Every company that hosts videos on its websites or mobile apps and includes a “Like” button or other social networking plug-in should pay very close attention to a unique case that continues in the Northern District of California.
Since July 2011, Hulu has vigorously defended the consumer class-action in which four plaintiffs initially alleged that Hulu violated the VPPA by engaging third parties such as Scorecard (the research arm of comScore) and Google Analytics (companies that appear on many websites’ Ad Choices links) to perform web analytics on Hulu’s website. The technology requires the web analytics companies to tag users—via web beacons or cookies—to track their behavior on Hulu’s website as well as third-party sites.
Plaintiffs were seeking to certify a class-action case against Hulu, which now centers around the question of whether the technology (i.e., cookies) associated with the Like button, programmed by Facebook, constitutes a violation of the Video Privacy Protection Act (VPPA) by disclosing users’ viewing habits without their consent.
The case popped back up in the news this week when the court denied the plaintiffs’ putative class-action lawsuit, without prejudice. However, the case continues on the behalf of the initial four plaintiffs, and considering the judge’s open invitation for the plaintiffs to retry certification as sub-classes, it would be surprising if they didn’t file again for class certification using different definitions.
Background
In the Hulu litigation, the plaintiffs originally claimed that commonplace functions like using Google Analytics or comScore to perform web analytics, or Kissmetrics for ad serving, could be an unlawful disclosure of their video viewing, with liquidated damages to be calculated at $2,500 per violation under the statute.
The web analytics and ad serving were done by collecting Hulu’s unique identifier, a random set of numbers assigned to a user’s device by Hulu, along with the URL for the page where the video appears. A unique ID could be a series of letters and/or numbers randomly assigned by the website operator.
The URL for the watch pages are often coded to include the video’s name like this fictitious sample:
http://video.fictiouswebsitepublisher.com/watch/themagnificentsamplevideotitlehere
Eventually, the plaintiffs voluntarily dropped their claims regarding Google Analytics and Kissmetrics. On April 28, the court dismissed on summary judgment the plaintiffs’ claims of alleged disclosures of Hulu unique identification numbers and video titles to comScore for analytic purposes.
The court concluded that unique identifiers, on their own and without more, were not sufficient to identify a specific person.
What remains are the plaintiffs’ claims that Hulu violated the VPPA by disclosing their video viewing selections and personal-identification information to Facebook simply by enabling the “Like” button functionality on Hulu’s website.
After denying Hulu’s prior motions to dismiss and motion for summary judgment based on lack of harm, the Northern District determined on April 28 that there were triable issues of fact regarding whether Hulu violated the VPPA by configuring its website to enable the “Like” button.
The issue?
Facebook’s cookies permit it to collect a Facebook user ID and the “referrer URL” value, or the URL of the page from which the request was issued. The Hulu court said the Facebook ID was sufficiently specific to identify a person and, in that respect, was akin to a user’s name. At oral argument preceding the final ruling on the motion for summary judgment, Magistrate Judge Beeler said a Facebook ID was even more personal than a user’s name because it led directly to a user’s Facebook profile that could reveal marital status, friends, photographs and political interests.
In this respect, Magistrate Judge Beeler concluded that the Facebook ID was in some respects even more personal than a name.
Yet, in adding a “Like” button to a video on its website, Hulu is in the company of legions of other websites that do the exact same thing. Emboldened by the prospect of a Facebook class, five other putative class-actions have been filed in the first half of 2014 in varying jurisdictions; Atlanta, Illinois, the Western District of Washington and, most recently, in the Southern District of New York. In each of the cases, the plaintiffs are undoubtedly tantalized by the prospect of millions of alleged violations—every time the Like button sends cookie information to Facebook—and the prospect of $2,500 per violation.
Court’s decision to deny class certification turned on “lack of ascertainability”
In its class-certification motion, plaintiffs in the Hulu case proposed the following class definition:
On May 8, 2014, the Judge Beeler called a hearing to determine how her ruling would impact the upcoming hearing on class certification. At that time, plaintiffs’ stated they would narrow the Facebook class to “disclosures of information involving the c_user cookie contained in the logged-in Hulu user’s Facebook ID and the watch page/refer header containing video titles.” The restriction of the class to the c_user Facebook ID, according to Magistrate Judge Beeler, “in effect limits the class to registered Hulu users who at least once during the class period watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings.”
Although ascertainability is not an explicit requirement under Rule 23(a), some courts have held that a proposed class must also be adequately ascertainable—a group of plaintiffs whose members can be identified with some particularity.
Plaintiffs argued that this requirement was met because: “All class members must be (1) Registered Users of Hulu, (2) [that] have requested and/or obtained video services and (3) during the class periods.”
