On October 8, 2014, a district court judge in Georgia dismissed with prejudice a Video Privacy Protection Act (VPPA) action against The Cartoon Network (CN), holding that the disclosure of the plaintiff’s Android ID was not actionable because the Android ID did not qualify as “personally identifiable information” (PII). The full order is attached.
In Ellis v. The Cartoon Network, Inc., the plaintiff alleged that he downloaded the Cartoon Network App (“CN App”) and began using it to watch video clips on his Android device. Plaintiff alleged that each time he used the CN App, a complete record of his video history, along with his Android ID number, was transmitted to Bango. Bango, as a third-party analytics company that collects a wide variety of information about consumers from other sources, would then allegedly reverse-engineer the consumers’ identities by using the Android ID.
Plaintiff claimed that CN’s practice of sharing his Android ID and viewing history to Bango without his consent was a violation of the VPPA.
The court dismissed the case with prejudice, finding that the Android ID did not qualify as PII, and thus, CN’s practices of sharing device IDs to Bango did not fall within the purview of the VPPA. Citing to the In re Hulu and In re Nickelodeon cases, the court explained that in order to be considered PII, the information had to link an actual person to actual video materials. Where an anonymous ID was disclosed to a third party but that third party had to take further steps to match that ID to a specific person, no VPPA violation occurred. The court likened this case to the disclosure of cable box codes, which could not identify consumers without corresponding billing records. Here, too, Bango needed to go through an additional step of matching PII gathered from other sources to identify the user. This was not a situation where video viewing habits were linked to a Facebook account, where the specific person could be identified without any additional steps. Accordingly, the court found that the disclosure of an Android ID alone, as happened here, does not qualify as PII under the VPPA, and dismissed the case with prejudice.
The court also considered and rejected arguments by CN that plaintiff had no standing to bring the case because he did not suffer an injury in fact, and that plaintiff was not a “subscriber” to any of CN’s services, and thus, not a “consumer” under the VPPA. The court found that an invasion of a statutorily created right established standing even if no injury would have existed without the statute. Since plaintiff alleged a violation of the VPPA, the court found that plaintiff alleged an injury. The court also found that plaintiff was arguably a subscriber because he downloaded the CN App and used it to watch video clips. However, given that the court ultimately dismissed the case, these rulings would be considered dicta.
With this ruling, courts appear to be drawing a line with regard to applying the VPPA to sharing information with analytics companies. Plaintiffs have certainly been testing the waters with VPPA cases against various news and entertainment organizations (see May 5, 2014 blog post). This ruling demonstrates that the courts are hesitant to push the bounds of the VPPA to include the simple sharing of device IDs without more. Time will tell if the other courts follow suit.