Author: Linda Priebe, Partner in Washington, DC
On June 17th the US District Court for the Northern District of California rejected Hulu users’ arguments that they met the criteria for a federal class action regarding their claims that Hulu shared their personally identifying information (PII) and the videos they watched with online data analytics company comScore and Facebook. For now that is, stay tuned.
In the meantime, if you host videos on websites, and use a service to analyze your video viewing audience and/or include a Facebook “like” button or other social plug-in, there is already plenty to learn from the Hulu privacy case. And the stakes are high. Hulu users sued Hulu under the Video Privacy Protection Act (VPPA) for sharing their PII and the videos they watched with comScore and Facebook. Under the VPPA, sharing PII and what video is watched is subject to a minimum of $2500.00 statutory damages per person not including actual damages, court costs, attorney fees and even punitive damages.
In April, the court reviewed Hulu’s motion for summary judgment. Hulu asserted that the information it shared with comScore and Facebook was (1) anonymous user IDs which never linked the Hulu user’s ID to the user’s legal name or address; (2) Hulu did not “knowingly” share PII; and (3) and Facebook users had consented to the disclosures by Hulu to Facebook through Facebook’s terms of use.
The court granted Hulu’s summary judgment motion regarding comScore but not Facebook. According to the court to violate the VPPA the information disclosed must identify a specific person (but not necessarily by their legal name) and tie that person to videos the person watched. The court found that Hulu’s disclosures to comScore were anonymous disclosures thatcould have been linked to a Hulu viewer’s video watching but that there was no evidence that comScore had made that connection. As a result, the court determined that Hulu’s disclosures to comScore did not violate the VPPA.
Hulu disclosed user information to comScore by sending two “Web beacons” to comScore. One Web beacon came from the Hulu video viewing page (i.e., “watch page”) and included (1) the user ‘s unique 7-digit Hulu User ID; (2) a web browser ID; (3) an advertisement ID; and (4) the video name or title from the URL of the Hulu watch page. The second Web beacon related to registered Hulu users and their Hulu profile page and included (1) the Hulu user ID; and (2) the first and last name the user provided when registering with Hulu. The second Web beacon did not include any video viewing information, but with the Hulu user ID in both beacons, comScore had the “key” to link a registered user’s first and last name from the second beacon with the videos they viewed from the first beacon. Ultimately however, the court found no evidence that comScore had combined the two beacons to connect Hulu registered users’ first and last names with videos they watched. As a result, the court found the VPPA was not violated and dismissed the Hulu user’s claims regarding comScore.
Hulu’s disclosures to Facebook were a whole different matter. Hulu user information was transmitted from Hulu to Facebook when the Facebook “Like” button loaded on a Hulu watch page. Until June 7, 2012, when a web browser loaded a Facebook “Like” button on a Hulu watch page, it automatically sent Facebook the URL of the Hulu watch page including the name of the video being watched along with the IP address of the Hulu registered user’s computer. Hulu also sent Facebook the datr cookie identifying the Hulu user’s browser; the lu cookie identifying the Facebook user using that browser to login to Facebook during the previous 2 years; and the c_user cookie for any Facebook user who logged in using the Facebook default settings during the past 4 weeks. The court noted this is a stark contrast to the situation where a Hulu user clicks on the Facebook “Like” button regarding a Hulu video they are watching. That would not be a VPPA violation because the Hulu user would be exercising their choice to share their personal video viewing choices with others via Facebook. The court concluded that the information from the Facebook “Like” button loading Hulu sent to Facebook at the same time as the lu, c_user and datr cookies combined disclosed to Facebook who the Hulu user is on Facebook and the videos they watched.
Since the VPPA requires that the disclosures of PII and video content viewed must be “knowing” or excused by written consent of the viewer, the Hulu privacy case will continue for Hulu and Facebook to present evidence on those questions.
What to do now: Review your websites with videos to make sure that they are in compliance with the VPPA.
- Be sure to include your compliance, legal, IT and marketing teams in your review and pay particular attention to the types of digital information being collected, and how it is combined, stored and disclosed to third parties.
- Review your websites with Facebook “Like” buttons and thoroughly understand the button’s configuration and how it operates on your websites.
- Revisit your user terms of service and especially your consent provisions and forms.
- Review your contracts with your analytics service providers to determine whether and how they address combining or linking datasets.
- Train your employees and staff to prevent communications with analytics companies connecting non-PII data with PII data.