On June 16, the Northern District of California denied a motion for class certification in In re Hulu Privacy Litigation, No. C 11-03764 LB, ECF No. 111. The plaintiffs in that action alleged that Hulu violated the Video Privacy Protection Act (“VPPA”) by disclosing personal identification information (“PII”) to third parties, including Facebook. Hulu provides its users with online, on-demand access to video content, such as television programs and movies. The PII allegedly disclosed was the plaintiffs’ video viewing selections on Hulu. The Court denied the motion without prejudice, holding that the class was not ascertainable because the plaintiffs proposed to rely on self-reporting affidavits to prove class membership.
This decision represents an interesting contrast between allegations of high-tech data privacy violations and low-tech methods of proof. As discussed below, the plaintiffs’ failure to corroborate their self-reporting affidavits by reference to the defendant’s records was fatal to their proposed identification of class members. This failure is especially noticeable in a case where the alleged violations involve transmissions of electronic data identifying the plaintiffs. Moreover, because internet based services like Hulu and Facebook reach millions of customers, the potential damage awards can soar into the billions of dollars. This is especially true in the context of the VPPA, which provides for a relatively large statutory damage award of $2,500 per person. As the Court reasoned in this case, such a large pot of gold can distort the purpose of both class actions and statutory damages, and further increases the importance of objective forms of proof at the class certification stage.
Plaintiffs’ Disclosure Theory
The named plaintiffs claimed that their PII was disclosed to Facebook as a result of Hulu’s inclusion of a Facebook “Like” button on its “watch page.” A watch page is a unique webpage generated each time a Hulu user selects video content to view on hulu.com. Specifically, the plaintiffs claimed that when they selected video content to view on hulu.com, Hulu loaded a watch page that included the Like button. The mere loading of the Like button caused certain information to be automatically sent to Facebook, including the uniform resource locator (“URL”), or web address of the watch page. During the class period, the URL of Hulu’s watch pages included the title of the video content the Hulu user selected. This alone, however, did not disclose the identity of the Hulu user to Facebook. In order for Facebook to connect the title of the video to a specific Facebook user, an additional piece of information was required in the form of a “c_user” web cookie. The c-user cookie, which contained the Hulu users’ Facebook ID, would automatically be sent to Facebook when the Like button on the watch page loaded. This only occurred, however, when a Hulu user watched a video on the same computer and web browser used to access Facebook in the previous four weeks, while using the default settings.
Ascertaining the Putative Class
In order for a class to be certified, as the Court instructed, it must “be sufficiently definite and ‘clearly ascertainable’ by reference to objective criteria ‘so that it is administratively feasible for a court to determine whether a particular person is a class member and thus bound by the judgment.” Here, the Court found the class is comprised of users of both Facebook and Hulu during the class period who actually had their PPI transmitted to Facebook.
Although the plaintiffs did not suggest it, the Court opined that the first part of this question—identifying users of both Faceboook and Hulu during the class period—could be easily determined by cross-referencing the user email addresses of both services. Determining which of those users actually had their PII transmitted to Facebook, however, is not so simple.
There was no dispute that relevant disclosure was the transmission of the c-user cookie. If the c-user cookie had been cleared from a particular Hulu users’ computer, it could not be transmitted to Facebook when the Like button loaded, and there was no disclosure in violation of the VPPA. The Court found that there are various situations where the c-user cookie would be cleared from a Hulu user’s web browser. For example, the c_user cookie would not be sent if the Hulu user logged out of Facebook, used different web browsers to access Facebook and Hulu, manually cleared the cookies on their web browser, or used software that blocked cookies.
Accordingly, in order to define the class, the plaintiffs would have to show that each class member: (i) logged onto Hulu and Facebook from the same browser; (ii) did not log out of Facebook; (iii) did not set their browsers to clear cookies; and (iv) did not use software to block cookies. The plaintiffs only proposed method for determining the class members was self-reporting affidavits. To that end, the named plaintiffs submitted declarations attesting that they were Facebook users who accessed Facebook on the same computer they used to watch videos on Hulu.com. They also claimed that they had not cleared their cookies in some time nor used any ad-blocking software.
The Court rejected this method of defining the class members, reasoning that because the potential damages for each plaintiff are relatively high, some form of verification beyond a self-reporting affidavit is required. It explained that “objective criteria (such as corroboration by reference to a defendant’s records or provision of some proof of purchase) are important to establishing class membership as opposed to relying only on potential members’ say-so and subjective memories that may be imperfect.”
The Court likened the plaintiffs’ reliance on the memory of the potential class members here to subjective estimates of smokers’ long term smoking habits in Xavier v. Philip Morris USA Inc., 787 F.Supp. 2d 1075 (N.D. Cal. 2011), where a court denied class certification. The Court also reasoned that the incentive of a relatively high statutory damage award of $2,500 per class member is relevant to analyzing the credibility of the plaintiffs’ self-reporting affidavits.
Because the self-reporting affidavits were the only proposed method the plaintiffs offered to identify class members, the Court denied their class certification motion holding that they failed to define an ascertainable class.
Low-Tech Proof In a High-Tech World
Paradoxically, in attempting to define a class of plaintiffs aggrieved through high-tech, electronic communications that are largely invisible to the end user, the plaintiff relied on the very low-tech and unreliable method of self-reporting. The Court did not shy away from delving deep into the weeds of how electronic communications, such as cookies and URLs, are transmitted in determining whether the plaintiffs could adequately define a class.
It also, apparently, did not lose sight of the key issues of fact that would need to be determined: (i) whether Hulu transmitted information to Facebook that allowed Facebook to identify a specific person and connect their identity to the specific video materials they requested or viewed; and (ii) if so, whether Hulu did so knowingly.
Presumably, Hulu would only have knowingly disclosed such information to Facebook in support of some business purpose. As the Court noted, Hulu’s main source of income is advertising revenue. Facebook’s business model is similarly based on advertising revenue. This was not lost on the Court, which noted that there was no evidence that Facebook took any action with the information it allegedly received from Hulu.
Had Hulu or Facebook used the alleged PII in support of their respective businesses there would presumably be some record. For example, one would expect there to be business records such as emails and legal agreements memorializing the purpose of Hulu transferring the alleged PII to Facebook. Additionally, there would also likely be some type of electronic record created by Facebook’s collection and use of the alleged PII. A reference to such records would have provided “objective criteria” corroborating the plaintiffs’ self-reporting affidavits. This is precisely what that the Court found was lacking from the plaintiffs’ proposed method of defining the class. Indeed, had the plaintiffs been able to reference electronic records showing that Facebook actually collected and used the PII—which by definition contains the Hulu users’ identities—that alone would have likely defined the class.
There is also little question that the potentially enormous damage award in this case played into the Court’s refusal to rely on the plaintiff’s self-reporting affidavits. As the Court stated, “[t]he possibility of substantial pecuniary gain affects the analysis [of the affidavits’ credibility]. That incentive . . . makes this case different than the small-ticket consumer protection class actions that this district certifies routinely.” The Court did not stop there, however, discussing the potential damage award again in response to due process concerns raised by Hulu.
Hulu claimed that the statutory damage award of $2,500 per class member would result in an aggregated damage award of billions of dollars, and argued that this ran afoul of due process. The court agreed noting that such an “award is wildly disproportionate to any adverse effects class members suffered, and it shocks the conscience.” Moreover, the Court reasoned, such an enormous damage award “potentially distorts the purpose of both statutory damages and class actions” and “may induce an unfair settlement.” Ultimately, the Court declined to address this issue, finding that it is “best addressed after a class is certified.”