SAYLOR, District Judge.
This is a putative class action arising out of the Video Privacy Protection Act ("VPPA"), 18 U.S.C. § 2710. The VPPA, among other things, prohibits the disclosure of "personally identifiable information" of certain consumers of video services. Plaintiff Alexander Yershov has filed suit against defendant Gannett Satellite Information Network, Inc.
Gannett publishes a print and on-line newspaper called USA Today. Gannett has also created a mobile app, called the "USA Today App," that is designed to run on smartphones and other mobile devices, and that permits readers to view the on-line version of the newspaper. Viewers using the App can access video clips on various news, sports, and entertainment topics. Plaintiff alleges that defendant discloses "personally identifiable information" every time a person uses the USA Today App to watch video clips. Specifically, plaintiff alleges that every time a user of the App watches a video, the unique identification number of the user's smartphone is provided to a third-party data-analytics company. Plaintiff contends that by doing so, Gannett violates the VPPA.
On September 19, 2014, defendant filed a motion to dismiss pursuant to Fed. R.Civ.P. 12(b)(1) for lack of subject-matter jurisdiction and Fed.R.Civ.P. 12(b)(6) for failure to state a claim. For the following reasons, defendant's motion will be granted.
Gannett Satellite Information Network, Inc., is based in McLean, Virginia. (Compl. ¶ 6). Gannett is a media company that produces news and entertainment programming. (Id. ¶ 1). It distributes that content to consumers through a variety of media, including its flagship newspaper, USA Today. (Id.). In addition to the print edition of USA Today, Gannett offers content through websites and mobile software applications. (Id.). One of Gannett's mobile applications is the USA Today App. (Id. ¶ 2).
The USA Today App is a mobile software application that allows individuals to access news and entertainment media content. (Id. ¶ 9). It is available for installation on Android mobile devices, among others. (Id.). Android is a mobile device operating system developed by Google. (Id. ¶ 1 n. 1). Smartphones made by a variety of companies, including HTC and Samsung, use the Android operating system. (Id.). Users can install the USA Today App on an Android device by visiting the Google Play Store, the on-line media platform operated by Google. (Id. ¶ 10). Once installed, the App allows users to view articles and video clips organized into sections, such as news and sports. (Id. ¶ 12). Prior to using it for the first time, the App requests permission from users to "push" notifications on their device. (Id. ¶ 10).
There is no charge to install the App or to view video clips after installation. (See Compl. ¶¶ 9-11 (citing USA Today, GOOGLE
The complaint alleges that each time users view video clips on the App, it sends a record of the transaction to Adobe Systems, Inc., an unrelated company that, among other things, performs third-party data-analytics. (Id. ¶ 13).
According to the complaint, Adobe "collects an enormous amount of detailed information about a given consumer's online behavior (as well as unique identifiers associated with a user's devices) from a variety of sources." (Id. ¶ 20). "Once Adobe links a device's Android ID with its owner, it can then connect new information retrieved from Android apps — including the USA Today App — with existing data in the person's profile (which was previously collected by Adobe from other sources)." (Id. ¶ 22). Therefore, when Adobe receives an individual's Android ID and the record of the video transaction from USA Today App, it is able to connect that information with information collected from other sources "to personally identify users and associate their video viewing selections with a personalized profile in its databases." (Id. ¶ 29).
According to the complaint, Alexander Yershov downloaded and began using the USA Today App on his Android device in late 2013. (Id. ¶ 39). He never consented to allowing USA Today to disclose his "personally identifiable information" to third parties. (Id. ¶ 40).
The complaint alleges that "the combination of his device's unique Android ID and the records of videos that [Yershov] viewed ... constitutes `personally identifiable information' ... because it allows Adobe to identify users such as Yershov, and to attribute their video-viewing records to their Adobe-created profiles." (Id. ¶ 57).
Plaintiff filed the complaint in this action on July 24, 2014, alleging a violation of the Video Privacy Protection Act, 18 U.S.C. § 2710. (Compl.). The complaint is a putative class action; the class is defined as "[a]ll persons in the United States who used the USA Today App to watch videos and had their PII transmitted to Adobe." (Id. ¶ 43). The complaint alleges that all such class members "have had their statutorily
Defendant has moved to dismiss for failure to state a claim upon which relief can be granted.
On a motion to dismiss, the Court "must assume the truth of all well-plead[ed] facts and give ... plaintiff the benefit of all reasonable inferences therefrom." Ruiz v. Bally Total Fitness Holding Corp., 496 F.3d 1, 5 (1st Cir.2007) (citing Rogan v. Menino, 175 F.3d 75, 77 (1st Cir.1999)). To survive a motion to dismiss, the complaint must state a claim that is plausible on its face. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). That is, "[f]actual allegations must be enough to raise a right to relief above the speculative level, ... on the assumption that all the allegations in the complaint are true (even if doubtful in fact)." Id. at 555, 127 S.Ct. 1955 (citations omitted). "The plausibility standard is not akin to a `probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Twombly, 550 U.S. at 556, 127 S.Ct. 1955). Dismissal is appropriate if the facts as alleged do not "possess enough heft to show that plaintiff is entitled to relief." Ruiz Rivera v. Pfizer Pharm., LLC, 521 F.3d 76, 84 (1st Cir.2008) (alterations omitted) (internal quotation marks omitted).
