Ending a four-year battle that has helped define the parameters of the Video Privacy Protection Act’s (VPPA) application to new technologies, on March 31, 2015, Northern District of California Magistrate Judge Laurel Beeler dismissed the In re: Hulu Privacy Litigation with prejudice. In doing so, Judge Beeler found that there was simply no evidence that Hulu knowingly disclosed plaintiffs’ video viewing selections and personal identification information (PII) to a third party. Many companies and privacy professionals were following this case closely because of the significant potential exposure for violations of the VPPA. Specifically, the plaintiffs alleged millions of violations (per day) and sought recovery of $2,500 in statutory liquidated damages per violation.
The VPPA prohibits video service providers from knowingly disclosing PII to third parties. Plaintiffs, users of Hulu’s online video services, claimed that Hulu violated the VPPA by disclosing their video viewing history and their PII through its interaction with Facebook and the placement of the Facebook “Like” button on Hulu.com watch pages. More specifically, plaintiffs alleged that if a Hulu user had recently logged into Facebook using certain settings, the “Like” button would cause a “c_user cookie” to be sent to Facebook. The “c_user cookie” contained the user’s Facebook user ID, among other information, which Facebook could then link to a particular user.
In granting Hulu’s summary judgment motion, the court held that Hulu did not violate the VPPA because “Hulu did not actually know that Facebook might ‘read’ the c_user cookie and video title together.” (Order at 9-10.) Judge Beeler stressed that the VPPA implicitly requires that a connection exist between the user’s identity and that of the disclosed video material. In Hulu’s case, there was simply a lack of a known connection between “a user’s identity, sent in the c_user cookie, and the title of the videos that that user watched, contained in the watch-page address.” (Order at 10.) Without that connection, plaintiffs lacked a triable claim under the VPPA. (Order at 13.)
Hulu filed its motion for summary judgment on August 26, 2014, arguing there was no evidence that it knew Facebook’s “c_user cookie” contained personally identifiable data—i.e., the Facebook user ID—or that it knew that Facebook would combine that data with video watch information it separately received from Hulu’s watch page URL. The plaintiffs opposed Hulu’s motion, arguing that the evidence demonstrated that Hulu did in fact have the VPPA’s requisite knowledge and had received legal advice concerning information sharing and assumed the risk of sharing information. See In re Hulu Privacy Litig., No. 3:11-cv-3764-LB at 12 (N.D. Cal. Jan. 22, 2015) [ECF No. 194].
In the end, the court sided with Hulu, holding that the plaintiffs had failed to make the requisite showing that Hulu knew it was disclosing a user’s identity, the identity of the video material and the connection between the two—i.e., that the given user had requested or obtained the given video material. Notably, prior to her March 31, 2015 ruling, Judge Beeler had acknowledged and reiterated that a violation of the VPPA requires a video service provider’s knowing disclosure of personally identifiable information (PII). She restated her position at the February 26 summary judgment hearing: “In the end the knowing standard that Hulu outlines I think is the correct one.” For purposes of the VPPA—as Hulu noted—that means actual knowledge that PII is being disclosed, a heightened standard more stringent than “willfulness” or “recklessness.”
In its March 31 opinion, the court noted that there was insufficient evidence to raise a triable issue of fact that Hulu knew what information Facebook’s cookie would disclose to Facebook, as this was known only to Facebook. Specifically, the court reasoned that Hulu did not have the requisite knowledge of the operation of the “c_user cookie” that is associated with the Facebook “Like” button. The fact that the disclosures occurred automatically and that Facebook tied the Facebook user ID with users’ video viewing on Hulu’s websites was insufficient to implicate Hulu as having knowledge that Facebook’s cookies would do this.
The court also held that the email evidence reflecting Hulu employees’ general knowledge that data sets may be combined by vendors and even Facebook to discern users did not create triable issues because: (1) they were associated with Facebook’s “show friends” functionality that Hulu did not use; (2) the emails in certain instances related to Facebook Connect, a tool that Hulu was not using; and (3) the colloquy associated with Hulu’s work with the Nielsen ad network revealing that Facebook could identify users did not reflect that Facebook could identify the video viewing of users, which is necessary to trigger the VPPA.
You can also read “Court Sides with Hulu in VPPA Case, Grants Summary Judgment with Prejudice,” published in IAPP’s Privacy Tracker, for a detailed discussion of the Hulu decision and its implications. For more information about the case’s background, including a detailed discussion of the c_user cookie and the underlying technology, please see Alston & Bird’s previous alerts on this case:
- Privacy & Security Advisory: Northern District Court Grants Summary Judgment in Favor of Hulu as to the comScore Claims but Denies Summary Judgment as to the Facebook Claims (April 28, 2014)
- Northern District of California to Decide in the In re Hulu Privacy Litigation Whether Disclosing Anonymized Data to a Web Analytics Company and Use of the Facebook “Like” Button Violate the Video Privacy Protection Act (February 27, 2014)
- 2013 Ends with a Bang – Northern District of California Denies Hulu’s Motion for Summary Judgment in Video Tracking Case (January 7, 2014)
- Privacy & Security/Class Action Advisory: Hulu: The Northern District of California Denies Class Certification without Prejudice on Grounds Class Not Ascertainable (June 19, 2014)