Yershov v. Gannett Satellite Information Network, Inc.
Filing
30
Judge F. Dennis Saylor, IV: ORDER entered. MEMORANDUM AND ORDER granting #14 Motion to Dismiss for Failure to State a Claim. (FDS, law4)
<![CDATA[
UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS
____________________________________
)
ALEXANDER YERSHOV,
)
individually and on behalf of all
)
others similarly situated,
)
)
Plaintiff,
)
)
v.
)
)
GANNETT SATELLITE
)
INFORMATION NETWORK, INC.,
)
dba USA TODAY,
)
)
Defendant.
)
____________________________________)
Civil Action No.
14-13112-FDS
MEMORANDUM AND ORDER ON
DEFENDANT’S MOTION TO DISMISS
SAYLOR, J.
This is a putative class action arising out of the Video Privacy Protection Act (“VPPA”),
18 U.S.C. § 2710. The VPPA, among other things, prohibits the disclosure of “personally
identifiable information” of certain consumers of video services. Plaintiff Alexander Yershov
has filed suit against defendant Gannett Satellite Information Network, Inc.
Gannett publishes a print and on-line newspaper called USA Today. Gannett has also
created a mobile app, called the “USA Today App,” that is designed to run on smartphones and
other mobile devices, and that permits readers to view the on-line version of the newspaper.
Viewers using the App can access video clips on various news, sports, and entertainment topics.
Plaintiff alleges that defendant discloses “personally identifiable information” every time a
person uses the USA Today App to watch video clips. Specifically, plaintiff alleges that every
time a user of the App watches a video, the unique identification number of the user’s
smartphone is provided to a third-party data-analytics company. Plaintiff contends that by doing
so, Gannett violates the VPPA.
On September 19, 2014, defendant filed a motion to dismiss pursuant to Fed. R. Civ. P.
12(b)(1) for lack of subject-matter jurisdiction and Fed. R. Civ. P. 12(b)(6) for failure to state a
claim. For the following reasons, defendant’s motion will be granted.
I.
Background
A.
The USA Today App
Gannett Satellite Information Network, Inc., is based in McLean, Virginia. (Compl. ¶ 6).
Gannett is a media company that produces news and entertainment programming. (Id. ¶ 1). It
distributes that content to consumers through a variety of media, including its flagship
newspaper, USA Today. (Id.). In addition to the print edition of USA Today, Gannett offers
content through websites and mobile software applications. (Id.). One of Gannett’s mobile
applications is the USA Today App. (Id. ¶ 2).
The USA Today App is a mobile software application that allows individuals to access
news and entertainment media content. (Id. ¶ 9). It is available for installation on Android
mobile devices, among others. (Id.). Android is a mobile device operating system developed by
Google. (Id. ¶ 1 n.1). Smartphones made by a variety of companies, including HTC and
Samsung, use the Android operating system. (Id.). Users can install the USA Today App on an
Android device by visiting the Google Play Store, the on-line media platform operated by
Google. (Id. ¶ 10). Once installed, the App allows users to view articles and video clips
organized into sections, such as news and sports. (Id. ¶ 12). Prior to using it for the first time,
2
the App requests permission from users to “push” notifications on their device. (Id. ¶ 10).1 The
App does not otherwise seek a user’s consent to disclose personal information to third parties for
any purpose. (Id. ¶ 11).
There is no charge to install the App or to view video clips after installation.
(See Compl. ¶¶ 9-11 (citing USA Today, GOOGLE PLAY, https://play.google.com/store/apps/
details?id=com.usatoday.android.news&hl=en (last visited July 2, 2014))). There is no
registration requirement (such as a requirement that the user provide a name and e-mail contact).
(See id.). After responding to the request for permission to “push” notifications, the user is not
required to provide any other information in order to use the App. (See id.).
B.
Alleged Transmittal of PII
The complaint alleges that each time users view video clips on the App, it sends a record
of the transaction to Adobe Systems, Inc., an unrelated company that, among other things,
performs third-party data-analytics. (Id. ¶ 13).2 Along with the record of the transaction, the
App sends a user’s GPS coordinates and the Android device’s unique identification number (the
“Android ID”). (Id. ¶ 13). The Android ID is a “64-bit number (as a hex string) that is randomly
generated when the user first sets up the device and should remain constant for the lifetime of the
user’s device.” (Id. ¶ 13 n.3 (citing Settings.Secure, ANDROID DEVELOPERS,
http://developer.android.com/reference/android/provider/Settings.Secure.html#Android_ID)).
Android IDs are unique to specific devices and users. (Id. ¶ 16). It is not precisely clear what
1
“Push” notifications are alerts that inform app users of relevant activity related to the app even when the
user is not actively using it. USA Today App users may decline to receive “push” notifications. (See id. ¶ 10).
2
The complaint characterizes Adobe as a data-analytics company that “provides insights into the behaviors
and demographics for the App’s user base.” (Id. ¶ 19).
3
the “record of the transaction” includes, but it appears from the complaint that it includes an
identification of the video watched by the user. (See id. ¶¶ 42, 54, 57).
