Whether sharing the MAC address and video viewing history collected from a free mobile app violates the Video Privacy Protect Act
Perry v. CNN, currently before the U.S. Court of Appeals for the Eleventh Circuit, concerns the free CNN App, which plaintiff Ryan Perry downloaded on his phone. Perry alleges that CNN collected and shared his viewing history and device identifiers with a data analytics partner for advertising purposes. Perry sued CNN for violating the Video Privacy Protection Act. The VPPA prohibits a video provider from knowingly disclosing “personally identifiable information” concerning any “consumer” of its service. The lower court found that Perry had standing to sue, but then dismissed his lawsuit for failure to state a claim. The lower court found that a MAC address didn’t constitute PII and that by downloading a free app, Perry wasn’t a consumer, and Perry appealed. On appeal, CNN has also challenged Perry’s standing to sue.
- Does Perry have standing to sue CNN for alleged violations of the VPPA?
- Does downloading a free mobile app make the user a “consumer” under the VPPA?
- Does a MAC address constitute “personally identifiable information” under the VPPA?
Plaintiff Ryan Perry is an individual who has downloaded and used the CNN App, a free mobile application published by CNN Interactive Group, Inc., a subsidiary of Cable News Network, Inc. Plaintiff sued CNN Interactive and CNN for violating the VPPA by collecting and sharing his viewing history and device identifiers with a data analytics partner for advertising purposes.
CNN operates several mobile apps, including its flagship App (currently the third most popular news app in the iOS App Store). Users can download the App to consume CNN programming and receive breaking news alerts.
When users view news stories, video clips, and headlines, CNN allegedly creates a record of their viewing history, compiles it with their unique device media access control (“MAC”) addresses, and sends the profile to a British platform called Bango. The Plaintiff describes Bango as a “data analytics company specializing in tracking individual user behaviors via the Internet and mobile applications.” Specifically, Bango is a payment and marketing platform for mobile apps, basically linking user accounts across apps via “billable identities.”
When CNN discloses user profiles, Bango allegedly associates the app data with preexisting datasets to “identify and track specific users across multiple electronic devices, applications, and services” – all without consent.
Procedural Background and Lower Court Opinion
In February 2014, Plaintiff Ryan Perry filed a complaint in the Northern District of Illinois against CNN and CNN Interactive alleging a violation of the VPPA. Defendants moved to transfer the case to the Northern District of Georgia where CNN is headquartered, so as to better coordinate with a similar suit against Cartoon Network, which is owned by CNN’s parent company. The court granted defendants’ motion to transfer venue.
Defendants then moved to dismiss the case arguing that Plaintiff’s complaint failed to state a claim upon which relief could be granted. The court granted the motion. The claim failed because the court found (1) Plaintiff failed to allege he qualified as a “consumer” within the VPPA, and (2) the disclosed information did not sufficiently constitute personally identifiable information (“PII”) under the VPPA.
The complaint alleged that Plaintiff qualified as a “consumer” because he downloaded the CNN App, agreed to its terms, and used it to download and watch videos. Specifically, Perry argued that the download and use of the app qualified him as a “subscriber,” and CNN granting him a temporary license to watch video in exchange for targeted advertising made him a “renter.”
However, the court concluded that Plaintiff was neither, and so did not qualify as a consumer under the VPPA. Following the Eleventh Circuit’s decision in Ellis v. Cartoon Network, the court found that simply downloading and using a free app to watch free content without other indicators of an ongoing commitment or relationship did not make him a “subscriber.” It found that downloading a free app also fell outside “renter,” construing the term to require monetary payment. The court then denied Plaintiff’s motion to amend the complaint to demonstrate he was a “subscriber,” finding (1) the independent PII deficiency would not be cured; and (2) the proposed amendments would not alter the applicability of the Eleventh Circuit’s definition of “subscriber.”
The complaint also alleged that the viewing history and MAC address constituted PII, enabling Bango to track specific users across multiple devices, applications, and services, and permitting it to infer “extremely precise” information, including:
- Phone number
- Purchase history
- Payment details
- Application activity history
However, the court dismissed this argument on the grounds that the MAC address and associated video logs did not qualify as personally identifiable information because they allegedly do not identify, without more, a specific person or a name. It found the plaintiff had not “pled any facts to establish that the video history and MAC address were tied to an actual person and disclosed by Defendants.”
Perry has filed an appeal with the U.S. Court of Appeals for the Eleventh Circuit challenging the dismissal of the claim.
The Video Privacy Protection Act (VPPA) prohibits a video provider from knowingly disclosing “personally identifiable information” concerning any “consumer” of its service. The VPPA’s definition of personally identifiable information “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”
Congress passed the VPPA in 1988 in response to a newspaper article leaking Supreme Court nominee Robert Bork’s video rental records. The VPPA “protect[s] certain personal information of an individual who rents video materials from disclosure.” The Act “allows consumers to maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers.”