The Video Privacy Protection Act ("VPPA"), 18 U.S.C. § 2710, was enacted in 1988. Congress passed the VPPA after a "newspaper in Washington published a profile of [Supreme Court nominee and D.C. Circuit] Judge Robert H. Bork based on the titles of 146 films his family had rented from a video store." S. Rep. 100-599, 2d Sess. at 5 (1988), reprinted in 1988 U.S.C.C.A.N. 4342.
Among other things, the VPPA prohibits "video tape service providers" from "knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider" without the consumer's informed, written consent. 18 U.S.C. § 2710(b). The statute has three relevant definitions:
For present purposes, at least, defendant does not contest that it fits within the statutory definition of a "video tape service provider."
As noted, the VPPA prohibits "video tape service providers" from disclosing "personally identifiable information" ("PII") concerning a "consumer" to third parties. 18 U.S.C. § 2710(b). The complaint alleges that each time users view video clips on the USA Today App, defendant sends a record of the transaction along with the user's GPS coordinates and the Android ID for the user's device.
Any statutory analysis begins with the text of the statute. To some extent, of course, this exercise involves an attempt to place a square peg (modern electronic technology) into a round hole (a statute written in 1988 aimed principally at videotape rental services). Nonetheless, the statute says what it says, and the place to begin is with the words themselves. Again, the VPPA provides that "personally identifiable information" includes "information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider." 18 U.S.C. § 2710(a)(3). Those words must be interpreted in "context and with a view to [their] place in the overall statutory scheme." Davis v. Michigan Dept. of Treasury, 489 U.S. 803, 809, 109 S.Ct. 1500, 103 L.Ed.2d 891 (1989). Here, the statute provides at least two clues as to the meaning of the term.
First, the statute permits disclosure of PII under five specific circumstances. 18 U.S.C. § 2710(b)(2). One of those circumstances is that disclosure may be made "to any person" if "the disclosure is solely of the names and addresses of consumers," but only if the consumer has had an opportunity to prohibit that disclosure, and if the disclosure does not identify the "title, description, or subject matter of the video."
Second, the list of statutory definitions uses the word "means" in three out of four instances (in other words, the definitions are formatted to provide that the term "x" means "y"). See 18 U.S.C. § 2710(a)(1), (2), (4). As to PII, however, the statute provides that "the term `personally identifiable information' includes information which identifies a person...." Id. § 2710(a)(3) (emphasis in original). This suggests that the statutory term may have a broader definition than what is provided in the text, which may be a mere example of a possible form of PII.
Without question, a person's name, social security number, and date of birth are PII. See In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir.2003) (finding that the definition of "contents" in Electronic Communication Privacy Act encompasses "personally identifiable information such as a party's name, date of birth, and medical condition").
It requires no great leap of logic to conclude that the unique identifier of a person's smartphone or similar device — its "address," so to speak — is also PII. A person's smartphone "address" is an identifying piece of information, just like a residential address. Indeed, it is in many ways a more significant identifier. Smartphones typically contain "vast quantities of personal information." Riley v. California, ___ U.S. ___, 134 S.Ct. 2473, 2485, 189 L.Ed.2d 430 (2014). "[A] cell phone collects in one place many distinct types of
Defendant makes two principal objections to that conclusion. First, it contends that the Android ID cannot be PII because it identifies an object, rather than a human being. But that contention cannot be correct. A home address describes an object, not a person, but there can be little doubt that it is PII. Indeed, and as noted, the VPPA expressly refers to the "addresses of consumers," in a context clearly indicating that an address is PII. And that is true even though multiple persons may share a residence.
Next, defendant contends that the Android ID cannot be PII because that information cannot be linked to a specific person without access to certain additional information — specifically, the information that a particular phone is used by a particular person. But that is true of every identifier other than a person's name. For example, a social security number is a string of nine numbers that only takes on meaning if it can be identified as the number of a specific person. Likewise, a date in a calendar is meaningless as an identifier, unless it is identified as a specific person's date of birth. Even a person's name may be of limited use as an identifier without further information; there may be hundreds, or thousands, of persons with the same or a similar name.
