
Every company that hosts videos on its websites or mobile apps and includes a “Like” button or other social networking plug-in should pay very close attention to a unique case that continues in the Northern District of California.

Since July 2011, Hulu has vigorously defended the consumer class-action in which four plaintiffs initially alleged that Hulu violated the VPPA by engaging third parties such as Scorecard (the research arm of comScore) and Google Analytics (companies that appear on many websites’ Ad Choices links) to perform web analytics on Hulu’s website. The technology requires the web analytics companies to tag users—via web beacons or cookies—to track their behavior on Hulu’s website as well as third-party sites.

Plaintiffs were seeking to certify a class-action case against Hulu, which now centers around the question of whether the technology (i.e., cookies) associated with the Like button, programmed by Facebook, constitutes a violation of the Video Privacy Protection Act (VPPA) by disclosing users’ viewing habits without their consent.

The case popped back up in the news this week when the court denied the plaintiffs’ motion for class certification, without prejudice. However, the case continues on behalf of the initial four plaintiffs, and considering the judge’s open invitation for the plaintiffs to retry certification as sub-classes, it would be surprising if they didn’t file again for class certification using different definitions.


In the Hulu litigation, the plaintiffs originally claimed that commonplace functions like using Google Analytics or comScore to perform web analytics, or Kissmetrics for ad serving, could be an unlawful disclosure of their video viewing, with liquidated damages to be calculated at $2,500 per violation under the statute.

The web analytics and ad serving were done by collecting Hulu’s unique identifier, a random set of numbers assigned to a user’s device by Hulu, along with the URL for the page where the video appears. A unique ID could be a series of letters and/or numbers randomly assigned by the website operator.

The URL for a watch page is often coded to include the video’s name, like this fictitious sample:


Eventually, the plaintiffs voluntarily dropped their claims regarding Google Analytics and Kissmetrics. On April 28, the court dismissed on summary judgment the plaintiffs’ claims of alleged disclosures of Hulu unique identification numbers and video titles to comScore for analytic purposes.

The court concluded that unique identifiers, on their own and without more, were not sufficient to identify a specific person.

What remains are the plaintiffs’ claims that Hulu violated the VPPA by disclosing their video viewing selections and personal-identification information to Facebook simply by enabling the “Like” button functionality on Hulu’s website.

After denying Hulu’s prior motions to dismiss and motion for summary judgment based on lack of harm, the Northern District determined on April 28 that there were triable issues of fact regarding whether Hulu violated the VPPA by configuring its website to enable the “Like” button.

The issue?

Facebook’s cookies permit it to collect a Facebook user ID and the “referrer URL” value, or the URL of the page from which the request was issued. The Hulu court said the Facebook ID was sufficiently specific to identify a person and, in that respect, was akin to a user’s name. At oral argument preceding the final ruling on the motion for summary judgment, Magistrate Judge Beeler said a Facebook ID was even more personal than a user’s name because it led directly to a user’s Facebook profile that could reveal marital status, friends, photographs and political interests.

Magistrate Judge Beeler thus concluded that the Facebook ID was in some respects even more personal than a name.

Yet, in adding a “Like” button to a video on its website, Hulu is in the company of legions of other websites that do the exact same thing. Emboldened by the prospect of a Facebook class, five other putative class-actions have been filed in the first half of 2014 in varying jurisdictions: Atlanta, Illinois, the Western District of Washington and, most recently, the Southern District of New York. In each of the cases, the plaintiffs are undoubtedly tantalized by the prospect of millions of alleged violations—every time the Like button sends cookie information to Facebook—and the prospect of $2,500 per violation.

Court’s decision to deny class certification turned on “lack of ascertainability”

In its class-certification motion, plaintiffs in the Hulu case proposed the following class definition:

  • Facebook Disclosure Class: All persons residing in the United States and its territories who, from April 21, 2010 through June 7, 2012, were registered users of hulu.com (including, but not limited to, paying subscribers, also known as Hulu Plus subscribers) while being members of Facebook and requested and/or obtained video materials and/or services on hulu.com during the Class Period.

On May 8, 2014, Judge Beeler called a hearing to determine how her ruling would impact the upcoming hearing on class certification. At that time, plaintiffs stated they would narrow the Facebook class to “disclosures of information involving the c_user cookie contained in the logged-in Hulu user’s Facebook ID and the watch page/refer header containing video titles.” The restriction of the class to the c_user Facebook ID, according to Magistrate Judge Beeler, “in effect limits the class to registered Hulu users who at least once during the class period watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings.”

Although ascertainability is not an explicit requirement under Rule 23(a), some courts have held that a proposed class must also be adequately ascertainable—a group of plaintiffs whose members can be identified with some particularity.

Plaintiffs argued that this requirement was met because: “All class members must be (1) Registered Users of Hulu, (2) [that] have requested and/or obtained video services and (3) during the class periods.”

They argued Hulu has the information to identify class members because “in order to become a registered user of Hulu, users must provide their ‘name, e-mail address, birth date, gender and address.’” Plaintiffs also argued that class members can likely identify themselves from their own records. Plaintiffs cited Harris v. comScore, Inc. for the proposition that where the “bulk of the class membership will likely be determined by comScore’s records … evaluation of any additional plaintiffs claiming membership by affidavit [is] manageable.”

The comScore case involved the certification of a 10-million user class at $10,000 per violation that was upheld by the 7th Circuit in June 2013. The comScore court approved the final settlement on May 30, 2014.

The Hulu court rejected the plaintiffs’ arguments, but left open the possibility that plaintiffs could re-file their class certification motion and address concerns in the order via subclasses. In denying the plaintiffs’ motion for class certification, without prejudice, Magistrate Beeler stated, “[w]hether these issues could be resolved by narrowing the class definition, by defining subclasses, by reference to objective criteria, by a damages analysis that addresses pecuniary incentives, or otherwise, the undersigned cannot tell.”

The bases for the magistrate’s denial of class certification were multifold. First, she was concerned that self-identification of class members through affidavits would require the plaintiffs to remember uneventful details like whether they had an ad blocker on, or whether they had cleared cookies before viewing files on Hulu’s site.

Second, she expressed concern that the amount of statutory damages could incentivize plaintiffs to claim inclusion in the class and therefore render affidavits unreliable.

Third, she was concerned that neither Facebook nor Hulu would have accurate records of critical information that would form the basis of class inclusion—i.e., whether ad blockers were used or cookies cleared. As such, the fact that Hulu and Facebook would have e-mail records of account holders was not persuasive to her.

In briefing, Hulu relied on Carrera v. Bayer Corp., rejecting the use of class member affidavits, noting that “a defendant must be able to challenge class membership,” especially “where the named plaintiff’s deposition testimony suggested that individuals will have difficulty accurately recalling” key details. The magistrate took issue with this reasoning in the decision. Although recognizing that the class was not ascertainable based upon the record before her, she left open the possibility that affidavits may be sufficient to identify a class if the motion is re-filed: “Proof by affidavit does not necessarily defeat ascertainability. The reason is that if consumers always had to prove purchases, that would defeat many consumer class actions.”

With regard to the other class action factors, the court largely stated, in dicta, that the burden had been met, except for the question of “predominance” of common issues. The court rejected many of Hulu’s arguments relating to predominance. For example, she found that the fact that some account holders used pseudonyms instead of their real names did not create individual issues. Nor did the user’s potential behavior of watching videos while logged into Facebook, or posting videos on Facebook, constitute consent under the VPPA such that individual issues were created.

The court stated that “the main issue with predominance is cookie clearing or blocking.” She went on to point out the myriad individual issues that would have to be decided, like whether a user used ad blockers or cleared cookies manually, among others. The court left open the door, however, that these issues could be addressed with a re-definition of the class: “Perhaps subclasses could address the use (or lack of use) of ad-blockers or browser technologies, or whether users stayed logged into Facebook. Plaintiffs have not proposed that subclassing.”

What Should You Do?

The Hulu litigation has been ongoing since 2011. To potentially avoid exposure, companies should focus on compliance best practices with regard to videos on their websites. Compliance legal teams, IT and marketing should have a thorough understanding of the information they are collecting and disclosing to third-party service providers as well as the timing for those disclosures. Further, companies should explore methods for obtaining consent under the statute. The risks are significant: $2,500 per violation and, in many cases, millions of alleged violations, sometimes per day, depending on the website or online service.

Best Practices for Web Analytics (comScore-type) Disclosures

In the April 28 summary judgment decision, Magistrate Judge Beeler left open the question of whether unique identifiers could still be PII depending upon context. Because comScore web beacons were not linked, and there was no evidence that comScore actually linked them, there was no context to find PII under these circumstances.

For compliance and to avoid the risk that ID number disclosures could constitute PII, companies should:

  • Determine whether the disclosures to analytic companies contain, within one cookie, a unique identifier, video viewing and some other potentially identifying information equivalent to a name, including any type of “look up” table that would correlate the user id to a specific account.
  • Adequately train staff and employees to avoid communications between analytic companies and staff that could imply knowledge that non-PII data (e.g., unique identifiers) will be linked with PII.
  • Review existing agreements with analytic companies to determine whether agreements authorize linking of datasets.

Best Practices For Compliance: Social Networking (e.g., Facebook) Disclosures

  • Consider the technological functionality of the social networking plug-in. Is the cookie configured such that data will be relayed before the user hits the plug-in symbol? If so, consider the steps below.
  • Consider whether the video title needs to be included in the watch page.
  • Consider whether there is a basis to code the videos by subject matter for marketing purposes to take advantage of the VPPA’s express permission for same.
  • If so, consider obtaining informed written consent as permitted under the statute.
  • Consider other ways to anonymize specific video viewing data from URLs.
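
The following Python example is added here and is not from the article or the litigation record. It checks the headers of captured third-party requests for the combination discussed above: an identifying cookie (c_user) sent together with a watch-page Referer that carries a video title. The hosts, the /watch/<id>/<slug> path layout and the sample requests are constructed assumptions.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Cookies treated as person-identifying; c_user is the one named in the article.
ID_COOKIES = {"c_user"}
# Assumed watch-page layout (hypothetical): /watch/<numeric id>/<title-slug>
WATCH_RE = re.compile(r"^/watch/(\d+)(?:/([a-z0-9-]+))?/?$")

def audit_request(headers):
    """Report what one third-party request discloses, from its headers alone."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    ids = sorted(name for name in jar if name in ID_COOKIES)
    match = WATCH_RE.match(urlsplit(headers.get("Referer", "")).path)
    title = match.group(2) if match else None
    return {
        "identifier_cookies": ids,
        "video_title": title,
        # Identifier and title in the same request is the combination at issue.
        "id_with_title": bool(ids and title),
    }

def origin_only(referer):
    """Referer value after trimming to scheme and host (e.g. Referrer-Policy: origin)."""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}/"

# Constructed sample requests to a social plug-in host; not real traffic.
SAMPLES = {
    "logged_in_with_title": {
        "Cookie": "c_user=100000000000001; locale=en_US",
        "Referer": "https://video.example/watch/4521/sample-show-pilot",
    },
    "cookies_cleared": {
        "Cookie": "locale=en_US",
        "Referer": "https://video.example/watch/4521/sample-show-pilot",
    },
    "title_removed_from_url": {
        "Cookie": "c_user=100000000000001",
        "Referer": "https://video.example/watch/4521",
    },
}

def audit_samples():
    return {name: audit_request(h)["id_with_title"] for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, flagged in audit_samples().items():
        print(f"{name}: id_with_title={flagged}")
```

Only the first sample is flagged; the same request with the Referer trimmed to its origin, or with the title slug removed from the watch URL, no longer pairs the identifier with a video title.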


Written By

Dominique Shelton, CIPP/US

