Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Court Dismisses VPPA Suit Against Netflix

Posted in Litigation, United States

The past few years have witnessed a series of attempts by plaintiffs to apply the Video Privacy Protection Act (“VPPA”) — a statute passed in 1988 to protect against certain disclosures of video rental records — to the video distribution technologies of today.  For example, in Sterk v. Redbox Automated Retail, plaintiffs sued the video kiosk operator for violating the VPPA’s prohibitions against disclosure of video rental data and prolonged retention of such data.  (The Seventh Circuit threw out the retention claim after an interlocutory appeal of the district court ruling, but the disclosure claim is still pending.) 

Mollett v. Netflix, a suit filed under the VPPA (and an analogous California statute, Cal. Civ. Code. § 1799.3) involved yet another attempt at applying the statute in a way that its drafters could not have envisioned.  Noting this and several other infirmities in the complaint, Judge Davila of the Northern District of California dismissed the suit earlier this week. 

 

The Mollett plaintiffs alleged that Netflix violated the VPPA and § 1799.3 by providing its video streaming service through devices (such as Blu-ray players and gaming consoles) in such a way that registered users’ video viewing activities could be seen by other users of the devices. The plaintiffs alleged that the password required to enable the Netflix service on their devices was required only during the initial registration of the devices; thereafter, others accessing Netflix through the devices could readily see the registered members’ activities.  By configuring the setup and access restrictions in this way, the plaintiffs alleged that Netflix violated the VPPA and § 1799.3 by disclosing the the plaintiffs’ video viewing activities to other users of the devices without the plaintiffs’ consent.

Judge Davila held that the complaint was insufficient on two grounds. First, any disclosure by Netflix was authorized as a disclosure to the subscribers (i.e., the plaintiffs) themselves, a disclosure that both statutes permit.  By registering their devices — and leaving them “coupled to their accounts” — the plaintiffs chose to allow other users of their devices to access information allegedly protected by the VPPA and § 1799.3.  (The court did not need to reach the question of whether this information actually was protected by the VPPA or even whether Netflix was a proper VPPA defendant.)  According to the court, the plaintiffs made this choice knowingly because Netflix’s privacy policy had informed them that they “were responsible for maintaining the confidentiality of [their] account information and for restricting access to [the] computer or device through which [they] access[ed] [their] Netflix account[s].”

Second, the court held that the plaintiffs had failed to satisfy the scienter requirement under either the VPPA or§ 1799.3.  As Judge Davila stated, “the court would be unable to draw a reasonable inference from the allegations of the complaint that Netflix knew that people other than the Plaintiffs were present when it displayed [video viewing information] . . . . Those circumstances are necessarily outside of Netflix’s control or potential knowledge when it serves the information to the device.”