Providing Serial Number of Device Not Enough to Trigger a VPPA Violation

(November 29, 2017) It’s not a violation of the Video Privacy Protection Act (“VPPA”) for a video service provider to send to a third party vendor the serial number of a video device and identify the video being watched by a viewer of a digital streaming channel—even if the third party vendor can then link the device to personally identifiable information of the viewer.

The Ninth Circuit affirmed the dismissal of the case because the video service provider did not “knowingly disclose” personally identifiable information to the third party vendor. Rather, the court said, the third party vendor identified the individual using its “Visitor Stitching technique.”

VPPA prohibits a video service provider from knowingly disclosing personally identifiable information concerning any consumer of the provider’s service. VPPA was enacted in reaction to a newspaper’s disclosure of Supreme Court nominee Robert Bork’s video rental history.

The current case concerns the WatchESPN Channel, which is available via digital streaming. ESPN provides the serial number of the Roku device and the name of each video watched to Adobe, which then uses its database to obtain the email addresses, account information, Facebook profile information, user names, and other personally identifiable information of the viewer. Adobe, in turn, then provides ESPN with the aggregated information to give to its advertisers.

The appellate court found that in determining if personally identifiable information is “knowingly disclosed,” it adopts the perspective of the disclosing party using an “ordinary person” standard. If an ordinary person cannot readily obtain personal information from what is disclosed, then it is not a violation of VPPA to disclose the information. In addition, VPPA “looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.” The appellate court reasoned that because the serial number of the device, standing alone, “cannot identify an individual unless it is combined with other data in Adobe’s possession—data that ESPN never disclosed and apparently never even possessed,” there was no violation of the act.

However, the appellate court said “modern technology may indeed alter—or may already have altered—what qualifies under the statute. A Facebook link or an email address may very well readily enable an ‘ordinary person’ to identify an individual. We need not and do not opine on the merits of those theories.”

Eichenberger v. ESPN, Inc., Ninth Cir. No. 15-35449, issued November 29, 2017.