The Video Privacy Protection Act1×1. Pub. L. No. 100-618, 102 Stat. 3195 (1988) (codified at 18 U.S.C. § 2710 (2012)). (VPPA), which prevents “[w]rongful disclosure of video tape rental or sale records,”2×2. Id. was enacted in 1988 by Congress in reaction to a newspaper publishing then–D.C. Circuit Judge Robert Bork’s video rental history during his Supreme Court confirmation hearings.3×3. See S. Rep. No. 100-599, at 5 (1988), as reprinted in 1988 U.S.C.C.A.N. 4342-1, 4342-5. The VPPA, originally aimed at traditional brick-and-mortar video rental stores such as Blockbuster, has seen a newfound applicability in the modern era of streaming video and “big data” analytics.4×4. The VPPA’s extension to modern online video streaming stems from its definition of “video tape service provider,” which includes “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials, or any person or other entity to whom a disclosure is made.” 18 U.S.C. § 2710(a)(4) (emphasis added). A number of cases have applied the VPPA to online video streaming. See, e.g., Locklear v. Dow Jones & Co., 101 F. Supp. 3d 1312 (N.D. Ga. 2015); In re Hulu Privacy Litig., No. C 11-03764, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012). Recently, in Ellis v. Cartoon Network, Inc.,5×5. 803 F.3d 1251 (11th Cir. 2015). the Eleventh Circuit held that a person who downloads and uses a free mobile application on their smartphone is not a “subscriber” under the VPPA, and is therefore beyond the Act’s protections.6×6. Id. at 1252. The court’s interpretation of “subscriber” limits the scope of whom the VPPA’s protections apply to by focusing on formal indicia of “commitment” such as logging in, registering, or paying for an application. This analysis, necessitated by neither precedent nor logic, does not articulate any sensible distinction between such behavior and installing an application. The court’s interpretation excludes a significant segment of consumers from the VPPA’s protections, allowing these protections to be evaded too easily by content providers — consequences directly at odds with the VPPA’s purpose of protecting personal privacy. Moreover, had the court included these consumers as “subscribers,” it would have had an opportunity to focus on the important question of what constitutes “personally identifiable information” for smartphone applications in triggering VPPA protections.
In 2013, Mark Ellis downloaded Cartoon Network’s free mobile application (“CN app”) onto his Android smartphone.7×7. Ellis v. Cartoon Network, Inc., No. 1:14-CV-484, 2014 WL 5023535, at *1 (N.D. Ga. Oct. 8, 2014). The CN app allows users to watch clips and episodes of TV shows on Cartoon Network, including popular titles such as “Looney Toons” and “Pokémon.”8×8. Ellis, 803 F.3d at 1253. Users can access freely available content without any login information, or they can log in using their television provider information in order to access additional content.9×9. Id. at 1253–54.
Every Android smartphone user is assigned a unique “Android ID” — a random string of letters and numbers — that remains constant for the lifetime of the user’s device.10×10. Id. at 1254. More precisely, an Android ID is a randomly generated 64-bit hex string. Id. The CN app tracks each user’s viewing history and, at the end of any viewing session, sends this history along with the user’s Android ID to Bango, a third-party data analytics company.11×11. Id. The CN app does not at any time prompt users to consent to share or disclose this information with any third party.12×12. Id. Bango specializes in tracking customer behavior across various platforms, compiling information about specific users from a wide variety of websites, applications, and other sources.13×13. See id. As the court’s opinion noted, Bango is “smarter than the average bear,” and able to link Android IDs to specific users and add information such as that gathered from the CN app to a user’s profile.14×14. Id. (quoting The Yogi Bear Show (Hanna-Barbera Prods. 1961)). In other words, Bango is able to associate a user’s viewing history with that specific viewer simply from the user’s ostensibly anonymous Android ID.
