The Ninth Circuit recently became the third federal appellate court to tackle what constitutes “personally identifiable information” protected by the Video Privacy Protection Act of 1988 (“VPPA”). Last year, the First Circuit and the Third Circuit propounded different standards for applying this statute, as they each grappled with the necessary leap from the age of VCRs to modern video services. In Eichenberg v. ESPN, the Ninth Circuit weighed in, adopting the Third Circuit’s approach and holding that a Roku device serial number coupled with the names of videos watched on an ESPN application were not “personally identifiable” within the meaning of the VPPA. The information, the Ninth Circuit reasoned, would not “readily permit an ordinary person to identify a specific individual’s video-watching behavior.” Therefore it was not protected by the VPPA.
The Third Circuit addressed a similar issue last year and held that Viacom did not violate the VPPA by disclosing certain information to Google (a user’s IP address, a user’s browser and operating settings, and a computing device’s unique device identifier). While Viacom was allegedly aware that Google might be able to combine this information with other data in its possession to identify users, an ordinary person would certainly not be able to do so.
Both the Third and the Ninth Circuits concluded that the situations presented were too far removed from the VPPA’s Congressional purpose. Enacted nearly thirty years ago, the VPPA was designed to address a problem that has been rendered virtually obsolete by modern technology: a video rental store’s disclosure without consent of a list of videos rented by a customer. As explained in the legislative history, a Washington, D.C. newspaper published the video rental history of then-Supreme Court nominee Robert H. Bork, and Congress responded by passing the VPPA “[t]o preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.” The statute allows “consumers” to sue a “video service provider,” for “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider.”
Over the last thirty years, technology has dramatically altered how we watch videos and track viewing habits. While the Blockbuster era is over, video watching and the related privacy concerns are more prevalent than ever. Using a customer’s name to monitor viewing history has been replaced with much less obvious identifiers such as login information or device serial numbers. This raises the question: When is information similar enough to a customer’s name on a video rental list such that disclosure would allow identification of a consumer’s viewing history in violation of the VPPA?
The statute itself offers little help. As the First Circuit observed last year, the statutory definition of “personally identifiable information”—that it “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape provider”—is “awkward and unclear.” Congress had the opportunity to clarify the definition of “personally identifiable information” when it passed an amended version of the VPPA in 2013, but declined to do so. It so far has left this issue for the courts to decide.
Of the three Courts of Appeals to address this issue, two—the Third and Ninth Circuits—applied the “ordinary person” standard described above. However, both courts recognized that there remains uncertainty surrounding how the “ordinary person” standard will apply in future cases. Importantly, under the Third and Ninth Circuit’s approach, whether information is “personally identifiable” can change over time. Technological advances may alter whether an “ordinary person” could identify video users based on certain information, including the specific types of information at issue in prior cases.
The other Court of Appeals to address the definition of “personally identifiable information” in the digital age—the First Circuit—focused on whether information was “reasonably and foreseeably likely” to reveal a user’s identity. In dicta, it suggested that disclosing social security numbers to the government “plainly identifies the person,” and that announcing an athlete’s jersey number would allow anyone with a game program to identify the athletes. These two scenarios seem to depart somewhat from the “ordinary person” standard by considering particular resources available to the receiving party, not just the ordinary person. However, as pointed out by the Third and Ninth Circuits, the actual holding of the First Circuit was consistent with the “ordinary person” approach. It found that the information at issue (GPS coordinates) was “personally identifiable” because “most people” could use it to identify a user. Thus, it remains to be seen if a court would apply a broader definition than the “ordinary person” standard.