A class action alleging Viacom illegally obtained and disclosed personally identifiable information from children under the age of thirteen through the Nickelodeon website recently reached the end of line (almost) when the class’ petition for writ of certiorari was denied by the Supreme Court this month. The high court chose not to further define the contours of what constitutes “personally identifiable information” and “disclosure.”
The drafters of the 1988 Video Privacy Protection Act (“the Act”) likely had no idea that the law passed nearly thirty years ago would be raised to challenge the practice we each encounter hundreds of times per week—tracking of our IP addresses through the use of cookies on websites. The law prohibits disclosure of personally identifying information relating to viewers’ consumption of video-related services. When passed, lawmakers probably envisioned video rental clerks being prohibited from sharing the list of videos a particular renter selected with others. Now, in a world where the number of viewers and followers is equivalent to profits for all who sell, information gained from IP addresses makes it possible for companies to target individuals in a way that was probably never imagined.
The Third Circuit decided as a matter of first impression that Viacom had not disclosed personally identifiable information in violation of the Act when it shared IP addresses, collected through cookies, with Google for its use in targeted advertising. The court did identify that there is a split of authority regarding whether or not “static digital identifiers,” such as IP addresses, constituted personally identifiable information because they could, in theory, be combined with other information to identify an individual. Other courts, including the First Circuit, have held that any unique identifier, including an IP address combined with GPS coordinates, could constitute personally identifying information. This decision also stands in contrast with a recent EU ruling, Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, which held that under certain circumstances IP addresses could constitute personal data protected under EU data protection law. However, in the Nickelodeon case, the court determined the information could not be used to identify a specific individual without extraordinary effort and that the information had not been disclosed.
Advice for Businesses
Businesses striving to not run afoul of the Act can learn valuable lessons from this case. First, do not think narrowly when identifying “personal information.” It is not always as straightforward as a Social Security number or bank account number. Think about combinations of information that could enable another person or entity to identify a specific individual. Second, use caution when sharing information about customers or employees—even when it might seem innocuous or unlikely that specific individuals could be identified. Third, do not promise more privacy or data security that you actually provide. The class claim alleging Viacom collected personal information about children, despite its promise not to do so, lives on and the court described that violation as “highly offensive.”