Security

Consumers Win Some, Lose Some in Privacy Legal Tussles

The Walt Disney Company’s recent decision to purchase major assets of 21st Century Fox in a transaction valued at $52 billion underscores the huge potential for distributing information and entertainment via the Internet.

The deal will allow the company to improve its direct-to-consumer offerings, Disney said when it disclosed the transaction early last month.

Digital distribution through personal devices naturally creates an opportunity for providers not only to generate entertainment revenue, but also to obtain valuable data on customers. However, with advances in digital distribution to millions of consumers comes the responsibility to provide adequate protection of private information for each one of those millions.

The providers of streamed content likely will find themselves dealing with a range of privacy laws and regulations, including the Video Privacy Protection Act. In fact, sports programming outlet ESPN, a Disney property, was involved in a recent U.S. appellate court decision brought by a video consumer under the VPPA.

Consumer Challenges ESPN Under Video Law

The ESPN case and other recent litigation involving the VPPA have resulted in a mixed bag of legal outcomes, with both consumers and content providers gaining and losing some legal leverage.

The consumer data gathering and sharing process drove Chad Eichbenberger, a resident of Washington state, to file a class action complaint against ESPN under the VPPA. ESPN captured the device number of Eichenberger’s Roku unit, which he used to access ESPN, as well as a list of the network’s programs that Eichenberger had viewed.

ESPN then disclosed that information to a third party, Adobe Analytics. Eichenberger charged that ESPN violated the VPPA by disclosing private data without his consent. A U.S. District Court in Washington dismissed the complaint, and Eichenberger appealed.

As a result of that appeal, consumers prevailed on one key aspect of the VPPA — the ability to litigate privacy complaints. However, in another highly significant element of the case, the court ruled in favor of ESPN directly, and content providers in general.

On that point, the U.S. Appeals Court for the Ninth Circuit ruled that the data transmitted from ESPN to Adobe did not qualify as protected information and that ESPN consequently did not violate the VPPA.

Consumers Win Legal Status

In many consumer privacy cases, the applicable U.S. law — such as the Fair Credit Reporting Act or the Federal Trade Commission Act — sets up a threshold for the complaining party to go court.

That threshold requires that the complaining party establish that the loss of privacy either caused some tangible loss or harm, such as financial loss, or resulted in the plaintiff having to live with increased risk of harm. If no such harm is present, there is no legal standing to go to court.

In the ESPN case, the Ninth Circuit court ruled that under the VPPA, no such level of harm is required to file a complaint.

The Ninth Circuit said that under the VPPA, ESPN’s alleged conduct violated a substantive right of consumers to “retain control over their personal information,” and thus provided a basis for standing to file a suit.

The ruling conformed with the Electronic Privacy Information Center’s amicus brief filed on behalf of consumers, which contended that in the VPPA Congress created a “statutory damages provision” that is “triggered by a violation of the Act, irrespective of the showing of consequential harm.”

The decision was a bit of a setback for ESPN, which introduced the standing issue in the case, and the ruling opened the door further for consumers to pursue VPPA cases.

“This is something that will be encouraging to plaintiffs who do not need to describe or quantify any harm, and will diminish the defendants’ ability to have cases dismissed,” said Nathanial Wood, counsel for Crowell & Moring.

Privacy Argument Tilts Toward Content Providers

On the other hand, the Ninth Circuit made it more difficult for plaintiffs to prevail in VPPA litigation when the courts address the issue of what exactly constitutes “private” information. In privacy litigation, violations are based on a multilevel classification of data known by the legal term of art as “personally identifiable information,” or PII.

To establish that PII is involved in a VPPA case, the Ninth Circuit ruled, in essence, that two circumstances must be present.

The first is that the only party that can be faulted is the party that discloses the information in the first place. That could be a video rental store clerk — a situation that triggered enactment of the VPPA in 1988, when the legal circumstances literally involved movie rentals.

In the digital age, the disclosing party could be an Internet information streaming provider — but not a third-party data aggregator or analytics service that receives the data from the original discloser and combines it with other information.

The second condition is that if an “ordinary person” cannot easily use the disclosed information to identify the consumer, then no violation has occurred. Thus, information that identifies only a physical product such as Roku unit — but not the product’s owner — would not be considered protected PII under the VPPA, according to the Ninth Circuit.

The court also ruled that disclosing a simple list of programs viewed by the consumer without revealing other identifiable references would not violate the VPPA.

Eichenberger had contended that by turning over the Roku product number and the list of programs he viewed to Adobe Analytics — which then combined that information with other material in a consumer database — ESPN had facilitated the improper disclosure of personal data in violation of the VPPA.

However, in rejecting that argument, the Ninth Circuit ruled that the role of a third-party pass-along entity was not covered by the VPPA. The court observed that the VPPA only “looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.”

The ruling on PII by the Ninth Circuit appears to tilt in favor of content providers for any litigation arising from the VPPA.

“In general, I would say that this is somewhat of a setback for consumers, in that it narrows the scope of personally identifiable information under VPPA,” said Rita Heimes, research director at the International Association of Privacy Professionals.

“The Ninth Circuit has provided some clarity to what types of data do not trigger a VPPA violation, such as device identifiers, and established a test for the district courts to follow when analyzing whether other types of data constitute PII,” Crowell & Moring’s Wood told the E-Commerce Times.

Still, content providers need to be wary of the VPPA, in that other appellate courts have ruled differently. It appears that future rulings under the VPPA could be both device- and content-specific.

“The Ninth Circuit recognized the validity of other cases,” Heimes told the E-Commerce Times, “because the factual basis was different in terms of the device.”

For example, a device with a more inherent capability to identify the user of streamed content — such as a mobile phone with GPS data — could be subject to the VPPA.

John K. Higgins

John K. Higgins has been an ECT News Network reporter since 2009. His main areas of focus are U.S. government technology issues such as IT contracting, cybersecurity, privacy, cloud technology, big data and e-commerce regulation. As a freelance journalist and career business writer, he has written for numerous publications, includingThe Corps Report and Business Week.Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John K. Higgins
More in Security

E-Commerce Times Channels