justice scale justice scale justice scale

McKenna Minutes

“The life of the law has not been logic; it has been experience.”

-Oliver Wendell Holmes, Jr.

District Court Dismisses Claim for Unauthorized Disclosure of Personal Identifying Information Under Video Privacy Protection Act


The Video Privacy Protection Act (“VPPA”) was originally drafted to protect an individual from the release of his personal information by his local video store, but developments in technology have forced courts to apply the VPPA in different scenarios. Recent VPPA decisions have frequently addressed what constitutes "personally identifiable information" (“PII”). In a recent New York case (Robinson v. Disney Online d/b/a Disney Interactive, 14-CV-4146), the court determined that information is PII only if the disclosed information alone can be used to identify a specific individual.

A judge in the United States District Court for the Southern District of New York granted Defendant Disney Online’s (“Disney”) Motion to Dismiss Plaintiff’s Complaint in a suit alleging violations of the VPPA. Plaintiff James Robinson claimed that Disney violated the VPPA by disclosing PII – the encrypted serial number of the digital device he used to access Disney video content, as well as his viewing history – to Adobe, a third-party data analytics company. The court concluded that the information disclosed by Disney did not amount to PII under the VPPA because that information by itself could not be used to identify a particular person.

Robinson’s claim involved his use of a Roku digital streaming device to view Disney Channel content through the Disney Channel application. He claimed that each time he used the Disney Channel application, a record of his viewing history, along with the hashed serial number associated with his Roku device was sent to Adobe. Robinson claimed that Adobe aggregated data to personally identify users and associate their video viewing selections with a personalized profile. Ultimately, he claimed that the information disclosed by Disney was PII, and that its unauthorized disclosure amounted to a violation of the VPPA.

The main issue addressed by the Court was the scope of information encompassed by the VPPA’s definition of PII and how precisely the disclosed information must identify a specific individual. Plaintiff did not argue that his viewing activities along with the hashed serial number of his Roku device alone constituted PII, but that this information constituted PII because Adobe was able to identify him by linking the information disclosed by Disney with existing personal information obtained from another source. Disney responded that PII under the VPPA is solely limited to information which, in and of itself, identifies a person. Disney argued that the information it disclosed was insufficient to identify an individual without Adobe using information it obtained elsewhere, and therefore did not constitute PII.

The court ultimately agreed with Disney and granted its motion to dismiss. The court stated that, “it is the information actually disclosed by a video tape service provider, which must itself do the identifying that is relevant for the purposes of the VPPA, and not information disclosed by a provider, plus other pieces of information collected elsewhere by non-defendant third parties.” Specifically, PII under the VPPA is information which itself identifies a particular person as having accessed specific video rentals. In this case, it was not possible for Adobe to identify the Plaintiff based on the hashed serial number of his Roku device. Had Disney disclosed the information here – Plaintiff’s viewing history and hashed serial number – along with a code that enabled Adobe to decrypt the hashed serial number and other information necessary to identify the specific user, then it would be liable under the statute. The court noted that information which is not otherwise PII cannot become PII because of the ability of a third-party to use information from other sources to identify the individual. The view adopted in this case is the majority view held by courts that have previously addressed the issue.

Categories Privacy and Data Security Litigation

Leave a Reply

You must be logged in to post a comment.

Here to help with whatever your legal issues may be, schedule your no-obligation consultation or Simply Call us at.
Chicago: (312) 558-3900 or Woodstock: (815) 334-9694

  • Hidden
  • Hidden

Please do not send confidential information via email. The sending of information by you, and the receipt of it by McKenna Storer, is not intended to, and does not create a lawyer-client relationship.

Privacy Policy | Sitemap © 2021 McKenna Storer
Show Buttons
Hide Buttons