According to the complaint, Adobe “collects an enormous amount of detailed
information about a given consumer’s online behavior (as well as unique identifiers associated
with a user’s devices) from a variety of sources.” (Id. ¶ 20). “Once Adobe links a device’s
Android ID with its owner, it can then connect new information retrieved from Android
apps—including the USA Today App—with existing data in the person’s profile (which was
previously collected by Adobe from other sources).” (Id. ¶ 22). Therefore, when Adobe
receives an individual’s Android ID and the record of the video transaction from USA Today
App, it is able to connect that information with information collected from other sources “to
personally identify users and associate their video viewing selections with a personalized profile
in its databases.” (Id. ¶ 29).
According to the complaint, Alexander Yershov downloaded and began using the USA
Today App on his Android device in late 2013. (Id. ¶ 39). He never consented to allowing USA
Today to disclose his “personally identifiable information” to third parties. (Id. ¶ 40).
The complaint alleges that “the combination of his device’s unique Android ID and the
records of videos that [Yershov] viewed . . . constitutes ‘personally identifiable information’ . . .
because it allows Adobe to identify users such as Yershov, and to attribute their video-viewing
records to their Adobe-created profiles.” (Id. ¶ 57).
C.
Procedural Background
Plaintiff filed the complaint in this action on July 24, 2014, alleging a violation of the
Video Privacy Protection Act, 18 U.S.C. § 2710. (Compl.). The complaint is a putative class
4
action; the class is defined as “[a]ll persons in the United States who used the USA Today App
to watch videos and had their PII transmitted to Adobe.” (Id. ¶ 43). The complaint alleges that
all such class members “have had their statutorily defined right to privacy violated.” (Id. ¶ 62).
Defendant has moved to dismiss for failure to state a claim upon which relief can be
granted.
II.
Legal Standard
On a motion to dismiss, the Court “must assume the truth of all well-plead[ed] facts and
give . . . plaintiff the benefit of all reasonable inferences therefrom.” Ruiz v. Bally Total Fitness
Holding Corp., 496 F.3d 1, 5 (1st Cir. 2007) (citing Rogan v. Menino, 175 F.3d 75, 77 (1st Cir.
1999)). To survive a motion to dismiss, the complaint must state a claim that is plausible on its
face. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). That is, “[f]actual allegations must
be enough to raise a right to relief above the speculative level, . . . on the assumption that all the
allegations in the complaint are true (even if doubtful in fact).” Id. at 555 (citations omitted).
“The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a
sheer possibility that a defendant has acted unlawfully.” Ashcroft v. Iqbal, 556 U.S. 662, 678
(2009) (quoting Twombly, 550 U.S. at 556). Dismissal is appropriate if the facts as alleged do
not “possess enough heft to show that plaintiff is entitled to relief.” Ruiz Rivera v. Pfizer
Pharm., LLC, 521 F.3d 76, 84 (1st Cir. 2008) (alterations omitted) (internal quotation marks
omitted).
III.
Analysis
The Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710, was enacted in 1988.
Congress passed the VPPA after a “newspaper in Washington published a profile of [Supreme
5
Court nominee and D.C. Circuit] Judge Robert H. Bork based on the titles of 146 films his
family had rented from a video store.” S. Rep. 100-599, 2d Sess. at 5 (1988), reprinted in 1988
U.S.C.C.A.N. 4342.
Among other things, the VPPA prohibits “video tape service providers” from “knowingly
disclos[ing], to any person, personally identifiable information concerning any consumer of such
provider” without the consumer’s informed, written consent. 18 U.S.C. § 2710(b). The statute
has three relevant definitions:
•
the term “video tape service provider” means “any person, engaged in the
business, in or affecting interstate or foreign commerce, of rental, sale, or delivery
of prerecorded video cassette tapes or similar audio visual materials . . . ,” 18
U.S.C. § 2710(a)(4);
•
the term “personally identifiable information” “includes information which
identifies a person as having requested or obtained specific video materials or
services from a video tape service provider,” 18 U.S.C. § 2710(a)(3); and
•
the term “consumer” “means any renter, purchaser, or subscriber of goods or
services from a video tape service provider.” 18 U.S.C. § 2710(a)(1).
For present purposes, at least, defendant does not contest that it fits within the statutory
definition of a “video tape service provider.”3 Defendant contends, however, that the complaint
should be dismissed because (1) defendant did not disclose “personally identifiable information”
within the meaning of the statute, (2) plaintiff is not a “consumer” within the meaning of the
3
Although defendant contends that plaintiff’s “VPPA claim will ultimately fail for the additional,
independent, reason that Gannett is not a ‘video tape service provider’ under the VPPA,” it does not challenge “the
sufficiency of [p]laintiff’s pleading” of this issue at this stage of litigation. (Defs.’ Mem. Support Mot. Dismiss 7
n.4).
6
statute, and (3) plaintiff lacks standing because he has not pleaded an injury in fact.
A.
Personally Identifiable Information
As noted, the VPPA prohibits “video tape service providers” from disclosing “personally
identifiable information” (“PII”) concerning a “consumer” to third parties. 18 U.S.C. § 2710(b).
