Are “App Developers Now in Panic Mode?”

William Kellermann
May 10, 2016

In a significant break from a long-standing series of contrary decisions, the First Circuit Court of Appeal revived a plaintiff’s case alleging violation of the Video Privacy Protection Act, (VPPA) 18 U.S.C.§ 2710, against USA Today. Yershov v. Gannett Satellite Information Network, Inc., d/b/a USA Today, No. 15-1719 (1st Cir. Apr. 29, 2016).

At the heart of Alexander Yershov’s case is the allegation that USA Today, through an Android phone app, improperly disclosed personally identifiable information to a third-party, Adobe Systems. The disclosure allowed Adobe to identify and track Yershov and other users of the USA Today app across multiple devices, apps and services. In this instance, USA Today contracted with Adobe to provide third-party analytics services. The USA Today app provides access to in-app video.

The VPPA was originally enacted to provide protection for the viewing habits of consumers in the days of VHS videotapes. The Act specifically targeted practices by video rental outlets, such as the largely forgotten Blockbuster Video, to track and disclose customer video rental preferences. The VPPA came about in reaction to the disclosure of Supreme Court nominee Robert Bork’s video rental records in a newspaper, and protects personally identifiable rental records of “prerecorded video cassette tapes or similar audio visual material.” However the language of the act does not limit enforcement to “renters.” Moreover, modern disputes center on the definition of “similar audio visual material” such that the viewing history of online video qualifies for protection.

The matter came up on appeal after the District Court for the District of Massachusetts granted a motion to dismiss. The district court ruled that while the app collected and disclosed personally identifiable information (PII), as defined by the VPPA, Yershov was not a “renter, purchaser, or subscriber” of, or to, Gannett’s video content, and therefore was not a “consumer” protected by the Act. 18 U.S.C.§ 2710(a)(1), (b)(1). The court of appeal agreed with the district court analysis that the information collected in the app, the unique Android device ID and GPS location coordinates, constituted PII. While neither court illuminated whether or not the device ID or GPS coordinates each independently constitute elements of PII, the circuit court focused on the linkage between the two stating:

“While there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work, here the linkage, as plausibly alleged, is both firm and readily foreseeable to Gannett.”

However, the court of appeal disagreed that Yershov was not a consumer protected by the Act and remanded the case for further proceedings. Yershov limited his allegation to contend he was a “subscriber” under the Act. The court found Congress failed to define the term “subscriber” nor provide a clear indication they had a specific definition of the term in mind. Using dictionary definitions for “subscribe” and “subscription,” where a subscription is defined as an agreement to receive or be given access to electronic texts or services, the court found:

“…Gannett offered and Yershov accepted Gannett’s proprietary mobile device application as a tool for directly receiving access to Gannett’s electronic text and videos…”

The court further held the failure to pay for subscription services is not dispositive of whether or not one is a subscriber. To do so would render the category “subscriber” superfluous in light of the “purchaser” or “renter” categories included in the Act. Further, the PII provided to Gannett had sufficient value to act as consideration for the subscription services.

The Yershov decision signals a circuit split on the definition of PII under the Act. The Ninth Circuit previously held in In re Nickelodeon Consumer Privacy Litigation, 2015 WL 248334, MDL No. 2443 (SRC) (D.N.J. Jan. 20, 2015) that the disclosure of user attributes (such as demographic information, unique identifier and IP address), without more, does not amount to disclosure of someone’s personal identity.

The decision in Yershov also creates a split among the circuits as to the definition of “subscriber” under the VPPA. The Eleventh Circuit previously ruled an app downloader is not a subscriber in Ellis v. The Cartoon Network, Inc., 2015 WL 5904760 (11th Cir. Oct. 9, 2015) analogizing an app to a browser bookmark or “Favorites” link.

This case signals a shift in the views of the federal judiciary as to the application of the Act to cutting edge technology. In addition to the Ellis and Nickelodeon cases, previous courts have generally dismissed cases under the Act on a number of grounds. For example the court dismissed a complaint under the Act alleging failure to purge subscriber information (Sterk v. Redbox, 7th Circuit, March 6, 2012) A district court also dismissed a case alleging unlawful disclosure of viewing history and queue titles through enabled devices (Mollett v. Netflix, N.D. Cal.; Aug 17, 2012). Claims alleging violation of the VPPA traditionally subjected plaintiffs to an up-hill battle. A new paradigm may have significant consequences for in-app advertising as well as big data analytics.

Many companies large and small develop apps to build brand identity and market goods and services. Startups, like Cambridge, Massachusetts’ Media Mob, provide a ready platform linking clients with artists and designers to quickly and cheaply build apps. These apps often use video as a means to communicate about the company. Last, the apps may capture a trove of data about the user, often based on the use of developer templates or tools, and unbeknownst to the company that commissioned or developed the app. Hence the tweet from counsel for Plaintiff Jay Edelman, on receipt of the First Circuit opinion:

“Huge privacy decision just handed down. 1st Cir. holds that Android ID is PII. App Developers now in panic mode. Great job Ryan & @edelsonpc”