EPIC has a strong interest in protecting the privacy of consumers and their information, and ensuring this data is not disclosed to third parties. EPIC has specifically worked to protect the privacy rights for consumers that were established by the VPPA.
In 2015, EPIC filed an amicus curiae brief in In re Nickelodeon, urging the Third Circuit Court of Appeals to support a robust understanding of PII and the VPPA, given the crucial nature of unique identifiers in data transmission, and the difficulty of anonymizing transactional information. Users of a Viacom website sued over its practice of profiling the video history, gender and age of child users, and sharing it with Google.
In 2010, EPIC wrote to the U.S. District Court for the Northern District of California, urging the court to reject a proposed settlement that would have deprived Facebook users of remedies under the video privacy law. EPIC urged the court to reject a settlement that would have resulted in no direct compensation for users, despite the law’s $2,500 statutory damages provision. EPIC also observed that the settlement would have deprived users of meaningful privacy protections by directing all settlement funds to a Facebook-controlled entity.
In 2009, EPIC filed an amicus curiae brief supporting strong privacy safeguards for consumers’ video rental data. EPIC’s brief urged the Fifth Circuit Court of Appeals to enforce the law’s protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. Facebook users filed the lawsuit after Blockbuster made public consumers’ private video rental information.
EPIC also opposed an effort in 2011 to undermine the VPPA. In a letter to House members on H.R. 2471 EPIC urged careful consideration of the impact that the proposed change would have on users of Internet-based services. EPIC asked the Committees considering the legislation to hold a hearing so that that all views on the matter could be considered. Before a Senate Subcommittee in January 2012, EPIC President Marc Rotenberg, urged Congress to amend the definition of PII to expressly include IP addresses and account identifiers.
EPIC also has an interest in protecting online privacy and anonymity. Companies that gather consumer data often do so without knowledge or consent of the consumers, implicating privacy interests because consumers have the right to know how and what kind of information is being used and disclosed to third parties. And as technology evolves, information that might be “anonymous” today, may become PII in the future. To effectively enforce the VPPA, courts must understand the evolving online landscape in which consumer information is collected, stored, and shared. For years, EPIC has driven the public debate on these issues.
The National Telecommunications and Information Administration (NTIA) of the Department of Commerce and the Federal Trade Commission (FTC) held a public workshop on online privacy in 1999. EPIC submitted comments on “the online profiling industry’s self-regulatory efforts to protect consumers’ privacy online.” EPIC described the way in which websites and online advertisers routinely combine “anonymous” consumer profiles with data sets from other sources to create secret, identifiable consumer profiles. In follow-up comments, EPIC illustrated the issue by highlighting the merger of DoubleClick, Inc. and Abacus Direct, at the time the world’s largest catalog database firm. The merger allowed DoubleClick to combine its troves of non-PII with Abacus’ “88 million 5-year buying profiles that contain such personal information such as name, addresses, and family makeup.”
EPIC has written about the deployment of Internet Protocol, Version 6 (IPv6) and what it means for consumer privacy. EPIC submitted comments to the National Institute of Standards and Technology in 2004, in which EPIC described how early IPv6 implementations used an addressing scheme that threatened user privacy by tying a user’s IPv6 address to the embedded network hardware access address. This mechanism had the effect of creating an unchangeable, unique identifier that could be used to correlate “seemingly unrelated activity” and allow a system and user to be traced across multiple unrelated networks. The Internet Engineering Task Force developed an extension—RFC 3040—that allowed users to periodically randomize their IPv6 address as well as generate temporary addresses, thus preventing the creation of a unique, unchangeable IPv6 address assigned to a specific person. EPIC urged the DOC to push for all implementations of IPv6 to meet the requirements of RFC 3040. In 2013, EPIC reiterated this recommendation to the FTC in comments regarding the Internet of Things.
U.S. Court of Appeals for the Eleventh Circuit, No. 16-13031
- Appellee CNN Motion to Dismiss for Lack of Standing
- Appellant Perry Response to CNN Motion to Dismiss for Lack of Standing
- Appellee CNN Reply in Support of its Motion to Dismiss for Lack of Standing
- Appellant Perry Motion for Sanctions For Filing Frivolous and Improper Motion
- Appellee CNN Response to Perry Motion for Sanctions
- Appellant Perry Reply in Support of its Motion for Sanctions
- Appellant Perry Opening Brief
- Appellee CNN Response
- Appellant Perry Reply
- Oral Argument
- Eleventh Circuit Opinion