The complaint alleges that each time users view video clips on the USA Today App, defendant
sends a record of the transaction along with the user’s GPS coordinates and the Android ID for
the user’s device.4 The first issue is whether that information sent to Adobe qualifies as
“personally identifiable information.”
Any statutory analysis begins with the text of the statute. To some extent, of course, this
exercise involves an attempt to place a square peg (modern electronic technology) into a round
hole (a statute written in 1988 aimed principally at videotape rental services). Nonetheless, the
statute says what it says, and the place to begin is with the words themselves. Again, the VPPA
provides that “personally identifiable information” includes “information which identifies a
person as having requested or obtained specific video materials or services from a video tape
service provider.” 18 U.S.C. § 2710(a)(3). Those words must be interpreted in “context and
with a view to [their] place in the overall statutory scheme.” Davis v. Michigan Dept. of
Treasury, 489 U.S. 803, 809 (1989). Here, the statute provides at least two clues as to the
meaning of the term.
First, the statute permits disclosure of PII under five specific circumstances. 18 U.S.C. §
4
The complaint alleges that “even ‘[w]hen a device has multiple users [] each user appears as a completely
separate device, so the ANDROID_ID value is unique to each user.” (Compl. ¶ 17 (citing Settings.Secure, ANDROID
DEVELOPERS, https://developer.android.com/reference/android/provider/Settings.Secure.html#ANDROID_ID (last
visited July 15, 2014)). As a result, each device user has a unique Android ID. (See id.). It further alleges that
Adobe is able to use the Android ID “to identify [plaintiff] and attribute his video viewing records to an
individualized profile of [him] in its databases.” (Id. ¶ 42).
7
2710(b)(2). One of those circumstances is that disclosure may be made “to any person” if “the
disclosure is solely of the names and addresses of consumers,” but only if the consumer has had
an opportunity to prohibit that disclosure, and if the disclosure does not identify the “title,
description, or subject matter of the video.”5 Id. § 2710(b)(2)(D). That suggests (1) that a
consumer’s name and address are both PII, and (2) that the universe of PII is greater than the
consumer’s name and address.
Second, the list of statutory definitions uses the word “means” in three out of four
instances (in other words, the definitions are formatted to provide that the term “x” means “y”).
See 18 U.S.C. § 2710(a)(1), (2), (4). As to PII, however, the statute provides that “the term
‘personally identifiable information’ includes information which identifies a person . . . .” Id. §
2710(a)(3) (emphasis in original). This suggests that the statutory term may have a broader
definition than what is provided in the text, which may be a mere example of a possible form of
PII.6
With that framework in mind, the Court turns to the question whether the information
sent to Adobe constitutes PII. When a user requests a video clip, Gannett discloses three kinds
of information: (1) a record of the transaction (presumably, information concerning the precise
video selected for viewing); (2) the user’s GPS coordinates (that is, the precise location of the
user); and (3) the Android ID of the user’s smartphone or other device. There is no question that
5
The statute provides an exception, such that “the subject matter of such materials may be disclosed if the
disclosure is for the exclusive use of marketing goods and services directly to the consumer.” 28 U.S.C. §
2710(b)(2)(D)(ii).
6
While the Court places very limited weight on legislative history, that history supports such a conclusion.
According to the Senate Report, Congress’s purpose in enacting the VPPA was “[t]o preserve personal privacy with
respect to the rental, purchase, or delivery of video tapes or similar audio visual materials.” S. Rep. 100-599, 2d
Sess. at 5 (1988), reprinted in 1988 U.S.C.C.A.N. 4342. at *1. The Senate Report specifically notes that the
definition of PII “uses the word ‘includes’ to establish a minimum, but not exclusive, definition . . . .” Id. at *11.
8
the information transmitted to Adobe identifies the “specific video materials or services”
requested or obtained by the consumer. See 18 U.S.C. § 2710(a)(1)(3). The issue is whether that
information also identifies a specific person.
Without question, a person’s name, social security number, and date of birth are PII. See
In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003) (finding that the definition of “contents” in
Electronic Communication Privacy Act encompasses “personally identifiable information such
as a party’s name, date of birth, and medical condition”).7 Similarly, a person’s home address is
PII, under the statutory construction noted above and as a matter of common sense.8 Similar
types of information, such as a place of birth, a mother’s maiden name, an automobile license
plate number, or a home telephone number, could also be PII under at least some circumstances;
for example, celebrities and public officials often have unlisted telephone numbers and
“blocked” license plate numbers in order to protect their privacy and security.
It requires no great leap of logic to conclude that the unique identifier of a person’s
smartphone or similar device—its “address,” so to speak—is also PII. A person’s smartphone
7
Several federal statutes contain provisions that specifically use the term “personally identifiable
information” or similar terms. See, e.g., 20 U.S.C. § 1232g (Family Educational Rights and Privacy Act); 47 U.S.C.
§ 551(a)(2) (Cable Communications Policy Act); see also 15 U.S.C. § 6809(4)(A) (The Gramm-Leach Billey
Financial Modernization Act) (referring to “nonpublic personal information”).
