The Video Privacy Protection Act1 (VPPA), which prevents “[w]rongful disclosure of video tape rental or sale records,”2 was enacted in 1988 by Congress in reaction to a newspaper publishing then–D.C. Circuit Judge Robert Bork’s video rental history during his Supreme Court confirmation hearings.3 The VPPA, originally aimed at traditional brick-and-mortar video rental stores such as Blockbuster, has seen a newfound applicability in the modern era of streaming video and “big data” analytics.4 Recently, in Ellis v. Cartoon Network, Inc.,5 the Eleventh Circuit held that a person who downloads and uses a free mobile application on their smartphone is not a “subscriber” under the VPPA, and is therefore beyond the Act’s protections.6 The court’s interpretation of “subscriber” limits the scope of whom the VPPA’s protections apply to by focusing on formal indicia of “commitment” such as logging in, registering, or paying for an application. This analysis, necessitated by neither precedent nor logic, does not articulate any sensible distinction between such behavior and installing an application. The court’s interpretation excludes a significant segment of consumers from the VPPA’s protections, allowing these protections to be evaded too easily by content providers — consequences directly at odds with the VPPA’s purpose of protecting personal privacy. Moreover, had the court included these consumers as “subscribers,” it would have had an opportunity to focus on the important question of what constitutes “personally identifiable information” for smartphone applications in triggering VPPA protections.
In 2013, Mark Ellis downloaded Cartoon Network’s free mobile application (“CN app”) onto his Android smartphone.7 The CN app allows users to watch clips and episodes of TV shows on Cartoon Network, including popular titles such as “Looney Toons” and “Pokémon.”8 Users can access freely available content without any login information, or they can log in using their television provider information in order to access additional content.9
Every Android smartphone user is assigned a unique “Android ID” — a random string of letters and numbers — that remains constant for the lifetime of the user’s device.10 The CN app tracks each user’s viewing history and, at the end of any viewing session, sends this history along with the user’s Android ID to Bango, a third-party data analytics company.11 The CN app does not at any time prompt users to consent to share or disclose this information with any third party.12 Bango specializes in tracking customer behavior across various platforms, compiling information about specific users from a wide variety of websites, applications, and other sources.13 As the court’s opinion noted, Bango is “smarter than the average bear,” and able to link Android IDs to specific users and add information such as that gathered from the CN app to a user’s profile.14 In other words, Bango is able to associate a user’s viewing history with that specific viewer simply from the user’s ostensibly anonymous Android ID.
The VPPA generally imposes liability upon any “video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider.”15 Any aggrieved consumer is provided a cause of action under the Act and can recover actual or liquidated damages of at least $2500, punitive damages, attorneys’ fees and costs, and other equitable relief.16 The VPPA defines “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider”17 and “consumer” as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”18 These two particular definitions were at issue in Ellis’s case, as Cartoon Network argued in its motion to dismiss that Ellis was not within the scope of the VPPA both because he was not a “consumer” and because the information that Cartoon Network disclosed was not “personally identifiable information.”19
Ellis brought a putative class action against Cartoon Network “on behalf of himself and others whose Android IDs were disclosed to Bango,” alleging that the Android IDs constituted personally identifiable information that Cartoon Network disclosed in violation of the VPPA.20 Ellis sought injunctive and monetary relief on behalf of the putative class.21 The United States District Court for the Northern District of Georgia granted Cartoon Network’s motion to dismiss for failure to state a claim.22 The district court found that Ellis qualified as a “subscriber” and therefore a “consumer” under the VPPA.23 In so finding, the district court relied upon In re Hulu Privacy Litigation,24 another recent VPPA case, to support the proposition that “where a plaintiff pleads more than simply visiting a website, that plaintiff is a subscriber to a service.”25 The district court also noted that in order to qualify as a “subscriber,” an individual was not required to be a paid customer, log in, or register.26 However, the district court held that an Android ID was not “personally identifiable information” because it did not “in its own right” link a specific user to that user’s video viewing history “without any additional steps.”27
The Eleventh Circuit affirmed, albeit on different grounds.28 Writing for the panel, Judge Jordan29 held that “a person who downloads and uses a free mobile application on his smartphone . . . , without more, is not a ‘subscriber’ . . . under the VPPA.”30 As a result, the court did not examine what qualified as “personally identifiable information.”31 Judge Jordan began his statutory analysis by looking to dictionary definitions of “subscriber” in order to discern the word’s ordinary meaning.32 Having observed that most but not all of the definitions consulted involved payment of some sort, the court determined that payment was not a necessary element of subscription — it was merely a factor.33 However, the court concluded that the “common thread” among all of the definitions was that they involved “some type of commitment, relationship, or association (financial or otherwise) between a person and an entity.”34 The court found “persuasive” the interpretation of “subscriber” from Yershov v. Gannett Satellite Information Network, Inc.35: a plaintiff who had downloaded USA Today’s free mobile app to watch news and sports video clips but had neither registered nor directly provided the app with any information was not a subscriber.36 The court concluded that this was “the better reasoned of the existing opinions on the issue”37 and adopted Yershov’s construction: “Subscriptions involve some or [most] of the following [factors]: payment, registration, commitment, delivery, [expressed association,] and/or access to restricted content.”38