The VPPA generally imposes liability upon any “video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider.”15×15. 18 U.S.C. § 2710(b)(1) (2012). Any aggrieved consumer is provided a cause of action under the Act and can recover actual or liquidated damages of at least $2500, punitive damages, attorneys’ fees and costs, and other equitable relief.16×16. Id. § 2710(c). The VPPA defines “personally identifiable information” as including “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider”17×17. Id. § 2710(a)(1) (emphasis added). and “consumer” as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”18×18. Id. § 2710(a)(3) (emphasis added). These two particular definitions were at issue in Ellis’s case, as Cartoon Network argued in its motion to dismiss that Ellis was not within the scope of the VPPA both because he was not a “consumer” and because the information that Cartoon Network disclosed was not “personally identifiable information.”19×19. See Response Brief of Appellee at 6–9, Ellis, 803 F.3d 1251 (No. 14-15046), 2015 WL 995326.
Ellis brought a putative class action against Cartoon Network “on behalf of himself and others whose Android IDs were disclosed to Bango,” alleging that the Android IDs constituted personally identifiable information that Cartoon Network disclosed in violation of the VPPA.20×20. Ellis v. Cartoon Network, Inc., No. 1:14-CV-484, 2014 WL 5023535, at *1 (N.D. Ga. Oct. 8, 2014). Ellis sought injunctive and monetary relief on behalf of the putative class.21×21. Id. The United States District Court for the Northern District of Georgia granted Cartoon Network’s motion to dismiss for failure to state a claim.22×22. Id. The district court found that Ellis qualified as a “subscriber” and therefore a “consumer” under the VPPA.23×23. Id. at *2. In so finding, the district court relied upon In re Hulu Privacy Litigation,24×24. No. C 11-03764, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012). another recent VPPA case, to support the proposition that “where a plaintiff pleads more than simply visiting a website, that plaintiff is a subscriber to a service.”25×25. Ellis, 2014 WL 5023535, at *2; see also id. at *2 n.27 (citing In re Hulu, 2012 WL 3282960, at *8). The district court also noted that in order to qualify as a “subscriber,” an individual was not required to be a paid customer, log in, or register.26×26. Id. at *2 & nn.28–29 (citing In re Hulu, 2012 WL 3282960, at *8). However, the district court held that an Android ID was not “personally identifiable information” because it did not “in its own right” link a specific user to that user’s video viewing history “without any additional steps.”27×27. Id. at *3. The district court contrasted Android IDs, randomly generated strings that do not directly identify a specific person, with “Facebook ID[s], which can identify a specific person without any additional steps” and therefore would “qualify as personally identifiable information.” Id.
The Eleventh Circuit affirmed, albeit on different grounds.28×28. See Ellis, 803 F.3d at 1258. Writing for the panel, Judge Jordan29×29. Judge Jordan was joined by Senior Judge Dubina and Senior Judge Goldberg of the United States Court of International Trade, sitting by designation. held that “a person who downloads and uses a free mobile application on his smartphone . . . , without more, is not a ‘subscriber’ . . . under the VPPA.”30×30. Ellis, 803 F.3d at 1252. As a result, the court did not examine what qualified as “personally identifiable information.”31×31. Id. The court also did not address whether Cartoon Network was a “video tape service provider” under the VPPA as this issue was not contested by Cartoon Network. Id. at 1253 n.1. Judge Jordan began his statutory analysis by looking to dictionary definitions of “subscriber” in order to discern the word’s ordinary meaning.32×32. Id. at 1255–56. Having observed that most but not all of the definitions consulted involved payment of some sort, the court determined that payment was not a necessary element of subscription — it was merely a factor.33×33. Id. at 1256. However, the court concluded that the “common thread” among all of the definitions was that they involved “some type of commitment, relationship, or association (financial or otherwise) between a person and an entity.”34×34. Id. The court found “persuasive” the interpretation of “subscriber” from Yershov v. Gannett Satellite Information Network, Inc.35×35. 104 F. Supp. 3d 135 (D. Mass. 2015). : a plaintiff who had downloaded USA Today’s free mobile app to watch news and sports video clips but had neither registered nor directly provided the app with any information was not a subscriber.36×36. Ellis, 803 F.3d at 1256 (citing Yershov, 104 F. Supp. 3d at 137–38, 147–48). The court concluded that this was “the better reasoned of the existing opinions on the issue”37×37. Id. and adopted Yershov’s construction: “Subscriptions involve some or [most] of the following [factors]: payment, registration, commitment, delivery, [expressed association,] and/or access to restricted content.”38×38. Id. (alterations in original) (quoting Yershov, 104 F. Supp. 3d at 147).
