Opinion
Case No. 11–cv–03764–LB
2015-01-01
The number 426520 in this URL is the video ID. (JSUF # 24.) where “[User ID]” is the Hulu User ID. Id. After August 1, 2011, the Hulu User ID was encrypted. (JSUF # 13.) An example is:
ORDER GRANTING SUMMARY JUDGMENT
[Re: ECF No. 230]
, United States Magistrate Judge
INTRODUCTION
The plaintiffs are viewers of online video content through Hulu, LLC's Internet-based service. They allege that Hulu wrongfully disclosed their video viewing selections and personal-identification information to a third party: specifically, the social-networking website, Facebook. The plaintiffs claim that Hulu thereby violated the Video Privacy Protection Act of 1988 (“VPPA”), 18 U.S.C. § 2710. ( See generally 2d Am. Compl.—ECF No. 83.) The VPPA prohibits a “video tape service provider” from “knowingly” disclosing a user's “personally identifiable information” to third parties (with certain exceptions that do not apply here). See18 U.S.C. § 2710. “The term ‘personally identifiable information’ includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3).
Record citations are to material in the Electronic Case File (“ECF”); pinpoint citations are to the ECF-generated page numbers at the tops of the documents.
Hulu has moved for summary judgment. (ECF No. 230.) It argues, in sum, that it did not “knowingly” send Facebook information that could identify Hulu users, and it did not know that Facebook might read the information that Hulu sent so as to yield “personally identifiable information” under the VPPA.
For the reasons elaborated below, the court grants Hulu's motion for summary judgment. In particular, the court finds dispositive the absence of any issue of material fact that Hulu actually knew that Facebook might combine information that identified Hulu users with separate information specifying which video that user was watching, so as to “identif[y] a person as having requested or obtained specific video materials.” The court therefore dismisses the Second Amended Complaint (ECF No. 83) with prejudice.
STATEMENT
The basic facts about the parties, and how Hulu's and Facebook's services and software work and interact, are undisputed. The parties' disagreement concerns what Hulu knew, or did not know, about information that passed between Hulu and Facebook.
I. THE PARTIES
Hulu provides on-demand, online access to television shows, movies, and other pre-recorded video content from networks and studios through its website, www.hulu.com. ( See generally 2d Am. Compl. ECF No. 83, ¶¶ 1, 17.) It offers a free service at hulu.com that allows users to watch video content on their computers. ( See ECF No. 178—Joint Statement of Undisputed Facts (“JSUF”) # 1.) It also offers a paid service called “Hulu Plus” that has more content and allows viewers to watch Hulu content on other devices such as tablets and smart phones. (Yang Decl.—ECF No. 125–6, ¶¶ 2, 6.) Plaintiffs Joseph Garvey, Sandra Peralta, Paul Torre, Joshua Wymyczak, and Evan Zampella each are all registered Hulu users. ( See 2d Am. Compl. ¶¶ 1–6.)
This JSUF was submitted to support Hulu's previous summary-judgment motion (ECF No. 130). The court uses it here to discuss descriptive background facts that apply equally to the present motion.
II. HOW HULU WORKS
Hulu pays license fees to studios, networks, and other rights holders to obtain the video content that it offers to its users. ( See Yang Decl.—(Yang Decl.—ECF No. 125–6, ¶ 10.) Hulu allows users to register for a free Hulu account. ( See JSUF # 1.) A Hulu user does not need to register for a Hulu account to watch videos on hulu.com using a personal computer. ( See id. ¶ 4.) To register for a Hulu account, the user enters a first and last name, birth date, gender, and an email address. (JSUF # 1.) Users are not required to provide their legal first and last name during registration. (JSUF # 2.) In fact, Plaintiff Joseph Garvey registered for his Hulu account in a name other than his legal name. ( See JSUF # 3.) Hulu does not verify the accuracy of the identifying information but stores it in a secure location. (Yang Decl.—ECF No. 125–6, ¶ 6.) To register for Hulu Plus, the user must provide the same information as a registered Hulu user, along with payment information and a billing address. ( Id., ¶ 7.) Hulu assigned each new registered Hulu user a “User ID,” which is a unique numerical identifier ( e.g., 50253776). (JSUF # 6; see Tom Dep.—ECF No. 157–11 at 37:9–38:12.)
Videos on hulu.com are displayed on a video player that appears on a webpage. Hulu calls these webpages “watch pages.” ( See Yang Decl.—ECF No. 125–6, ¶ 3; JSUF # 24.) Hulu wrote and deployed the code for its watch pages. (Tom Dep. ECF No. 157–11 at 108:23–109:8, 175:9–16; Wu Dep.—ECF No. 157–6 at 80–84.) The code downloaded to registered Hulu users' browsers when they visited a watch page so that the browser could display the requested web page or video content. (Tom Dep. ECF No. 157–11 at 112:19–113:5.) As described in more detail below, the code also allowed information to be transmitted to Facebook. Until June 7, 2012, the URL (uniform resource locator, meaning, the web address) of Hulu's watch pages included the name of the video on that page. For example, a watch-page URL might look like this:
http://www.hulu.com/watch/426520/saturday-night-live-the-californians-thanksgiving
The number 426520 in this URL is the video ID. (JSUF # 24.)
