Eichenberger v. ESPN

• Background|
• EPIC's Interest|
• Legal Documents|
• News

Summary

Eichenberger v. ESPN, Inc., No. 15-35499, concerns whether consumers have standing to sue companies for violating the Video Privacy Protection Act (“VPPA”). The VPPA prohibits videotape service providers from knowingly disclosing personally identifiable information (“PII”) concerning a consumer. 18 U.S.C. § 2710(b)(1). PII includes “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3). Eichenberger alleges that ESPN disclosed PII related to every video he viewed on the “WatchESPN Channel” through his Roku media-streaming device to an unrelated third party, in violation of the VPPA. The lower court dismissed the case with prejudice and determined that PII can never “extend to anonymous IDs, usernames, or device numbers.” On appeal, the Ninth Circuit is evaluating the scope of the PII provision in the VPPA and considering the applicability of Spokeo v. Robbins, No. 11-56843, for standing purposes.

Top News

• EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices: EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 27, 2018)
• EPIC Urges Appeals Court to Deny Immunity for Dating App that Ignores Egregious Abuse: EPIC has filed an amicus brief in a case about whether a dating app should be liable for failing to remove false profiles, including name and likeness, that posed a danger to personal safety. In Herrick v. Grindr, LLC, EPIC told the Second Circuit Court of Appeals that Section 230, a provision in the Communication Decency Act, was intended to "encourage internet service providers to police their platforms," not to "give platforms carte blanche to ignore harassment and abuse." EPIC emphasized that a lower court opinion "would not advance the speech-promoting policy of the statute." EPIC explained that victims may be subjected to ongoing "psychological, social, and financial harm" if Internet services are not accountable for harassment and abuse. EPIC frequently participates as amicus curiae in cases concerning emerging privacy and civil liberties issues, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 1, 2018)
More top news »
Appeals Court Revives Data Breach Suit Against Zappos » (Mar. 9, 2018)

A federal appeals court has ruled that consumers affected by a Zappos.com data breach have the right to sue the online retailer. The 2012 breach exposed the personal data of more than 24 million Zappos customers. A lower court previously held that the consumers lacked "standing" to bring a lawsuit against Zappos because their injuries were merely "conjectural." But the Ninth Circuit Court of Appeals reversed that decision and allowed the case to continue. "With each new hack comes a new hacker, each of whom independently could choose to use the data to commit identity theft," the court wrote. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN (where the Ninth Circuit also held for consumers), Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

Supreme Court Leaves Data Breach Decision In Place » (Feb. 20, 2018)

The Supreme Court has denied a petition for a writ of certiorari in Carefirst, Inc. v. Attias, a case concerning standing to sue in data breach cases. Consumers had sued health insurer Carefirst after faulty security practices allowed hackers to obtain 1.1 million customer records. EPIC filed an amicus brief backing the consumers, arguing that if "companies fail to invest in reasonable security measures, then consumers will continue to face harm from data breaches." The federal appeals court agreed with EPIC and held that consumers may sue companies that fail to safeguard their personal data. Carefirst appealed the decision, but the Supreme Court chose not to take the case. EPIC regularly files amicus briefs defending standing in consumer privacy cases, most recently in Eichenberger v. ESPN, where the Ninth Circuit also held for consumers, as well as Gubala v. Time Warner Cable and In re SuperValu Customer Data Security Breach Litigation.

Federal Appeals Court Dismisses Privacy Case Against Connected Car Makers » (Dec. 21, 2017)

A federal appeals court has ruled that consumers don't have the right to seek legal relief from automakers whose connected cars endanger their privacy because the risk of remote hacking is "speculative." EPIC filed an amicus brief in the case warning that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury." EPIC urged the court to allow consumers to "the opportunity to present legal claims stemming from the defendants' sale of vehicles that place them at risk." But the court wrongly downplayed the consumers' privacy injuries and dismissed the case. EPIC recently urged the Supreme Court to reject warrantless searches of rental cars, which today collect vast troves of personal data. EPIC has filed numerous other amicus briefs defending consumer privacy rights, and EPIC has repeatedly warned the National Highway Traffic Safety Administration, the Federal Trade Commission, and the U.S. Congress about the privacy and consumer safety risks posed by connected vehicles.

EPIC Amicus - Ninth Circuit Holds Violation of Video Privacy Law Establishes 'Standing' » (Nov. 29, 2017)

The Ninth Circuit issued an opinion today that addressed standing — the right to bring a lawsuit — under the Video Privacy Protection Act. The court found that the law protects a "substantive right to privacy that suffers any time a video service provider discloses otherwise private information." The court stated that a "plaintiff need not allege any further harm to have standing." EPIC filed an amicus letter brief in response to the court's request for parties to discuss standing following the Supreme Court decision in Spokeo v. Robbins. EPIC urged the court to recognize that "Congress intended to protect consumers' concrete interests in the confidentiality of their video viewing records." Contrasting with the Spokeo decision concerning the Fair Credit Reporting Act, the federal appeals court agreed that the video privacy law protects a "substantive interest." However, the court found that "personally identifiable information" was not disclosed by ESPN. EPIC has filed amicus briefs defending consumers in several cases after the Spokeo decision, including in Attias v. Carefirst, Gubala v. Time Warner Cable, and In re SuperValu Customer Data Security Breach Litigation.

EPIC to Ninth Circuit: Don't Turn the Channel on Video Privacy Case » (Sep. 28, 2017)

EPIC has filed a letter brief in a video privacy case concerning ESPN’s collection of viewer data. The court in Eichenberger v. ESPN, Inc. is trying to determine whether consumers can bring lawsuits based on a violation of federal privacy law after the Supreme Court’s decision in Spokeo v. Robins, a case about “standing” to sue. EPIC filed a brief in support of Eichenberger, arguing that "the history and judgement of Congress leaves little doubt that Congress believed a violation of the Act would be a concrete injury." EPIC also explained "a court is not empowered to override congressional judgments as to which injuries should be legally protected.” EPIC testified before the Senate about the history and purpose of the Video Privacy Protection Act. EPIC has also filed several amicus briefs on standing to sue in consumer privacy cases.

Background

Factual and Procedural Background

Defendant ESPN, Inc. operates on a number of platforms and produces sports-related news and entertainment programming. The platform in question here is the “WatchESPN Channel” for the Roku digital media-streaming device, which allows users to view videos and other content on their televisions via the Internet. Plaintiff Eichenberger downloaded the Watch ESPN Channel in early 2013 and alleged that every time he viewed a video using the Channel on his Roku device, defendant knowingly disclosed PII “in the form of his unique Roku device serial number, along with the videos he viewed” to a third party, Adobe Analytics. Eichenberger claimed that he did not consent for defendant to share this information with a third party.

On November 24, 2014, the lower court dismissed plaintiff’s first amended complaint, finding that the disclosure of the Roku device serial number alone was not sufficient to establish a VPPA violation. Plaintiff’s second amended complaint added that once the serial number was sent to Adobe, Adobe was able to identify plaintiff through existing user information possessed by Adobe, including email addresses, account information, or Facebook profile information such as photos and usernames. Because Adobe can associate the Roku serial number with corresponding user information that is already in its possession, WatchESPN’s disclosure identified Eichenberger to Adobe as having watched specific video materials.

In February 2015, defendant filed a motion to dismiss plaintiff’s second amended complaint with prejudice, arguing that it similarly failed to plead facts that could plausibly give rise to a violation of the VPPA as did in the first amendment complaint. The lower court found that Eichenberger failed to sufficiently allege disclosure of “personally identifiable information” required to state a claim under the VPPA. As a result, the court dismissed plaintiff’s complaint with prejudice.

Legal Background - Standing

Article III of the U.S. Constitution grants the federal courts judicial power over “cases” and “controversies.” In order to show standing, plaintiffs must establish that they have (1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) is likely to be redressed by a favorable judicial decision. Injury-in-fact itself requires the plaintiff suffer an invasion of a legally protected interest that is (1) concrete, (2) particularized, and (3) actual or imminent, not conjectural or hypothetical.

Legal Background - VPPA

The Video Privacy Protection Act (VPPA) prohibits a video provider from knowingly disclosing “personally identifiable information” concerning any “consumer” of its service. The VPPA’s definition of personally identifiable information “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.”

Congress passed the VPPA in 1988 in response to a newspaper article leaking Supreme Court nominee Robert Bork’s video rental records. The VPPA “protect[s] certain personal information of an individual who rents video materials from disclosure.” The Act “allows consumers to maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers.”

EPIC's Interest

EPIC Amicus Briefs on Standing

EPIC has a strong interest in ensuring privacy lawsuits proceed to redress the harms of privacy violations and ensure greater privacy protections thereafter. Post-Spokeo v. Robins and Amnesty v. Clapper, courts have interpreted standing differently across the country and EPIC aims to clarify the doctrine and how it relates to consumer protection.

In October 2016, EPIC filed an amicus brief in Gubala v. Time Warner Cable, urging the Seventh Circuit Court of Appeals to recognize that post-Spokeo, injury in fact is a legal injury, distinct from consequential harm. Therefore, Time Warner Cable caused a legal injury when it violated Mr. Gubala’s rights under the Protection of Subscriber Privacy after collecting his data.