The decision in Ellis illustrates the difficulties in applying old statutes to new and constantly evolving technology. The Eleventh Circuit’s opinion adopted an interpretation of “subscriber” that prescribes which individuals who watch videos on a free mobile application fall within the scope of the VPPA’s protections in a rigidly formal manner: absent logging in or registering, according to the court, the user has not made a “commitment.” However, the court’s conclusion that downloading and installing an application onto one’s smartphone did not amount to “commitment” in this case was necessitated by neither precedent nor logic; the opinion did not articulate any sensible distinction between installing an application and creating an account with a video provider. Such an interpretation excludes a significant segment of consumers from the VPPA’s protections, and potentially allows these statutory protections to be too easily evaded — consequences directly at odds with the purpose of the VPPA: ensuring the personal privacy of consumers’ video histories. Moreover, had the court’s definition of “subscriber” included these consumers, the court would have had an opportunity to weigh in on the important question of what, for the purposes of triggering VPPA protections, constitutes “personally identifiable information” for smartphone applications.
At the district court level in the Eleventh Circuit, both decisions examining the question of who qualified as a “subscriber” — Ellis and a subsequent case, Locklear v. Dow Jones & Co.45×45. 101 F. Supp. 3d 1312 (N.D. Ga. 2015). — had interpreted “subscriber” as applying to users of applications.46×46. See id. at 1313, 1315–16 (holding that a user of the on-demand “Wall Street Journal Live Channel” application on a Roku streaming device qualified as a “subscriber” and therefore a “consumer” under the VPPA). Both district court interpretations largely relied upon the Northern District of California’s decision in In re Hulu. See In re Hulu Privacy Litig., No. C 11-03764, 2012 WL 3282960 (N.D. Cal. Aug. 10, 2012) (holding that users visiting Hulu’s website and viewing its video content qualified as “subscribers” and therefore “consumers” under the VPPA). Rather than adopting this interpretation from its lower courts, however, the Eleventh Circuit found the interpretation from Yershov to be “better reasoned.”47×47. Ellis, 803 F.3d at 1256. As mentioned above, the court noted that if Congress had intended to apply the term “subscriber” more broadly, it could have “employed broader terms in defining ‘consumer’ when it enacted the VPPA . . . or when it amended the Act . . . but it did not.” Id. at 1256–57. While this comment does not focus on this part of the opinion’s reasoning, the suggestion that the 2012 amendment signaled any intention to restrict the application of “subscriber” is also susceptible to the criticism that legislative inaction should not carry any meaning in statutory interpretation. See generally William N. Eskridge, Jr., Interpreting Legislative Inaction, 87 Mich. L. Rev. 67 (1988) (analyzing the Supreme Court’s treatment of legislative inaction). If anything, congressional inaction at the time of the amendment in 2012 seems to suggest precisely the opposite. Congress amended the statute in light of recent developments in online video, particularly the rise of Netflix, yet did not amend the definition of “consumer,” arguably indicating that Congress thought the existing definition clearly applied to those developments. See, e.g., Julianne Pepitone, New Video Law Lets You Share Your Netflix Viewing on Facebook, CNN: Money (Jan. 10, 2013, 9:50 PM), http://money.cnn.com/2013/01/10/technology/social/netflix-vppa-facebook [http://perma.cc/Q7VT-52SH]. The decision in Yershov distinguished a subscriber from someone who merely visits a website48×48. Yershov v. Gannett Satellite Info. Network, Inc., 104 F. Supp. 3d 135, 148 (D. Mass. 2015) (“The App appears to merely be a more convenient form of visiting the USA Today website.”). — an analogy that the Ellis opinion embraced.49×49. Ellis, 803 F.3d at 1257. Yershov separated downloaders of a free app from subscribers to a YouTube channel or podcast or those paying recurring fees for a subscription to an application.50×50. See Yershov, 104 F. Supp. 3d at 147–48. The Ellis court agreed, noting that Ellis did not form “any commitment or . . . any relationship” to CN merely by downloading its free app.51×51. See Ellis, 803 F.3d at 1257.