In March 2009, Hulu began providing each registered user with a profile web page. (JSUF # 9.) The first and last name the user provided during registration appears on the page and in the page title. (JSUF # 10.) Hulu did not allow registered users to decline to share their first and last names on their public profile pages. Until August 1, 2011, a user's profile-page URL included the user's unencrypted Hulu User ID. (JSUF # 12.) An example is:
http://www.hulu.com/profiles/u/[User ID]
where “[User ID]” is the Hulu User ID. Id. After August 1, 2011, the Hulu User ID was encrypted. (JSUF # 13.) An example is:
http://www.hulu.com/profiles/u/wxu2RqZLhrBtVjYKEC_R4
( Id.) Hulu did not provide a separate search function (for example, through a search box) to allow a user to use a Hulu User ID to find the profile page of another user. (JSUF # 11.) On May 30, 2013, Hulu discontinued the user profile pages. (JSUF # 14.)
Hulu makes money from advertising revenue and from monthly premiums paid by Hulu Plus members. (Yang Decl.—ECF No. 125–6, ¶ 11.) Its main source of income is advertising revenue. ( Id.) Advertisers pay Hulu to run commercials at periodic breaks during video playback. ( Id. ¶ 12.) Advertisers pay Hulu based on how many times an ad is viewed. ( Id. ¶ 13.) Hulu must thus gather information about its “audience size.” ( Id.)
III. HOW HULU INTERACTS WITH FACEBOOK
Facebook collects information and processes content “shared by its users,” and it provides that information to marketers ( See generally ECF No. 157–12 at 4, 6–9.) Facebook shares its members' information with marketers so that they can target their ad campaigns. ( See id.) Marketers can “specify the types of users they want to reach based on information that users choose to share.” ( Id.) Advertisement revenue is how Facebook makes money. ( See id.)
In April 2010, Facebook launched its “Like” button; that August, Hulu added a Facebook Like button to each hulu.com watch page. (JSUF # 18–19.) Certain information was transmitted from hulu.com to Facebook via the “Like” button. (JSUF # 18.) Hulu wrote code for its watch pages that specified where the “Like” button should be located on the page and where (from facebook.com ) to obtain the code that loads and operates the button. (JSUF # 20.) When the user's browser executed this code, the browser sent the request to Facebook to load the Like button on the watch page. (JSUF # 21.) Hulu sent Facebook the watch page's address, so that Facebook knew where to send code for the Like button so that it could be downloaded, displayed on the watch page, and used. ( See Wu Decl.—ECF No. 230–5, ¶¶ 16–20, 25.) From April 2010 to June 7, 2012, the address for each watch page included the title of the video displayed on that watch page. ( See JSUF # 18.) An example is the address containing the Saturday Night Live episode that was mentioned in the preceding section.
If the Hulu user had logged into Facebook using certain settings within the previous four weeks, the Like button would cause a “c_user” cookie to be sent to Facebook; c_user contains (among other things) the logged-in user's Facebook user ID expressed in a numeric format. (JSUF # 22; Calandrino Decl. ECF No. 280–7, ¶ 71.) An example is “c_ user=55431124”; Facebook can identify this number as a particular Facebook user. (Richard Decl.—ECF No. 287–3, ¶ 40.) Hulu did not send Facebook the Hulu User ID or the Hulu user's name when the user's browser executed the code to load the Like button. (JSUF # 23.)
A “cookie” is a file on a user's computer. (Wu Decl. ECF No. 230–5, ¶ 13.) Cookies contain information that identifies the domain name of the webserver that wrote the cookie ( e.g., hulu.com or facebook.com). ( Id. ¶ 18.) Cookies have information about the user's interaction with a website. ( Id.) Examples include how the website should be displayed, how many times a user has visited the website, what pages he visited, and authentication information. ( Id. ¶ 13.) Each web browser on a computer ( e.g., Internet Explorer or Chrome) stores the cookies that are created during a user's use of the browser in a folder on the user's computer that is unique to that browser. ( Id. ¶ 14.) When a user types a website address into her browser, the browser sends: (a) a request to load the page to the webserver for that website address; and (b) any cookies on the user's computer that are associated with the website (such as the cookies for hulu.com or facebook.com ). ( Id. ¶ 15.) The remote website server returns the requested page and can update the cookies or write new ones. ( Id.) The only servers that can access a particular cookie are those associated with the domain that wrote the cookie. ( Id. ¶¶ 18, 21.) In other words, Hulu can read only hulu.com cookies, while Facebook can read only facebook.com cookies; the companies cannot read or write to cookies associated with the other service. ( Id.)
There is no evidence that Facebook took any action with the c_user cookie. ( See, e.g., JSUF # 25.) That said, from April 2010 until June 7, 2012, when the Like button loaded, it would prompt the user's browser to send Facebook both the user's numeric Facebook ID (from the c_user cookie) and the title of the video that the user was watching (contained in the Hulu watch-page address). ( Id., # # 20–22, 24.) The plaintiffs' expert opines that this transmission enabled Facebook to link information identifying the user and the user's video choices to other information about the particular user. ( See Calandrino Decl. ECF No. 280–7, ¶¶ 57–81.) Again, when a Hulu watch page loaded with the Facebook Like button, the page prompted a user's web browser to transmit the watch-page address and Facebook c_user cookie to Facebook-controlled servers. ( Id. ¶ 58.) This happened with the initial Hulu-prompted request from the user's browser to Facebook before the browser received any information from Facebook. ( Id. ¶ 59.) The two items most salient for this lawsuit, then—the c_user cookie and the watch-page URL—were sent to Facebook before the Hulu user did anything other than load the Hulu watch page.
