advances may alter whether an “ordinary person” could identify video users based on certain information, including the specific types of information at issue in prior cases.

The other Court of Appeals to address the definition of “personally identifiable information” in the digital age—the First Circuit—focused on whether information was “reasonably and foreseeably likely” to reveal a user’s identity. In dicta, it suggested that disclosing social security numbers to the government “plainly identifies the person,” and that announcing an athlete’s jersey number would allow anyone with a game program to identify the athletes. These two scenarios seem to depart somewhat from the “ordinary person” standard by considering particular resources available to the receiving party, not just the ordinary person.  However, as pointed out by the Third and Ninth Circuits, the actual holding of the First Circuit was consistent with the “ordinary person” approach. It found that the information at issue (GPS coordinates) was “personally identifiable” because “most people” could use it to identify a user. Thus, it remains to be seen if a court would apply a broader definition than the “ordinary person” standard.

© 2022 Proskauer Rose LLP. National Law Review, Volume VII, Number 354
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Amelia Friedman, Litigation Attorney, Proskauer Rose Law Firm
Associate

Amelia Friedman is an associate in the Litigation Department. She focuses on complex civil and commercial litigation matters, including products liability and consumer litigation. Amelia has appeared in state and federal court and in administrative proceedings before the EEOC and MSPB.

Prior to joining Proskauer, Amelia clerked for the Honorable Nancy F. Atlas of the U.S. District Court for the Southern District of Texas. At The University of Texas School of Law, she served as the Administrative Editor of the Texas Law Review, where she was...

310-84-5615
Advertisement
Advertisement
Advertisement