The Eleventh Circuit’s reasoning on who falls within the statutory definition of “subscriber,” adopted largely from Yershov, does not articulate any sensible distinction between the installation of an application and the examples that the court offered for what would qualify as sufficient “commitment.” The Ellis court emphasized that “some type of commitment, relationship, or association” was required — and implied that creating an account or paying recurring fees would satisfy such a commitment requirement.52×52. See id. at 1256. Yet it is unclear why downloading and installing an application fails to meet this level of commitment. While payment or registration of an account provides courts with an easy way to categorically identify a “subscriber,” neither precedent nor logic mandates that those expressions are the absolute outer limits of the term. Moreover, as a factual matter, installing the CN app seems closer to the court’s examples of “commitment” than it does to bookmarking a website on an Internet browser, which the Ellis court would not count as “commitment.”53×53. See id. at 1257. The use of the CN app requires download and installation that makes it a fixture on a user’s phone, where it remains permanently unless deleted. This action seems more akin to, if not more involved than, simply clicking “subscribe” on a YouTube channel or podcast — which the Yershov opinion provided as an example of subscribing — than it does to saving or “favoriting” a link.54×54. See id. (“The downloading of an app, we think, is the equivalent of adding a particular website to one’s Internet browser as a favorite, allowing quicker access to the website’s content.”). In fact, Android users can separately “favorite” or “bookmark” a webpage to their home screens as an icon that resembles an application, but instead of that icon serving as a shortcut to a permanent software fixture, it simply links directly to a particular webpage on their smartphone’s existing Internet browser.55×55. Nicole Cozma, Add Chrome Bookmarks to the Android Home Screen, CNET (Aug. 25, 2015, 1:08 PM), http://www.cnet.com/how-to/adding-one-touch-bookmarks-to-your-androids-home-screen [http://perma.cc/3MK9-38BV]. This is not what Mark Ellis did though. Installed applications indicate permanence: the application is a dedicated platform to view a particular provider’s content that has become, quite literally, a part of one’s phone.56×56. See, e.g., Raluca Budiu, Mobile: Native Apps, Web Apps, and Hybrid Apps, Nielsen Norman Group (Sept. 14, 2013), http://www.nngroup.com/articles/mobile-native-apps (noting that “apps live on the device[,] . . . are installed through an application store,” and “can take full advantage of all the device features — they can use the camera, the GPS, . . . the list of contacts, and so on”); Joel Sutherland, The Difference Between Apps and Mobile Websites, New Media Campaigns: Blog (Apr. 6, 2011), http://www.newmediacampaigns.com/blog/the-difference-between-apps-and-mobile-websites [http://perma.cc/856F-A28L] (comparing apps, which “can’t be found directly on the web [and] require more ‘investment’ for a customer to download,” with mobile websites, which customers can “bookmark” but which “cannot access all of the phone[’s] features (camera, etc[.]) that are available to apps”). Adding this platform to one’s phone seems like a commitment in its own right, far beyond saving a link on a browser, which merely allows a user to visit a website more conveniently.
