On Tuesday, March 31, the U.S. District Court for the Northern District of California granted Hulu’s motion for summary judgment in a complaint alleging that Hulu had violated the Video Privacy Protection Act (VPPA) by sharing user information with Facebook.  In granting summary judgment, the court found no genuine issue of material fact regarding whether Hulu “knowingly” disclosed video viewing information connected to individual Hulu users to Facebook, a required element for VPPA liability.  While the court’s holding may be too fact-bound to have widespread impact on other VPPA cases, it does highlight the important role of the VPPA’s knowledge requirement in determining liability under the statute.

The case, In re Hulu Privacy Litigation, was originally filed in 2011 as a putative class action alleging that Hulu had violated the VPPA by disclosing information about users’ identities and videos viewed to third parties.  Although the case originally alleged VPPA claims over Hulu’s disclosures of viewing information to several third parties, the court denied class certification and dismissed VPPA claims regarding all disclosures except those to Facebook in April 2014.  (Covington partners Simon Frankel and Emily Henn joined Hulu’s litigation team as co-counsel in January 2014, several months before that earlier ruling.)  The remaining claim against Facebook alleged that, in order to implement a Facebook “like” button on pages where Hulu users watched videos, Hulu separately sent Facebook the page’s URL, in which the video’s title was embedded, and a “c_user” cookie that could contain a Hulu user’s Facebook ID in a numeric format if the user was logged into Facebook.  Hulu argued that providing these two data points separately to Facebook did not constitute a “disclosure” under the VPPA, and that Hulu had no knowledge that Facebook would link them to determine that a specific user had “requested or obtained” the video from that watch page.

The VPPA prohibits a “video tape service provider” from “knowingly” disclosing “personally identifiable information” that “includes information which identifies a person as having requested or obtained specific video materials or services” from the provider.  The court agreed with Hulu that neither the c_user cookie nor the URL qualified as a prohibited disclosure under the VPPA, as neither piece of information, by itself, identified an individual and the video materials or services that individual requested.  As a result, the court held that the plaintiffs had to show more than the mere fact that this information was disclosed to Facebook.  Instead, the court required plaintiffs to demonstrate a “‘connection’ of the two” pieces of information that would “create[] the ‘disclosure’ of PII that the VPPA requires.”

On this point, the court rejected the plaintiffs’ argument that Hulu knew that Facebook could combine the information from these two pieces of information together to tie a Hulu user to the videos he or she watched, holding that the plaintiffs had not shown that Hulu worked together with Facebook to communicate this information in separate forms.  Quoting directly from Hulu’s brief, the court held that Hulu “could not have ‘knowingly’ disclosed PII to Facebook unless it knew that Facebook was combining the Facebook user ID with the video title embedded in Hulu’s watch page URL” to link an individual to specific video materials that the individual has requested or obtained.

Magistrate Judge Laurel Beeler emphasized the VPPA’s requirement of a “knowing” disclosure, noting that the plaintiffs failed to establish any genuine issue of material fact regarding whether Hulu knew that Facebook could combine these pieces of information to connect users to the videos they viewed.  Referencing the disclosure of Supreme Court nominee Robert Bork’s video rental history, the catalyst for the passage of the VPPA, Judge Beeler noted that Hulu’s disclosures were analogous to a video provider handing over two separate pieces of paper to a reporter, one with a list of videos and one with an individual’s name.  Unless “both parties understood how the name and titles were related,” these separate disclosures could not form the basis for VPPA liability.

Judge Beeler also rejected the plaintiffs’ arguments that Hulu knew it was disclosing user identities through the “c_user” cookie while acknowledging that proof of this element, without proof of a connection to a user’s viewing history, could not form the basis for a VPPA claim.  Although the plaintiffs argued that an optional feature of the Facebook like button, “show_faces,” should have alerted Hulu to the fact that Facebook could identify Hulu users, Judge Beeler noted Hulu had not enabled this feature in the U.S., and no evidence in the record indicated what, if any, information was sent to Facebook without this feature fully enabled.  Judge Beeler also dismissed the plaintiffs’ reliance on evidence that the c_user cookie was present during Hulu’s internal testing, noting the lack of proof that “anyone at Hulu saw this, knew generally what c_user signified, or recognized . . . [the number included within the cookie] as a Facebook ID.”  Finally, Judge Beeler also rejected the plaintiffs’ reliance on internal Hulu emails regarding cookies and Hulu’s privacy policy, finding that these generalized communications did not address “the Like button, the c_user cookie, the watch-page URLs, or any connection among these things.”

While the court’s decision may be too fact-specific to have a wide impact on future VPPA cases, it does emphasize the importance of the knowledge element in VPPA claims.  Future arguments regarding the VPPA’s knowledge requirement will turn on what video providers knew about any specific information that may have disclosed, especially regarding what third parties did with that information.  Although the disclosure of information via a URL and separate cookie proved key to the question of VPPA liability in this case, the court’s opinion indicates that entities likely cannot avoid VPPA liability by separating disclosures to third parties if those entities know these elements will subsequently be combined to disclose the specific video choices of an identified individual.  Diligence and proper controls over use of disclosed information by recipients remain key for entities seeking to reduce the risk of future VPPA liability.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.