GOVERNING LAW
I. SUMMARY JUDGMENT
The court must grant a motion for summary judgment if the movant shows that there is no genuine dispute as to any material fact and the moving party is entitled to judgment as a matter of law. Fed. R. Civ. P. 56(a); Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 247–48, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). Material facts are those that may affect the outcome of the case. Anderson, 477 U.S. at 248, 106 S.Ct. 2505. A dispute about a material fact is genuine if there is sufficient evidence for a reasonable jury to return a verdict for the non-moving party. Id. at 248–49, 106 S.Ct. 2505.
The party moving for summary judgment has the initial burden of informing the court of the basis for the motion and identifying those portions of the pleadings, depositions, answers to interrogatories, admissions, or affidavits that demonstrate the absence of a triable issue of material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). To meet its burden, “the moving party must either produce evidence negating an essential element of the nonmoving party's claim or defense or show that the nonmoving party does not have enough evidence of an essential element to carry its ultimate burden of persuasion at trial.” Nissan Fire & Marine Ins. Co. v. Fritz Cos., 210 F.3d 1099, 1102 (9th Cir.2000); see Devereaux v. Abbey, 263 F.3d 1070, 1076 (9th Cir.2001) (“When the nonmoving party has the burden of proof at trial, the moving party need only point out ‘that there is an absence of evidence to support the nonmoving party's case.’ ”) (quoting Celotex, 477 U.S. at 325, 106 S.Ct. 2548).
If the moving party meets its initial burden, the burden shifts to the non-moving party, which must go beyond the pleadings and submit admissible evidence supporting its claims or defenses and showing a genuine issue for trial. SeeFed. R. Civ. P. 56(e); Celotex, 477 U.S. at 324, 106 S.Ct. 2548; Nissan Fire, 210 F.3d at 1103; Devereaux, 263 F.3d at 1076. If the non-moving party does not produce evidence showing a genuine issue of material fact, the movant is entitled to summary judgment. See Celotex, 477 U.S. at 323, 106 S.Ct. 2548.
In ruling on a motion for summary judgment, inferences drawn from the underlying facts are viewed in the light most favorable to the non-moving party. Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986).
II. THE VIDEO PRIVACY PROTECTION ACT
The VPPA in relevant part states: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person....” 18 U.S.C. § 2710(b)(1) (emphasis added). The court has already determined that Hulu is a “video tape service provider,” and that the plaintiffs were “consumers,” within the VPPA's meaning. (ECF No. 68 at 7–9, 11–12.) “Personally identifiable information” (PII) under this statute “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider....” 18 U.S.C. § 2710(a)(3).
This basic VPPA standard requires two elaborative points. First, the term “knowingly” connotes actual knowledge. It is not enough, as the plaintiffs suggest, that a disclosure be merely “voluntary” in the minimal sense of the defendant's being “aware of what he or she is doing and ... not act[ing] because of some mistake or accident.” ( See ECF No. 279 at 17–20.) The court has already decided that “ ‘knowingly’ means consciousness of transmitting the private information. It does not merely mean transmitting the code.” (ECF No. 194 at 23.) This is consistent with cases that have explained the knowledge requirement under the Electronic Communications Privacy Act of 1986, on which the VPPA was modeled. See Freedman v. Am. Online, Inc., 329 F.Supp.2d 745 (E.D.Va.2004); Worix v. MedAssets, Inc., 857 F.Supp.2d 699 (N.D.Ill.2012); see also Mollett v. Netflix, Inc., 2012 WL 3731542 (N.D.Cal. Aug. 17, 2012) (defendant did not knowingly violate VPPA by streaming video-watching history to devices that bystanders might view).
The second point is to notice that, apart from its knowledge requirement, the VPPA has three factual components. For there to be an actionable VPPA violation, the video provider must have knowingly disclosed: 1) a consumer's identity; 2) the identity of “specific video materials”; and 3) the fact that the person identified “requested or obtained” that material. See18 U.S.C. § 2710(a)(3). There are, in other words, three distinct elements here: the consumer's identity; the video material's identity; and the connection between them. The point of the VPPA, after all, is not so much to ban the disclosure of user or video data; it is to ban the disclosure of information connecting a certain user to certain videos. Or, in the statute's exact terms, what is barred is disclosing information that “identifies a person as having requested or obtained specific video materials.” 18 U.S.C. § 2710(a)(3) (emphasis added). This may seem obvious. It is nonetheless worth drawing out, to show exactly how the videotape-era VPPA applies to the Internet service involved here—and to clearly establish what a triable VPPA claim must include in a situation like this.
The nature of the third element—the connection—distances this Internet-streaming case from the situations for which the VPPA was enacted. The paradigmatic case, the case that prompted the VPPA, involved a video store's giving a Washington Post reporter a list of the videos that Circuit Judge Robert Bork had rented. ( See ECF No. 194 at 12–13 (discussing Judge Bork case).) In that type of case, the connection between a specific user and the material that he “requested or obtained” is obvious. If I hand someone a slip of paper with John Doe's name above a list of recently rented videotapes, the connection between the two will generally be apparent. This is all the more so because the information is passed between humans in a natural language. The recipient can immediately read the note and see the connection. There is an immediate disclosure of PII.
This case is different. The user's identity and that of the video material were transmitted separately (albeit simultaneously). By sending those two items Hulu did not thereby connect them in a manner akin to connecting Judge Bork to his video-rental history; that is, Hulu did not disclose information that “identifie[d] a person as having requested or obtained specific video materials.” Unlike in the paradigmatic Judge Bork case, the connection here would be established, if at all, by an act of the recipient. This means that, even if both elements were sent to Facebook, they did not necessarily disclose a user “as having requested or obtained specific video materials” unless Facebook combined the two pieces of information. Without Facebook forging that connection there is no “disclosure” of “personally identifiable information” under the terms of the VPPA.
