You may be too young for this to have been a big thing to you, but almost 30 years ago, D.C. Circuit Judge Robert Bork was nominated to the Supreme Court, and Washington, D.C. went into a tizzy. Coming as it did just a year after Antonin Scalia joined the Court in 1986, Judge Bork’s nomination had many people very excited and very motivated: some to have him on the Court, and some to keep him off. In the midst of this hooha, a writer at the Washington City Paper thought it would be cool if Bork’s local video store would share a list of the judge’s rentals. It did. And at the time it was completely legal for the store to share the list. But even Bork opponents thought that was a creepy idea, and Congress soon passed the Video Privacy Protection Act to prohibit such privacy breaches in the future. The Act created a civil remedy against a “video tape service provider” for “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider.” 18 U.S.C. § 2710(b)(1). The First Circuit answered some questions about the statute last Friday.
Facts
All of the “facts” that follow come from a complaint that the court of appeals assumed to be true. But . . . fast forward to 2016, when Gannett publishes USA Today and offers the newspaper’s content through a mobile software app called the “USA Today Mobile App.” Let’s call it – I don’t know – the “App.” The App allows users to access this content, including videos, on their mobile devices. When opened for the first time, the App presents a screen that seeks the user’s permission for it to “push” or display notifications on the device. After choosing “Yes” or “No,” the user is directed to the App’s main user interface. During this process, the App does not seek or obtain the user’s consent to disclose anything about the user to third parties. But Gannett apparently does disclose information about users to third parties, specifically Adobe Systems, Inc., which collects disparate pieces of information about users and compiles “an intimate look at the different types of materials consumed by the individual.” Each time the user views a video clip on the App, Gannett sends Adobe (1) the title of the video viewed, (2) the GPS coordinates of the device at the time the video was viewed, and (3) certain identifiers associated with the user’s device, such as its unique Android ID.
Adobe takes this and other information culled from a variety of sources to create user profiles comprised of a given user’s personal information, online behavioral data, and device identifiers. While Gannett does not send names and physical addresses to Adobe from the App, the information Adobe eventually amasses may include the user’s name and address, age and income, “household structure,” and online navigation and transaction history. All of this information allows Adobe’s clients, such as Gannett, “to . . . accurately target advertisements to its users.”
Alexander Yershov was one of those users. Every time he watched a video clip on the App, Gannett disclosed to Adobe the title of the viewed video, Yershov’s unique Android ID, and the GPS coordinates of Yershov’s device at the time the video was viewed. Using this information, Adobe was able to identify Yershov and link the videos he had viewed to his individualized profile maintained by Adobe. This must have really ground Yershov’s gears, because he brought a putative class action suit against Gannett for disclosing this information under the Video Privacy Protection Act.
Issues
The First Circuit faced two main issues on the review of the district court’s grant of Gannett’s motion to dismiss. First, was the information Gannett gave to Adobe “personally identifiable information” under the statute? The court of appeals agreed with the district court that it was. The statutory definition – information that “identifies a person as having [obtained a video]” is not terribly helpful. But the court noted that “[m]any types of information other than a name can easily identify a person,” and held that the information Gannett sent to Adobe about Yershov got past the threshold.
Second, was Yershov a “consumer” under the Act? To be a consumer, he would have to be a renter, purchaser, or subscriber of Gannett’s videos. He had not paid money to watch the videos, so he wasn’t a renter or purchaser. Was he a subscriber? Without a statutory definition, the court applied standard dictionary definitions and found that he was. One such definition said that “subscribe” meant “[t]o receive or be allowed to access electronic texts or services by subscription,” with “subscription” defined, in turn, to include “[a]n agreement to receive or be given access to electronic texts or services.” As the court said:
This is just what we have here: Gannett offered and Yershov accepted Gannett’s proprietary mobile device application as a tool for directly receiving access to Gannett’s electronic text and videos without going through other distribution channels, much like how a newspaper subscriber in 1988 could, if he wished, retrieve a copy of the paper in a box at the end of his driveway without having to go look for it at a store
The court went on to note that by using the App to establish seamless access to an electronic version of USA Today, Yershov established a relationship with Gannett that is materially different from what would have been the case had USA Today simply remained one of millions of sites on the web that Yershov might have accessed through a web browser. And while Yershov didn’t pay Gannett money, the videos weren’t free: he did provide the company with his Android ID and his mobile device’s GPS location whenever he viewed a video.
What It Means
Is your company producing or offering videos on its digital platforms for public consumption? Are you taking information about your users and selling it or otherwise giving it to third parties? If so, here are the things you’ll want to consider:
- If your users are downloading an app or registering in a way that could be viewed as “subscription” to allow viewing videos, you may be at risk and will want to address with your lawyers what information about your users you share with third parties, whether it is enough to constitute “personal information” under the VPPA and whether and how you to obtain the requisite consent from the user under the VPPA. The definition of “subscription” is still not clear across all jurisdictions. In a similar case from last year, Ellis v. The Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. 2015), the indicia of commitment were much lower, and the court held the viewer not to be a “subscriber.”
- What information are you collecting from your users? Not everything will fall under the category of “personally identifiable information”—a term that means different things under different federal and state laws. But the more you collect, the more times you collect it, the more likely it is that you will maintain data that triggers various risks and obligations under state or federal laws.
- Do you want to have that information? As alleged in the complaint in this case, Gannett did. But your corporate needs may be different, and abstaining from collecting the information from viewers in the first place might be a reasonable option. Most important, understanding what it means to have that information is critical.
Finally, Yershov is not the final word on this subject. The reversal here only allows the case to proceed to discovery, so we may yet learn more about what amounts to “subscription” in this context.
Add a comment
Archives
- January 2022
- June 2021
- March 2020
- August 2019
- March 2019
- October 2018
- July 2016
- June 2016
- May 2016
- February 2016
- November 2015
- September 2015
- July 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- July 2014
- March 2014
- July 2013
- June 2013
- April 2013
- March 2013
- October 2012
- September 2012
- August 2012
- April 2012
- March 2012
- February 2012
- January 2012
- November 2011
- September 2011
- June 2011
- May 2011
- April 2011
- February 2011
- January 2011
- December 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2006
- February 2006
Recent Posts
- Rethinking Your Cyber Insurance Needs as Your Workplace Evolves
- Data Breach Defense for Educational Institutions
- COVID-19 and the Increased Cybersecurity Risk in a Work-From-Home World
- Like Incorporating Facebook into your Website? EU Decision Raises New Issues
- Lessons Learned: Key Takeaways for Every Business from the Capital One Data Breach
- Will Quick Talks to WRAL About Privacy Issues Related to Doorbell Cameras
- About Us
- Not in My House - California to Regulate IoT Device Security
- Ninth Circuit Says You’re Going to Jail for Visiting That Website without Permission
- Ninth Circuit Interprets “Without Authorization” under the Computer Fraud and Abuse Act
Topics
- Data Security
- Data Breach
- Privacy
- Defamation
- Public Records
- Cyberattack
- FCC Matters
- Reporters Privilege
- Political Advertising
- Newsroom Subpoenas
- Shield Laws
- Internet
- Miscellaneous
- Digital Media and Data Privacy Law
- Indecency
- First Amendment
- Anti-SLAPP Statutes
- Fair Report Privilege
- Prior Restraints
- Education
- Wiretapping
- Access to Courtrooms
- FOIA
- HIPAA
- Drone Law
- Access to Search Warrants
- Access to Court Dockets
- Intrusion
- First Amendment Retaliation
- Mobile Privacy
- Newsroom Search Warrants
- About This Blog
- Disclaimer
- Services