Hulu Victorious in Facebook Data Sharing Lawsuit

Hulu Facebook Lawsuit

April 5, 2015

After four years of litigation, this past week a federal judge dismissed a lawsuit against Hulu alleging that the streaming video service illegally shared what users were watching on the site with Facebook.

In the complaint, filed in 2011, plaintiffs claimed that Hulu violated their privacy when their Facebook accounts would update every time they clicked a “Like” button next to a Hulu video.

In particular, plaintiffs contended that Hulu violated the 1988 Video Privacy Protection Act (VPPA), which makes it illegal for video service providers to disclose users’ viewing choices and provides for a $2,5000 penalty for every violation.

In determining whether to grant Hulu’s Motion for Summary Judgment, U.S. District Magistrate Judge Laurel Beeler considered whether the plaintiffs met the two conditions required for a finding of violation of the VPPA. The first was whether Hulu was knowingly transmitting the data.

Hulu did send to Facebook user data via a cookie called “c_user,” which contained the Facebook user ID and identified all users who had logged into Facebook in the preceding four weeks through a “Like” button on Hulu. Hulu also sent Facebook URLs of “watch pages,” which were the URL and other information for the video being watched on the Hulu page.

However, Judge Beeler wrote that Hulu’s sharing these two pieces of information with Facebook did not necessarily imply a conscious sharing of personal information.

This is because “knowingly” means “actual knowledge” and “[i]t is not enough, as the plaintiffs suggest, that a disclosure be merely ‘voluntary’ in the minimal sense of the defendant’s being ‘aware of what he or she is doing and…not act[ing] because of some mistake or accident.”

The second standard for applying the VPAA concerned whether Hulu knowingly disclosed “(1) a consumer’s identity, (2) the identity of “specific video materials, or (3) the fact that the person identified “‘requested or obtained’ that material.”

Judge Beeler explained that the point of the VPAA is to ban the disclosure not of user data but of information connecting a certain user to certain videos.

The VPAA was adopted after The Washington City Paper wrote about movies rented by then Supreme Court nominee Robert Bork based on a list provided to a video store.

Though the list of rented videos did not contain anything particularly revealing about Mr. Bork, Congress saw this as an invasion of privacy and passed the VPAA to regulate video rental history records (also known as the “Bork Law”).

 However, Beeler distinguished Bork’s case from the case at hand. In the Bork case, “the connection between a specific user and the material that he ‘requested or obtained’ is obvious. If I hand someone a slip of paper with John Doe’s name above a list of recently rented videotapes, the connection between the two will generally be apparent.”

Though Hulu sent Facebook user ID and information on video materials, these two pieces of information were transmitted separately. “By sending these two items, Hulu did not thereby connect them in a manner akin to connecting Judge Bork to his video-rental history.”

Therefore, Beller found that there was no proof in the record that Hulu’s sending of this information was “connecting” the user to the content and Hulu did not meet the third prong in the second standard for applying the VPAA.

Accordingly, she dismissed the suit with prejudice.

In response, Hulu’s Senior Vice President and General Counsel, Chadwick Ho, stated, “Hulu is deeply committed to protecting our viewers’ personal information, and we are gratified by the court’s ruling. This decision validates our willingness, as a matter of principle, to prove the integrity of our business practices, even if it means spending nearly four years in litigation.” On the other hand, the plaintiffs’ attorney announced that he would be appealing. “We think the order of the law court would undermine fundamental statutory privacy rights if allowed to stand.”

Lawsuits claiming privacy violations are particularly serious in cases like this where the violations can allow marketers to target users with unwanted advertising and allow users’ Facebook friends learn of their viewing preferences.

There has been an increasing number of instances of privacy-related litigation in recent years. In 2009, plaintiffs brought a claim against Facebook under VPPA after it launched Beacon, a program that sent data from external websites to Facebook and resulted in users’ information being posted onto Facebook without their consent.

The lead plaintiff in that case had purchased a surprise wedding ring for his wife from Overstock, and this fact was then broadcast to everyone in his Facebook network, including his wife.

More recently, in 2012, Netflix was sued for violating the VPPA when it retained users’ rental histories even after they had canceled their Netflix subscriptions. Netflix settled the suit for $9 million and changed its policy.

In the same year, Congress also reformed the Video Privacy Protection Act, allowing Netflix and other video companies to publish to Facebook as long as they obtained the user’s consent.

Because of this ruling, we can continue to enjoy watching our Facebook newsfeed filling up with movies and tv episode our friends watch.