That a connection is needed for a PII disclosure becomes clearer when we notice that the connection can break down even in the paradigmatic older case. Let us say that a video-store clerk gives a local reporter a slip of paper showing only someone's name. Weeks later, someone else hands the reporter a list of video titles. There is no obvious connection between the two. In the VPPA's terms, no one has tied a person to specific videos. There is consequently no actionable disclosure of PII. Unless, that is, additional evidence reestablishes the link between name and titles. If extrinsic proof shows that the reporter and video provider had agreed to separate the disclosures in place and time, so that the clerk would hand over only the renter's name, while the video titles would arrive later by a third-party courier—but that both parties understood how the name and titles were related—that would supply the connection. The connection in any case must exist. It is a necessary element of the VPPA—maybe somewhat implicit, as the statute is written, but still indispensable.
Consider too the role of natural language. No one would deny that I would violate the VPPA by passing someone an encrypted list of Judge Bork's video rentals—if my recipient and I both understood that we would use a mutually intelligible code. If, instead, I hand someone only a garbled collection of alphanumeric strings (which I alone understand to contain someone's encrypted video-rental history), there is likely no actionable disclosure. For a disclosure to arise in the latter scenario, there generally must be proof of further action by the recipient; they must know that I have used a code and they must at least have the capacity to decode and read the contents. At the very least, there must be some mutual understanding that there has been a disclosure. Moving away from natural language, in other words—as we do in this case—requires the recipient to more actively participate to yield a VPPA-actionable “disclosure.”
The upshot of all this describes the VPPA plaintiff's burden in an Internet-video case like this one. To state an actionable claim under the VPPA, a plaintiff must prove that the video-service provider actually knew that it was disclosing: 1) a user's identity; 2) the identity of the video material; and 3) the connection between the two— i.e., that the given user had “requested or obtained” the given video material. In terms of this case, if Hulu did not actually know that Facebook might “read” the c_user cookie and video title together (yielding something akin to the list of Judge Bork's videos), then there cannot be a VPPA violation. This is the conclusion that the court earlier reached. ( See ECF No. 194 at 23–24.)
ANALYSIS
The dispositive point in this case lies in the connection between a user's identity, sent in the c_user cookie, and the title of the videos that that user watched, contained in the watch-page address. Or, rather, the dispositive point lies in the lack of a known connection between those things. More precisely, there is no evidence that Hulu knew that Facebook might combine a Facebook user's identity (contained in the c_user cookie) with the watch-page address to yield “personally identifiable information” under the VPPA. There is consequently no proof that Hulu knowingly disclosed any user “as having requested or obtained specific video materials or services.” See18 U.S.C. § 2710(a)(3).
The Governing Law section, above, explains why the VPPA requires proof that three things were disclosed: a consumer's identity; the identity of “specific video materials”; and a connection between the two—that is, that the consumer “requested or obtained” those videos. Before reviewing the evidence and the parties' arguments, it may be worth stating that three-part requirement even more concretely in the terms of this particular case. Hulu's motion for summary judgment does this well, and the court borrows Hulu's explanation:
Neither the watch page URL nor the Facebook c_user cookie by itself constitutes PII as defined by the VPPA. Hulu's watch page URL contains no user data at all, let alone identifying information; the URL is the same for every user who requests that same video. ( See Wu Decl. ¶¶ 27–30.) And the Facebook c_user cookie does not contain any video watch information. Thus, even if Hulu knew that the c_user cookie transmitted the Facebook User ID to Facebook ... Hulu could not have “knowingly” disclosed PII to Facebook unless it knew that Facebook was combining the Facebook User ID with the video title embedded in Hulu's watch page URL.
(ECF 230 at 9–10.) Because there is no evidence of the last element, there is no genuine issue of material fact on that element, and the court grants summary judgment in Hulu's favor.
I. THE PLAINTIFFS OFFER NO PROOF ON THE CONNECTION ELEMENT
The plaintiffs do not establish a genuine issue of material fact showing either that Facebook combined the c_user and watch-page information to yield PII, or (more important) that Hulu knew that Facebook might combine those discrete things to reconstruct PII. The plaintiffs indeed identify no proof in this regard. They instead argue that they do not have to prove this. (ECF No. 279 at 19–21.) They write: “Plaintiffs need only demonstrate that Hulu voluntarily provided user-specific information and videos watched to a third party; there is no requirement that Plaintiffs allege—much less prove that Hulu knew—what that third party might do with that information.” ( Id. at 19.)
The plaintiffs first argue that the court has already “expressly rejected” the idea that Hulu must have known that Facebook would combine the user- and video-identifying data. ( Id. at 20.) Their underlying point seems to be that transmitting both components to Facebook was itself enough. They write: “this Court has previously held that ... the data transmitted to Facebook was not ‘two separate pieces of data.’ ” ( Id. at 20 (citing ECF No. 194 at 22).) They then quote the court's statement that, “if a video store knowingly hands a list of Judge Bork's rented videos to a Washington Post reporter, it arguably violates the VPPA even if the reporter does not look at the list.” (ECF No. 279 at 20 (quoting ECF No. 194 at 23).)
