Eichenberger v. ESPN
Eichenberger v. ESPN, Inc., No. 15-35499, concerns whether consumers have standing to sue companies for violating the Video Privacy Protection Act (“VPPA”). The VPPA prohibits videotape service providers from knowingly disclosing personally identifiable information (“PII”) concerning a consumer. 18 U.S.C. § 2710(b)(1). PII includes “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3). Eichenberger alleges that ESPN disclosed PII related to every video he viewed on the “WatchESPN Channel” through his Roku media-streaming device to an unrelated third party, in violation of the VPPA. The lower court dismissed the case with prejudice and determined that PII can never “extend to anonymous IDs, usernames, or device numbers.” On appeal, the Ninth Circuit is evaluating the scope of the PII provision in the VPPA and considering the applicability of Spokeo v. Robbins, No. 11-56843, for standing purposes.
- Appeals Court Revives Data Breach Suit Against Zappos: A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation. (Mar. 9, 2018)
- Supreme Court Leaves Data Breach Decision In Place: The Supreme Court has denied a petition for a writ of certiorari in Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation. (Feb. 20, 2018) More top news »
Factual and Procedural Background
Defendant ESPN, Inc. operates on a number of platforms and produces sports-related news and entertainment programming. The platform in question here is the “WatchESPN Channel” for the Roku digital media-streaming device, which allows users to view videos and other content on their televisions via the Internet. Plaintiff Eichenberger downloaded the Watch ESPN Channel in early 2013 and alleged that every time he viewed a video using the Channel on his Roku device, defendant knowingly disclosed PII “in the form of his unique Roku device serial number, along with the videos he viewed” to a third party, Adobe Analytics. Eichenberger claimed that he did not consent for defendant to share this information with a third party.
On November 24, 2014, the lower court dismissed plaintiff’s first amended complaint, finding that the disclosure of the Roku device serial number alone was not sufficient to establish a VPPA violation. Plaintiff’s second amended complaint added that once the serial number was sent to Adobe, Adobe was able to identify plaintiff through existing user information possessed by Adobe, including email addresses, account information, or Facebook profile information such as photos and usernames. Because Adobe can associate the Roku serial number with corresponding user information that is already in its possession, WatchESPN’s disclosure identified Eichenberger to Adobe as having watched specific video materials.
In February 2015, defendant filed a motion to dismiss plaintiff’s second amended complaint with prejudice, arguing that it similarly failed to plead facts that could plausibly give rise to a violation of the VPPA as did in the first amendment complaint. The lower court found that Eichenberger failed to sufficiently allege disclosure of “personally identifiable information” required to state a claim under the VPPA. As a result, the court dismissed plaintiff’s complaint with prejudice.
Legal Background - Standing
Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.
Legal Background - VPPA
The Video Privacy Protection Act (VPPA) prohibits a video provider from knowingly disclosing “personally identifiable information” concerning any “consumer” of its service. The VPPA’s definition of personally identifiable information “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”
Congress passed the VPPA in 1988 in response to a newspaper article leaking Supreme Court nominee Robert Bork’s video rental records. The VPPA “protect[s] certain personal information of an individual who rents video materials from disclosure.” The Act “allows consumers to maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers.”
EPIC Amicus Briefs on Standing
EPIC has a strong interest in ensuring privacy lawsuits proceed to redress the harms of privacy violations and ensure greater privacy protections thereafter. Post-Spokeo v. Robins and Amnesty v. Clapper, courts have interpreted standing differently across the country and EPIC aims to clarify the doctrine and how it relates to consumer protection.
In October 2016, EPIC filed an amicus brief in Gubala v. Time Warner Cable, urging the Seventh Circuit Court of Appeals to recognize that post-Spokeo, injury in fact is a legal injury, distinct from consequential harm. Therefore, Time Warner Cable caused a legal injury when it violated Mr. Gubala’s rights under the Protection of Subscriber Privacy after collecting his data.
In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “Americans consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins's allegations were "concrete," and remanded the case to the lower court. Upon remand, the Ninth Circuit determined that Robin’s allegations were sufficiently “concrete” to warrant standing.
