Every company that hosts videos on its websites or mobile apps and includes a “Like” button or other social networking plug-in should pay very close attention to a unique case that continues in the Northern District of California.

Since July 2011, Hulu has vigorously defended the consumer class-action in which four plaintiffs initially alleged that Hulu violated the VPPA by engaging third parties such as Scorecard (the research arm of comScore) and Google Analytics (companies that appear on many websites’ Ad Choices links) to perform web analytics on Hulu’s website. The technology requires the web analytics companies to tag users—via web beacons or cookies—to track their behavior on Hulu’s website as well as third-party sites.

Plaintiffs were seeking to certify a class-action case against Hulu, which now centers around the question of whether the technology (i.e., cookies) associated with the Like button, programmed by Facebook, constitutes a violation of the Video Privacy Protection Act (VPPA) by disclosing users’ viewing habits without their consent.

The case popped back up in the news this week when the court denied the plaintiffs’ putative class-action lawsuit, without prejudice. However, the case continues on the behalf of the initial four plaintiffs, and considering the judge’s open invitation for the plaintiffs to retry certification as sub-classes, it would be surprising if they didn’t file again for class certification using different definitions.


In the Hulu litigation, the plaintiffs originally claimed that commonplace functions like using Google Analytics or comScore to perform web analytics, or Kissmetrics for ad serving, could be an unlawful disclosure of their video viewing, with liquidated damages to be calculated at $2,500 per violation under the statute.

The web analytics and ad serving were done by collecting Hulu’s unique identifier, a random set of numbers assigned to a user’s device by Hulu, along with the URL for the page where the video appears. A unique ID could be a series of letters and/or numbers randomly assigned by the website operator.

The URL for the watch pages are often coded to include the video’s name like this fictitious sample:


Eventually, the plaintiffs voluntarily dropped their claims regarding Google Analytics and Kissmetrics. On April 28, the court dismissed on summary judgment the plaintiffs’ claims of alleged disclosures of Hulu unique identification numbers and video titles to comScore for analytic purposes.

The court concluded that unique identifiers, on their own and without more, were not sufficient to identify a specific person.

What remains are the plaintiffs’ claims that Hulu violated the VPPA by disclosing their video viewing selections and personal-identification information to Facebook simply by enabling the “Like” button functionality on Hulu’s website.

After denying Hulu’s prior motions to dismiss and motion for summary judgment based on lack of harm, the Northern District determined on April 28 that there were triable issues of fact regarding whether Hulu violated the VPPA by configuring its website to enable the “Like” button.

The issue?

Facebook’s cookies permit it to collect a Facebook user ID and the “referrer URL” value, or the URL of the page from which the request was issued. The Hulu court said the Facebook ID was sufficiently specific to identify a person and, in that respect, was akin to a user’s name. At oral argument preceding the final ruling on the motion for summary judgment, Magistrate Judge Beeler said a Facebook ID was even more personal than a user’s name because it led directly to a user’s Facebook profile that could reveal marital status, friends, photographs and political interests.

In this respect, Magistrate Judge Beeler concluded that the Facebook ID was in some respects even more personal than a name.

Yet, in adding a “Like” button to a video on its website, Hulu is in the company of legions of other websites that do the exact same thing. Emboldened by the prospect of a Facebook class, five other putative class-actions have been filed in the first half of 2014 in varying jurisdictions; Atlanta, Illinois, the Western District of Washington and, most recently, in the Southern District of New York. In each of the cases, the plaintiffs are undoubtedly tantalized by the prospect of millions of alleged violations—every time the Like button sends cookie information to Facebook—and the prospect of $2,500 per violation.

Court’s decision to deny class certification turned on “lack of ascertainability”

In its class-certification motion, plaintiffs in the Hulu case proposed the following class definition:

  • Facebook Disclosure Class: All persons residing in the United States and its territories who, from April 21, 2010 through June 7, 2012, were registered users of hulu.com (including, but not limited to, paying subscribers, also known as Hulu Plus subscribers) while being members of Facebook and requested and/or obtained video materials and/or services on hulu.com during the Class Period.

On May 8, 2014, the Judge Beeler called a hearing to determine how her ruling would impact the upcoming hearing on class certification. At that time, plaintiffs’ stated they would narrow the Facebook class to “disclosures of information involving the c_user cookie contained in the logged-in Hulu user’s Facebook ID and the watch page/refer header containing video titles.” The restriction of the class to the c_user Facebook ID, according to Magistrate Judge Beeler, “in effect limits the class to registered Hulu users who at least once during the class period watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings.”

Although ascertainability is not an explicit requirement under Rule 23(a), some courts have held that a proposed class must also be adequately ascertainable—a group of plaintiffs whose members can be identified with some particularity.

Plaintiffs argued that this requirement was met because: “All class members must be (1) Registered Users of Hulu, (2) [that] have requested and/or obtained video services and (3) during the class periods.”

