The Video Privacy Protection Act (“VPPA”) was originally drafted to protect an individual from the release of his personal information by his local video store, but developments in technology have forced courts to apply the VPPA in different scenarios. Recent VPPA decisions have frequently addressed what constitutes “personally identifiable information” (“PII”). In a recent New York case (Robinson v. Disney Online d/b/a Disney Interactive, 14-CV-4146), the court determined that information is PII only if the disclosed information alone can be used to identify a specific individual.
A judge in the United States District Court for the Southern District of New York granted Defendant Disney Online’s (“Disney”) Motion to Dismiss Plaintiff’s Complaint in a suit alleging violations of the VPPA. Plaintiff James Robinson claimed that Disney violated the VPPA by disclosing PII – the encrypted serial number of the digital device he used to access Disney video content, as well as his viewing history – to Adobe, a third-party data analytics company. The court concluded that the information disclosed by Disney did not amount to PII under the VPPA because that information by itself could not be used to identify a particular person.
Robinson’s claim involved his use of a Roku digital streaming device to view Disney Channel content through the Disney Channel application. He claimed that each time he used the Disney Channel application, a record of his viewing history, along with the hashed serial number associated with his Roku device was sent to Adobe. Robinson claimed that Adobe aggregated data to personally identify users and associate their video viewing selections with a personalized profile. Ultimately, he claimed that the information disclosed by Disney was PII, and that its unauthorized disclosure amounted to a violation of the VPPA.
The main issue addressed by the Court was the scope of information encompassed by the VPPA’s definition of PII and how precisely the disclosed information must identify a specific individual. Plaintiff did not argue that his viewing activities along with the hashed serial number of his Roku device alone constituted PII, but that this information constituted PII because Adobe was able to identify him by linking the information disclosed by Disney with existing personal information obtained from another source. Disney responded that PII under the VPPA is solely limited to information which, in and of itself, identifies a person. Disney argued that the information it disclosed was insufficient to identify an individual without Adobe using information it obtained elsewhere, and therefore did not constitute PII.
The court ultimately agreed with Disney and granted its motion to dismiss. The court stated that, “it is the information actually disclosed by a video tape service provider, which must itself do the identifying that is relevant for the purposes of the VPPA, and not information disclosed by a provider, plus other pieces of information collected elsewhere by non-defendant third parties.” Specifically, PII under the VPPA is information which itself identifies a particular person as having accessed specific video rentals. In this case, it was not possible for Adobe to identify the Plaintiff based on the hashed serial number of his Roku device. Had Disney disclosed the information here – Plaintiff’s viewing history and hashed serial number – along with a code that enabled Adobe to decrypt the hashed serial number and other information necessary to identify the specific user, then it would be liable under the statute. The court noted that information which is not otherwise PII cannot become PII because of the ability of a third-party to use information from other sources to identify the individual. The view adopted in this case is the majority view held by courts that have previously addressed the issue.