In re Nickelodeon Consumer Privacy Litigation
- Nickelodeon Plaintiffs Ask Supreme Court to Hear Video Privacy Case: The plaintiffs in the In re Nickelodeon class action recently asked the Supreme Court to hear their case. In June, a federal appeals court rejected claims that Viacom and Google violated the Video Privacy Protection Act, holding that static IP and MAC addresses are not “personally identifiable information.” The opinion contradicted a ruling from a different federal appeals court which held that unique IDs are personally identifiable under the video privacy law. EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly “to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.” The petition is C.A.F. v. Viacom, case number 16-346. (Sep. 28, 2016)
- Court Misunderstands Internet Tracking in Video Privacy Case: The Third Circuit today rejected claims brought against Nickelodeon under the Video Privacy Protection Act, holding that IP and MAC addresses are not “personally identifiable information.” The opinion contradicts a First Circuit decision from earlier this year, which found that a unique Android ID and GPS coordinates constituted PII under the VPPA. The circuit split increases the possibility of U.S. Supreme Court review. The Court did find that plaintiffs could sue under state privacy law. EPIC filed an amicus brief, arguing that Congress defined PII as “purposefully broad to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.” (Jun. 27, 2016) More top news »
In re Nickelodeon is a class action lawsuit brought in the U.S. District Court for the District of New Jersey in response to the collection of users information by Nick.com. The Plaintiffs, a class of children under the age of thirteen who visited Nick.com, sued Defendants Viacom and Google for violating privacy laws. Specifically, Plaintiffs alleged violations of the Video Privacy Protection Act (VPPA) by Viacom and of the New Jersey Computer Related Offenses (CROA) by both Defendants; the Plaintiffs also brought claims of intrusion upon seclusion against both Defendants. In January 2015, the District Court dismissed the case, finding that Plaintiffs failed to state a plausible claim. Plaintiffs plan to appeal the ruling to the U.S. Court of Appeals for the Third Circuit.
Viacom operates various child directed websites including Nick.com where children are encouraged to register and create personal profiles. Through those profiles, Viacom gathers childrens' information such as their gender, birthday, and unique profile name. When children stream videos or play games on Nick.com, Viacom creates a record of their gender and birthday—called the "rugrat" code-and the name of the video played. Viacom shares that information with Google.
Viacom also places cookies on childrens' computers without consent of the children or their parents. These cookies allow Viacom to gather information about its users including their IP address, device and browser settings, and browsing history. Viacom shares this cookie information with Google. In addition, Viacom permits Google to place its own cookies on Plaintiffs' computers and to access information from these cookies. Google's cookies, alleged Plaintiffs, assign to each Plaintiff a "unique numeric or alphanumeric identifier" that becomes "connected to" the information Viacom discloses to Google about that Plaintiff. The purpose of this information is to sell and conduct targeted advertising.
District Court of New Jersey
In October 2013, Plaintiffs filed a complaint against Viacom and Google alleging seven causes of action. Three were violations of federal statutes: the VPPA, Wiretap Act, and Stored Communications Act (SCA). Four were state law causes of action: California's Invasion of Privacy Act, and New Jersey's CROA, intrusion upon seclusion, and unjust enrichment. Defendants moved to dismiss the case arguing that Plaintiffs' complaint failed to claims upon which relief could be granted. The court agreed, in part, but allowed Plaintiffs to amend the complaint and cure deficiencies regarding the VPPA, CROA, and intrusion upon seclusion claims.
The next year, Plaintiffs filed an amended complaint and, again, Defendants moved to dismiss. The court dismissed the amended claims with prejudice, ruling the Plaintiffs failed to "state a claim for relief that is plausible on its face."Video Privacy Protection Act (VPPA)
A video tape service provider (VTSP) , violates the VPPA if it "knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider . . . ." 18 U.S.C. § 2710(b). Personally identifiable information (PII) under the VPPA "includes information which identifies a person as having requested or obtained specific video materials or services from a [VTSP]." § 2710(a)(3). The court ruled that Plaintiffs failed to make a plausible claim under the VPPA because it was "entirely theoretical." PII, according to the court, "is information which must, without more, itself link an actual person to actual video materials." And the IP addresses and other information collected from Plaintiffs "could not, either individually or in the aggregate, identify a Plaintiff and what video they had watched." Plaintiffs argued that the data collected by Nick.com, combined with Google's troves of data on its registered users, was PII under the VPPA. But even if that were the case, observed the court, Plaintiffs failed to identify any particular plaintiff that had registered for Google's services.
EPIC has an interest in protecting the privacy of consumer information entrusted to businesses. EPIC strongly supports the President's Consumer Privacy Bill of Rights (CPBR), which establishes responsibilities for companies that collect and use personal information, and encourages the FTC to require its implementation when it settles with privacy-violating companies. In the case of video privacy, Congress has made clear through the VPPA, that consumers' video viewing history must be kept private and only disclosed in narrow circumstances.
United States Court of Appeals for the Third Circuit
- Appellants' Brief, Apr. 27, 2015.
- EPIC's Amicus Brief in Support of Appellants, May 4, 2015.
- Viacom's Response Brief (June 16, 2015)
- Google's Response Brief (June 16, 2015)
- U.S. Chamber of Commerce's Amicus Brief in Support of Appellees (June 22, 2015)
- Appellants' Reply Brief (July 28, 2015)
- Third Circuit Opinion
United States District Court for the District of New Jersey
- Opinion Granting Viacom's Motion to Dismiss, Jan. 20, 2015.
- Plaintiffs' Opposition to Viacom's Motion to Dismiss, Nov. 24, 2014.
- Viacom's Motion to Dismiss, Oct. 14, 2014.
- Plaintiffs' Second Amended Complaint, Sept. 11, 2014.
- Order Granting in Part Defendants' Motion to Dismiss, July 2, 2014.
- Master Consolidated Class Action Complaint, Oct. 23, 2013.
- The Video Privacy Protection Act, 18 U.S.C. § 2710
- EPIC: Video Privacy Protection Act
- 1998 Senate Judiciary Committee Report on the VPPA
- The Video Privacy Protection Act: Protecting Viewer Privacy in the 21st Century: Hearings Before the Subcomm. on Privacy, Tech. and the Law of the S. Comm. on the Judiciary, 112th Cong. 112-59 (2012) (statement of Marc Rotenberg)
- EPIC: Online Tracking and Behavioral Profiling
- EPIC: Algorithmic Transparency
- Alex Wolf, High Court Urged To Hear Google, Viacom Child Privacy Row, Law360 (Sep. 23, 2016)
- Joe Mullin, Hulu beats lawsuit claiming it illegally shared user data with Facebook, Ars Technica (Apr. 2, 2015)
- Jonathan Stemple, Google, Viacom win dismissal of children's web privacy lawsuit, Reuters (Jan. 21, 2015)