The decision distinguished In re Hulu by emphasizing that the users in that case had signed up for Hulu accounts, registered, received Hulu IDs, and created Hulu profiles.39 Further, the court noted, if Congress had intended to apply the term “subscriber” more broadly, it “could have employed broader terms in defining ‘consumer’ when it enacted the VPPA . . . or when it later amended the Act . . . , but it did not.”40 Therefore, the court ruled that Ellis was not a subscriber under the VPPA as he did not sign up for an account, provide any personal information, make any payment, establish a profile, or make any commitment or establish a relationship that would have allowed access to restricted content.41 Ellis had merely watched video clips on a free app without commitment — he was “free to delete the app without consequences whenever he like[d], and never access its content again.”42 Therefore, Ellis’s installation of the app was akin to adding a “website to one’s Internet browser as a favorite.”43 Simply put, the court held, “the free downloading of a mobile app on an Android device to watch free content, without more, does not a ‘subscriber’ make.”44
The decision in Ellis illustrates the difficulties in applying old statutes to new and constantly evolving technology. The Eleventh Circuit’s opinion adopted an interpretation of “subscriber” that prescribes which individuals who watch videos on a free mobile application fall within the scope of the VPPA’s protections in a rigidly formal manner: absent logging in or registering, according to the court, the user has not made a “commitment.” However, the court’s conclusion that downloading and installing an application onto one’s smartphone did not amount to “commitment” in this case was necessitated by neither precedent nor logic; the opinion did not articulate any sensible distinction between installing an application and creating an account with a video provider. Such an interpretation excludes a significant segment of consumers from the VPPA’s protections, and potentially allows these statutory protections to be too easily evaded — consequences directly at odds with the purpose of the VPPA: ensuring the personal privacy of consumers’ video histories. Moreover, had the court’s definition of “subscriber” included these consumers, the court would have had an opportunity to weigh in on the important question of what, for the purposes of triggering VPPA protections, constitutes “personally identifiable information” for smartphone applications.
At the district court level in the Eleventh Circuit, both decisions examining the question of who qualified as a “subscriber” — Ellis and a subsequent case, Locklear v. Dow Jones & Co.45 — had interpreted “subscriber” as applying to users of applications.46 Rather than adopting this interpretation from its lower courts, however, the Eleventh Circuit found the interpretation from Yershov to be “better reasoned.”47 The decision in Yershov distinguished a subscriber from someone who merely visits a website48 — an analogy that the Ellis opinion embraced.49 Yershov separated downloaders of a free app from subscribers to a YouTube channel or podcast or those paying recurring fees for a subscription to an application.50 The Ellis court agreed, noting that Ellis did not form “any commitment or . . . any relationship” to CN merely by downloading its free app.51
The Eleventh Circuit’s reasoning on who falls within the statutory definition of “subscriber,” adopted largely from Yershov, does not articulate any sensible distinction between the installation of an application and the examples that the court offered for what would qualify as sufficient “commitment.” The Ellis court emphasized that “some type of commitment, relationship, or association” was required — and implied that creating an account or paying recurring fees would satisfy such a commitment requirement.52 Yet it is unclear why downloading and installing an application fails to meet this level of commitment. While payment or registration of an account provides courts with an easy way to categorically identify a “subscriber,” neither precedent nor logic mandates that those expressions are the absolute outer limits of the term. Moreover, as a factual matter, installing the CN app seems closer to the court’s examples of “commitment” than it does to bookmarking a website on an Internet browser, which the Ellis court would not count as “commitment.”53 The use of the CN app requires download and installation that makes it a fixture on a user’s phone, where it remains permanently unless deleted. This action seems more akin to, if not more involved than, simply clicking “subscribe” on a YouTube channel or podcast — which the Yershov opinion provided as an example of subscribing — than it does to saving or “favoriting” a link.54 In fact, Android users can separately “favorite” or “bookmark” a webpage to their home screens as an icon that resembles an application, but instead of that icon serving as a shortcut to a permanent software fixture, it simply links directly to a particular webpage on their smartphone’s existing Internet browser.55 This is not what Mark Ellis did though. Installed applications indicate permanence: the application is a dedicated platform to view a particular provider’s content that has become, quite literally, a part of one’s phone.56 Adding this platform to one’s phone seems like a commitment in its own right, far beyond saving a link on a browser, which merely allows a user to visit a website more conveniently.
Further, the CN app can collect significant amounts of personal information that the court failed to recognize in its “commitment” analysis. As part of its reasoning, the court stated that Ellis “did not provide any personal information to Cartoon Network.”57 Although Ellis may not have directly typed in and sent his personal information, by installing the CN app, he provided personal information to Cartoon Network in a way that merely visiting its website would not have. Mobile applications are generally able to collect data about users including Internet history, location data, and other usage information.58 The Federal Trade Commission warns consumers that applications can access the address book, call logs, and calendar data, among other items — regardless of whether this data is necessary for the application to function or “related to the purpose of the app.”59 As the New York Times and other outlets have reported, even the most popular smartphone applications routinely engage in such behavior, to the point where it has become described as an “industry best practice.”60 The Ellis court focused on the fact that “a user is free to delete the app without consequence whenever he likes, and never access its content again” to evince a lack of commitment in the same manner as closing out of a visited webpage.61 However, the transfer of data upon downloading and installing an application seems to be such a consequence. Further, data aside, the same ability to leave without consequence is true of many subscriptions that the court would have accepted, such as an application that requires registration and other forms of digital subscription like to a YouTube channel or podcast to which users can unsubscribe at the click of a button. The reality of the relationship between those who provide mobile apps and those who install them thus calls into question the court’s justification for drawing the line between subscribers and mere users where it did.