The plaintiffs are mistaken in two ways. First, the plaintiffs misunderstand the court's point when it suggested that, “[i]n contrast to comScore”—another vendor previously relevant in this case—“where the user was not tied to the video in one transmission, the transmission to Facebook included the video name and Facebook user cookies.” ( See ECF No. 194 at 22.) The court did not “reject” the idea that a connection between user and video identification is a necessary element under the VPPA, or assert that “the data [that Hulu] transmitted to Facebook was not ‘two separate pieces of data.’ ” (Strictly speaking, the court's order did not use the term “two separate pieces of data”; the source of that quotation is unclear.) In reasoning through the parties' arguments, and the available facts, the court meant only to contrast the data that had been supplied to comScore with that supplied to Facebook. Unlike the transmission to comScore, the court wrote, the “transmission to Facebook included the video name and Facebook user cookies,” so that in the Facebook situation “the link between user and video was more obvious.” (ECF No. 194 at 22.) The court did not say that that link had been conclusively established. To the contrary, the court immediately observed that whether the link between the two was “disclosed” under the VPPA “depends on the facts,” facts that the court said had not yet developed because discovery was still open. ( Id. at 22, 26.) The court also noted Hulu's countervailing point: “that the information really was not disclosed to Facebook in the sense that the information about Judge Bork's video viewing was disclosed to the Washington Post.” ( Id.) More simply, the evidence has always shown and the court has always understood that, although both were sent to Facebook, the c_ user cookie and the watch-page address are distinct things. ( See, e.g., id.) Whether the transmission is actionable depends on whether the “connection” of the two creates the “disclosure” of PII that VPPA requires.
Second, even in the “arguably” actionable, hypothetical case in which the Washington Post reporter “does not look” at the list of Judge Bork's rentals ( id. at 23), the posited list contains all three VPPA elements: the user's identity; the identity of the videos; and the connection between them (that is, the fact that the consumer has “requested or obtained” the listed videos). The court did not “expressly reject” a connection requirement under the VPPA.
This ties in to the plaintiffs' next point. The plaintiffs write: “Hulu's argument”— i.e., that the plaintiffs must prove that Hulu knew that Facebook might combine the c_user and watch-page data—“is nearly identical to the argument rejected in” Senne v. Village of Palatine, Ill., 695 F.3d 597 (7th Cir.2012) ( en banc ). In Senne, the Seventh Circuit held that placing “personal information” on parking tickets that were then placed on windshields, and were thus in public view, was a disclosure violating the Driver's Privacy Protection Act, regardless of whether anyone actually viewed the ticket. But nothing in Senne indicates that, in a VPPA case like this one, a plaintiff need not prove that the consumer's identity was linked to “specific” videos as those that she “requested or obtained.” Again, as the court wrote in its earlier order, “disclosure[s] of information on traffic tickets in public view,” like the one in Senne, “transmit obvious PII.” (ECF No. 194 at 23.) Like the list of Judge Bork's videos, but unlike the ultimately separate c_user and watch-page data here, the connection between the plaintiff driver and his “personal information” was immediately apparent in Serine: both were written together on one parking ticket. See Senne, 695 F.3d at 599.
The plaintiffs do not go beyond their legal arguments on this point to offer proof that Hulu knew that Facebook might combine the c_user and watch-page data to construct information that would identify a user “as having requested or obtained specific video materials or services.” Without that proof, there is no knowing disclosure of PII. For its part, Hulu has offered affirmative proof that it did not know what, if anything, Facebook would do with the user-identifying information in the c_user cookie, on the one hand, and, on the other, the video title that could be gleaned from watch-page addresses. (Tom Dep.—ECF No. 230–7 at 130–31, 283, 285–86; Wu Dep.—ECF No. 280–8 at 96.) For this reason alone, the plaintiffs do not have a triable claim under the VPPA.
These citations are to the original page numbers of the Tom and Wu depositions.
II. FACTS CONCERNING HULU'S TRANSMISSION OF USER IDENTITIES
The plaintiffs cite various facts to show, more basically, that Hulu knew that it was sending Facebook users' identities through the c_user cookie. (ECF No. 279 at 21–28.) Hulu denies that it knew this. ( E.g., ECF No. 285 at 7.) Again, there is no dispute that from April 2010 to June 2012 the titles of videos being watched appeared in Hulu's watch-page addresses. The plaintiffs do not cite the facts discussed below to show Hulu's knowledge that Facebook might combine these things to yield PII under the VPPA. They marshal these facts to show only that Hulu knew that, when the Like button loaded, the c_user cookie would send user-identifying information to Facebook. ( See ECF No. 279 at 21–28.) That is, again, only one element of an actionable VPPA claim. The court addresses these facts to fully account for the evidence before it, and so to fully consider whether—apart from the issue of a connection between the c_ user and watch-page data—those facts somehow raise a triable claim under the VPPA.
A. ShowFaces
The plaintiffs first point to the “ show_faces ” attribute of the Like button. (ECF No. 279 at 21–23.) Show_faces is a Facebook-designed feature within the Like button that Hulu could set to either show_faces=true or show_ faces=false. ( See id. at 21–22; Richard Decl.—ECF No. 280–8 at 9–10, ¶ 23.) When the Like button loads, if show_faces=true, then “Facebook identifies the logged-in user” and “identifies which of the user's Facebook friends have like[d] the web page” (ECF No. 279 at 21–22), which necessarily means that they liked the specific video that the user was watching. Facebook then sends to the Hulu user's web page the Like button along with pictures of the user's Facebook friends who have liked the page. ( Id. at 22.) Having been aware of this feature, the plaintiffs' argument essentially runs, Hulu must have known that Facebook could identify Hulu users through the Like button; that is inherent in locating the user's friends. ( See id. at 22–23.) Moreover, say the plaintiffs, whether this feature is set to true ox false is “not relevant.” ( Id. at 22.) Facebook would identify the user in either case. The true ox false setting “merely affected how Facebook used [the] identifier in responding to the Like button request”—meaning, whether Facebook sent a user's friends' pictures to load alongside the Like button. ( See id.; Richard Decl. ECF No. 287–3 at 11, ¶ 28.1.)
