In 2014, Chad Eichenberger sued the Entertainment and Sports Programming Network (“ESPN”) in a class action lawsuit claiming that the company gave away the personal information of consumers who used the WatchESPN app to Adobe Systematics Inc.1 Eichenberger accessed the WatchESPN channel through his Roku Box (a digital-media streaming device). Eichenberger claimed that every time he watched the channel, ESPN gave his personal information away in the form of his unique Roku serial ID and listed the videos he watched.2 The complaint alleged that once Adobe had this information it could cross-reference it with information Adobe already had (e-mails and profile information) to identify Eichenberger specifically through a process known as visitor stitching.3 Ultimately, the complaint alleged that WatchESPN’s disclosures subject ESPN to liability under the Video Privacy Protection Act.
The Video Privacy Protection Act (“VPPA”) was enacted in 1988 and is codified at 18 U.S.C. § 2710. The VPPA was adopted in reaction to a newspaper publishing Robert Bork’s video rental history during Bork’s Supreme Court nomination.4 The purpose of the VPPA was to preserve personal privacy with respect to the rental, purchase, or delivery of video tapes or similar audio-visual materials. Under the VPPA, video service providers are prohibited from knowingly disclosing personally identifiable information concerning any consumer. “Personally identifiable information” (“PII”) includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider. The act gives anyone aggrieved by the disclosure a right of civil action in district court and, if successful, the court can award actual damages, punitive damages, attorney fees, and any other relief the court deems suitable.5
The main issue the 2015 court looked at was whether Eichenberger’s claims sufficiently alleged that ESPN disclosed PII under the VPPA. To satisfy this issue, it was critical to determine whether Eichenberger’s Roku device serial number and video viewing history constituted PII.6 Since the VPPA gives a minimum, but not exclusive definition of PII, the court looked at other cases to determine the ordinary meaning of the term.7 In Pruitt v. Cable Holdings, LLC, the court was faced with the issue of whether an identification code unique to each device and a list of pay-per-view viewing history constituted PII.8 In Johnson v. Microsoft Corp., the court discussed whether the disclosure of someone’s IP address should be considered PII. The court held that it should not, as it only identifies a computer. Thus, the court in Johnson concluded that case history points to a definition of PII that requires an actual individual person be identified.9
The court in Eichenberger also examined the legislative history of the VPPA. A senate report that accompanied the VPPA stated that the term PII meant information that identifies a specific person that has engaged in a transaction. The court concluded that “in light of the VPPA’s text and legislative history, ‘personally identifiable information’ under the VPPA means information that identifies a specific individual and is not merely an anonymous identifier”.10
Eichenberger tried to counter this argument by stating that the visitor stitching conducted by Adobe took the serial numbers and enabled it to identify him. Accordingly, Eichenberger believed he should be entitled to damages under the VPPA.11 The court rejected this argument, pointing out that previous courts had denied this exact same argument. Specifically, the court in In re Nickelodeon Consumer Privacy Litig. held that the defendant could not be held liable under the VPPA based on the allegation that the third-party recipient of the plaintiff’s anonymous user ID might be able to use that information to identify the plaintiff. It went on to say that the VPPA required a more tangible link. In Locklear v. Dow Jones Co., the court looked at a very similar fact pattern. The plaintiff argued that the actions of the third party that took a Roku device serial number and converted it should be subject to liability under the VPPA. The court denied the claims because extra steps had to be taken by the third party to turn the serial number into information that actually identified the person.12 Likewise, Eichenberger’s claim posited that Adobe took the same additional steps that doomed the other cases and the court dismissed his complaint.
Eichenberger appealed the court’s decision and the Court of Appeals for the Ninth Circuit recently decided the case. The court looked at the fact that the definition of PII used the word “includes”, making the definition inherently more expansive than just the listed examples in the definition. Thus, it is information that is capable of identifying an individual and doesn’t have to be information that, standing alone, identifies a person.13
However, the court went on to say that the real question is what information Congress intended to be capable of identifying an individual? The court looked at two different ways this question had been answered. One view was that PII included information that made it reasonably and foreseeably likely that a person’s video purchase history would be identified. The other view interpreted the term to refer to any information that would allow an ordinary person to identify the individual. The Ninth Circuit believed the “ordinary person” test was more apt. Under this test, the court affirmed the lower court’s decision and dismissed Eichenberger’s lawsuit.14
In an age of increasingly advanced ways to obtain someone’s personal information, the Ninth Circuit’s ruling may have enormous effects. While the court may have interpreted the VPPA correctly, the statute clearly failed to contemplate the tremendous technological advances that have occurred in recent years. The companies that receive information are not ordinary people and have specialized employees that are able to personally identify individuals with information that would seem meaningless to an ordinary person. If Congress intended to protect against the types of visitor stitching practices that are occurring, it should seek to amend the statute.
Eichenberger v. ESPN, Inc., No. C14-463 TSZ, 2015 U.S. Dist. LEXIS 157106 (W.D. Wash. May 7, 2015). ↩
Id. at 2. ↩
Id. at 3 ↩
Id. at 5. ↩
18 U.S.C.S. § 2710. ↩
Eichenberger, 2015 U.S. Dist. LEXIS 157106, at *6, *7. ↩
Id. at 7 ↩
Pruitt v. Comcast Cable Holdings, LLC, 100 F. App’x 713 (10th Cir. 2004).) The statute at issue in that case, the 1984 Cable Communications Act, also did not have an exhaustive list of definitions for the term. The court came to the conclusion that there was no disclosure of PII since the disclosure only contained a series of numbers and nothing about the individual. ((Id. at 716. ↩
Johnson v. Microsoft Corp., No. C06-0900RAJ, 2009 U.S. Dist. LEXIS 58174, at *4 (W.D. Wash. June 23, 2009). ↩
Eichenberger, 2015 U.S. Dist. LEXIS 157106, at *12, *13. ↩
See id. at 13 ↩
In re Nickelodeon Consumer Privacy Litig., No. 2443 (SRC), 2014 U.S. Dist. LEXIS 91286, at *11 (D.N.J. July 2, 2014). ↩
Eichenberger v. ESPN, Inc., No. 15-35449, 2017 U.S. App. LEXIS 24168, at *11 (9th Cir. 2017). ↩
Id. at 14-15. ↩