Online video provider Hulu has decisively beaten charges claiming that it violated the Video Privacy Protection Act (VPPA), a law that dates back to 1998. It penalizes the “wrongful disclosure of video tape rental or sale records,” with a fine of $2,500.
In 2011, plaintiffs filed a complaint that claimed that Hulu broke the law by providing Facebook data about what videos its customers were watching. The suit sought class-action status, but the judge rejected the plaintiffs’ first attempt to certify a class.
In an order published in the beginning of April 2015, US Magistrate Judge Laurel Beeler said that Hulu was in the clear. Hulu did send to Facebook user data in the form of a cookie called “c_user,” which identified users who had logged into Facebook in the last four weeks via a “Like” button on Hulu video places. Hulu also sent URLs of “watch pages” to Facebook, which relate to individual videos, so that Facebook would know where to send code related to the “Like” button. However, there was nothing in the record to suggest that Hulu knew that the watch page data and the c_user cookie would be combined, she found.
The VPPA came into existence in the late 1980s, when a Washington, DC weekly obtained and published the video rental history of Supreme Court nominee Robert Bork, who ultimately was not confirmed by the Senate.
Sending along certain user IDs and data of videos didn’t mean the two pieces of data were necessarily connected. According to Judge Beeler, “By sending those two items Hulu did not thereby connect them in a manner akin to connecting Judge Bork to his video-rental history.”
The data Hulu was shipping to Facebook wasn’t like the list of Bork’s videos the reporter dug up, Beller found. There is also no evidence that Facebook ever did anything with the “c_user” cookies that were sent by Hulu.
According to Hulu GC Chadwick Ho, “This decision validates our willingness, as a matter of principle, to prove the integrity of our business practices, even if it means spending nearly four years in litigation.”
Plaintiff’s attorney Scott Kamber told the legal newspaper that he plans to appeal. “We think the order of the lower court would undermine fundamental statutory privacy rights if allowed to stand.”
The detailed factual basis for Hulu’s win suggests that the case won’t have a wide-ranging effect or wipe out other video-privacy lawsuits. Internet privacy laws range from murky to non-existence, but that hasn’t stopped the proliferation of digital privacy-related litigation in recent years.
Back in 2009, Facebook settled a lawsuit related to its failed Beacon program for $9.5 million, which included VPPA and other privacy claims. Plaintiffs in that case (Lane v. Facebook), were also represented by Kamber. In 2012, Netflix settled a VPPA case about retaining the data of its former users for $9 million.
In 2012, Congress adjusted the VPPA to make it clear that Netflix and other web video companies could publish to Facebook after securing user consent. It isn’t clear that change would have had any effect on this lawsuit, which involved claims related to users who hadn’t given any kind of clear consent.
This article talks about the recent Hulu win, after claims that it had violated the 1988 Video Privacy Protection Act (VPPA).
CIPP Exam Preparation
In preparation for the Certification Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Video Privacy Protection Act of 1988 (II.E.f.)