8
The Family Education and Records Privacy Act of 1974 (“FERPA”) prohibits educational entities from
releasing or providing access to “any personally identifiable information in education records.” 20 U.S.C. §
1232g(b)(2). The statute does not provide a definition for PII. However, the regulation implementing the statute
provides the following definition:
The term includes, but is not limited to—(a) The student’s name; (b) The name of the student’s parent
or other family members; (c) The address of the student or student’s family; (d) A personal identifier,
such as the student’s social security number, student number, or biometric record; (e) Other indirect
identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; (f) Other
information that, alone or in combination, is linked or linkable to a specific student that would allow
a reasonable person in the school community, who does not have personal knowledge of the relevant
circumstances, to identify the student with reasonable certainty . . . .
34 C.F.R. § 99.3.
9
“address” is an identifying piece of information, just like a residential address. Indeed, it is in
many ways a more significant identifier. Smartphones typically contain “vast quantities of
personal information.” Riley v. California, 134 S. Ct. 2473, 2485 (2014). “[A] cell phone
collects in one place many distinct types of information—an address, a note, a prescription, a
bank statement, a video—that reveal much more in combination than any isolated record.” Id.
Therefore, the type of information that could be ascertained from a smartphone could potentially
be devastating to an individual’s privacy interests. A person with access to a smartphone’s
unique identifer could potentially learn a huge quantity of personal information about the user of
that smartphone. Furthermore, a smartphone may be more directly connected to a specific
individual that even a residential address; for example, people are much more likely to share
their homes with other persons than their smartphones.
Defendant makes two principal objections to that conclusion. First, it contends that the
Android ID cannot be PII because it identifies an object, rather than a human being. But that
contention cannot be correct. A home address describes an object, not a person, but there can be
little doubt that it is PII. Indeed, and as noted, the VPPA expressly refers to the “addresses of
consumers,” in a context clearly indicating that an address is PII. And that is true even though
multiple persons may share a residence.9 The identity of an object—its unique “address,”
whether in the physical world or in cyberspace—can therefore constitute PII, at least under some
circumstances.
Next, defendant contends that the Android ID cannot be PII because that information
9
Similarly, an automobile license plate number or a home telephone number may identify an object (a
motor vehicle or a telephone) that several persons (for example, spouses or teenage children of the owner) may
share. Nonetheless, that type of information could be a personal identifier under many circumstances, and thus fit
within the definition of the statute.
10
cannot be linked to a specific person without access to certain additional
information—specifically, the information that a particular phone is used by a particular person.
But that is true of every identifier other than a person’s name. For example, a social security
number is a string of nine numbers that only takes on meaning if it can be identified as the
number of a specific person. Likewise, a date in a calendar is meaningless as an identifier,
unless it is identified as a specific person’s date of birth. Even a person’s name may be of
limited use as an identifier without further information; there may be hundreds, or thousands, of
persons with the same or a similar name.
At oral argument, defendant conceded that a home address qualifies as PII even though it
requires an extra step to link it to a specific person. Defendant contended, however, that home
addresses qualify as PII because there are public record databases that can link home addresses
to individuals, but there is no such publicly accessible database that links an Android ID to a
person. Defendant therefore contended that in isolation the Android ID is a meaningless
number. But the same could also be said for social security numbers. There is no publicly
accessible database that links those numbers to individuals, but a social security number is
nonetheless unquestionably the type of information that fits within the definition of PII.
It is also noteworthy that Gannett transmits the GPS coordinates of the user along with
the Android ID. Presumably, that information would be sufficient to identify a very specific
location (such as a building) from which the user viewed the video. It therefore appears possible
to identify, with a relatively high degree of accuracy, the residential address of users at the same
time as their Android ID. Indeed, in areas of relatively low-density housing, the GPS
coordinates of the user are essentially identical to a residential address.
11
Finally, defendant notes that the substantial weight of authority points in the opposite
direction. Of particular relevance is the Northern District of Georgia’s ruling in Ellis v. Cartoon
Network, Inc., 2014 WL 5023535 (N.D. Ga. Oct. 8, 2014), because its facts are very similar to
the facts of the present case.
In Ellis, the court examined whether the Cartoon Network App’s transmission of a user’s
video history along with the user’s Android ID to a third party constituted a violation of the
VPPA. Id. at *2. For purposes of the motion to dismiss, the court accepted that the third party
was able to reverse engineer the consumer’s identities from the Android ID, using information
previously collected from other sources. Id. at *1. In its analysis, the court found that PII “is
that which, in its own right, without more, ‘link[s] an actual person to actual video materials.’”
