Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

Limits of the VPPA: Ninth Circuit Panel Upholds Dismissal of VPPA Claim in Eichenberger v. ESPN, But Creates Low Bar for Satisfying Article III

Share

A federal circuit court recently rules that there was no actionable violation of the Video Privacy Protection Act (VPPA) when ESPN shared a user’s movie streaming device serial number with a third party.

A three judge panel of the U.S. Court of Appeals of the 9th Circuit unanimously affirmed a district court decision dismissing a claim alleging a violation of the VPPA, holding that the serial number of a Roku movie streaming device is not “personally-identifiable information” under the statute in Eichenberger v. ESPN, Inc., No. 15-35499 (9th Cir.).  In so doing, however, the Ninth Circuit also joined the Third and Eleventh Circuits in holding that, when alleging a violation of the VPPA, allegations of additional consequences stemming from the violation are not necessary to meet Article III’s standing requirement.

ESPN’s argument and the standing requirement under Spokeo

Plaintiff Chad Eichenberger sued ESPN for allegedly disclosing without consent his video viewing history to a third party, Adobe Analytics.  Eichenberger alleged that ESPN made this disclosure by enabling Adobe to access data linking video viewing histories to particular serial numbers associated with individual Roku devices.  According to the complaint, Adobe then allegedly combines the information with other data about an individual obtained from other sources, and returns aggregated demographic information back to ESPN to help ESPN understand its viewers and their interests.

Eichenberger argued that although ESPN did not directly identify the serial number as being associated with him,  ESPN nevertheless violated the VPPA because ESPN knew that Adobe would use the serial number information to identify him.

The panel started by addressing ESPN’s argument that the harms alleged by Eichenberger were not sufficiently concrete and particularized to confer standing under the Supreme Court’s decision in Spokeo v. Robins. In Spokeo, the court concluded that the mere allegation of a statutory violation is not, as a matter of law, sufficient to provide standing unless conduct constituting the statutory violation independently represents a concrete and particularized injury.

The panel rejected ESPN’s argument, finding that whereas Spokeo “concerned procedural violations of the [Fair Credit Reporting Act] that would not invariably injure a concrete interest,”
“the VPPA provision at issue here[] codifies a context-specific extension of the substantive right to privacy.”

Thus, according to the panel, “every disclosure of an individual’s ‘personally identifiable information’ and video-viewing history offends the interests that the statute protects.”  Thus, the panel held that a plaintiff need not identify any “further harm” arising from the alleged violation in order to have standing.  In so holding, the panel agreed with the decisions in Perry v. Cable News Network, Inc., 854 F.3d 1336 (11th Cir. 2017) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3rd Cir. 2016).

Court applies “ordinary person” standard

The plaintiff’s victory was short-lived, however: having found that Eichenberger had standing to assert a claim, the panel agreed with the district court that he had failed to actually state a claim because the information allegedly disclosed by ESPN was not “personally identifiable information” within the meaning of the VPPA.

The panel started its analysis seeming to agree with the plaintiff: by acknowledging that the definition of personally identifiable information under the VPPA includes more than just information which, by itself, can identify an individual as having watched certain programming, and includes information “that can be used to identify an individual.”

The panel thus posed the key question: “Under the VPPA, what information did Congress intend to cover as ‘capable of’ identifying an individual?”  The panel weighed two alternatives, the “reasonably and foreseeably likely” standard adopted by the First Circuit and the “ordinary person” standard adopted by the Third Circuit, and adopted the latter.

The panel provided two main reasons for its decision.  First, the panel explained that the ordinary person standard better informs providers of their obligations because it focuses on what information a provider discloses, not what a recipient decides to do with it.  Second, the panel explained that the ordinary person standard fits within the framework that Congress had in mind in 1988 when it enacted the VPPA—a pre-internet time when companies did not have access to big data.

Applying that standard, the panel agreed with the district court that Eichenberger’s complaint had failed to state an actionable violation of the VPPA, because, as Eichenberger conceded, ESPN’s disclosure of his Roku device’s serial number and the videos he watched “cannot identify an individual unless it is combined with other data in Adobe’s possession—data that ESPN never disclosed and apparently never even possessed.”

The decision is a mixed bag for video streaming companies and other firms that process online video viewership data.  While the adoption of the “ordinary person” standard provides greater certainty regarding what information can be shared without risking a VPPA suit, the panel’s standing analysis creates a very low bar for satisfying Article III.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Justin Kay

Justin is a partner in the firm's Business Litigation group. Read Justin's full bio on the Faegre Drinker website.

Receive Email Alerts to New Articles

SUBSCRIBE

December 11, 2017
Written by: Justin Kay
Category: Privacy

Post navigation

Previous Previous post: Investigation Continues After Massive Data Breach at Henry Ford Health System
Next Next post: Smartwatch News: Privacy Edition

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT