On April 29, 2016, the U.S. Court of Appeals for the First Circuit handed down its widely anticipated opinion in Yershov v. Gannett Satellite Information Network, Inc., in which it expanded the reach of the Video Privacy Protection Act (“VPPA” or “Act”) in the digital media context. The court held that (1) “personally identifiable information” (“PII”) includes the GPS coordinates of a device; and (2) a user of a mobile application – even one who does not pay or otherwise register to use the app – qualifies as a “consumer” under of the Act.
The decision may not be far out of step with a slew of prior federal district court decisions holding that a consumer’s personal data, when disclosed, must identify a particular individual, without more, to qualify as PII. It does, however, significantly expand most other courts’ limited interpretation of “consumers” under the Act, which have generally held there must be some ongoing commitment by the consumer beyond merely downloading an app or using a service.
The First Circuit acknowledged that its conclusions (as an appellate court) on Yershov’s status as a “subscriber” and Gannett’s violations of the VPPA could both be changed by the district court after remand and discovery. Nonetheless, the Yershov decision will no doubt give plaintiffs incentive to file new cases now.
Adding fuel to plaintiffs’ fire, the Yershov decision may be bolstered by a recent blog entry posted by Federal Trade Commission Director Jessica Rich, in which she stated that the FTC “regard[s] data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device.” The contours of how easy or difficult it should be to “link” an identifier in order to qualify as PII will likely be a hotly contested issue in pending and future VPPA cases.
As information proliferates and the definitions of PII and “personal information” evolve, legacy statutes designed in an era where it was difficult to correlate data points to identify actual people become problematic. To address this problem, Michigan recently amended its state version of the VPPA to both (1) eliminate the $5,000 per person statutory damage provision and require actual damages as a result of an alleged violation; and (2) permit the disclosure of PII in the ordinary course of business, including when marketing goods and services to customers or potential customers, when written notice is provided.
As this body of case law develops, it is important for companies who disclose consumer viewing data coupled with other identifiers to consider approaches that reduce the plausible “linkage” between such identifiers and a person’s actual identity.
Please read our full advisory discussing these developments here.