A federal appellate court will consider early next month whether the Video Privacy Protection Act (VPPA) makes an “Android ID” – a device identifier used in Google’s smartphones –personally identifiable information (PII). The Eleventh Circuit has scheduled oral argument in the case, Ellis v. Cartoon Network, Inc., for June 3, 2015.
The plaintiff in the putative class action, Mark Ellis, downloaded the Cartoon Network app, which he used to watch video clips on his Android device. With each use of the app, the user’s video history and Android ID are transmitted to a third-party data analytics provider, Bango, based in the United Kingdom. Bango could use the information to identify Ellis by combining its information with information collected from other sources. The question is whether the Android ID constitutes PII under the VPPA. An Atlanta federal district court previously ruled against Ellis, dismissing his case and finding that an “Android ID, without more, is not [PII].” Ellis v. Cartoon Network, Inc., Case No. 1:14-CV-484-TWT (N.D. Ga. Oct. 8, 2014).
In several recent similar cases, judges have ruled that the serial number for a Roku TV box (a video streaming device) was not PII under the VPPA (see Locklear v. Dow Jones & Co., Case No. 1:14-cv-007445-MHC (N.D. Ga. Jan. 23, 2015); Eichenberger v. ESPN, Inc., Case No. C14-463 TSZ (W.D. Wash. May 7, 2015)); that “anonymous user IDs, a child’s gender and age, and information about the computer used to access Viacom’s websites” likewise were not PII under the VPPA (see In re Nickelodeon Consumer Privacy Litig., No. Civ. A. 12-07829 (D.N.J. July 2, 2014)); and that a comScore anonymous identifier used by Hulu was not PII under the VPPA (see In re Hulu Privacy Litig., No. C 11-03764 LB (N.D. Cal. Apr. 28, 2014).
With this history, it would not be unexpected for the court to rule in favor of Cartoon Network in this case. An appellate ruling in favor of the defendant here would be a welcome narrowing of potential VPPA claims, which have proliferated as of late given the growth of over-the-Internet streaming video services. A related complexity for those offering kid-oriented apps, however, are provisions in the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule, which does define device IDs as PII when associated with individually identifiable information, but exempts such collection from parental consent requirements when used to support internal operations.
Regardless of how the court rules, the evolving nature of technology means that questions of whether and when device or other IDs should be considered “PII” will continue to pose thorny issues. Broad categorization of such identifiers as PII could result in significant restrictions on collection of the type of data designed to improve services and offer appropriate content, so the case bears close watching.