They argued Hulu has the information to identify class members because “in order to become a rregistered user of Hulu, users must provide their ‘name, e-mail address, birth date, gender and address.’” Plaintiffs also argued that class members can likely identify themselves from their own records. Plaintiffs cited Harris v. comScore, Inc. for the proposition that where the “bulk of the class membership will likely be determined by comScore’s records … evaluation of any additional plaintiffs claiming membership by affidavit [is] manageable.”

The comScore case involved the certification of a 10-million user class at $10,000 per violation that was upheld by the 7th Circuit in June 2013. The comScore court approved the final settlement on May 30, 2014.

The Hulu court rejected the plaintiffs’ arguments, but left open the possibility that plaintiffs could re-file their class certification motion and address concerns in the order via subclasses. In denying the plaintiff’s motion for class certification, without prejudice, Magistrate Beeler stated, “[w]hether these issues could be resolved by narrowing the class definition, by defining subclasses, by reference to objective criteria, by a damages analysis that addresses pecuniary incentives, or otherwise, the undersigned cannot tell.”

The bases for the magistrate’s denial of class certification were multifold. First, she was concerned that self-identification of class members through affidavits would require the plaintiffs to remember uneventful details like whether they had an ad blocker on, or whether they had cleared cookies before viewing files on Hulu’s site.

Second, she expressed concern that the amount of statutory damages could incentivize plaintiffs to claim inclusion in the class and therefore render affidavits unreliable.

Third, she was concerned that neither Facebook nor Hulu would have accurate records of critical information that would form the basis of class inclusion—i.e., whether ad blockers were used or cookies cleared. As such, the fact that Hulu and Facebook would have e-mail records of account holders was not persuasive to her.

In briefing, Hulu relied on Carrera v. Bayer Corp., rejecting the use of class member affidavits, noting that “a defendant must be able to challenge class membership,” especially “where the named plaintiff’s deposition testimony suggested that individuals will have difficulty accurately recalling” key details. The magistrate took issue with this reasoning in the decision. Although recognizing that the class was not ascertainable based upon the record before her, she left open the possibility that affidavits may be sufficient to identify a class if the motion is re-filed: “Proof by affidavit does not necessarily defeat ascertainability. The reason is that if consumers always had to prove purchases, they that would defeat many consumer class actions.”

With regard to the other class action factors, the court largely stated, in dicta that the burden had been met, except for the question of “predominance” of common issues. The Court rejected many of Hulu’s arguments relating to predominance. For example, she found that the fact that some account holders used pseudonyms instead of their real names did not create individual issues. Nor did the user’s potential behavior of watching videos while logged into Facebook, or posting videos on Facebook constitute consent under the VPPA such that individual issues were created.

The court stated that “the main issue with predominance is cookie clearing or blocking.” She went on to point out the myriad individual issues that would have to be decided, like whether a user used ad blockers or cleared cookies manually, among others. The court left open the door, however, that these issues could be addressed with a re-definition of the class: “Perhaps subclasses could address the use (or lack of use) of ad-blockers or browser technologies, or whether users stayed logged into Facebook. Plaintiffs have not proposed that subclassing.”

What Should You Do?

The Hulu litigation has been ongoing since 2011. To potentially avoid exposure, companies should focus on compliance best practices with regard to videos on their websites. Compliance legal teams, IT and marketing should have a thorough understanding of the information they are collecting and disclosing to third-party service providers as well as the timing for those disclosures. Further, companies should explore methods for obtaining consent under the statute. The risks are significant – i.e., $2500 per violation and—in many cases—millions of alleged violations, sometimes per day, depending on the website or online service.

Best Practices for Web Analytic (comScore- type) Disclosures

In the April 28 summary judgment decision, Magistrate Judge Beeler left open the question of whether unique identifiers could still be PII depending upon context. Because comScore web beacons were not linked, and there was no evidence that comScore actually linked them, there was not context to find PII under these circumstances.

For compliance and to avoid the risk that ID number disclosures could constitute PII, companies should:

  • Determine whether the disclosures to analytic companies contain, within one cookie, a unique identifier, video viewing and some other potentially identifying information equivalent to a name, including any type of “look up” table that would correlate the user id to a specific account.
  • Adequately train staff and employees to avoid communications between analytic companies and staff that could imply knowledge that non-PII data (e.g., unique identifiers) will be linked with PII.
  • Review existing agreements with analytic companies to determine whether agreements authorize linking of datasets.

Best Practices For Compliance: Social Networking (e.g., Facebook) Disclosures

  • Consider the technological functionality of the social networking plug-in. Is the cookie configured such that data will be relayed before the user hits the plug-in symbol. If so, considering the steps below.
  • Consider whether the video title needs to be included in the watch page.
  • Consider whether there is a basis to code the videos by subject matter for marketing purposes to take advantage of the VPPA’s express permission for same.
  • If so, consider obtaining informed written consent as permitted under the statute.
  • Consider other ways to anonymize specific video viewing data from URLs.


Written By

Dominique Shelton, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»