Id. at *3 (quoting In re Nickelodeon, 2014 WL 3012873, *10 (D.N.J. July 2, 2014)). The court
determined that the Android ID does not identify a specific person without the third party taking
extra steps. Id. As a result, it concluded that “the disclosure of an Android ID alone . . . does not
qualify as personally identifiable information under the VPPA.” Id. It relied on district court
decisions in In re Hulu Privacy Litigation, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014), and In
re Nickelodeon Consumer Privacy Litigation, 2014 WL 3012873 (D.N.J. July 2, 2014), to come
to its conclusion.10
10
Two other decisions that defendant cites in support of its motion to dismiss also rely on the Hulu and the
Nickelodeon decisions to conclude that information similar to the Android ID is not PII. See Locklear v. Dow Jones
& Company, Inc., 1:14-cv-00744-MHC (N.D. Ga. Jan 23, 2015) (relying on the Hulu, Nickelodeon, and Ellis
decisions to conclude that disclosure of Roku serial number and titles of videos does not violate the VPPA because
the Roku serial number without more is not PII); Eichenberger v. ESPN, Inc., C14-463 TSZ (W.D. Wash. Nov. 24,
2014) (relying on the Hulu decision to conclude that disclosure of Roku serial number and viewing records does not
violate the VPPA because the Roku serial number is not PII). After the court in Eichenberger dismissed the first
amended complaint, the plaintiff in that case filed a second amended complaint. See Eichenberger v. ESPN, Inc., C14-463 TSZ (W.D. Wash. May 7, 2015). The second amended complaint alleged that the third party, Adobe, was
able to “automatically correlate[] [the Roku device serial number] with existing user information possessed by
Adobe, and therefore identif[y] Eichenberger as having watched specific video material . . . .” Id. at 3. In an
12
The Nickelodeon case involved a class of children under the age of thirteen who sued
Viacom for violating the VPPA. The case involved plaintiffs who visited “certain Viacomowned websites and willingly provide[d] Viacom with their gender and age when they
register[ed] as users of the sites.” Id. at *2. When the plaintiffs went to these websites, Viacom
also placed a “cookie” on their computer without their consent or that of their parents.” Id. The
“cookie” allowed Viacom to acquire certain information about each plaintiff, including their “‘IP
address’; ‘browser settings’; ‘unique device identifier’; ‘operating system’; ‘screen resolution’;
‘browser version’; and certain ‘web communications,’ specifically ‘detailed URL . . . requests
and video materials requested and obtained from Viacom children’s websites.” Id. at *1.
Whenever registered users watched video on Viacom’s websites, Viacom made a record of that
activity and shared it with Google. Id. at *1-2. The court refused to credit allegations in the
complaint that Viacom and Google were able to link online activity and information with offline
activity and information, and thereby “identify specific users.” Id. at *2 n.3. Against that
backdrop, the court examined whether Viacom’s disclosures to Google of “anonymous
usernames; IP address; browser setting; ‘unique device identifier’; operating system; screen
resolution; browser version; and ‘detailed URL requests and video materials requested and
obtained’ from the Viacom websites, requests which presumably contain” gender and age
information and the title of a video, violated the VPPA. 2014 WL 3012873, at *10. The court
cited the Hulu decision as holding that “PII is information that must link ‘a specific, identified
opinion issued on May 7, 2015, the Eichenberger court engaged in a more thorough analysis of PII by looking to the
statutory text, “its legislative history, and the growing line of cases that have considered this issue.” Id. at 6-12. The
court cited the Nickelodeon, Hulu, Ellis, and Locklear decisions, and concluded that plaintiff’s complaint did not
sufficiently plead that the defendant had disclosed PII. Id. at 10. The court found that the allegation that Adobe
could combine the Roku device serial number with other information already in its possession “also fails to assert a
plausible claim to relief under the VPPA.” Id.
13
person and his video habits’—what the Hulu [c]ourt characterizes as any information ‘akin’ to a
name.” Id. at *10 (quoting Hulu, 2014 WL 1724344, at *12, 14). The Nickelodeon court
concluded that “PII is information which must, without more itself link an actual person to actual
video materials.” Id. The court found that “all Google knows from the disclosure of this
information . . . is ‘a child’s username, sex, age, type of computer,’ and IP address.” Id. at *11.
It is not enough that “information might one day serve as the basis of personal identification after
some effort on the part of the recipient” because “the same could be said for nearly any type of
personal information; this [c]ourt read the VPPA to require a more tangible, immediate link.” Id.
Because this information in isolation did not identify a person, the court concluded that
plaintiff’s VPPA claim against Viacom failed. Id. at *9.11
In Hulu, on a motion for summary judgment, the Northern District of California
examined whether three types of disclosures by Hulu were PII. 2014 WL 1724344, at * 9. The
first disclosure, to comScore, was a “watch page” URL web address that contained the video
name and the Hulu user’s unique seven-digit Hulu User ID. Id. Using the user ID, comScore
could access a user’s profile page, which listed the user’s first and last name. Id. The second
disclosure, to comScore, was a “comScore ID” that was unique to each registered user, which
“allowed comScore to link the identified user and the user’s video choices with information that
11
In response to the court’s decision, plaintiffs amended their complaint to “allege that Google could learn
[p]laintiffs’ actual identities by using a ‘DoubleClick cookie identifier,’ and by combining the information Viacom
provides it with data it already gathers from its other websites and services.” In re Nickelodeon Consumer Privacy
Litigation, 2015 WL 248334, *2 (D.N.J. Jan. 20, 2015). In its unpublished opinion in the Nickelodeon case, the
court found that plaintiffs did not allege “new facts which make it plausible that the information collected does
indeed identify [p]laintiffs.” Id. at *3-*4. The court confirmed its previous holding that PII “is information which
must, without more, itself link an actual person to actual video materials.” Id. at *3. Because the complaint alleged
that Google independently gathered information to connect an actual person with actual video materials, the court
concluded that the information disclosed by Viacom did not constitute PII. Id. In any event, the court found that the
complaint included “no allegation that Google can identify the individual [p]laintiffs in this case, as opposed to
identifying people generally, nor any allegation that Google has actually done so here.” Id. at *4. As a result, the
court dismissed the amended complaint. Id.