They argued Hulu has the information to identify class members because “in order to become a rregistered user of Hulu, users must provide their ‘name, e-mail address, birth date, gender and address.’” Plaintiffs also argued that class members can likely identify themselves from their own records. Plaintiffs cited Harris v. comScore, Inc. for the proposition that where the “bulk of the class membership will likely be determined by comScore’s records … evaluation of any additional plaintiffs claiming membership by affidavit [is] manageable.”
The comScore case involved the certification of a 10-million user class at $10,000 per violation that was upheld by the 7th Circuit in June 2013. The comScore court approved the final settlement on May 30, 2014.
The Hulu court rejected the plaintiffs’ arguments, but left open the possibility that plaintiffs could re-file their class certification motion and address concerns in the order via subclasses. In denying the plaintiff’s motion for class certification, without prejudice, Magistrate Beeler stated, “[w]hether these issues could be resolved by narrowing the class definition, by defining subclasses, by reference to objective criteria, by a damages analysis that addresses pecuniary incentives, or otherwise, the undersigned cannot tell.”
The bases for the magistrate’s denial of class certification were multifold. First, she was concerned that self-identification of class members through affidavits would require the plaintiffs to remember uneventful details like whether they had an ad blocker on, or whether they had cleared cookies before viewing files on Hulu’s site.
Second, she expressed concern that the amount of statutory damages could incentivize plaintiffs to claim inclusion in the class and therefore render affidavits unreliable.
Third, she was concerned that neither Facebook nor Hulu would have accurate records of critical information that would form the basis of class inclusion—i.e., whether ad blockers were used or cookies cleared. As such, the fact that Hulu and Facebook would have e-mail records of account holders was not persuasive to her.
In briefing, Hulu relied on Carrera v. Bayer Corp., rejecting the use of class member affidavits, noting that “a defendant must be able to challenge class membership,” especially “where the named plaintiff’s deposition testimony suggested that individuals will have difficulty accurately recalling” key details. The magistrate took issue with this reasoning in the decision. Although recognizing that the class was not ascertainable based upon the record before her, she left open the possibility that affidavits may be sufficient to identify a class if the motion is re-filed: “Proof by affidavit does not necessarily defeat ascertainability. The reason is that if consumers always had to prove purchases, they that would defeat many consumer class actions.”
With regard to the other class action factors, the court largely stated, in dicta that the burden had been met, except for the question of “predominance” of common issues. The Court rejected many of Hulu’s arguments relating to predominance. For example, she found that the fact that some account holders used pseudonyms instead of their real names did not create individual issues. Nor did the user’s potential behavior of watching videos while logged into Facebook, or posting videos on Facebook constitute consent under the VPPA such that individual issues were created.
The court stated that “the main issue with predominance is cookie clearing or blocking.” She went on to point out the myriad individual issues that would have to be decided, like whether a user used ad blockers or cleared cookies manually, among others. The court left open the door, however, that these issues could be addressed with a re-definition of the class: “Perhaps subclasses could address the use (or lack of use) of ad-blockers or browser technologies, or whether users stayed logged into Facebook. Plaintiffs have not proposed that subclassing.”
What Should You Do?
The Hulu litigation has been ongoing since 2011. To potentially avoid exposure, companies should focus on compliance best practices with regard to videos on their websites. Compliance legal teams, IT and marketing should have a thorough understanding of the information they are collecting and disclosing to third-party service providers as well as the timing for those disclosures. Further, companies should explore methods for obtaining consent under the statute. The risks are significant – i.e., $2500 per violation and—in many cases—millions of alleged violations, sometimes per day, depending on the website or online service.
Best Practices for Web Analytic (comScore- type) Disclosures
In the April 28 summary judgment decision, Magistrate Judge Beeler left open the question of whether unique identifiers could still be PII depending upon context. Because comScore web beacons were not linked, and there was no evidence that comScore actually linked them, there was not context to find PII under these circumstances.
For compliance and to avoid the risk that ID number disclosures could constitute PII, companies should:
Best Practices For Compliance: Social Networking (e.g., Facebook) Disclosures
Since July 2011, Hulu has vigorously defended the consumer class-action in which four plaintiffs initially alleged that Hulu violated the VPPA by engaging third parties such as Scorecard (the research arm of comScore) and Google Analytics (companies that appear on many websites’ Ad Choices links) to perform web analytics on Hulu’s website. The technology requires the web analytics companies to tag users—via web beacons or cookies—to track their behavior on Hulu’s website as well as third-party sites.
