Ninth Circuit's Decision Chips Away At Consumer Privacy Protections
Litigation arising from the disclosure of personal information has exploded as technology allows consumers to interface with various media platforms and make purchases in ways never before. But what really is “personal information”? Courts and legislatures have made clear that certain pieces of information are clearly personal information, such as your name, social security number, date of birth, credit profile, and even biographical information such as facial markers taken from your digital photos. See generally
15 U.S.C.A. § 1681b et seq. (regarding the permissible purposes of sharing consumer report information); Rivera v. Google Inc.,
238 F. Supp. 3d 1088 (N.D. Ill. 2017) (finding Illinois Biometric Information Privacy Act applies to face templates taken from digital photos).
There is even a law called the Video Privacy Protection Act, 18 U.S.C. § 2710 et seq. (“VPPA”), that prohibits the disclosure of information that can specifically identify you and the videos you have watched, i.e., “personally identifiable information” or “PII” for short. What constitutes PII under the VPPA has been litigated over the years, and federal courts have created two different standards: (1) information reasonably and foreseeably
likely to reveal who you are and the videos you watched; and (2) information that readily allows an ordinary person
to identify you and the videos you watched. Compare Yershov v. Gannett Satellite Info. Network, Inc.,
820 F.3d 482, 486 (1st Cir. 2016) (GPS coordinate along with identity of video was PII) with In re Nickelodeon Consumer Privacy Litig.,
827 F.3d 262, 290 (3d Cir. 2016) (unique IP address was not PII).
The first standard focuses on what the discloser should reasonably expect if the information is disclosed to a given person, while the second standard focuses on the nature of the disclosed information itself and whether an ordinary person could discern the identity of the person about whom the information pertains. The result has been that the first standard is broader and is more likely to lead to liability.
Just last month, the Ninth Circuit Court of Appeals decided to enter the fight and adopted the second, “ordinary person” standard. Eichenberger v. ESPN, Inc.,
Appeal No. 15-35449 (9th Cir. Nov. 29, 2017). In Eichenberger
, the plaintiffs filed a lawsuit alleging that ESPN violated VPPA because it disclosed to Adobe analytics, without his consent, the serial number on his Roku – a media streaming device – and the videos he watched. Adobe analytics then matched that information to other information in Adobe’s database, such as email addresses and Facebook profiles.
The lower court granted ESPN’s motion to dismiss under Federal Rule of Civil Procedure 12(b)(6), finding that the information ESPN sent to Adobe was not “personally identifiable information.” The Ninth Circuit agreed, noting that the plaintiff conceded that, without Adobe’s database, the information provided by ESPN cannot
identify an individual. The court justified its finding by looking to how VPPA would have operated at the time of its enactment:
In 1988, the Internet had not yet transformed the way that individuals and companies use consumer data—at least not to the extent that it has today. Then, the VPPA's instructions were clear. The manager of a video rental store in Los Angeles understood that if he or she disclosed the name and address of a customer—along with a list of the videos that the customer had viewed—the recipient of that information could identify the customer. By contrast, it was clear that, if the disclosure were that “a local high school teacher” had rented a particular movie, the manager would not have violated the statute. That was so even if one recipient of the information happened to be a resourceful private investigator who could, with great effort, figure out which of the hundreds of teachers had rented the video. Plaintiff’s Roku device serial number is like the information in the latter scenario. It creates a sizable “pool” of possible viewers—here, Roku users—just as the information in the latter example does—there, high school teachers.
This author thinks the Ninth Circuit’s scenario is flawed. It fails to consider whether the video store manager would know that the person to whom the information was disclosed could identify who the teacher was. What if, for example, the recipient knew there was only one high school teacher, or knew the preferences of a group of local teachers to the extent that they know which movie a person would watch? The equities are upset if the manager can escape liability by tailoring his disclosure so that people who know about the customer can identify the customer, but people who do not know about the customer cannot.
Further, the Ninth Circuit acknowledged in its opinion that “modern technology may indeed alter—or have already altered—what qualifies [as PII].” The technology exists, reflected by Adobe’s capabilities in Eichenberger
Thus, the issue is not the technology itself, but how prevalent that technology is and who has it. Under the Ninth Circuit’s ruling, so long as corporations can identify persons by means not available to the average person, they get a free pass on violating the VPPA.