Perry v. CNN

Whether sharing the MAC address and video viewing history collected from a free mobile app violates the Video Privacy Protect Act

Summary

Perry v. CNN, currently before the U.S. Court of Appeals for the Eleventh Circuit, concerns the free CNN App, which plaintiff Ryan Perry downloaded on his phone. Perry alleges that CNN collected and shared his viewing history and device identifiers with a data analytics partner for advertising purposes. Perry sued CNN for violating the Video Privacy Protection Act. The VPPA prohibits a video provider from knowingly disclosing “personally identifiable information” concerning any “consumer” of its service. The lower court found that Perry had standing to sue, but then dismissed his lawsuit for failure to state a claim. The lower court found that a MAC address didn't constitute PII and that by downloading a free app, Perry wasn't a consumer, and Perry appealed. On appeal, CNN has also challenged Perry's standing to sue.

Top News

  • European High Court Rules that Dynamic IP Addresses are Personal Data: The Court of Justice for the European Union has ruled that dynamic IP addresses are personal data subject to protection under data protection law. The Court said that user's identity can still be revealed through use of legal process, even though the numeric address may not be unique to the user. The Court also said that the collection of IP addresses must be limited to the purposes for which they were collected. The Court noted that personal data can be lawfully collected if it is necessary to protect cybersecurity. The European Court of Justice opinion is aligned with EPIC's recommendation for Privacy Enhancing Technologies that minimize or eliminate the collection of personally identifiable information. Internet services that do not retain IP addresses or adopt techniques that are unable to link IP addresses to a particular user may not be subject to the decision, which is binding across Europe. EPIC has made similar arguments about the scope of personal information to US courts as amicus curiae. EPIC argued in the Nickelodeon case that IP addresses and unique devices IDs are personally identifiable information subject to protection under US privacy law. Federal courts are now split on the issue and the US Supreme Court may soon resolve the matter. (Oct. 19, 2016)
  • EPIC Explains to Federal Appeals Court that Mobile App Users Protected by Video Privacy Law: EPIC has filed an amicus brief defending the privacy rights of users of  video apps. In the case, a CNN mobile app users challenged the disclosure of his video viewing history and personal information as a violation of federal privacy. In the brief for the federal appeals court, EPIC explained that that the privacy protections in the Video Privacy Protection Act apply to mobile apps that provide video service. EPIC said that the video privacy law covers the personal information collected by mobile apps, including the unique identifiers of the user’s device, and also that the privacy obligations apply to all companies that collect the viewing records of Internet users.  EPIC previously filed a brief in a similar case concerning the collection of video viewing records. (Jul. 26, 2016)
  • More top news »
  • Court Misunderstands Internet Tracking in Video Privacy Case » (Jun. 27, 2016)
    The Third Circuit today rejected claims brought against Nickelodeon under the Video Privacy Protection Act, holding that IP and MAC addresses are not “personally identifiable information.” The opinion contradicts a First Circuit decision from earlier this year, which found that a unique Android ID and GPS coordinates constituted PII under the VPPA. The circuit split increases the possibility of U.S. Supreme Court review. The Court did find that plaintiffs could sue under state privacy law. EPIC filed an amicus brief, arguing that Congress defined PII as “purposefully broad to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.”
  • EPIC to OPM: "If You Can't Protect It, Don't Collect It" » (May. 25, 2016)
    In comments to the Office of Personnel Management, EPIC urged the federal agency to limit the personal data it collects from job applicants. OPM currently gathers detailed personal information, including biometric data, Social Security numbers, educational history, medical records, foreign travel, drug use, and financial records. In 2015, OPM lost the personal data of 21.5 million people in a massive data breach. The OPM Director and CIO were forced to resign. OPM now proposes to collect even more personal data on more people, including distant relatives of job applicants. EPIC has previously urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
  • EPIC to Defend Privacy Statute in Federal Appellate Case » (Dec. 8, 2015)
    EPIC appears in court today in In re Nickelodeon, a case concerning the Video Privacy Protection Act. The privacy law bars companies from disclosing personally identifiable information about users of Internet video services. Children who watch videos on Nick.com believe that Viacom disclosed their viewing records to Google for adverting purposes. The companies dispute this, claiming that cookies and IP addresses are not personally identifiable. EPIC's "friend of the court" brief argues that the definition of personal information in the privacy law is "purposefully broad to ensure that the underlying intent of the Act--to safeguard personal information against unlawful disclosure--is preserved as technology evolves." EPIC Senior Counsel Alan Butler will represent EPIC before the court.
