Judge Says Hulu Might Have Violated Video Privacy Law

In a mixed decision, a federal judge ruled on Monday that online video company Hulu potentially violated a video privacy law by sharing information about users with Facebook. But U.S. Magistrate Judge Laurel Beeler in San Francisco also ruled that the company didn't violate users' privacy by transmitting “anonymous” information about the movies they watched to comScore.

The 27-page ruling, which partially denied Hulu's motion for summary judgment in the case, means that the 3-year-old lawsuit will continue.

The case centers on whether Hulu ran afoul of the federal Video Privacy Protection Act, a 1988 law that prohibits movie rental companies from disclosing information about which videos people watch. Congress passed the law after a newspaper in Washington obtained and published the video rental records of Supreme Court nominee Robert Bork.

The people who are suing allege that Hulu transmitted too much data about them to comScore and Facebook.

Hulu acknowledged in court papers that it sent some information to both comScore and Facebook, but denied violating the video privacy law. Specifically, Hulu argued that it doesn't transmit users' names to comScore. Instead, Hulu said it assigns users a seven-digit User ID, and then transmits data about that User ID.

The consumers countered that comScore could figure out people's identities from their User IDs, given that Hulu included the User ID in the Web page addresses of users' profile pages. But Hulu -- which no longer includes that data in profile pages -- said that there wasn't any proof that third parties like comScore actually figured out users' identities.

Beeler sided with Hulu on that point, ruling that the consumers hadn't shown that comScore “correlated any information” between people's names and their User IDs. She said that the evidence uncovered by the consumers “does not suggest any linking of a specific, identified person and his video habits.”

But Beeler came to a different conclusion regarding Hulu's data-sharing with Facebook, which occurred via the “Like” button. That button automatically loads when users watch video on Hulu.com. Between April of 2010 and June of 2012, the “Like” button was configured so that it transmitted titles of the videos that people watched to Facebook's server -- regardless of whether users clicked the button to indicate that they “liked” the clips.

The button also transmitted cookies to Facebook that contained a Facebook ID -- which revealed the screen names that people used on Facebook.

Beeler wrote that Hulu potentially was liable for those transmissions, depending on whether it knew what data it was sending to Facebook. “If Hulu never knew that Facebook might 'read' the videos and the Facebook ID cookies together in a manner akin to the disclosure of Judge Bork’s videos, then there is not a VPPA violation,” she wrote.

Internet legal expert Venkat Balasubramani says that Beeler's decision highlights potential pitfalls of implementing new technologies. He says that the implementation of the “Like” button on Hulu “didn't account for the gray areas” relating to privacy laws.

Hulu lost a key battle in this lawsuit two years ago, when Beeler ruled that the federal video law applies to companies that stream video on the Web. She said in her decision that the law is designed to protect the privacy of people who watch video regardless of technical format.

Recommend (4) Print RSS