Plaintiffs were seeking to certify a class-action case against Hulu, which now centers around the question of whether the technology (i.e., cookies) associated with the Like button, programmed by Facebook, constitutes a violation of the Video Privacy Protection Act (VPPA) by disclosing users’ viewing habits without their consent.
The case popped back up in the news this week when the court denied the plaintiffs’ putative class-action lawsuit, without prejudice. However, the case continues on the behalf of the initial four plaintiffs, and considering the judge’s open invitation for the plaintiffs to retry certification as sub-classes, it would be surprising if they didn’t file again for class certification using different definitions.
Background
In the Hulu litigation, the plaintiffs originally claimed that commonplace functions like using Google Analytics or comScore to perform web analytics, or Kissmetrics for ad serving, could be an unlawful disclosure of their video viewing, with liquidated damages to be calculated at $2,500 per violation under the statute.
The web analytics and ad serving were done by collecting Hulu’s unique identifier, a random set of numbers assigned to a user’s device by Hulu, along with the URL for the page where the video appears. A unique ID could be a series of letters and/or numbers randomly assigned by the website operator.
The URL for the watch pages are often coded to include the video’s name like this fictitious sample:
http://video.fictiouswebsitepublisher.com/watch/themagnificentsamplevideotitlehere
Eventually, the plaintiffs voluntarily dropped their claims regarding Google Analytics and Kissmetrics. On April 28, the court dismissed on summary judgment the plaintiffs’ claims of alleged disclosures of Hulu unique identification numbers and video titles to comScore for analytic purposes.
The court concluded that unique identifiers, on their own and without more, were not sufficient to identify a specific person.
What remains are the plaintiffs’ claims that Hulu violated the VPPA by disclosing their video viewing selections and personal-identification information to Facebook simply by enabling the “Like” button functionality on Hulu’s website.
After denying Hulu’s prior motions to dismiss and motion for summary judgment based on lack of harm, the Northern District determined on April 28 that there were triable issues of fact regarding whether Hulu violated the VPPA by configuring its website to enable the “Like” button.
The issue?
Facebook’s cookies permit it to collect a Facebook user ID and the “referrer URL” value, or the URL of the page from which the request was issued. The Hulu court said the Facebook ID was sufficiently specific to identify a person and, in that respect, was akin to a user’s name. At oral argument preceding the final ruling on the motion for summary judgment, Magistrate Judge Beeler said a Facebook ID was even more personal than a user’s name because it led directly to a user’s Facebook profile that could reveal marital status, friends, photographs and political interests.
In this respect, Magistrate Judge Beeler concluded that the Facebook ID was in some respects even more personal than a name.
Yet, in adding a “Like” button to a video on its website, Hulu is in the company of legions of other websites that do the exact same thing. Emboldened by the prospect of a Facebook class, five other putative class-actions have been filed in the first half of 2014 in varying jurisdictions; Atlanta, Illinois, the Western District of Washington and, most recently, in the Southern District of New York. In each of the cases, the plaintiffs are undoubtedly tantalized by the prospect of millions of alleged violations—every time the Like button sends cookie information to Facebook—and the prospect of $2,500 per violation.
Court’s decision to deny class certification turned on “lack of ascertainability”
In its class-certification motion, plaintiffs in the Hulu case proposed the following class definition:
- Facebook Disclosure Class: All persons residing in the United States and its territories who, from April 21, 2010 through June 7, 2012, were registered users of hulu.com (including, but not limited to, paying subscribers, also known as Hulu Plus subscribers) while being members of Facebook and requested and/or obtained video materials and/or services on hulu.com during the Class Period.
On May 8, 2014, the Judge Beeler called a hearing to determine how her ruling would impact the upcoming hearing on class certification. At that time, plaintiffs’ stated they would narrow the Facebook class to “disclosures of information involving the c_user cookie contained in the logged-in Hulu user’s Facebook ID and the watch page/refer header containing video titles.” The restriction of the class to the c_user Facebook ID, according to Magistrate Judge Beeler, “in effect limits the class to registered Hulu users who at least once during the class period watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings.”
Although ascertainability is not an explicit requirement under Rule 23(a), some courts have held that a proposed class must also be adequately ascertainable—a group of plaintiffs whose members can be identified with some particularity.
Plaintiffs argued that this requirement was met because: “All class members must be (1) Registered Users of Hulu, (2) [that] have requested and/or obtained video services and (3) during the class periods.”
They argued Hulu has the information to identify class members because “in order to become a rregistered user of Hulu, users must provide their ‘name, e-mail address, birth date, gender and address.’” Plaintiffs also argued that class members can likely identify themselves from their own records. Plaintiffs cited Harris v. comScore, Inc. for the proposition that where the “bulk of the class membership will likely be determined by comScore’s records … evaluation of any additional plaintiffs claiming membership by affidavit [is] manageable.”
