Watching Big Brother on your Phone Means Big Brother’s Watching You: Limits on Consumer Privacy

The Battle for Privacy

If you have a smartphone, you probably have downloaded an application, such as a game or a social or news platform. When you open the app for the first time, sometimes it will prompt you to register or give permission to the developer to track your activity and send this data back to the developer or third parties. However, most of the time the app will not do this, because usage as written in the terms and conditions of the app provides implied consent, so that every time you access and use the app, you give silent permission for the app to track your usage.

So what may a consumer rely upon for protection of her privacy? The Video Privacy Protection Act of 1988 (“VPPA”) (codified at 18 U.S.C. 2710).

VPA

The VPPA was enacted in response to a newspaper’s published report of Supreme Court nominee Judge Robert H. Bork.

The report contained Judge Bork and his family’s video rental records. The VPPA was passed to “preserve personal privacy with respect to the rental, purchase, or delivery of video tapes or similar audio visual materials.” See Senate Report. In effect, a few important provisions include:

  • A general ban on the disclosure of personally identifiable rental information unless the consumer consents specifically and in writing.
  • Disclosure of “genre preferences” along with names and addresses for marketing, but allowing customers to opt out.
  • The VPPA does not preempt state law. That is, states are free to enact broader protections for individuals’ records.

See Electronic Privacy Information Center.

Privacy Protection Exists for the Consumer-Subscriber

Our interactions with applications today are far more developed than they were back in 2002 when the VPPA was first enacted. Today, video rental records containing someone’s name and what movies she has seen are not the main sources of identifying a person. Apps often pull information such as our GPS coordinates of where we open and use them as well as information of what kind of phone is accessing the app’s server. As a result, many different types of information in addition to the user’s name can easily identify a person.

Does downloading and using a free app make the user a subscriber under the Video Privacy Protection Act?

In Yershov v. Gannett Satellite Info. Network, Inc., (Apr. 29, 2016), the First Circuit found that it does, splitting with the Eleventh Circuit in Ellis v. Cartoon Network, Inc., (Oct. 9, 2015) that found that it does not.

The Split

Textually, the meaning of subscriber is limited to the definition of consumer in the VPPA. However, the Eleventh Circuit found that the definition of “subscriber” includes “some type of commitment, relationship, or association (financial or otherwise) between a person and an entity.” See Ellis at 11. Other aspects to subscribing include actual “payment, registration, commitment, delivery [expressed association,] and/or access to restricted content.” Id.

Additionally, the absence of the above factors including not signing up or establishing an account, making any payments, becoming a registered user, signing up for any periodic services or transmissions, or making any commitment or establishing any relationship that would allow [the user] to have access to exclusive or restricted content thus did not make someone a subscriber. See Ellis at 13-14. In effect, the Eleventh Circuit created a presumption that an application download “is the equivalent of adding a particular web site to one’s Internet browser as a favorite.” Id.

In Yershov v. Gannett Satellite Info. Network, Inc., No. 15-1719 (1st Cir., Apr. 29, 2016), Yershov downloaded and accessed the USA Today app on his smartphone. In his complaint, Yershov claimed that each time he used the app, Gannett, d/b/a USA Today, would send information such as the title of the video watched, an Android unique identifier number, and GPS coordinates to a third party.

In dismissing the complaint and reversing the district court’s ruling, the court broadened the definitions of PII and consumer, finding that (1) GPS coordinates and the unique identifier number of a device fall under the PII umbrella and (2) an app user qualifies as a consumer.

The First Circuit disagreed with the Eleventh Circuit’s ruling in Cartoon Network on the issue of a “subscriber” and its analogy of downloading an app to bookmarking/adding a website to a favorites folder.

In the First Circuit’s view, an app developer would not bother creating an app if bookmarking a website would create the same result. Instead, the court found that an app is a more cost effective version of a “hotline” that a subscriber could call to continuously order videos. The First Circuit found Yershov to be a subscriber because

[t]o use the App, Yershov did indeed have to provide Gannett with personal information, such as his Android ID and his mobile device’s GPS location at the time he viewed a video, each linked to his viewing selections.  While he paid no money, access was not free of a commitment to provide consideration in the form of that information, which was of value to Gannett…[Furthermore, downloading an app is] materially different from what would have been the case had USA Today simply remained one of the millions of sites on the web that Yershov might have accessed through a web browser.

Looking Forward

The First Circuit’s broad view may create issues for developers whose main source of app content includes video streaming, as “its ruling may expand the scope of PII to include situations where device IDs and GPS codes may be used to reverse engineer an individual’s identity using information collected from other sources”[1].

Additionally, since GPS coordinates are analogous to an individual’s street address, whether that is a broad view can be argued further if one compares online streaming and GPS coordinates to addresses pulled from the rental of video tapes and other audio visual materials.

App developers may soon face additional data collection and disclosure issues, and whether the appropriate level of consent is obtained when collecting and sharing precise data location information with third parties. A prima facie VPPA claim could be attached where apps share consumer data with third parties without expressed consent.

For further reading, see the blog posts of firms DWT: (1) and (2) and DLA Piper and the Technology and Marketing Law Blog.

[1] See Christin McMeley and John D. Seiver, 1st Circuit and FTC Address Definitions of “PII,” While Michigan Amends Privacy Law to Remove Statutory Damages, available at http://www.dwt.com/First-Circuit-and-FTC-Address-Definitions-of-PII-While-Michigan-Amends-Privacy-Law-to-Remove-Statutory-Damages-05-11-2016/