14
comScore gathered from other websites that the same user visited.” Id. The third disclosure, to
Facebook, included unique identifiers that sometimes consisted of the user’s IP address, the URL
web address with the video name, and the user’s Facebook ID. Id. The court in Hulu found that
“the statute, the legislative history, and the case law do not require a name, instead require the
identification of a specific person tied to a specific transaction, and support the conclusion that a
unique anonymized ID alone is not PII but context could render it not anonymous and the
equivalent of the identification of a specific person.” Id. at *11. It therefore explained that “a
unique anonymized ID could be PII if other evidence renders it the equivalent of identifying a
specific person.” Id. However, it also noted that case law supported a “conclusion that
anonymous identification data alone is not PII.” Id. In examining the three types of disclosures,
the court looked at how the third party used the information. Id. at *12. The court concluded
that the disclosure of the watch page URL containing the video name and a user’s unique sevendigit Hulu User ID was not PII because there was no evidence that suggested any linking of a
specific, identified person and his video habits. Id.. Likewise, the court concluded that the
disclosure to comScore of the comScore ID was not PII on the ground that although “[t]here may
be substantial tracking that reveals a lot of information about a person . . . [,] there is a VPPA
violation only if that tracking necessarily reveals an identified person and his video watching.”
Id. Finally, the court concluded that the disclosure to Facebook of the watch page, the user’s IP
address, and the Facebook user ID was PII because it constituted information that identified the
Hulu user’s actual identity on Facebook. Id. at *13. “If the cookies contained a Facebook ID,
they could show the Hulu user’s identity on Facebook.” Id. at *14.
The Hulu decision does not necessarily support a finding that an Android ID is not PII.
15
The case was decided on a motion for summary judgment, and specifically noted that “a unique
anonymized ID alone is not PII but context could render it not anonymous and the equivalent of
the identification of a specific person.” It is unclear whether the court meant that context could
render it PII if other information provided in the disclosure with the anonymized ID identified a
specific person, or whether context could render it PII if the third party receiving the information
had independent information that helped link the ID with a specific person. No matter what it
holds, it is clear that the inquiry is context-dependent. Based on the logic of the Hulu decision, it
would appear that the factual record would need to be developed before concluding that an
Android ID is not PII.
In any event, Nickelodeon’s conclusion that “PII is information which must, without
more, itself link an actual person to actual video materials” is flawed. That conclusion would
seemingly preclude a finding that a home address or social security number is PII. Surely, that
cannot be correct. Therefore, because it relies on Nickelodeon and Hulu, the holding in Ellis that
an Android ID is not PII is unpersuasive.12
12
Defendant also cites a variety of cases outside of the VPPA that involve PII to support its motion. For
example, defendant cites the Cable Communication Privacy Act cases Pruitt v. Comcast Cable Holdings, LLC, 100
Fed. Appx. 713 (10th Cir. 2004) and Klimas v. Comcast Cable Comm’ns., Inc., 2003 WL 23472182 (E.D. Mich.
July 1, 2003), aff’d on other grounds, 465 F.3d 271 (6th Cir. 2006). Courts have found that the VPPA is analogous
to the Cable Act. See Parker v. Time Warner Entmt’ Co., 1999 WL 1132463, at *9 (E.D.N.Y. Nov. 8, 1999).
In Pruitt, the Tenth Circuit examined whether Comcast information stored within Comcast’s converter
boxes is PII. 100 Fed. Appx. at 716. The court explained that “[i]ndividual subscriber information is not contained
within the converter box, but an identifying number known as a ‘unit address’ allows Comcast to match the
subscriber’s purchases to its billing system.” Id. at 715. The court determined that “the converter box
code—without more—provides nothing but a series of numbers.” Id. at 716. Because “without the billing
information, even Comcast would be unable to identify which individual household was associated with the raw data
in the converter box,” the court concluded that information contained in the boxes is not PII. Id. at 716-17. The
Hulu court found that “Pruitt stands for the proposition that an anonymous, unique ID without more does not
constitute PII. But it also suggests that if an anonymous, unique ID were disclosed to a person who could
understand it, that might constitute PII.” Hulu, 2014 WL 1724344, at *11. Here, the complaint alleges that Adobe is
able to use the Android ID to identify specific individuals.