Hulu makes numerous objections to the testimony of the plaintiffs' expert, Dr. Golden Richard, on the topic of the show_faces feature and other items. ( See ECF No. 285 at 10–11, 13 nn. 2–3, 15 nn. 5–6, 17–18 nn. 7–8.) The court does not rule on these objections. Even considering Dr. Richard's testimony, for the reasons given throughout this order, the court holds that the plaintiffs have not raised a genuine issue for trial.
The show_faces feature does not raise a genuine fact issue on the plaintiffs' VPPA claims. The only proof of how Hulu implemented this feature lies in Hulu's source code. That code shows that Hulu set show_faces not to true but to false. (Richard Decl. (Ex. 43)—ECF No. 280–51 at 2.) There is no evidence of what gets sent to Facebook when show_faces=false. There is no evidence, in particular, that, when this feature is set to false, Hulu sends Facebook both the user's and a video's identity. Even if that information is sent when show_ faces is set to false, there is no proof that Hulu knew this.
The plaintiffs argue that whether Hulu set show_faces to true or false is “not relevant.” (ECF No. 280–4 at 22.) Citing an assertion by their expert, they suggest that user- and video-identifying information would have been sent to Facebook whether this feature was set to true ox false. ( Id.; see Richard Decl. ECF No. 280–8 at 11, ¶ 28.1.) But the plaintiffs' expert never shows this. He does not empirically prove that show_faces=false would send Facebook information amounting to a disclosure of PII. He does not identify documentation stating that show_faces=false would send user-identifying information to Facebook. He did not test the false setting to determine what Hulu would send Facebook in that configuration. ( See id. at 10–11, ¶¶ 26–28.2.) He asserts that the setting “merely affected how Facebook used [a user's] identifier in responding to the Like button request.” ( Id. at 11, ¶ 28.1.) (That is, the false setting would tell Facebook not to display a user's friends' pictures—but Facebook would still combine the user's and video's identifying information.) Assert, however, is all that the plaintiffs' expert does on this point. ( See id.) Raw assertion does not raise a genuine issue under Rule 56. See, e.g., Taylor v. List, 880 F.2d 1040, 1045–46 (9th Cir.1989) (“A summary judgment motion cannot be defeated by relying solely on conclusory allegations unsupported by factual data.”); Hardwick v. Complete Skycap Servs., Inc., 247 Fed.Appx. 42, 44 (9th Cir.2007) (“unsupported assertions” insufficient to overcome summary-judgment motion); see also Warren v. Shaw Grp., Inc., 825 F.Supp.2d 1052, 1053 (D.Nev.2011) (“A principal purpose of summary judgment is ‘to isolate and dispose of factually unsupported claims.’ ” (quoting in part Celotex Corp. v. Catrett, 477 U.S. 317, 323–24, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986)). There is no proof that goes the necessary—indeed, pivotal—further step of showing that Hulu knew that show_faces=false would disclose that a specific user had watched a specific video.
The plaintiffs, through their expert, next point to three exhibits that they say show that “Hulu implemented the Like button with the attribute of show_faces=true.” (Richard Decl.—ECF No. 280–8 at 11, ¶ 29.) This constitutes part of the evidence showing that “Hulu had direct knowledge that its request to Facebook [to load the Like button] included users' identifiers.” (ECF No. 280–4 at 21.) The exhibits in question (ECF Nos. 280–14 to –16) reproduce lines of Hulu code within which appears the element, show_faces=true. ( E.g., ECF No. 280–14 at 5.) All three documents carry the appellation “site-tf.” Hulu has explained that this “tf” tag shows that the code applies to Hulu's Japanese website (ECF No. 285 at 13); the plaintiffs have not contradicted that assertion. These documents do not prove that Hulu set show_faces to true for the U.S. services involved in this case.
The plaintiffs also point to an email thread in which Hulu employees appear to discuss the aesthetic effects of loading a user's friends' faces around the Like button. ( See ECF No. 280–8 at 11–12, ¶¶ 30–31; ECF No. 280–11 (exhibit).) But, as the plaintiffs' expert himself describes matters, these emails “discuss[ ] the display” of “the Like button with show_faces=true.” (ECF No. 280–8 at 11, ¶ 30.) The only evidence, again, is that when it implemented this feature Hulu set it to false. These emails do not show that Hulu knew anything about what information would be sent to Facebook under the false configuration. These emails do show that Hulu employees were generally aware of how the Like button would display “with show_faces=true,” and, to that extent, the court considers them.
The plaintiffs insist that the show_faces evidence permits a “reasonable inference” that Hulu knew that it was sending Facebook PII. It is, after all, obvious that show_faces=true enables Facebook to determine which videos a specific user is watching; otherwise, it could not display that user's friends as having like that video. More broadly, the plaintiffs urge, “we all know” how these sorts of Internet services work: personal information is constantly shared and connected. The court agrees that it would take willful ignorance to pretend otherwise. But a jury cannot be allowed to pass on liability based on broad hand waves toward what we all know, what we all expect about how our personal information moves around, and how things generally work in the age of the Internet. Triable claims must still be rooted in reasonably specific proof about what in fact was done here, what information was sent and connected here, and what Hulu actually knew about these things. The plaintiffs' efforts to prove a prima facie claim—through the source code, for example, or the quotidian emails among Hulu employees—show that they understand the need to ground their claims in concrete and particular facts. In the end, though, the show_faces evidence suggests at most what Hulu should have known generally about how show_faces=true worked. The evidence does not show that Hulu actually implemented show_faces=true. It does not show what show_faces sends Facebook when set to false. And it does not show that Hulu actually knew, when it implemented show_faces=false, that (under the plaintiffs' hypothesis) it was sending Facebook information connecting an identified user to identified videos. The show_faces evidence therefore does not yield a genuine issue for trial.
