On April 28, the Northern District of California granted in part and denied in part Hulu’s motion for summary judgment over allegations that it violated the Video Privacy Protection Act (VPPA) by sharing users’ information with comScore and Facebook.  The court granted the motion for the comScore disclosures but denied the motion for the Facebook disclosures.

The VPPA restricts video service providers from disclosing “personally identifiable information” to third parties.  Under the statute, the term “personally identifiable information” means “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”  In this case, the court drew a distinction between the types of information Hulu was disclosing to comScore and the types of information it was disclosing to Facebook.  The court held that, “[t]he comScore disclosures were anonymous disclosures that hypothetically could have been linked to video watching.  That is not enough to establish a VPPA violation.  As to the Facebook disclosures, there are material issues of fact about whether the disclosure of the video name was tied to an identified Facebook user such that it was a prohibited disclosure under the VPPA.”

According to declarations from Hulu, Hulu’s main source of income is its advertising revenue.  Advertisers pay Hulu to run its commercials during breaks, and the amount they pay is tied to how often an ad is viewed.  Hulu uses analytics providers like comScore to verify those types of metrics.  In Hulu’s case, comScore performed its analytics on the Hulu site and then reported its data to Hulu in the “aggregate and generalized” form.  While the court acknowledged that “comScore doubtless collects as much evidence as it can about what webpages Hulu users visit,” the court held that “there is a VPPA violation only if that tracking necessarily reveals an identified person and his video watching.”  Since there was no evidence that comScore’s tracking did that here, the court granted the motion in Hulu’s favor with respect to the comScore disclosures.

As for the Facebook disclosures, the court’s ruling turned on its determination that “personally identifiable information” was transmitted from Hulu to Facebook via Facebook’s “Like” button.  Each hulu.com watch page has a “Like” button.  During the relevant time period, the URL of each watch page – which was sent to Facebook in order to offer the “Like” button – included the video title that the user watched.  And through Hulu’s cookies associated with the “Like” button, the name of the Facebook user was provided.  Based on these facts, the court found that plaintiff’s VPPA claims for the Facebook disclosures should survive.

The VPPA was amended last year and state iterations of the law have recently given rise to litigation.  With statutory damages of $2,500 per violation, the potential liability under the VPPA can be catastrophic.  Plaintiffs’ counsel has brought VPPA class actions against various content platforms, including Blockbuster, Netflix and Redbox, with mixed results.  The cases against Blockbuster and Netflix each settled.  Redbox’s motion to dismiss was denied by the district court, but on interlocutory appeal the case was dismissed by the Seventh Circuit.

There has also been an recent up-surge of VPPA cases alleging that various news and entertainment organizations violated the VPPA by sharing what consumers watched with third-party analytics companies.  See Perry v. Cable News Network, Inc., et al., Case No. 1:14-cv-01194, N.D. Ill.; Ellis v. The Cartoon Network, Inc., Case No. 1:14-cv-00484, N.D. Ga.; Locklear v. Dow Jones & Co. Inc., Case No. 1:14-cv-00744, N.D. Ga.; Eichenberger v. ESPN, Inc., Case No. 2:2014-cv-00463, W.D. Wash.  These cases are still in the pleading stage and will surely be impacted by this new ruling.