In Klimas, 2003 WL 23472182, the plaintiff brought a class action alleging that Comcast “secretly
16
The opinions cited above seem to take an unrealistic view of the nature of personal
identifiers, and how readily different databases or pieces of information can be linked together.
The courts appear to frame the issue in large part by referring to these identifiers as “anonymous
identifiers,” which is unhelpful and possibly misleading. Again, a social security number or a
date of birth, in isolation, is anonymous. However, it would be absurd to conclude that a social
security number is not PII, simply because there is no publicly-available database linking those
numbers with names.
Likewise, it is unrealistic to refer to PII as “information which must, without more, itself
link an actual person to actual video materials.” Again, that would appear to preclude a finding
that home addresses, social security numbers, and dates of birth are PII. Moreover, drawing a
link between the Android ID and a person’s name may not be difficult. If, as alleged, Adobe
collects information from the USA Today App linking an Android ID and GPS information with
a specific video, and collects information from another source (such as GPS information linked
to residential addresses, and residential addresses linked to names)—it would be relatively easy
for Adobe to link that information to identify a person. It is also possible, of course, that third
parties such as Adobe have access to databases that link Android IDs to specific persons.
In short, the information alleged disclosed to Adobe by Gannett, which consists of an
Android ID and a GPS location, constitutes “personally identifiable information” within the
meaning of the Video Privacy Protection Act.
intercept[ed], cop[ied], stor[ed], and otherwise collect[ed] all the information sent to and from its subscribers over
the Internet” in violation of the Cable Act. Comcast admitted storing IP and URL information. The issue the court
considered was whether dynamic IP addresses constitute PII. Id. at *4. The court found that “a dynamic IP address
cannot constitute PII [because] [u]nlike a subscriber’s name, address, social security number, etc., a dynamic IP
address is constantly changing.” Id. at *5. It is undisputed that the Android ID is static.
17
B.
Plaintiff Is Not a “Subscriber”
The VPPA defines a “consumer” as any “renter, purchaser, or subscriber of goods or
services from a video tape service provider.” 18 U.S.C. § 2710.(a)(1). Plaintiff contends that he
is a “subscriber” for purposes of the VPPA because he “downloaded, installed, and watched
videos” using the App.
The term “subscriber” is not defined in the statute. Traditionally—and certainly as of
1988, when the statute was enacted—a “subscriber” would have been defined principally as a
person who has signed up to receive a periodical or a commercial service, typically having
agreed to make a regular payment. See, e.g., WEBSTER’S NINTH NEW COLLEGIATE DICTIONARY
1176 (Frederick C. Mish, et al., eds., 1991) (defining “subscribe” as “to enter one’s name for a
publication or service; also: to receive a periodical or service regularly on order”); Subscriber
Definition, THE OXFORD ENGLISH DICTIONARY (online ed.), http://oed.com/view/Entry/
192954?redirectedFrom=Subscriber#eid (last visited Apr. 2, 2015) (defining “subscriber” as “a
person who makes a regular payment in return for entitlement to receive a periodical,
membership of a society, access to a commercially provided service, etc.”).13 The traditional
subscription business model involves an individual making periodic payments in exchange for
delivery of magazines, newspapers, or other content. See, e.g., Subscribe to Home Delivery,
BOSTON GLOBE, http://services.bostonglobe.com/subscribers/homedelivery.aspx?id=5278 (last
visited Apr. 14, 2015).
In the modern electronic world, subscriptions entail a broader spectrum of activity.
13
Other definitions of “subscriber,” such a person who signs one’s name to a document, pledges a gift or
contribution in writing, or agrees to purchase an offering of securities, are clearly not relevant here. See Subscribe
Definition, MERRIAM-WEBSTER (online ed.), www.merriam-webster.com/dictionary/subscriber (last visited May 5,
2015).
18
Certain periodicals allow access (or complete access) to online content only with a subscription.
See, e.g., WASHINGTON POST https://subscribe.washingtonpost.com/acquisition/
acquisitionapp.html#/offers/promo/digital01 (last visited Apr. 14, 2015); N.Y. TIMES,
http://www.nytimes.com/subscriptions/Multiproduct/lp88U46.html?campaignId=4FWFJ&__KE
YWORDS__=${keywordText}&__CAMP__=4FWFJ (last visited Apr. 14, 2015). In addition,
individuals may subscribe to YouTube channels and podcasts. Subscribe to the Channels You
Love, YOUTUBE, https://support.google.com/youtube/answer/4489286?hl=en (last visited Apr.
15, 2015); Discovering Podcasts, APPLE, https://www.apple.com/itunes/podcasts/discover/ (last
visited Apr. 15, 2015).14 A “subscriber” has also been defined as “a person who adds his or her
details to an electronic newsgroup mailing list, etc., in order to receive, or contribute to, its
contents; a person who has signed up to receive messages or other information from a
newsgroup, mailing list, etc.” Subscriber Definition, THE OXFORD ENGLISH DICTIONARY (online
ed.), http://oed.com/view/Entry/192954?redirectedFrom=Subscriber#eid (last visited Apr. 2,
2015).