EPIC Amicus Briefs in Cases Concerning Information Privacy and the VPPA
EPIC has a strong interest in protecting the privacy of consumers and their information, and ensuring this data is not disclosed to third parties. EPIC has specifically worked to protect the privacy rights for consumers that were established by the VPPA.
In 2016, EPIC filed and amicus curiae brief in Perry v. Cable New Network, Inc., et al., arguing that the privacy protections in the VPPA apply to mobile apps that provide video service.
In 2015, EPIC filed an amicus curiae brief in In re Nickelodeon, urging the Third Circuit Court of Appeals to support a robust understanding of PII and the VPPA, given the crucial nature of unique identifiers in data transmission, and the difficulty of anonymizing transactional information. Users of a Viacom website sued over its practice of profiling the video history, gender and age of child users, and sharing it with Google.
In 2010, EPIC wrote to the U.S. District Court for the Northern District of California, urging the court to reject a proposed settlement that would have deprived Facebook users of remedies under the video privacy law. EPIC urged the court to reject a settlement that would have resulted in no direct compensation for users, despite the law’s $2,500 statutory damages provision. EPIC also observed that the settlement would have deprived users of meaningful privacy protections by directing all settlement funds to a Facebook-controlled entity.
In 2009, EPIC filed an amicus curiae brief supporting strong privacy safeguards for consumers’ video rental data. EPIC’s brief urged the Fifth Circuit Court of Appeals to enforce the law’s protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. Facebook users filed the lawsuit after Blockbuster made public consumers’ private video rental information.
EPIC also opposed an effort in 2011 to undermine the VPPA. In a letter to House members on H.R. 2471 EPIC urged careful consideration of the impact that the proposed change would have on users of Internet-based services. EPIC asked the Committees considering the legislation to hold a hearing so that that all views on the matter could be considered. Before a Senate Subcommittee in January 2012, EPIC President Marc Rotenberg, urged Congress to amend the definition of PII to expressly include IP addresses and account identifiers.
EPIC also has an interest in protecting online privacy and anonymity. Companies that gather consumer data often do so without knowledge or consent of the consumers, implicating privacy interests because consumers have the right to know how and what kind of information is being used and disclosed to third parties. And as technology evolves, information that might be “anonymous” today, may become PII in the future. To effectively enforce the VPPA, courts must understand the evolving online landscape in which consumer information is collected, stored, and shared. For years, EPIC has driven the public debate on these issues.
United States Court of Appeals for the Ninth Circuit, No. 15-35449
- Oral Argument held in Pasadena on October 3, 2017, 9:00 AM, in Courtroom 1 before Hon. Circuit Judges Graber, Murguia, and Christen. See Audio and Video.
- Clerk Letter Briefing Order (Sept. 8, 2017)
- Plaintiff-Appellant Eichenberger Letter Brief on Standing (Sept. 22, 2017)
- Defendant ESPN Letter Brief on Standing (Sept. 22, 2017)
- Amicus Curiae EPIC Letter Brief on Standing (Sept. 28, 2017)
- Defendant ESPN Supplemental Letter Brief on Standing (Oct. 2, 2017)
United States District Court for the Western District of Washington, No. 14-463
- Order Dismissing the Second Amended Complaint (May 7, 2015)
- Christopher Crosby, Vizio denied 9th Circ. appeal of video privacy decision, Law360 (Oct. 17, 2017)
- Adam Rhodes, ESPN Slams Privacy Watchdog’s Brief In App User’s Suit, Law360 (Oct. 3, 2017)
- Adam Rhodes, ESPN App User Backed y Privacy Watchdog In 9th Circ. Row, (Sept. 19, 2017)
- Jesse M. Brody, Ninth Circuit Examines VPPA Standing, Lexology (Sept. 28, 2017)
- Shayna Posses, ESPN, App User Spar Over Spokeo's Impact On Privacy Suit, Law360 (Sept. 25, 2017)
- Jody Godoy, ESPN App Users Take Privacy Fight To 9th Circ. Law360 (June 8, 2015)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Privacy in the Modern Age