Court Rules That Hulu Didn’t Know It Was Sharing Personal User Info With Facebook

weirdlonersEarlier this week, a federal court in California dismissed a nearly 4-year-old class-action lawsuit against Hulu that alleged the streaming video service illegally shared personal user information with Facebook.

The original complaint [PDF], filed in July 2011, accused Hulu of violating the federal Video Privacy Protection Act (VPPA), which was created to prevent video rental and sales companies from “knowingly” disclosing customers’ “personally identifiable information” to any third party without consent.

“As Plaintiffs… viewed video content on Hulu’s website, Hulu transmitted their viewing choices to a number of third parties,” including Facebook, market research firm Scorecard Research, online ad networks DoubleClick and Quantserve, and Google Analytics.

“In the case of Facebook, Hulu included Plaintiffs and Class Members’ Facebook IDs, connecting the video content information to Facebook’s personally identifiable user registration information,” the complaint contends, arguing that these users reasonably expected that Hulu would not disclose their video choices to third parties, and that these users did not authorize any third-party disclosures.

But Hulu maintained that it wasn’t deliberately or actively sharing this information with Facebook. Rather, this information was (until June 2012) being transmitted via the Facebook “Like” button.

“If the Hulu user had logged into Facebook using certain settings within the previous four weeks, the Like button would cause a “c_user” cookie to be sent to Facebook,” writes the court in its order [PDF] dismissing the lawsuit.

So even if the Hulu user didn’t click the Like button, its mere presence on the Hulu page would send the user’s Facebook ID (in a numerical format that Facebook could understand) along with the URL and other info for the video being watched on that page.

“Hulu did not send Facebook the Hulu User ID or the Hulu user’s name,” writes the judge.

In considering whether to grant Hulu’s motion for a summary dismissal, the court asks whether the plaintiffs met the two conditions to demonstrate a violation of the VPPA.

First, Hulu would have to have knowingly transmitted this data.

“[T]he term ‘knowingly’ connotes actual knowledge,” writes the court. “It is not enough, as the plaintiffs suggest, that a disclosure be merely ‘voluntary’ in the minimal sense of the defendant‘s being ‘aware of what he or she is doing and… not act[ing] because of some mistake or accident.'”

In the court’s opinion, merely being the transmitter of the code doesn’t necessarily imply a conscious sharing of personal information.

The second standard for applying the VPPA is three-pronged, requiring that Hulu knowingly disclosed “1) a consumer‘s identity; 2) the identity of ‘specific video materials’; and 3) the fact that the person identified ‘requested or obtained’ that material.”

“The point of the VPPA, after all, is not so much to ban the disclosure of user or video data,” explains the judge, “it is to ban the disclosure of information connecting a certain user to certain videos.”

The court held that the data transmitted via the Facebook like button is not the same as a video store clerk handing a reporter a list containing customer’s name and their recent rentals.

“The user‘s identity and that of the video material were transmitted separately (albeit simultaneously),” reads the order, explaining that Hulu’s sending of this information is not “connecting” the user to the content. “Hulu did not disclose information that “identifie[d] a person as having requested or obtained specific video materials.”

This connection between the videos and the user would have to be done on the receiving end, contends the court: “This means that, even if both elements were sent to Facebook, they did not necessarily disclose a user ‘as having requested or obtained specific video materials’ unless Facebook combined the two pieces of information.”

“In terms of this case, if Hulu did not actually know that Facebook might “read’ the c_user cookie and video title together… then there cannot be a VPPA violation,” concludes the judge.

Speaking to The Recorder, the lawyer representing the plaintiffs in this case says an appeal is in the works.

“We think the order of the lower court would undermine fundamental statutory privacy rights if allowed to stand,” explained the attorney for the plaintiffs.

[via Ars Technica]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.