At oral argument, defendant conceded that a home address qualifies as PII even though it requires an extra step to link it to a specific person. Defendant contended, however, that home addresses qualify as PII because there are public record databases that can link home addresses to individuals, but there is no such publicly accessible database that links an Android ID to a person. Defendant therefore contended that in isolation the Android ID is a meaningless number. But the same could also be said for social security numbers. There is no publicly accessible database that links those numbers to individuals, but a social security number is nonetheless unquestionably the type of information that fits within the definition of PII.
It is also noteworthy that Gannett transmits the GPS coordinates of the user along with the Android ID. Presumably, that information would be sufficient to identify a very specific location (such as a building) from which the user viewed the video. It therefore appears possible to identify, with a relatively high degree of accuracy, the residential address of users at the same time as their Android ID. Indeed, in areas of relatively low-density housing, the GPS
Finally, defendant notes that the substantial weight of authority points in the opposite direction. Of particular relevance is the Northern District of Georgia's ruling in Ellis v. Cartoon Network, Inc., 2014 WL 5023535 (N.D.Ga. Oct. 8, 2014), because its facts are very similar to the facts of the present case.
In Ellis, the court examined whether the Cartoon Network App's transmission of a user's video history along with the user's Android ID to a third party constituted a violation of the VPPA. Id. at *2. For purposes of the motion to dismiss, the court accepted that the third party was able to reverse engineer the consumer's identities from the Android ID, using information previously collected from other sources. Id. at *1. In its analysis, the court found that PII "is that which, in its own right, without more, `link[s] an actual person to actual video materials.'" Id. at *3 (quoting In re Nickelodeon, 2014 WL 3012873, *10 (D.N.J. July 2, 2014)). The court determined that the Android ID does not identify a specific person without the third party taking extra steps. Id. As a result, it concluded that "the disclosure of an Android ID alone ... does not qualify as personally identifiable information under the VPPA." Id. It relied on district court decisions in In re Hulu Privacy Litigation, 2014 WL 1724344 (N.D.Cal. Apr. 28, 2014), and In re Nickelodeon Consumer Privacy Litigation, 2014 WL 3012873 (D.N.J. July 2, 2014), to come to its conclusion.
The Nickelodeon case involved a class of children under the age of thirteen who sued Viacom for violating the VPPA. The case involved plaintiffs who visited "certain Viacom-owned websites and willingly provide[d] Viacom with their gender and age when they register[ed] as users of the sites." Id. at *2. When the plaintiffs went to these websites, Viacom also placed a "cookie" on their "computer without their consent or that of their parents." Id. The "cookie" allowed Viacom to acquire certain information about each plaintiff, including their "`IP address'; `browser settings'; `unique device identifier'; `operating system'; `screen resolution'; `browser version';
In Hulu, on a motion for summary judgment, the Northern District of California examined whether three types of disclosures by Hulu were PII. 2014 WL 1724344, at *9. The first disclosure, to comScore, was a "watch page" URL web address that contained the video name and the Hulu user's unique seven-digit Hulu User ID. Id. Using the user ID, comScore could access a user's profile page, which listed the user's first and last name. Id. The second disclosure, to comScore, was a "comScore ID" that was unique to each registered user, which "allowed comScore to link the identified user and the user's video choices with information that comScore gathered from other websites that the same user visited." Id. The third disclosure,
The Hulu decision does not necessarily support a finding that an Android ID is not PII. The case was decided on a motion for summary judgment, and specifically noted that "a unique anonymized ID alone is not PII but context could render it not anonymous and the equivalent of the identification of a specific person." It is unclear whether the court meant that context could render it PII if other information provided in the disclosure with the anonymized ID identified a specific person, or whether context could render it PII if the third party receiving the information had independent information that helped link the ID with a specific person. No matter what it holds, it is clear that the inquiry is context-dependent. Based on the logic of the Hulu decision, it would appear that the factual record would need to be developed before concluding that an Android ID is not PII.
In any event, Nickelodeon's conclusion that "PII is information which must, without more, itself link an actual person to actual video materials" is flawed. That conclusion would seemingly preclude a finding that a home address or social security number is PII. Surely, that cannot be correct. Therefore, because it relies on Nickelodeon and Hulu, the holding in Ellis that an Android ID is not PII is unpersuasive.
Likewise, it is unrealistic to refer to PII as "information which must, without more, itself link an actual person to actual video materials." Again, that would appear to preclude a finding that home addresses, social security numbers, and dates of birth are PII. Moreover, drawing a link between the Android ID and a person's name may not be difficult. If, as alleged, Adobe collects information from the USA Today App linking an Android ID and GPS information with a specific video, and collects information from another source (such as GPS information linked to residential addresses, and residential addresses linked to names) — it would be relatively easy for Adobe to link that information to identify a person. It is also possible, of course, that third parties such as Adobe have access to databases that link Android IDs to specific persons.
In short, the information alleged disclosed to Adobe by Gannett, which consists of an Android ID and a GPS location, constitutes "personally identifiable information" within the meaning of the Video Privacy Protection Act.
