Privacy & Information Security Law Blog

On August 10, 2012, a federal district court in California denied Hulu’s motion to dismiss the remaining claim in a putative class action suit alleging that the online streaming video provider transmitted users’ personal information to third parties in violation of the Video Privacy Protection Act (“VPPA”). The VPPA prohibits a “video tape service provider” from transmitting personally identifiable information of “consumers,” except in certain, limited circumstances. According to the complaint, Hulu allegedly allowed KISSmetrics, a data analytics company, to place tracking codes on the plaintiffs’ computers that re-spawned previously-deleted cookies, and shared Hulu users’ video viewing choices and “personally identifiable information” with third parties, including online ad networks, metrics companies and social media networks.

Hulu argued that (1) it is not subject to the VPPA because it is not a “video tape service provider,” (2) the relevant disclosures were incidental to the ordinary course of Hulu’s business, and (3) the plaintiffs are not “consumers” as defined under the Act. Hulu maintained that it is not a “video tape service provider,” defined in the VPPA as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” because the definition applies only to businesses that sell or rent physical objects and not to businesses that transmit digital content over the Internet. The court relied both on the plain language and legislative history of the VPPA to conclude that Congress intended the VPAA’s protections to“retain their force even as technologies evolve,” rejecting Hulu’s argument that the VPAA does not expressly cover digital distribution.

The court also considered whether Hulu’s alleged disclosures were incidental to the ordinary course of Hulu’s business (and thus permissible under the VPPA). The VPAA defines “ordinary course of business” to mean “debt collection activities, order fulfillment, request processing, and the transfer of ownership.” Hulu asserted that the relevant disclosures to third parties constituted its use of service providers for internal research, advertising and analytics purposes, which Hulu claimed it could do on its own and thus was permitted to outsource in the “ordinary course of business.” The plaintiffs contended that such uses of information are not in the ordinary course of Hulu’s business of delivering video content to consumers. Although the court deemed this a factual determination, it held that the plaintiffs alleged their claims “specifically enough to give fair notice.”

The court also examined whether the plaintiffs are “consumers,” defined in the VPAA as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Hulu attempted to limit the scope of this term to individuals who make monetary payments, or at least those that do more than just visit the website. The court disagreed and held that, although the terms “renter” and “buyer” imply payment of money, the term “subscriber” does not.

Read our post on recent cases involving the Video Privacy Protection Act.