  • Massive Breach Impacts Millions of Government Employees » (Jun. 10, 2015)
    The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.
  • Pew Survey: Vast Majority of Americans Feel Strongly About Privacy, Want Control Over Personal Information » (May. 20, 2015)
    The Pew Research Center has published a new privacy poll on Americans' Views About Data Collection and Security. According to the Pew survey, 74% of Americans believe control over personal information is "very important," yet only 9% believe they have such control.Americans also value having the ability to share confidential matters with another trusted person. The vast majority of Americans want limits on how long companies retain records about their activities. And 65% of American adults believe there are not adequate limits on the telephone and internet data that the government collects.
  • EPIC Defends Privacy of Nickelodeon Viewers » (May. 5, 2015)
    EPIC has filed an amicus brief in In re Nickelodeon, a case involving the Video Privacy Protection Act. The Act protects the privacy of a consumer's personally identifiable information ("PII"). Viacom, which offers Nickelodeon and other cable channels, claimed that personal identifiers such as IP addresses and unique device IDs are not PII and could be routinely disclosed to Google for commercial purposes without any restriction. EPIC filed in opposition to Google/Viacom and explained that the definition of PII in the Act is "purposefully broad to ensure that the underlying intent of the Act– to safeguard personal information against unlawful disclosure– is preserved as technology evolves."
  • NIST Seeks Comments on De-identification Report » (Apr. 20, 2015)
    The National Institute of Standards and Technology has released a draft report on "De-Identification of Personally Identifiable Information." The agency is requesting comments by May 15. The NIST report reviews de-identification techniques and research, including work by EPIC Advisory Board members Cynthia Dwork and Latanya Sweeney. Last year, in response to a similar request for comments, EPIC recommended Privacy Enhancing Technologies that "minimize or eliminate the collection of personally identifiable information." EPIC also expressed support for Fair Information Practices and the Consumer Privacy Bill of Rights.
  • Gunter Grass Dies at 87, Nobel Novel Basis of US Privacy Case » (Apr. 13, 2015)
    Famed German novelist and social critic Gunter Grass passed at age 87. Grass's first novel, The Tin Drum, was adapted for film and won the 1979 Palme d'Or and the Academy Award for Best Foreign Language Film. Grass later received the Nobel Prize in literature. The Tin Drum was also the center of a dispute concerning the privacy of video rental records. Following a complaint that the film constituted "child porn" in violation of Oklahoma law, the police sought the names of all the people who had rented the Oscar winning film. Citing the Video Privacy Protection Act, a federal court ruled the search illegal and awarded damages.
  • Court Dismisses Video Privacy Case Against Redbox » (Nov. 5, 2014)
    A federal court of appeals has ruled that a lawsuit against Redbox will not continue. The plaintiffs argued that Redbox's disclosure of personal information to a customer service center violated the Video Privacy Protection Act of 1988. The Seventh Circuit ruled that since customer service is part of Redbox's "ordinary course of business," the disclosure is permissible under the Act. The Court also determined that the statute created standing and that it was unnecessary to show additional harm. Earlier this year, a federal court ruled that a privacy class action lawsuit against Hulu, the video streaming service, could continue. In that case, Hulu shared user data with Facebook for advertising purposes, in violation of the VPPA. EPIC has supported the Video Privacy law since its inception and has defend the statute in Congressional testimony and amicus briefs. For more information, see EPIC: Harris v. Blockbuster; EPIC: Lane v. Facebook; and EPIC: Video Privacy Protection Act.
  • Court Denies Hulu's Motion to Dismiss Privacy Case » (May. 1, 2014)
    A federal court has ruled that a privacy class action lawsuit against Hulu, the video streaming service, may continue. Hulu users allege that the company violated the Video Privacy Protection Act by transferring personally identifiable information to both Facebook and the advertising company comScore. The Judge ruled that Hulu's transfer to Facebook of unique IDs, including the user's IP address and Facebook ID, as well as specific video titles would violate the video privacy law. However, the judge determined that Hulu only transmitted anonymized user IDs to comScore and that therefore there could be no legal violation. In 2009, EPIC filed an amicus brief in a similar case in which a company disclosed consumers' identities and video rental histories to Facebook. For more information, see Harris v. Blockbuster and EPIC: Video Privacy Protection Act.