Further, the CN app can collect significant amounts of personal information that the court failed to recognize in its “commitment” analysis. As part of its reasoning, the court stated that Ellis “did not provide any personal information to Cartoon Network.”57×57. Ellis, 803 F.3d at 1257. Although Ellis may not have directly typed in and sent his personal information, by installing the CN app, he provided personal information to Cartoon Network in a way that merely visiting its website would not have. Mobile applications are generally able to collect data about users including Internet history, location data, and other usage information.58×58. See, e.g., Understanding Mobile Apps, Fed. Trade Commission (Sept. 2011), http://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps [http://perma.cc/22DB-H3SB]. The Federal Trade Commission warns consumers that applications can access the address book, call logs, and calendar data, among other items — regardless of whether this data is necessary for the application to function or “related to the purpose of the app.”59×59. See id. As the New York Times and other outlets have reported, even the most popular smartphone applications routinely engage in such behavior, to the point where it has become described as an “industry best practice.”60×60. See Nicole Perlroth & Nick Bilton, Mobile Apps Take Data Without Permission, N.Y. Times: Bits (Feb. 15, 2012, 10:09 PM), http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission; see also Linda Musthaler, How Mobile Apps Can Take Whatever Data They Want from a Smartphone, Network World (Jan. 25, 2013, 12:02 PM), http://www.networkworld.com/article/2163048/infrastructure-management/how-mobile-apps-can-take-whatever-data-they-want-from-a-smartphone.html [http://perma.cc/KB95-WW99] (citing an expert, Domingo Guerra, to note that it has become “common for permissions to be written so generically that it’s not explicit what the user is granting access to”). The Ellis court focused on the fact that “a user is free to delete the app without consequence whenever he likes, and never access its content again” to evince a lack of commitment in the same manner as closing out of a visited webpage.61×61. See Ellis, 803 F.3d at 1257. However, the transfer of data upon downloading and installing an application seems to be such a consequence. Further, data aside, the same ability to leave without consequence is true of many subscriptions that the court would have accepted, such as an application that requires registration and other forms of digital subscription like to a YouTube channel or podcast to which users can unsubscribe at the click of a button. The reality of the relationship between those who provide mobile apps and those who install them thus calls into question the court’s justification for drawing the line between subscribers and mere users where it did.
Because it limits the scope of who can receive the VPPA’s protections, the court’s decision restricts the VPPA’s ability to further the policy interest behind its enactment and potentially allows its protections to be easily evaded. The VPPA, quite simply, is intended to “preserve personal privacy” of one’s video history.62×62. Id. at 1253 (quoting 134 Cong. Rec. 2361 (1988)). The Senate Report for the VPPA stressed the importance of privacy interests, emphasizing that people should be free to consume books and films without scrutiny of their particular reading or viewing habits — that such an “intimate process should be protected” as such content consumption provides “intellectual vitamins that fuel the growth of individual thought.”63×63. S. Rep. No. 100-599, at 7 (1988), as reprinted in 1988 U.S.C.C.A.N. 4342-1, 4342-7 (quoting Representative Al McCandless, the sponsor of the first Video Privacy Bill). The Senate Report noted that many parties would be interested in such information: “[p]rivate commercial interests want personal information to better advertise their products,” others would seek it for “political surveillance,” and, of course, “the intelligence community” would want it “to protect our national security.”64×64. Id. (quoting Janlori Goldman, counsel for the ACLU). But as the report eloquently explained: “The danger here is that a watched society is a conformist society, in which individuals are chilled in their pursuit of ideas and their willingness to experiment with ideas outside of the mainstream.”65×65. Id. (quoting Janlori Goldman, counsel for the ACLU). Although watching clips of Cartoon Network content may not reach the intellectual level of exploring ideas outside of the mainstream, the privacy interest at stake is the same: the VPPA expresses the societal commitment to prioritizing the privacy of one’s content consumption. Just as Judge Bork’s viewing history ultimately proved noncontroversial,66×66. The reporter who obtained Judge Bork’s video rental history, Michael Dolan, found its contents “pretty boring . . . . [T]he most surprising thing about his rental history was the 146 tapes he checked out in less than two years — making him ideal for the job of ‘Supreme Couch Potato.’” Andrea Peterson, How a Failed Supreme Court Bid is Still Causing Headaches for Hulu and Netflix, Wash. Post: The Switch (Dec. 27, 2013), https://www.washingtonpost.com/news/the-switch/wp/2013/12/27/how-a-failed-supreme-court-bid-is-still-causing-headaches-for-hulu-and-netflix [http://perma.cc/2D3A-GU2J]. As the article notes: “His video rental history probably didn’t hurt his [failed] nomination.” Id. it was the fear that he would not have been free to view more controversial content in the privacy of his home if he had wanted to that drove the enactment of the VPPA.
This privacy interest should be the same whether someone walks into a brick-and-mortar rental store, subscribes to a YouTube channel, or downloads and installs an application — all three involve a provider that maintains a unique viewing history regarding the user. However, unlike the district court in Ellis, the Eleventh Circuit would allow free applications that do not require registration to evade the VPPA completely. By simply not requiring users to create a username and password, any free application could begin sharing users’ data without fear of VPPA liability. In Ellis, the viewing history was linked only to an ostensibly anonymous Android ID. But under the decision’s reasoning, a similar application would be excluded from the VPPA and thus free to share any clearly personally identifiable information it gathered from one’s phone along with the viewing history — a great value for such content providers when coupled with third-party analytics companies like Bango. This is directly at odds with the mischief that the VPPA was enacted to protect against.
