Hulu’s year-long effort to dodge a lawsuit for sharing its users viewing habits hit a brick wall this week when a California judge rejected the company’s motion to dismiss the suit. The Hulu privacy case is now one step closer to trial, and the question of who can share your video playlist is about to break wide open.
The plaintiffs, a handful of Hulu users in what is now a class action suit, argued that by contracting with a tracking company called KISSmetrics to install code that revived deleted cookies and shared viewing records and personal data with the third parties like Google Analytics, DoubleClick, and Scorecard Research, the video streaming service went beyond expected uses of browsing data. Instead, the plantiffs argued, Hulu’s actions amounted to a “hack” of their online experience.
Step back from that San Francisco courtroom for a moment, and the Hulu privacy case offers a peek into why companies like Hulu, Netflix, and others in the online video streaming business are right now scrambling in Washington D.C. to change the Video Privacy Protection Act, or VPPA, a decades-old privacy law that governs what video companies can do with the data they collect.
Passed in the late 1980s after a Washington, DC, video store leaked the rental records of Supreme Court nominee Robert Bork, the video privacy law is, by general consensus, dated. Floating around Washington is the notion that the law needs to be adjusted so that companies like Hulu and Netflix can allow their users to, say, easily share with their Facebook friends the last TV show or movie they watched online. The VPPA, the argument goes, puts video streaming businesses at a serious disadvantage on the social web, especially when you compare them to, say, audio streamers like Pandora and Spotify.
But the California case suggests that the stakes are much higher than simple Facebook integration. Behind-the-scenes tracking of user data is a core part of the business logic of video streaming. That points to a tension between what people might like to share with their friends on social networks and their wariness about having their behavioral data traded to pay for it all.
In their bid to get the case tossed out of court, Hulu argued that the existing video privacy law doesn’t apply here. Read the Reagan-era VPPA’s fine print, attorneys for the company contended, and you’ll see that it has little to do with the way users, say, kill an evening streaming back-to-back episodes of Family Guy.
For one thing, Hulu argued, the company doesn’t qualify as a “video tape service provider,” as covered by the law, nor does it provide “similar audio visual material.” Material is physical stuff, the company contended, not digital bits.
On that point, Magistrate Judge Laurel Beeler consulted the Oxford English Dictionary and found that material can come in “printed or electronic form.” What’s more, Beeler reasoned, there’s little reason to believe that Congress cared whether the movies protected by the law were delivered on tape or through digital streaming – which, of course, wasn’t the way people were getting their video content back in 1988.
For another thing, Hulu argued, the plaintiffs don’t count as “consumers” or “subscribers” of their videos, the population covered by the law, especially since they hadn’t upgraded to the paid Hulu Plus service and instead stuck to ad-supported free content.
On that point, Judge Beeler found that, even without paying a nickel, the plaintiffs were indeed Hulu consumers under any rational understanding of the concept. They hadn’t simply stumbled upon Hulu.com. They’d actually engaged the site in exactly its business purpose, which was connecting users to streaming video.
Hulu argued that passing along user data to companies like Google and DoubleClick was “incident to the ordinary course of business,” which is permissible under the video privacy law. After all, it could have engaged in the sort of data analysis and ad serving those companies provided; it was simply outsourcing some of the work.
But Judge Beeler decided that whether Hulu’s sharing of user data is an “ordinary” part of its video streaming business is a question of fact, not law – precisely the sort of thing trials are meant to determine.
And that sets up a fascinating dynamic. To win in court, Hulu might be called upon to explain exactly how and why its business model requires making extensive use the data on who its users are and what they’re watching.
Meanwhile, back in Washington, the debate goes on over upgrading video privacy laws for the streaming-video age. Some in Congress, egged on by tech industries lobbyists (particularly those from Netflix), are pushing to amend the VPPA to let users opt-in just once to sharing their viewing data, rather than the repeated consent now required under the law. The House recently passed a law to do just that. A Senate provision to do the same failed earlier this month with the collapse of negotiations over a major cybersecurity bill.
Others in Congress, though, would like to see a wholesale upgrade to video privacy law rather than just targeted tweaks.
It might be time. After all, in the Hulu and Netflix and Facebook era, the privacy of our viewing data is several degrees more complex than when the biggest worry was a local video clerk handing a reporter a hand-written list of what you’d checked out on VHS.
(Special thanks to Venkat Balasubramani)