B. Hulu's “Internal Testing” And “Session Captures”
The plaintiffs next contend that “session captures” from Hulu's internal testing show that “Hulu knew that Facebook maintained one or more cookies that identified logged-in Facebook users.” (ECF No. 279 at 23–24.) (“Session captures” record the actual data sent between a browser and the Web pages on Hulu.) “For example,” the plaintiffs write, in preparing to launch a “social”-integration feature with Facebook in 2011, a Hulu tester “captured requests sent from his browser while he visited a Hulu web page.” ( Id. at 23.) “The traffic captures show the Hulu developer's own Facebook ID being sent to Facebook in a c_user cookie when he was logged in to Facebook.” ( Id. at 23; see Richard Decl.—ECF No. 280–8 at 14–16, ¶¶ 37–42.)
The court has carefully considered this point and finds Hulu's responsive analysis in all respects correct. ( See ECF No. 285 at 15–16.) First, at least two of the exhibits that the plaintiffs' expert cites do not involve the Like button on Hulu's watch pages; they involve the company's different Facebook Connect feature. (ECF No. 280–19 at 2; ECF No. 280–20 at 2.) This feature is what Hulu was preparing to launch and what it was testing when it generated the subject session captures. The plaintiffs have excluded the Facebook Connect feature from this litigation; the court recognized this when it ruled on class certification. ( See ECF No. 211 at 30.)
Furthermore, the session data do not show that the c_user cookie contained a user's Facebook ID. As Hulu rightly observes, the session captures that the plaintiffs rely upon “include the value ‘c_user=55431124.’ ” (ECF No. 285 at 16; see Richard Decl. 280–8 at 14–16, ¶¶ 39–39.2, 40–41.) As it happens, “55431124” is a Facebook user ID. There is no proof that anyone at Hulu saw this, knew generally what c_user signified, or recognized “55431124” as a Facebook ID—the latter two things being far from obvious from the face of the data. The plaintiffs' expert himself had to conduct additional investigation, though a third website, to determine what “55431124” signified. (Richard Decl.—ECF No. 280–8 at 15–16, ¶ 40.) There is no proof that anyone at Hulu had reason to, or actually did, pursue this determination.
Finally on this point, nothing about the Facebook Connect session-captures suggests—or creates an issue of triable fact—that Hulu knew that the c_user cookie would be sent to Facebook, and would carry user-identifying information, when the Like button loaded on Hulu's watch pages. This is true even as the plaintiffs themselves describe this information. ( See ECF No. 279 at 23–24.)
C. Hulu and Nielsen Ad–Tracking
The plaintiffs contend that Hulu's work with the Nielsen Company “show[s] that Hulu knew that [users'] personal identifiers were being transmitted to Facebook.” (ECF No. 279 at 24.) The plaintiffs explain:
In early 2012, Hulu contracted with the Nielsen Company for services to help measure the effectiveness of Hulu's ad delivery. Richard Decl. [ECF No. 287–3 at 17], 143. Nielsen informed Hulu ... that the ads being measured would cause requests to be routed to Facebook through users' browsers, so Facebook could use its “logged-in cookie” to identify users and provide demographic information about them.
(ECF No. 279 at 24–25.) The plaintiffs continue: “Hulu's understanding of the role of the Facebook cookies in identifying users is confirmed” by the fact that Hulu then “touted” to an advertiser its ability to track advertising effectiveness through Facebook's logged-in cookie. ( Id. at 25.)
This probably does show that Hulu knew that a Facebook cookie could be used to identify Hulu users. But it shows this in connection with Nielsen-tracked ads. It does not involve the Like button that is at issue here. This evidence shows Hulu's knowledge that a Facebook cookie, sufficient to identify a Hulu user, could be triggered by ads that Nielsen was monitoring for Hulu. It does not show that Hulu knew that a user-identifying cookie would be sent to Facebook when the Like button loaded; nor does it show that that cookie might be connected to a watch-page URL.
D. Previously Submitted Evidence
The plaintiffs also argue that the court has already found—and Hulu has “not rebutted”—sufficient “fact issues” to warrant submitting their VPPA claim to a jury. (ECF No. 279 at 26–27; see ECF No. 194 at 24–26.) “For instance,” the plaintiffs correctly write, the court's previous order pointed to Hulu emails establishing that “Hulu knew that vendors can place cookies on the user's computer.” (ECF No. 279 at 26.) Additionally, “[t]he Court also noted that ‘[e]mails also show [that] Hulu knew that cookies with identifying information were sent, [and] Hulu's awareness that vendors could collect data and use it ... to ... ‘identify a user in the real world.’ ” ( Id. (quoting in part ECF No. 194 at 25).) Finally in this vein, and as the court recognized, Hulu's internal emails “suggest that Hulu knew that using beacon technology to disclose user data could result in identification of actual users,” that Hulu “recognized the VPPA implications” of this, and yet chose to “accept the legal risk of passing identifying data” because of “the business benefits of these analytics,” at least “so long as it is not passing unique, identifying information....” (ECF No. 279 at 26–27 (quoting ECF 194 at 25).)