The comScore case involved the certification of a 10-million user class at $10,000 per violation that was upheld by the 7th Circuit in June 2013. The comScore court approved the final settlement on May 30, 2014.
The Hulu court rejected the plaintiffs’ arguments, but left open the possibility that plaintiffs could re-file their class certification motion and address concerns in the order via subclasses. In denying the plaintiff’s motion for class certification, without prejudice, Magistrate Beeler stated, “[w]hether these issues could be resolved by narrowing the class definition, by defining subclasses, by reference to objective criteria, by a damages analysis that addresses pecuniary incentives, or otherwise, the undersigned cannot tell.”
The bases for the magistrate’s denial of class certification were multifold. First, she was concerned that self-identification of class members through affidavits would require the plaintiffs to remember uneventful details like whether they had an ad blocker on, or whether they had cleared cookies before viewing files on Hulu’s site.
Second, she expressed concern that the amount of statutory damages could incentivize plaintiffs to claim inclusion in the class and therefore render affidavits unreliable.
Third, she was concerned that neither Facebook nor Hulu would have accurate records of critical information that would form the basis of class inclusion—i.e., whether ad blockers were used or cookies cleared. As such, the fact that Hulu and Facebook would have e-mail records of account holders was not persuasive to her.
In briefing, Hulu relied on Carrera v. Bayer Corp., rejecting the use of class member affidavits, noting that “a defendant must be able to challenge class membership,” especially “where the named plaintiff’s deposition testimony suggested that individuals will have difficulty accurately recalling” key details. The magistrate took issue with this reasoning in the decision. Although recognizing that the class was not ascertainable based upon the record before her, she left open the possibility that affidavits may be sufficient to identify a class if the motion is re-filed: “Proof by affidavit does not necessarily defeat ascertainability. The reason is that if consumers always had to prove purchases, they that would defeat many consumer class actions.”
With regard to the other class action factors, the court largely stated, in dicta that the burden had been met, except for the question of “predominance” of common issues. The Court rejected many of Hulu’s arguments relating to predominance. For example, she found that the fact that some account holders used pseudonyms instead of their real names did not create individual issues. Nor did the user’s potential behavior of watching videos while logged into Facebook, or posting videos on Facebook constitute consent under the VPPA such that individual issues were created.
The court stated that “the main issue with predominance is cookie clearing or blocking.” She went on to point out the myriad individual issues that would have to be decided, like whether a user used ad blockers or cleared cookies manually, among others. The court left open the door, however, that these issues could be addressed with a re-definition of the class: “Perhaps subclasses could address the use (or lack of use) of ad-blockers or browser technologies, or whether users stayed logged into Facebook. Plaintiffs have not proposed that subclassing.”
What Should You Do?
The Hulu litigation has been ongoing since 2011. To potentially avoid exposure, companies should focus on compliance best practices with regard to videos on their websites. Compliance legal teams, IT and marketing should have a thorough understanding of the information they are collecting and disclosing to third-party service providers as well as the timing for those disclosures. Further, companies should explore methods for obtaining consent under the statute. The risks are significant – i.e., $2500 per violation and—in many cases—millions of alleged violations, sometimes per day, depending on the website or online service.
Best Practices for Web Analytic (comScore- type) Disclosures
In the April 28 summary judgment decision, Magistrate Judge Beeler left open the question of whether unique identifiers could still be PII depending upon context. Because comScore web beacons were not linked, and there was no evidence that comScore actually linked them, there was not context to find PII under these circumstances.
For compliance and to avoid the risk that ID number disclosures could constitute PII, companies should:
- Determine whether the disclosures to analytic companies contain, within one cookie, a unique identifier, video viewing and some other potentially identifying information equivalent to a name, including any type of “look up” table that would correlate the user id to a specific account.
- Adequately train staff and employees to avoid communications between analytic companies and staff that could imply knowledge that non-PII data (e.g., unique identifiers) will be linked with PII.
- Review existing agreements with analytic companies to determine whether agreements authorize linking of datasets.
Best Practices For Compliance: Social Networking (e.g., Facebook) Disclosures
- Consider the technological functionality of the social networking plug-in. Is the cookie configured such that data will be relayed before the user hits the plug-in symbol. If so, considering the steps below.
- Consider whether the video title needs to be included in the watch page.
- Consider whether there is a basis to code the videos by subject matter for marketing purposes to take advantage of the VPPA’s express permission for same.
- If so, consider obtaining informed written consent as permitted under the statute.
- Consider other ways to anonymize specific video viewing data from URLs.