Digital Media and Data Privacy Law Blog

You may be too young for this to have been a big thing to you, but almost 30 years ago, D.C. Circuit Judge Robert Bork was nominated to the Supreme Court, and Washington, D.C. went into a tizzy.  Coming as it did just a year after Antonin Scalia joined the Court in 1986, Judge Bork’s nomination had many people very excited and very motivated: some to have him on the Court, and some to keep him off.  In the midst of this hooha, a writer at the Washington City Paper thought it would be cool if Bork’s local video store would share a list of the judge’s rentals.  It did.  And at the time it was completely legal for the store to share the list.  But even Bork opponents thought that was a creepy idea, and Congress soon passed the Video Privacy Protection Act to prohibit such privacy breaches in the future.  The Act created a civil remedy against a “video tape service provider” for “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider.” 18 U.S.C. § 2710(b)(1).  The First Circuit answered some questions about the statute last Friday.

Facts               

All of the “facts” that follow come from a complaint that the court of appeals assumed to be true.  But . . . fast forward to 2016, when Gannett publishes USA Today and offers the newspaper’s content through a mobile software app called the “USA Today Mobile App.”  Let’s call it – I don’t know – the “App.”  The App allows users to access this content, including videos, on their mobile devices.  When opened for the first time, the App presents a screen that seeks the user’s permission for it to “push” or display notifications on the device.  After choosing “Yes” or “No,” the user is directed to the App’s main user interface. During this process, the App does not seek or obtain the user’s consent to disclose anything about the user to third parties.  But Gannett apparently does disclose information about users to third parties, specifically Adobe Systems, Inc., which collects disparate pieces of information about users and compiles “an intimate look at the different types of materials consumed by the individual.”  Each time the user views a video clip on the App, Gannett sends Adobe (1) the title of the video viewed, (2) the GPS coordinates of the device at the time the video was viewed, and (3) certain identifiers associated with the user’s device, such as its unique Android ID.

Adobe takes this and other information culled from a variety of sources to create user profiles comprised of a given user’s personal information, online behavioral data, and device identifiers.   While Gannett does not send names and physical addresses to Adobe from the App, the information Adobe eventually amasses may include the user’s name and address, age and income, “household structure,” and online navigation and transaction history.  All of this information allows Adobe’s clients, such as Gannett, “to . . . accurately target advertisements to its users.”

Alexander Yershov was one of those users.  Every time he watched a video clip on the App, Gannett disclosed to Adobe the title of the viewed video, Yershov’s unique Android ID, and the GPS coordinates of Yershov’s device at the time the video was viewed. Using this information, Adobe was able to identify Yershov and link the videos he had viewed to his individualized profile maintained by Adobe.  This must have really ground Yershov’s gears, because he brought a putative class action suit against Gannett for disclosing this information under the Video Privacy Protection Act.

Issues

The First Circuit faced two main issues on the review of the district court’s grant of Gannett’s motion to dismiss.  First, was the information Gannett gave to Adobe “personally identifiable information” under the statute?  The court of appeals agreed with the district court that it was.   The statutory definition – information that “identifies a person as having [obtained a video]” is not terribly helpful.  But the court noted that “[m]any types of information other than a name can easily identify a person,” and held that the information Gannett sent to Adobe about Yershov got past the threshold.

Second, was Yershov a “consumer” under the Act?  To be a consumer, he would have to be a renter, purchaser, or subscriber of Gannett’s videos.  He had not paid money to watch the videos, so he wasn’t a renter or purchaser.  Was he a subscriber?  Without a statutory definition, the court applied standard dictionary definitions and found that he was.  One such definition  said that “subscribe” meant “[t]o receive or be allowed to access electronic texts or services by subscription,” with “subscription” defined, in turn, to include “[a]n agreement to receive or be given access to electronic texts or services.”  As the court said:

This is just what we have here: Gannett offered and Yershov accepted Gannett’s proprietary mobile device application as a tool for directly receiving access to Gannett’s electronic text and videos without going through other distribution channels, much like how a newspaper subscriber in 1988 could, if he wished, retrieve a copy of the paper in a box at the end of his driveway without having to go look for it at a store

The court went on to note that by using the App to establish seamless access to an electronic version of USA Today, Yershov established a relationship with Gannett that is materially different from what would have been the case had USA Today simply remained one of millions of sites on the web that Yershov might have accessed through a web browser.  And while Yershov didn’t pay Gannett money, the videos weren’t free: he did provide the company with his Android ID and his mobile device’s GPS location whenever he viewed a video. 

What It Means

Is your company producing or offering videos on its digital platforms for public consumption?  Are you taking information about your users and selling it or otherwise giving it to third parties?  If so, here are the things you’ll want to consider:

• If your users are downloading an app or registering in a way that could be viewed as “subscription” to allow viewing videos, you may be at risk and will want to address with your lawyers what information about your users you share with third parties, whether it is enough to constitute “personal information” under the VPPA and whether and how you to obtain the requisite consent from the user under the VPPA.  The definition of “subscription” is still not clear across all jurisdictions.  In a similar case from last year, Ellis v. The Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. 2015), the indicia of commitment were much lower, and the court held the viewer not to be a “subscriber.” 

• What information are you collecting from your users?  Not everything will fall under the category of “personally identifiable information”—a term that means different things under different federal and state laws.  But the more you collect, the more times you collect it, the more likely it is that you will maintain data that triggers various risks and obligations under state or federal laws. 

• Do you want to have that information?  As alleged in the complaint in this case, Gannett did.  But your corporate needs may be different, and abstaining from collecting the information from viewers in the first place might be a reasonable option.  Most important, understanding what it means to have that information is critical.

Finally, Yershov is not the final word on this subject.  The reversal here only allows the case to proceed to discovery, so we may yet learn more about what amounts to “subscription” in this context.