  • Senate Committee Updates ECPA, Modifies Video Privacy Law » (Nov. 29, 2012)
    The Senate Judiciary Committee approved a bill that updates the Electronic Privacy Communications Act and modifies the Video Privacy Protection Act. The bill generally requires law enforcement to obtain a warrant before accessing email or other electronic communications and allows for blanket consent of video viewing information. An amendment by Senator Feinstein, adopted by the Committee, limited the opt-in to two years or till whenever the user withdraws consent. EPIC previously testified against a proposal that would weaken the consent provision of the Video Privacy Protection Act. EPIC has also favored more extensive updates for ECPA, including coverage of locational information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Video Privacy Protection Act.
  • Senate Considers Amendment to Weaken Internet Privacy Law » (Sep. 20, 2012)
    A senate committee is today considering changes to the Video Privacy Protection Act, a law which safeguards the video viewing records of Internet users. The amendment would allow companies to obtain blanket consent for the use of customer information in the future, whether or not users knew who would receive the information or why it was being disclosed. In testimony before the Senate in January, EPIC strongly opposed the amendment and recommended instead changes that would update the law to provide greater safeguards for Internet users. A federal court recently held that the video law protects the privacy of Hulu subscribers. As the court explained, "Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved." The amendment is backed by Netflix and various industry lobbyists. For information, see EPIC, Video Privacy Protection Act.
  • Federal Court Applies Video Privacy Law to Streaming Services » (Aug. 20, 2012)
    A federal court recently held that the Video Privacy Protection Act applied to companies that provide video streaming services over the Internet. The opinion, which is the first to address the issue, relies on the forward-looking nature of the law, reasoning that "Congress was concerned with protecting the confidentiality of private information about viewing preferences regardless of the business model or media format involved." EPIC previously testified before the Senate Judiciary Committee and recommended several ways that Congress could strengthen the Act, such as by confirming that it applies to streaming services and allowing users to inspect the information that video providers collect about them. The Senate is considering an amendment that would weaken the consent provision of the law by allowing companies such as Netflix to obtain blanket consent to routinely disclose a consumer’s video viewing records. For more information, see EPIC: Video Privacy Protection.
  • Senate Amendment Would Weaken Video Privacy Act » (Jul. 30, 2012)
    The Senate is considering an amendment that would weaken the consent provision of the Video Privacy Protection Act by allowing companies such as Netflix to obtain blanket consent to routinely disclose a consumer’s video viewing records EPIC previously testified before the Senate Judiciary Committee and recommended that Congress strengthen the consumer privacy law by giving users access to the information collected about them, by extending the scope of coverage, and by increasing the penalties for violations of the law. For more information, see EPIC: Video Privacy Protection.
  • EPIC to Congress: Video Act Amendments Would Weaken Online Privacy » (Dec. 6, 2011)
    In response to a request from Congressman Melvin Watt (D-NC), EPIC sent a letter explaining that HR 2471, a bill to amend the Video Privacy Protection Act, would reduce privacy for Internet users by weakening the consent provision in current law. The proposal, backed by Netflix, would make the personal information of Facebook users more widely available. EPIC’s letter points out that the bill does not “modernize” the video privacy law, it simply makes it more difficult for users to protect their data. The bill is being rushed through Congress without a public hearing or debate. For more information, see EPIC: Video Privacy Protection Act.
  • Netflix Attacks Consumer Privacy Law » (Sep. 22, 2011)
    Today Netflix announced that it has launched a DC lobbbying campaign against a federal privacy law that protects customer video rental information. The company, which is already under fire for dramatic hikes in the subscription price of its once popular DVD rental program, now claims that the privacy law prevents Facebook users from posting information about NetFlix on Facebook. According to OpenSecrets, operated by the Center for Responsive Politics, Netflix has ramped up its Washington influence, spending almost $200,000 in 2011, up from $20,000 in 2009. EPIC has described the Video Privacy Protection Act as "one of the strongest protections of consumer privacy against a specific form of data collection." The law always had an exception for user consent, which means that Facebook users are free to disclose information about the videos they rent. But NetFlix wants "blanket consent" so that all Netflix use will be posted routinely to Facebook. For more information, see EPIC: Video Privacy Protection Act.