In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “Americans consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches have “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012. In May 2016, the Supreme Court concluded that the U.S. Court of Appeals for the Ninth Circuit had failed to analyze whether Robins's allegations were "concrete," and remanded the case to the lower court. Upon remand, the Ninth Circuit determined that Robin’s allegations were sufficiently “concrete” to warrant standing.

EPIC Amicus Briefs in Cases Concerning Information Privacy and the VPPA

EPIC has a strong interest in protecting the privacy of consumers and their information, and ensuring this data is not disclosed to third parties. EPIC has specifically worked to protect the privacy rights for consumers that were established by the VPPA.

In 2016, EPIC filed and amicus curiae brief in Perry v. Cable New Network, Inc., et al., arguing that the privacy protections in the VPPA apply to mobile apps that provide video service.

In 2015, EPIC filed an amicus curiae brief in In re Nickelodeon, urging the Third Circuit Court of Appeals to support a robust understanding of PII and the VPPA, given the crucial nature of unique identifiers in data transmission, and the difficulty of anonymizing transactional information. Users of a Viacom website sued over its practice of profiling the video history, gender and age of child users, and sharing it with Google.

In 2010, EPIC wrote to the U.S. District Court for the Northern District of California, urging the court to reject a proposed settlement that would have deprived Facebook users of remedies under the video privacy law. EPIC urged the court to reject a settlement that would have resulted in no direct compensation for users, despite the law’s $2,500 statutory damages provision. EPIC also observed that the settlement would have deprived users of meaningful privacy protections by directing all settlement funds to a Facebook-controlled entity.

In 2009, EPIC filed an amicus curiae brief supporting strong privacy safeguards for consumers’ video rental data. EPIC’s brief urged the Fifth Circuit Court of Appeals to enforce the law’s protections for Facebook users who rented videos from Blockbuster, a Facebook business partner. Facebook users filed the lawsuit after Blockbuster made public consumers’ private video rental information.

EPIC also opposed an effort in 2011 to undermine the VPPA. In a letter to House members on H.R. 2471 EPIC urged careful consideration of the impact that the proposed change would have on users of Internet-based services. EPIC asked the Committees considering the legislation to hold a hearing so that that all views on the matter could be considered. Before a Senate Subcommittee in January 2012, EPIC President Marc Rotenberg, urged Congress to amend the definition of PII to expressly include IP addresses and account identifiers.

EPIC also has an interest in protecting online privacy and anonymity. Companies that gather consumer data often do so without knowledge or consent of the consumers, implicating privacy interests because consumers have the right to know how and what kind of information is being used and disclosed to third parties. And as technology evolves, information that might be “anonymous” today, may become PII in the future. To effectively enforce the VPPA, courts must understand the evolving online landscape in which consumer information is collected, stored, and shared. For years, EPIC has driven the public debate on these issues.

Legal Documents

United States Court of Appeals for the Ninth Circuit, No. 15-35449

• Oral Argument held in Pasadena on October 3, 2017, 9:00 AM, in Courtroom 1 before Hon. Circuit Judges Graber, Murguia, and Christen. See Audio and Video.
• Clerk Letter Briefing Order (Sept. 8, 2017)
• Plaintiff-Appellant Eichenberger Letter Brief on Standing (Sept. 22, 2017)
• Defendant ESPN Letter Brief on Standing (Sept. 22, 2017)
• Amicus Curiae EPIC Letter Brief on Standing (Sept. 28, 2017)
• Defendant ESPN Supplemental Letter Brief on Standing (Oct. 2, 2017)

United States District Court for the Western District of Washington, No. 14-463

• Order Dismissing the Second Amended Complaint (May 7, 2015)

News

• Christopher Crosby, Vizio denied 9th Circ. appeal of video privacy decision, Law360 (Oct. 17, 2017)
• Adam Rhodes, ESPN Slams Privacy Watchdog’s Brief In App User’s Suit, Law360 (Oct. 3, 2017)
• Adam Rhodes, ESPN App User Backed y Privacy Watchdog In 9^th Circ. Row, (Sept. 19, 2017)
• Jesse M. Brody, Ninth Circuit Examines VPPA Standing, Lexology (Sept. 28, 2017)
• Shayna Posses, ESPN, App User Spar Over Spokeo's Impact On Privacy Suit, Law360 (Sept. 25, 2017)
• Jody Godoy, ESPN App Users Take Privacy Fight To 9th Circ. Law360 (June 8, 2015)