A common thread can be distilled from these definitions and examples. Subscriptions
involve some or all of the following: payment, registration, commitment, delivery, and/or access
to restricted content. To download and use the USA Today App, an individual does not have to
pay any money; does not have to register; and does not have to make any commitment of any
14
With a YouTube subscription, a person must register and then login to his or her account. Subscribe to
the Channels You Love, https://support.google.com/youtube/answer/4489286?hl=en (last visited Apr. 15, 2015).
The individual then clicks the “Subscribe” button for a specific channel. Id. Once an individual has subscribed to a
YouTube channel, “the channel is added to [her] guide . . . . [W]henever [she] visits [her] homepage, new videos
from [her] subscriptions will appear in the My Subscriptions feed.” Id. This means that an individual receives
“updates whenever [a channel] upload[s] new videos.” Id. A podcast subscription is similar to a Youtube
subscription. When an individual subscribes to a podcast, he or she will “automatically receive any future episodes.”
Podcasts are automatically delivered to individuals as they are uploaded. Discovering Podcasts, APPLE,
https://www.apple.com/itunes/podcasts/discover/ (last visited Apr. 15, 2015).
19
kind. The complaint does not allege that downloading the App causes individuals to be placed
on an e-mail list or permits individuals to access otherwise restricted content. To watch videos
on the USA Today App, users simply click on the app and click on the video. The App appears
to merely be a more convenient form of visiting the USA Today website.15 Under the
circumstances, an individual who downloads and uses the USA Today is not a “subscriber”
within the meaning of the VPPA. In common parlance, an individual who watches video on the
App is simply known as a “user.”
That conclusion is bolstered by the fact that subscriptions do exist for other forms of
apps. See, e.g., Subscriptions on Google Play, GOOGLE, https://support.google.com/googleplay/
answer/2476088?hl=en (last visited Apr. 15, 2015); Monetize Apps: Paid Apps vs. In-App
Purchases vs. Freemium vs. Subscription, BUILDBLOG BY THINKAPPS, http://thinkapps.com/blog/
post-launch/monetize-apps-paid-apps-vs-app-purchases-vs-freemium-vs-subscription/ (last
visited Apr. 15, 2015). According to Google, a “subscription is when you pay a recurring fee
rather than a one-time price for content on Google Play. You’ll automatically be charged at the
beginning of each subscription term.” Subscriptions on Google Play, supra. In its Buildblog,
ThinkApps (which is an on-demand service for designing and building applications for web,
mobile and wearables) explains that there are many different models for apps. Monetize Apps,
supra. Among those models are paid apps, free apps, and subscription apps. Id. According to
this blogpost, “[s]ubscription apps offer users access to a particular service or content for a
weekly, monthly, or annual fee.” Id. Thus, because there is a recognized concept of a
subscription within the app context—and because users of the USA Today App do not fit within
15
At oral argument, plaintiff appeared to concede that visiting the USA Today website alone would not
make an individual a “subscriber” under the VPPA. (Mot. Hearing Tr. 29-30).
20
that concept—individuals who use the USA Today App are not “subscribers” within the VPPA’s
definition of “consumer.”
Again, however, the weight of authority seems to point in the opposite direction. In Ellis
v. Cartoon Network, the court relied on a 2012 decision in the Hulu case to conclude that an app
user qualifies as a “subscriber.” 2014 WL 5023535, at *2.16 The Ellis court did not look to the
plain meaning of “subscriber,” and appeared to rely on the Hulu court’s analysis as conclusive.
Id. In Hulu, the defendant contended that plaintiff could not be a “subscriber” on the ground that
the ordinary meaning of the term implied the payment of money. 2012 WL 3282960, at *7-8.
The court determined that the plaintiffs in the Hulu case pleaded “more than just visiting Hulu’s
website.” Id. at *8. The court concluded that because the term “subscriber” does not necessarily
imply the payment of money, the plaintiffs in that case could be considered “subscribers.”17
Again, this Court concludes that Hulu, and the cases that follow its reasoning, are not
correctly decided. Here, at least, where there is no payment of money, no registration of
information, no periodic delivery, and no privilege to view restricted content, none of the
necessary elements of a subscription are present. Plaintiff is therefore not a “subscriber” within
the meaning of the VPPA. Accordingly, the complaint fails to state a claim upon which relief
can be granted.18
16
The court in Locklear v. Dow Jones & Co., 14-cv-00744-MHC (N.D. Ga. Jan. 23, 2015), relied on both
Ellis and Hulu to conclude that an individual who downloaded the WSJ Channel and used it to watch video clips
qualified as a “subscriber.”
17
It appears that Hulu involved registered users who received Hulu IDs, established Hulu profiles, and used
Hulu’s video streaming services. 2012 WL 3282960 at *7.
18
The Court does not reach the question of whether the complaint alleges an injury in fact.
21
IV.
Conclusion
For the foregoing reasons, the motion to dismiss is GRANTED.
So Ordered.
/s/ F. Dennis Saylor
F. Dennis Saylor IV
United States District Judge
Dated: May 15, 2015
22
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
