Online video streaming company Hulu must face consumer claims of privacy violations by sharing movie viewing details with Facebook.
U.S. Magistrate Judge Laurel Beeler narrowed the class action but she refused Hulu’s request to completely dismiss the case Monday. She eliminated one of the data-gathering firms from the lawsuit but retained Facebook.
Consumers had accused Hulu improperly shared their viewing history with a variety of data gathering companies and Facebook.
The case represents the first time a court has subjected a video streaming company to the Video Privacy Protection Act, (VPPA). The law prohibits a “video tape service provider” from knowingly disclosing personally identifiable information about a consumer to third parties.
The impetus for Congress passing the law in 1988 came in response to a newspaper’s obtaining a list of video tapes that U.S. Supreme Court nominee and D.C. Circuit Judge Robert Bork rented from his local video store and then publishing an article about his preferences, Beeler states.
Hulu argued it did not violate VPPA because it only disclosed anonymous user IDs and never linked those user IDs to identifying data, such as a name or address and it did not disclose the information “knowingly.”
The consumers narrowed an earlier version of the class claims against Hulu, but limiting the third parties to comScore, a metrics company that analyzes Hulu’s viewing audience and provides reports that Hulu uses to get media content and sell advertising. And the class included social networking company Facebook.
Hulu also contends its customers, who also use Facebook, consented to Facebook terms that permitted disclosure.
Beeler’s order grants Hulu’s request to dismiss comScore but denies it to the Facebook disclosures. She described comScore as providing reports on the size of the audience from particular program on Hulu.com but not using individual user names or identities.
By contrast, Facebook collects information and processes content shared by its users, then provides that information to marketers when it sells them its product, the Facebook Ads, according to Beeler. Facebook shares member information with marketers so that marketers may target ad campaigns.
During a period from April 2010 to June 2012, when a Hulu watch page loaded with a Facebook “like” button, a user’s web browser transmitted the watch page addres, or URL, and Facebook code, known as “cookies” to Facebook-controlled servers, according to Beeler. It was during this period that the watch page from Hulu included the title of the video, so Facebook would know the title of the video being watched, she said.
“No case has addressed directly the issues raised by plaintiffs: the disclosure of their unique identifiers and the videos they are watching,” she wrote. She noted that a person may be identified in numerous ways other than by name, by picture, employee number, workstation location or by someone pointing to an individual and stating what “that person” rented.
The plaintiffs allege Hulu wrote the code that sent the information “cookies” stored on Hulu user’s computer that had information about the Hulu user’s actual identity on Facebook.
“The process was an electronic transmission of the Hulu user’s actual identity on Facebook and the video that the Facebook user was watching,” Beeler wrote. “Depending on Hulu’s knowledge, that could be a VPPA violation,” she said.
Emails show Hulu knew that cookies with identifying ifnromation were sent and that vendors could collect the data and us it to build a profile and that Hulu recognized the VPPA implications, she said.
“These points suggest purposefulness about allowing the use of vendor cookies to track Hulu users,” she said. “The court denies Hulu’s summary judgment motion regarding the disclosures to Facebook.”
Case: In re: Hulu Privacy Litigation, No. C11-3764LB