Questions Presented

  • Does Perry have standing to sue CNN for alleged violations of the VPPA?
  • Does downloading a free mobile app make the user a "consumer" under the VPPA?
  • Does a MAC address constitute "personally identifiable information" under the VPPA?

Background

Factual History

Plaintiff Ryan Perry is an individual who has downloaded and used the CNN App, a free mobile application published by CNN Interactive Group, Inc., a subsidiary of Cable News Network, Inc. Plaintiff sued CNN Interactive and CNN for violating the VPPA by collecting and sharing his viewing history and device identifiers with a data analytics partner for advertising purposes.

CNN operates several mobile apps, including its flagship App (currently the third most popular news app in the iOS App Store). Users can download the App to consume CNN programming and receive breaking news alerts.

When users view news stories, video clips, and headlines, CNN allegedly creates a record of their viewing history, compiles it with their unique device media access control (“MAC”) addresses, and sends the profile to a British platform called Bango. The Plaintiff describes Bango as a “data analytics company specializing in tracking individual user behaviors via the Internet and mobile applications.” Specifically, Bango is a payment and marketing platform for mobile apps, basically linking user accounts across apps via “billable identities.”

When CNN discloses user profiles, Bango allegedly associates the app data with preexisting datasets to “identify and track specific users across multiple electronic devices, applications, and services” - all without consent.

Procedural Background and Lower Court Opinion

In February 2014, Plaintiff Ryan Perry filed a complaint in the Northern District of Illinois against CNN and CNN Interactive alleging a violation of the VPPA. Defendants moved to transfer the case to the Northern District of Georgia where CNN is headquartered, so as to better coordinate with a similar suit against Cartoon Network, which is owned by CNN’s parent company. The court granted defendants’ motion to transfer venue.

Defendants then moved to dismiss the case arguing that Plaintiff’s complaint failed to state a claim upon which relief could be granted. The court granted the motion. The claim failed because the court found (1) Plaintiff failed to allege he qualified as a “consumer” within the VPPA, and (2) the disclosed information did not sufficiently constitute personally identifiable information (“PII”) under the VPPA.

The complaint alleged that Plaintiff qualified as a “consumer” because he downloaded the CNN App, agreed to its terms, and used it to download and watch videos. Specifically, Perry argued that the download and use of the app qualified him as a “subscriber,” and CNN granting him a temporary license to watch video in exchange for targeted advertising made him a “renter.”

However, the court concluded that Plaintiff was neither, and so did not qualify as a consumer under the VPPA. Following the Eleventh Circuit’s decision in Ellis v. Cartoon Network, the court found that simply downloading and using a free app to watch free content without other indicators of an ongoing commitment or relationship did not make him a “subscriber.” It found that downloading a free app also fell outside “renter,” construing the term to require monetary payment. The court then denied Plaintiff’s motion to amend the complaint to demonstrate he was a “subscriber,” finding (1) the independent PII deficiency would not be cured; and (2) the proposed amendments would not alter the applicability of the Eleventh Circuit’s definition of “subscriber.”

The complaint also alleged that the viewing history and MAC address constituted PII, enabling Bango to track specific users across multiple devices, applications, and services, and permitting it to infer “extremely precise” information, including:

  • Location
  • Demographics
  • Phone number
  • Email
  • Purchase history
  • Payment details
  • Application activity history

However, the court dismissed this argument on the grounds that the MAC address and associated video logs did not qualify as personally identifiable information because they allegedly do not identify, without more, a specific person or a name. It found the plaintiff had not “pled any facts to establish that the video history and MAC address were tied to an actual person and disclosed by Defendants.”

Perry has filed an appeal with the U.S. Court of Appeals for the Eleventh Circuit challenging the dismissal of the claim.

Legal Background

The Video Privacy Protection Act (VPPA) prohibits a video provider from knowingly disclosing “personally identifiable information” concerning any “consumer” of its service. The VPPA’s definition of personally identifiable information “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”

Congress passed the VPPA in 1988 in response to a newspaper article leaking Supreme Court nominee Robert Bork’s video rental records. The VPPA “protect[s] certain personal information of an individual who rents video materials from disclosure.” The Act “allows consumers to maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers.”

EPIC's Interest

EPIC has a strong interest in protecting the privacy of consumers and their information, and ensuring this data is not disclosed to third parties. EPIC has specifically worked to protect the privacy rights for consumers that were established by the VPPA.

In 2015, EPIC filed an amicus curiae brief in In re Nickelodeon, urging the Third Circuit Court of Appeals to support a robust understanding of PII and the VPPA, given the crucial nature of unique identifiers in data transmission, and the difficulty of anonymizing transactional information. Users of a Viacom website sued over its practice of profiling the video history, gender and age of child users, and sharing it with Google.