Because it limits the scope of who can receive the VPPA’s protections, the court’s decision restricts the VPPA’s ability to further the policy interest behind its enactment and potentially allows its protections to be easily evaded. The VPPA, quite simply, is intended to “preserve personal privacy” of one’s video history.62 The Senate Report for the VPPA stressed the importance of privacy interests, emphasizing that people should be free to consume books and films without scrutiny of their particular reading or viewing habits — that such an “intimate process should be protected” as such content consumption provides “intellectual vitamins that fuel the growth of individual thought.”63 The Senate Report noted that many parties would be interested in such information: “[p]rivate commercial interests want personal information to better advertise their products,” others would seek it for “political surveillance,” and, of course, “the intelligence community” would want it “to protect our national security.”64 But as the report eloquently explained: “The danger here is that a watched society is a conformist society, in which individuals are chilled in their pursuit of ideas and their willingness to experiment with ideas outside of the mainstream.”65 Although watching clips of Cartoon Network content may not reach the intellectual level of exploring ideas outside of the mainstream, the privacy interest at stake is the same: the VPPA expresses the societal commitment to prioritizing the privacy of one’s content consumption. Just as Judge Bork’s viewing history ultimately proved noncontroversial,66 it was the fear that he would not have been free to view more controversial content in the privacy of his home if he had wanted to that drove the enactment of the VPPA.
This privacy interest should be the same whether someone walks into a brick-and-mortar rental store, subscribes to a YouTube channel, or downloads and installs an application — all three involve a provider that maintains a unique viewing history regarding the user. However, unlike the district court in Ellis, the Eleventh Circuit would allow free applications that do not require registration to evade the VPPA completely. By simply not requiring users to create a username and password, any free application could begin sharing users’ data without fear of VPPA liability. In Ellis, the viewing history was linked only to an ostensibly anonymous Android ID. But under the decision’s reasoning, a similar application would be excluded from the VPPA and thus free to share any clearly personally identifiable information it gathered from one’s phone along with the viewing history — a great value for such content providers when coupled with third-party analytics companies like Bango. This is directly at odds with the mischief that the VPPA was enacted to protect against.
Had the Eleventh Circuit acknowledged that installing a mobile video application made Ellis a “consumer” within the scope of the VPPA, the court could have weighed in on what qualifies as “personally identifiable information.” How the VPPA’s rules concerning the disclosure of personally identifiable information should apply to new technologies like mobile applications is an important statutory interpretation controversy.67 It is uncertain whether information like an Android ID — an ostensibly anonymous, albeit unique, identifier — qualifies as “personally identifiable information” without more. As Ellis argued, an Android ID is comparable to a Social Security Number, as it is uniquely generated for an individual for the lifetime of the device, and third-party analytics companies, like Bango, can easily “automatically correlate Android IDs with actual people to form comprehensive profiles about consumers’ entire digital lives.”68 Companies like Bango assemble “digital dossiers” with information including “individuals’ names, addresses, phone numbers, email addresses, demographics, locations, purchase histories, and other online activities.”69 On the other hand, the Android ID is not “personally identifiable information” in and of itself, as the district court emphasized.70 Although a company like Bango is able to decipher to whom the ID belongs, the ID alone identifies no specific individual without the “extra steps” of collecting other information in order to link that specific person to a particular viewing history.71 The distinctions here are undoubtedly difficult, and beyond the scope of this comment. However, the point remains that a consequence of the outcome in Ellis was a missed opportunity to draw a clear line between what does and does not constitute “personally identifiable information” for the purposes of triggering VPPA protections.
The concern behind enacting the VPPA was protecting the privacy of video history, and the decision in Ellis creates troubling implications for that privacy interest going forward. Under Ellis, the video privacy protections that applied to physical media are no longer available in the digital landscape without either payment or formal registration. The court’s opinion, dictated by neither precedent nor logic, failed to articulate a convincing distinction between installing a free mobile application and creating an account with a content provider. Consequence, the court missed an opportunity to weigh in on the important question of exactly what “personally identifiable information” is today. Given the reality of the technology by which users now consume video content, the ramifications of Ellis for the privacy of video histories — which Congress so clearly prioritized — could be severe: video-content providers will readily be able to operate outside the scope of the VPPA. While the Eleventh Circuit opinion coyly quoted Yogi Bear in its description of Bango, perhaps a more apt citation for video application users in the future would have been to Bugs Bunny: “Eh, I don’t know, but, did you ever have the feeling you was being watched?”72