Hulu privacy action breathes new life into outmoded privacy law

PIG Tales

You can learn a lot about somebody from the movies and TV shows he or she watches. But under the Video Privacy Protection Act (VPPA), it's none of your business. The VPPA prohibits a "video tape service provider" from knowingly disclosing information that "identifies a person as having requested or obtained specific video materials or services."

The VPPA was enacted in the 1980s, when "video tape" seemed almost futuristic. Now, as we stream our way through the Internet age and struggle to balance social networking and virtual privacy, this Reagan-era statute is taking on a whole new meaning. That's why privacy lawyers across the country have been eyeing In re Hulu Privacy Litigation, a 2011 putative class action in the Northern District of California in which viewers of Hulu's online streaming service claim Hulu wrongfully disclosed their private video selections to third parties.

Previously, Hulu failed to convince the court that the VPPA does not apply to the Internet at all. This came as no surprise to some industry observers because the statute broadly defines "video tape service provider" as any business that sells, rents or delivers prerecorded video cassette tapes "or similar audio visual materials." But Hulu seemed much better positioned on the more interesting question of whether video choices and anonymous user IDs - rather than actual customer names - qualify as "information which identifies a person as having requested or obtained specific video materials or services." After all, the whole point of using anonymous IDs instead of actual names is to protect users' privacy.

Last week, the court granted in part and denied in part Hulu's much-anticipated summary judgment motion. The motion focused on Hulu's alleged practice of sharing video picks and anonymous user IDs with two Internet heavyweights: comScore, an Internet analytics company that captures and sells data about Internet usage to websites and advertisers, and Facebook, the world's largest social network.

When a registered Hulu user visited the "watch page" for a particular video on Hulu's website, the title of the TV episode or movie and the viewer's "Hulu User ID" (a unique number assigned to each registered Hulu user) were transmitted to comScore. Hulu never shared actual names with comScore. But the plaintiffs argued that comScore could easily look up a registered Hulu user's profile page on the Hulu website using her Hulu User ID because the Hulu User ID was part of the web address (or "URL") for each user's profile page. In other words, by employing this extra step, comScore could figure out the actual identity of each Hulu user (assuming she registered using his or her real name) and what she watched. Hulu also allowed comScore to use its own cookies and a "comScore ID" to link each Hulu user and his or her video choices when the user visited other websites where comScore collects data.

During this same time period, Hulu also embedded Facebook's well-known "Like" button on its video watch pages. With some exceptions, Hulu's software coding for this feature supposedly caused the user's video selections to be transmitted to Facebook and also allowed Facebook to access the user's Facebook ID (a string of numbers and letters). Interestingly, this information was transmitted to Facebook when the viewer selected a video to watch and before he or she actually pressed the Facebook "Like" button (a fact that seemed troubling to the court because it undermines viewer consent). Hulu never shared actual user names with Facebook.

Relying on the language of the statute and legislative history, the court concluded that disclosure of video viewing information "must be pegged to an identifiable person (as opposed to an anonymous person)" to be actionable. This "does not require identification by a name." The court explained that "[o]ne can be identified in many ways: by a picture, by pointing, by an employee number, by the station or office cubicle where one works, [or] by telling someone what 'that person' rented." However, the court held that even though "a unique anonymized ID alone" is not personally identifiable information, "context could render it not anonymous and the equivalent of the identification of a specific person." For example, a video provider cannot skirt liability under the VPPA "by disclosing a unique identifier and a correlated look-up table."

After taking a deep dive into the technology and facts, the court applied its dicey definition by splitting the VPPA baby. It found that sharing Hulu User IDs with comScore was not a VPPA violation. The court was unpersuaded by plaintiffs' argument that comScore could capture a Hulu User ID and then plug it into a web browser's URL to access the user's Hulu profile (and possibly his or her name). The court found no evidence of this sort of "reverse engineering" and no evidence that Hulu's transfer of information to comScore linked a specific, identified person to his or her viewing habits.

Applying the same reasoning, the court held that Hulu also did not violate the VPPA by causing a user's comScore ID and video selections to be sent to comScore. Even though this information apparently allowed comScore to "recognize users and track their visits to other websites where comScore collects data," this did not sufficiently identify a person. The court seemed comfortable with "tracking that reveals a lot of information" for the purpose of Internet metrics and targeted advertising, an encouraging message for the burgeoning behavioral advertising business.

By contrast, the court found that disclosing a user's video choices and his or her Facebook ID to Facebook violated the VPPA. It reasoned that because Facebook knows its own users (including their real names) based on Facebook IDs, Hulu was providing Facebook with the user's "actual identity on Facebook." Despite no evidence that Facebook actually deciphered any real names tied to video selections, the court emphasized that a "Facebook User ID is more than a unique anonymous identifier. It personally identifies a Facebook user."

The court's distinction between sharing Hulu User IDs, comScore IDs and Facebook User IDs is sure to cause some confusion - and litigation - down the road. But a few things are clear. Unless a viewer clearly consents, download and streaming services should not share a user's video choices and anonymous ID with someone who knows the actual user behind the ID. It also appears that sharing video viewing information and anonymous user IDs with companies that anonymously track website metrics and behavior falls outside of the VPPA. So, if you watch a lot of sports online and start noticing sporting goods ads when you surf the web, your video habits may still be "anonymous" under the VPPA even if it feels like you are being tracked.

Last week's ruling is also a warning to video streaming sites that incorporate Facebook's "Like" button. Lawyers and programmers are no doubt scrambling to avoid the coding traps that snagged Hulu. But the most important lesson is that streaming services who share users' video selections tied to anonymous IDs must carefully consider whether the receiving party can easily figure out the actual users associated with those IDs. This includes paying close attention to the type of information that appears in URLs.

Whether the court's contextual approach to anonymous IDs will lead to better compliance or more confusion remains to be seen. But, for now, last week's ruling offers enough guidance for streaming sites to reduce their risk of liability. And the prospect of large class actions, statutory damages and a legal test that invites fact-intensive disputes provides more than enough incentive to make these changes now.