In 2010, EPIC wrote to the U.S. District Court for the Northern District of California, urging the court to reject a proposed settlement that would have deprived Facebook users of remedies under the video privacy law. EPIC urged the court to reject a settlement that would have resulted in no direct compensation for users, despite the law’s $2,500 statutory damages provision. EPIC also observed that the settlement would have deprived users of meaningful privacy protections by directing all settlement funds to a Facebook-controlled entity.

In 2009, EPIC filed an amicus curiae brief supporting strong privacy safeguards for consumers’ video rental data. EPIC’s brief urged the Fifth Circuit Court of Appeals to enforce the law’s protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. Facebook users filed the lawsuit after Blockbuster made public consumers’ private video rental information.

EPIC also opposed an effort in 2011 to undermine the VPPA. In a letter to House members on H.R. 2471 EPIC urged careful consideration of the impact that the proposed change would have on users of Internet-based services. EPIC asked the Committees considering the legislation to hold a hearing so that that all views on the matter could be considered. Before a Senate Subcommittee in January 2012, EPIC President Marc Rotenberg, urged Congress to amend the definition of PII to expressly include IP addresses and account identifiers.

EPIC also has an interest in protecting online privacy and anonymity. Companies that gather consumer data often do so without knowledge or consent of the consumers, implicating privacy interests because consumers have the right to know how and what kind of information is being used and disclosed to third parties. And as technology evolves, information that might be “anonymous” today, may become PII in the future. To effectively enforce the VPPA, courts must understand the evolving online landscape in which consumer information is collected, stored, and shared. For years, EPIC has driven the public debate on these issues.

The National Telecommunications and Information Administration (NTIA) of the Department of Commerce and the Federal Trade Commission (FTC) held a public workshop on online privacy in 1999. EPIC submitted comments on “the online profiling industry’s self-regulatory efforts to protect consumers’ privacy online.” EPIC described the way in which websites and online advertisers routinely combine “anonymous” consumer profiles with data sets from other sources to create secret, identifiable consumer profiles. In follow-up comments, EPIC illustrated the issue by highlighting the merger of DoubleClick, Inc. and Abacus Direct, at the time the world’s largest catalog database firm. The merger allowed DoubleClick to combine its troves of non-PII with Abacus’ “88 million 5-year buying profiles that contain such personal information such as name, addresses, and family makeup.”

Following the comments to the NTIA, EPIC filed a complaint with the FTC regarding the DoubleClick-Abacus merger. EPIC alleged that DoubleClick was unlawfully tracking the online activities of Internet users and combining surfing records with detailed personal profiles contained in a national marketing database. EPIC asked the FTC to investigate the practices of the company, to destroy all records wrongfully obtained, to invoke civil penalties, and to enjoin the firm from violating the FTC Act. EPIC argued that the merger of the two databases violated the companies’ assurances that the information it collects on Internet users would remain anonymous, and that the data collection was therefore unfair and deceptive. EPIC also argued that the company engaged in an unfair practice by failing to adhere to its revised privacy policy.

EPIC has written about the deployment of Internet Protocol, Version 6 (IPv6) and what it means for consumer privacy. EPIC submitted comments to the National Institute of Standards and Technology in 2004, in which EPIC described how early IPv6 implementations used an addressing scheme that threatened user privacy by tying a user’s IPv6 address to the embedded network hardware access address. This mechanism had the effect of creating an unchangeable, unique identifier that could be used to correlate “seemingly unrelated activity” and allow a system and user to be traced across multiple unrelated networks. The Internet Engineering Task Force developed an extension—RFC 3040—that allowed users to periodically randomize their IPv6 address as well as generate temporary addresses, thus preventing the creation of a unique, unchangeable IPv6 address assigned to a specific person. EPIC urged the DOC to push for all implementations of IPv6 to meet the requirements of RFC 3040. In 2013, EPIC reiterated this recommendation to the FTC in comments regarding the Internet of Things.

Legal Documents

U.S. Court of Appeals for the Eleventh Circuit, No. 16-13031

U.S. District Court for the Northern District of Georgia, No. 14-cv-02926

News

Resources

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

#Privacy

EPIC Bookstore

Communications Law and Policy

Communications Law and Policy
Jerry Kang and Alan Butler