The ongoing case In re Hulu Privacy Litigation is now in its fourth year in Federal court. Since 2011, Hulu has actively and aggressively fought allegations that it violated the Video Privacy Protection Act (VPPA)—legislation enacted to protect the privacy of consumer video rental history. While this case focuses on a business engaged in online video streaming services, it also reveals trends in online consumer privacy concerns and the results of Hulu’s privacy practices, which are fairly common among most online consumer-facing websites today. Any business that uses tracking technology and social networking on their websites should pay attention.
The Origins of the Case
The initial complaint, filed by Joseph Garvey and Stacey Tsan in 2011, used a scattershot approach for a variety of infringement claims and breaches of contract, including violations of the VPPA and the California Unfair Competition Laws. But, the central focus of their case was Hulu’s use of now common forms of online tracking technologies including Adobe Local Stored Objects (LSOs) and HTML5. The plaintiffs alleged that Hulu tracked consumers’ viewing data using these technologies then transferred the data to third parties without their permission.
Back in 2010, Hulu’s privacy policy only covered the use of clear gifs and cookies. The policy didn’t discuss use of HTML5 or LSOs, nor did it discuss Hulu’s relationship to third-party social networking sites, like Facebook, or data analytics sites, like Kissmetrics and Google Analytics. Again, these are all common practices engaged in today by most online companies; however, at the time, Hulu’s privacy policy didn’t provide specifics about their practices.
By 2012, all but one claim was dropped in the plaintiffs’ amended complaint. The only remaining claim was that Hulu violated the VPPA, a law that arose because of the publication of Robert Bork’s video rental history and has now stretched to potentially include all online video services.
Hulu’s Fight Against the VPPA Claim
Hulu raised and continues to raise several challenges to the remaining VPPA claim through a series of pre-trial motions. First, Hulu challenged whether the plaintiffs had standing to sue since sharing their information did not result in a “loss.” The result? U.S. District Judge Laurel Beeler found that the plaintiffs had standing because alleging a privacy violation is sufficient harm.
Hulu then tried to dismiss the case by breaking apart each element of the VPPA.
The VPPA prohibits a “videotape service provider” from:
- Knowingly disclosing “to any person”
- “Personally identifiable information” (PII) concerning any “consumer” of such provider.
The disclosed information must identify a specific person and the video content they specifically watched in order to violate the VPPA.
Judge Beeler has deemed Hulu a “video tape service provider” under the act, and is now requesting more information about whether Hulu “knowingly” disclosed their customer information to a third party.
“Knowingly” and the Facebook “Like” button
Initially, Hulu argued they did not “knowingly” transmit information about their customers to comScore or Facebook, two third parties specifically referenced by the plaintiffs. The main issue is whether the information disclosed to comScore and Facebook used an anonymized ID or actual PII. In their relationship with comScore, Hulu only transferred information using a comScoreID, which Judge Beeler deemed sufficiently anonymous.
In contrast, Facebook collected information and processed content “shared by its users” to provide that information to marketers for targeting ads. When logged into Facebook, registered Hulu users who were also Facebook users would unknowingly share their viewing preferences and history when clicking on the Facebook “Like” button.
Hulu claimed they were unaware that cookies were used to load Facebook’s “Like” button on Hulu’s web pages. However, Judge Beeler found this argument unconvincing because of email conversations between Hulu and Facebook regarding the cookie placement on Hulu’s website.
Judge Beeler requested to hear more on the topic of Facebook later this month because Hulu did not provide sufficient proof about Facebook’s privacy policies during the period of April 21, 2010, to June 7, 2012. The plaintiffs used this period of time to create a more defined and focused group for their class certification as well as specific privacy policies used by Hulu on their website. Hulu’s later privacy policies seem to have corrected the issues that the plaintiffs are litigating.
Unfortunately for the plaintiffs, the court did not grant them class certification for either their comScore disclosure class or their Facebook class. The comScore class was denied because, as stated above, Judge Beeler dismissed the comScore argument. The Facebook class was denied certification because the court found that the class was not “ascertainable”—“the class definition must be sufficiently definite so that it is administratively feasible for the court to determine whether a particular person is a member of the proposed class.”
Lessons Learned
The VPPA statutory drafters probably never contemplated online video services and the potential privacy implications of these new technologies; however, the plaintiffs raised sufficient arguments to convince a federal judge that this act was applicable to their circumstance. The VPPA may now impact how online video service providers conduct business and transfer data to their business partners, and, potentially, providers may be liable for future VPPA actions if they do not anonymize consumer viewing data.
No company wants to spend years in litigation, especially with their own customers. The Hulu case provides lessons that all businesses—not just online video service providers—can apply to their own practices in order to mitigate risk. Here are a few:
First, drafters of company privacy policies need to determine all of the tracking mechanisms used on their domains. Although this may sound like an easy task, it requires careful research and collaborating with engineers to ensure that descriptions of the technologies are accurate and up-to-date. Moreover, companies that have several subdomains and subsidiaries that use the same privacy policy need to consider what tracking technologies these websites use as well.
Second, although many tracking technologies like LSOs have become a standard online practice, consumers still dislike trackers they cannot manage or delete. Opt-out mechanisms such as the Digital Advertising Alliance’s Advertising Option Icon provide users with more control, even if they don’t tend to exercise it.
Third, it's surprisingly easy for information to leak out to business partners. In Hulu’s case, information about a consumer’s video history was transmitted to Facebook unintentionally by the URL address. Simple issues like these can be corrected through ongoing privacy audits. Companies should also be aware of how anonymized data can be aggregated to potentially re-identify a user. For example, MIT researchers found that only four points of data were required to identify 95% of cell phone users in a small European country.
Finally, companies are now learning that they need to take on the roles of both service provider and teacher by educating their consumers about tracking technologies and third party relationships. Although more and more consumers are concerned about protecting their privacy online, they do not entirely know what that means and what, specifically, they are protecting. So, in an effort to be more transparent to consumers, companies should take an educational and explanatory approach to their privacy policies. Policies should be more easily accessible to consumers with more thorough explanations of a company’s practices and relationships with third parties.