Definition of “PII” Under VPPA Continues to Evolve with 3rd Circuit Ruling
On June 27, 2016, the U.S. Court of Appeals for the 3rd Circuit became the latest appellate court to weigh how the Video Privacy Protection Act (VPPA or “the Act”) – a 1988 statute meant to protect consumer privacy by prohibiting the disclosure of a consumer’s video rentals or purchases from the corner video store – in an online world.
Interpreting the Act for the first time, the court squarely addressed one of the most important issues in modern VPPA litigation: what qualifies as “personally identifiable information” or “PII” protected by the Act. Finding it unadvisable to craft a “single-sentence holding capable of mechanistically deciding future cases,” the court went on to “articulate a more general framework” for determining what information constitutes PII for purposes of the VPPA and concluded that PII is “the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.”
In In re Nickelodeon Consumer Privacy Litigation, the 3rd Circuit reviewed the district court’s dismissal of the plaintiffs’ putative class action against Viacom, Inc. and Google, Inc. claiming the defendants violated federal, California, and New Jersey laws, including the VPPA by allegedly collecting and disclosing online information about children under the age of 13. The court ultimately affirmed the dismissal of all of the plaintiffs’ claims except an intrusion upon seclusion claim under New Jersey law, and remanded the matter back to the district court.
In addressing the VPPA specifically, the 3rd Circuit held that the static digital identifiers at issue in this case, such as IP addresses, browser fingerprints and persistent identifiers found in online advertising cookies, do not qualify as PII. Based on the Act’s legislative history, the court found that “Congress’ purpose in passing the [VPPA] was quite narrow: to prevent disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.” Accordingly, “to an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person.”
The court found that Plaintiffs’ reliance on the Federal Trade Commission’s inclusion of persistent identifiers as “personal information” under the Children’s Online Privacy Protection Act (COPPA) Rule cut against their arguments of such inclusion under the VPPA. The court noted that Congress built flexibility into COPPA by giving the FTC “the authority to expand the types of information that count as personally identifying under that law,” while by contrast, the VPPA “does not empower an administrative agency to augment the definition of ‘personally identifiable information’ in light of changing circumstances or new technologies. The meaning of that phrase in the [VPPA] is, it would appear, more static.” The court also noted that Congress could have updated the definition of PII to include persistent identifiers, such as IP addresses, in its 2013 amendment, but chose not to.
The Nickelodeon decision comes down two months after Yershov v. Gannett Satellite Information Network, Inc., in which the 1st Circuit held that PII under the VPPA includes the GPS coordinates of a device when disclosed with video titles associated with those coordinates. The 3rd Circuit stated that its decision was not in conflict with Yershov because street locations can be easily determined using GPS coordinates and can disclose what are likely to be an individual’s home or work addresses. Therefore, the 3rd Circuit stated that “GPS coordinates contain more power to identify a specific person than…an IP address, device identifier, or browser fingerprint.”
The court also recognized that, if accepted, Plaintiffs’ argument that persistent identifiers must be PII if a third party may be able to correlate enough data points to identify a particular person was both too speculative and lacked any limiting principle:
If an IP address were to count as [PII], either standing alone or coupled with similar data points, then the disclosure of an IP address to any Internet company with registered users might trigger liability under the Act. Indeed the import of the plaintiffs’ position seems to be that the use of third-party cookies on any website that streams video content is presumptively illegal. We do not think the [VPPA] sweeps quite so broadly.
Although the court held the definition of PII under the statute to be static, its framework still allows for a shifting range of what kind of information would fit within the definition. Looking back to Congress’ intent when it passed the Act, the court stated:
the classic example [of PII] will always be a video clerk leaking an individual customer’s video rental history. Every step away from that 1988 paradigm will make it harder for a plaintiff to make out a successful claim. Some disclosures predicated on new technology, such as the dissemination of precise GPS coordinates or customer ID numbers, may suffice. But others…are simply too far afield from the circumstances that motivated the Act’s passage to trigger liability.
Thus, the court ultimately left the scope of PII open, finding that “Congress intended for future courts to read contemporary norms about privacy into the statute’s original text.” As such, the 3rd Circuit’s standard will still require courts to engage in fact-specific inquiries to determine whether disclosures of alleged PII in VPPA cases would readily permit an ordinary person to identify a specific individual’s video-watching behavior. As technology continues to change, we can be sure that what the meaning of PII is will continue to be a hotly litigated topic.