Privacy

Court grants Hulu’s motion for summary judgment in VPPA class action

Published: Apr. 03, 2015

Updated: Oct. 05, 2020

After four years of litigation, a California district court granted summary judgment for Hulu in its defense against alleged violations of the Video Privacy Protection Act (“VPPA”), finding that Plaintiffs could not establish that Hulu knowingly disclosed any of its users’ video preferences.

The litigation arose due to Hulu’s placement of Facebook “Like” buttons next to individual videos hosted on Hulu’s website. When a video page containing a Like button was displayed to a user, Hulu transmitted to Facebook the unique URL of the video being watched by the user. Additionally, if the viewer was logged into Facebook, the Like button transmitted a cookie previously placed on the user’s browser by Facebook containing the user’s unique Facebook ID. Both of these transmissions occurred even when the user did not interact with the Facebook button. Plaintiff alleged that by combining the unique video URL and the cookie containing the Facebook ID, Facebook could determine the identity of the user and tie that identity to the specific video being watched by the user. Thus, Plaintiffs argued, Hulu violated the VPPA prohibition on giving third parties personally identifiable information tied to a user’s viewing behavior.

The Court disagreed, finding that Hulu’s separate transmission of the video URL and the Facebook cookie could not constitute a knowing disclosure of personally identifiable information unless Plaintiffs could establish that Hulu knew that Facebook would combine the data to ascertain viewing behavior of specific individuals. Absent such knowledge, the transmission of the Facebook ID and the video URL was not a violation of the VPPA. The court found the circumstantial evidence presented by Plaintiff’s lawyers (that Hulu likely knew or should have known that the Facebook Like button was transmitting a Facebook ID, and that this ID could be used to identify those watching videos on the site) to be mere speculation insufficient to allow their claim to survive summary judgment.

The ruling provides some protection for online video service providers who share purportedly anonymized data with third parties, suggesting that as long as a video service provider does not know the data it sends is being used to identify a person, the provider cannot be liable under the VPPA. Of course, this does not mean providers can—or should—stay willfully blind with respect to how third-parties are using their data. Rather, video service providers who send third parties anonymized data regarding their users viewing behaviors should seek assurances that the third parties will not take efforts to de-anonymize that data. And, if a video service provider gains actual knowledge that data sent to third parties is being de-anonymized in manner that links real identities to video preferences, it should take action to modify or discontinue the arrangement.

Photo by Official GDC from Flickr