The court does not think that these items raise a genuine issue of material fact on the plaintiffs' specific VPPA claims, however, for several reasons. Primarily, these emails are too general. They are too general in that they discuss “vendors” in the abstract, and what vendors “can” do; they do not specifically name Facebook and what Hulu actually did or knew vis-a-vis Facebook. They are too general again in that none of this information supplies proof of the specific elements involved in the plaintiffs' actual claim for relief. They do not address the Like button, the c_user cookie, the watch-page URLs, or any connection among these things.
With respect to Hulu's recognizing the possible “VPPA implications” of some of its conduct and deciding nonetheless to “accept the legal risk,” as Hulu correctly points out, the relevant email exchange “concerned Nielsen and comScore,” vendors who are “not part of the [plaintiffs'] remaining VPPA claim.” (ECF No. 285 at 12.) The “beacon technology,” too, had to do with the earlier claims concerning comScore; it had nothing to do with sending any information to Facebook. ( See ECF No. 194 at 5–6 (explaining comScore's use of “beacon technology”).) And to the extent that loading the Like button is akin to beacon technology, again, there is no evidence of a connection to the watch-page URLs.
The court continues to adhere to its previous statement that these emails “suggest[ed] fact issues” about Hulu's knowledge. The court made that point, however, in the context of an earlier motion made before discovery was closed and while other claims were still in play. The court did not mean to suggest that these items, taken by themselves, would yield a triable claim under any specific theory of liability—and certainly not under the plaintiffs' remaining theory, which makes specific allegations about the Like button, Facebook's c_user cookie, and the watch-page URLs. The plaintiffs urge the court not to dismiss these facts as “too general or not specific to Facebook.” (ECF No. 279 at 27.) In “fact-intensive inquiries involving questions of ‘knowledge,’ ” the plaintiffs write, “there will seldom be direct evidence of knowledge ... and other types of ... circumstantial evidence come into play.” ( Id.) If this observation is unobjectionable as a general point, it is nonetheless unconvincing here. The emails to which the plaintiffs point are not “circumstantial” proof of the specific allegations that remain in play; they are, at best, general contextual evidence of what Hulu knew, and what steps it took, in other areas that also involved user-identifying information. In the precise context of the claims before the court, these emails do not establish a genuine issue of material fact that allows the court to put the plaintiffs' claims—which, again, make specific assertions about the Like button, the c_user cookie, and the watch-page URLs—before a jury.
E. Hulu's Privacy Policy
The plaintiffs next point to the following language in Hulu's “privacy policy”:
In addition, if you [i.e., the Hulu user] visit Hulu.com while logged into one of these services, the third-party service provider may be able to identify you and to associate the technical information provided by your web browser with other information the service already has about you.
(ECF No. 279 at 26.) “Hulu included [this] statement in a section about connecting with Facebook,” the plaintiffs write, and it constitutes “Hulu's public admission that logged-in users”—meaning those logged into Facebook—“ may be recognized by Facebook.” ( Id. (emphasis added).) This fact “alone,” and certainly when “taken together” with the facts discussed above, sufficiently prove Hulu's knowledge. ( Id.)
This policy might help depict a context generally showing Hulu's knowledge about what sorts of information “may” be transmitted when a Hulu user is connected to Facebook. But it is preliminary evidence, which does not establish anything conclusively (save for garden-variety caution on Hulu's part), and is too general to “alone” raise a genuine issue of material fact on the plaintiffs' specific claims. Neither does it combine with other facts that have been adduced here to create a genuine issue that Hulu knew that the c_user cookie would be sent to Facebook, and would contain information that could identify that user, when the Like button loaded on a Hulu watch page. In the context of what has actually been proved here, this excerpt from Hulu's privacy policy does not erect a triable VPPA claim.
F. Filed Complaint
Finally, the plaintiffs urge that Hulu “cannot legitimately argue that it did not have ‘knowledge’ of its VPPA violations after Plaintiffs filed suit....” (ECF No. 279 at 27.) For this reason, the court “cannot grant summary judgment as to any claims raised after Plaintiffs' initial complaint in this matter was filed.” ( Id. at 27–28.) The plaintiffs' implication seems to be that, if nothing else did, their complaint gave Hulu knowledge that it was (now speaking broadly) violating the VPPA.
The court finds this somewhat unusual argument unavailing. First, the plaintiffs have not cited any authority suggesting that the filing of a complaint can itself provide sufficient evidence of an element necessary to claims raised within that complaint. The court is not aware of any such authority. Maybe a complaint can supply adequate proof of its own allegations. If it can, though, the court would need to see clear precedent allowing that. Absent such authority, the court is not inclined to sign on to this theory.
Second, the complaint is too general to supply the “knowledge” proof that the plaintiffs' existing legal theory would need. The plaintiffs' extant legal theory involves the several specific components that that the court has discussed throughout this order: the Like button; the c_user cookie; and the title-bearing watch-page URLs. None of the plaintiffs' complaints mentions these things. ( See ECF Nos. 1, 13, 37, 83.) All other concerns aside, generally suing Hulu for a “VPPA violation[ ]” does not itself yield knowledge that, when the Like button loaded, the c_user cookie sent Facebook information that amounted to a disclosure of PII under the VPPA.
CONCLUSION
There is no genuine issue of material fact that Hulu knew that Facebook might link the user-identifying information in the c_user cookie with title-bearing watch-page addresses so as to construct “personally identifiable information” as defined by the VPPA. For this reason, the court grants Hulu's motion for summary judgment. The Second Amended Complaint (ECF No. 83) is dismissed with prejudice.
This disposes of ECF No. 230.
IT IS SO ORDERED.