Had the Eleventh Circuit acknowledged that installing a mobile video application made Ellis a “consumer” within the scope of the VPPA, the court could have weighed in on what qualifies as “personally identifiable information.” How the VPPA’s rules concerning the disclosure of personally identifiable information should apply to new technologies like mobile applications is an important statutory interpretation controversy.67×67. See, e.g., John D. Seiver & Bryan Thompson, “And That’s the End!” 11th Circuit Ends VPPA Action in Ellis, but Leaves the Question of What is PII Unresolved, Privacy & Security L. Blog (Nov. 12, 2015), http://www.privsecblog.com/2015/11/articles/litigation-2/and-that’s-the-end-11th-circuit-ends-vppa-action-in-ellis-but-leaves-the-question-of-what-is-pii-unresolved [http://perma.cc/4BDJ-CA32] (“[T]he Eleventh Circuit’s ruling leaves one of the most pressing VPPA question [sic] for digital media companies unresolved — namely, what is personally identifiable information (‘PII’) under the VPPA?”). Additionally, with the Ninth Circuit’s dismissal of In re Hulu, it appears that no federal circuit court is poised to address what constitutes PII “in this context,” and this lack of clarity is particularly troublesome for content providers attempting to navigate this area of the law since Yershov “broke with the other federal district courts that have recently pondered the PII issue.” Id. It is uncertain whether information like an Android ID — an ostensibly anonymous, albeit unique, identifier — qualifies as “personally identifiable information” without more. As Ellis argued, an Android ID is comparable to a Social Security Number, as it is uniquely generated for an individual for the lifetime of the device, and third-party analytics companies, like Bango, can easily “automatically correlate Android IDs with actual people to form comprehensive profiles about consumers’ entire digital lives.”68×68. Plaintiff-Appellant’s Opening Brief at 4, Ellis, 803 F.3d 1251 (No. 14-15046). Companies like Bango assemble “digital dossiers” with information including “individuals’ names, addresses, phone numbers, email addresses, demographics, locations, purchase histories, and other online activities.”69×69. Id. On the other hand, the Android ID is not “personally identifiable information” in and of itself, as the district court emphasized.70×70. See Ellis v. Cartoon Network, Inc., No. 1:14-CV-484, 2014 WL 5023535, at *2–3 (N.D. Ga. Oct. 8, 2014). Although a company like Bango is able to decipher to whom the ID belongs, the ID alone identifies no specific individual without the “extra steps” of collecting other information in order to link that specific person to a particular viewing history.71×71. Id. at *3. The distinctions here are undoubtedly difficult, and beyond the scope of this comment. However, the point remains that a consequence of the outcome in Ellis was a missed opportunity to draw a clear line between what does and does not constitute “personally identifiable information” for the purposes of triggering VPPA protections.
The concern behind enacting the VPPA was protecting the privacy of video history, and the decision in Ellis creates troubling implications for that privacy interest going forward. Under Ellis, the video privacy protections that applied to physical media are no longer available in the digital landscape without either payment or formal registration. The court’s opinion, dictated by neither precedent nor logic, failed to articulate a convincing distinction between installing a free mobile application and creating an account with a content provider. Consequence, the court missed an opportunity to weigh in on the important question of exactly what “personally identifiable information” is today. Given the reality of the technology by which users now consume video content, the ramifications of Ellis for the privacy of video histories — which Congress so clearly prioritized — could be severe: video-content providers will readily be able to operate outside the scope of the VPPA. While the Eleventh Circuit opinion coyly quoted Yogi Bear in its description of Bango, perhaps a more apt citation for video application users in the future would have been to Bugs Bunny: “Eh, I don’t know, but, did you ever have the feeling you was being watched?”72×72. See Merrie Melodies: Hair-Raising Hare (Warner Bros. Pictures, Inc. May 25, 1946).