The VPPA defines a "consumer" as any "renter, purchaser, or subscriber of goods or services from a video tape service provider." 18 U.S.C. § 2710.(a)(1). Plaintiff contends that he is a "subscriber" for purposes of the VPPA because he "downloaded, installed, and watched videos" using the App.
The term "subscriber" is not defined in the statute. Traditionally — and certainly as of 1988, when the statute was enacted — a "subscriber" would have been defined
In the modern electronic world, subscriptions entail a broader spectrum of activity. Certain periodicals allow access (or complete access) to online content only with a subscription. See, e.g., WASHINGTON POST https://subscribe.washingtonpost.com/acquisition/acquisitionapp.html#/offers/promo/digita101 (last visited Apr. 14, 2015); N.Y. TIMES, http://www.nytimes.com/subscriptions/Multiproduct/lp88U46.html?campaignId=4FWFJ&_KEYWORDS_=${keywordText}&_CAMP_=4FWFJ (last visited Apr. 14, 2015). In addition, individuals may subscribe to YouTube channels and podcasts. Subscribe to the Channels You Love, YOUTUBE, https://support.google.com/youtube/answer/4489286?hl=en (last visited Apr. 15, 2015); Discovering Podcasts, APPLE, https://www.apple.com/itunes/podcasts/discover/ (last visited Apr. 15, 2015).
A common thread can be distilled from these definitions and examples. Subscriptions involve some or all of the following: payment, registration, commitment, delivery, and/or access to restricted content. To download and use the USA Today App, an individual does not have to pay any
That conclusion is bolstered by the fact that subscriptions do exist for other forms of apps. See, e.g., Subscriptions on Google Play, GOOGLE, https://support.google.com/googleplay/answer/2476088?hl=en (last visited Apr. 15, 2015); Monetize Apps: Paid Apps vs. In-App Purchases vs. Freemium vs. Subscription, BUILDBLOG BY THINKAPPS, http://thinkapps.com/blog/post-launch/monetize-apps-paid-apps-vs-app-purchases-vs-freemium-vs-subscription/ (last visited Apr. 15, 2015). According to Google, a "subscription is when you pay a recurring fee rather than a one-time price for content on Google Play. You'll automatically be charged at the beginning of each subscription term." Subscriptions on Google Play, supra. In its Buildblog, ThinkApps (which is an on-demand service for designing and building applications for web, mobile and wearables) explains that there are many different models for apps. Monetize Apps, supra. Among those models are paid apps, free apps, and subscription apps. Id. According to this blogpost, "[s]ubscription apps offer users access to a particular service or content for a weekly, monthly, or annual fee." Id. Thus, because there is a recognized concept of a subscription within the app context — and because users of the USA Today App do not fit within that concept — individuals who use the USA Today App are not "subscribers" within the VPPA's definition of "consumer."
Again, however, the weight of authority seems to point in the opposite direction. In Ellis v. Cartoon Network, the court relied on a 2012 decision in the Hulu case to conclude that an app user qualifies as a "subscriber." 2014 WL 5023535, at *2.
Again, this Court concludes that Hulu, and the cases that follow its reasoning, are
For the foregoing reasons, the motion to dismiss is GRANTED.
34 C.F.R. § 99.3.
In Pruitt, the Tenth Circuit examined whether Comcast information stored within Comcast's converter boxes is PII. 100 Fed. Appx. at 716. The court explained that "[i]ndividual subscriber information is not contained within the converter box, but an identifying number known as a `unit address' allows Comcast to match the subscriber's purchases to its billing system." Id. at 715. The court determined that "the converter box code — without more — provides nothing but a series of numbers." Id. at 716. Because "without the billing information, even Comcast would be unable to identify which individual household was associated with the raw data in the converter box," the court concluded that information contained in the boxes is not PII. Id. at 716-17. The Hulu court found that "Pruitt stands for the proposition that an anonymous, unique ID without more does not constitute PII. But it also suggests that if an anonymous, unique ID were disclosed to a person who could understand it, that might constitute PII." Hulu, 2014 WL 1724344, at *11. Here, the complaint alleges that Adobe is able to use the Android ID to identify specific individuals.
In Klimas, 2003 WL 23472182, the plaintiff brought a class action alleging that Comcast "secretly intercept[ed], cop[ied], stor[ed], and otherwise collect[ed] all the information sent to and from its subscribers over the Internet" in violation of the Cable Act. Comcast admitted storing IP and URL information. The issue the court considered was whether dynamic IP addresses constitute PII. Id. at *4. The court found that "a dynamic IP address cannot constitute PII [because] [u]nlike a subscriber's name, address, social security number, etc., a dynamic IP address is constantly changing." Id. at *5. It is undisputed that the Android ID is static.
