In re: Nickelodeon Consumer Privacy Litig. — civil — partial affirmance — Fuentes

The opinion’s cogent introduction:

Most of us understand that what we do on the Internet is not completely private. How could it be? We ask large companies to manage our email, we download directions from smartphones that can pinpoint our GPS coordinates, and we look for information online by typing our queries into search engines. We recognize, even if only intuitively, that our data has to be going somewhere. And indeed it does, feeding an entire system of trackers, cookies, and algorithms designed to capture and monetize the information we generate. Most of the time, we never think about this. We browse the Internet, and the data-collecting infrastructure of the digital world hums along quietly in the background.

Even so, not everything about our online behavior is necessarily public. Numerous federal and state laws prohibit certain kinds of disclosures, and private companies often promise to protect their customers’ privacy in ways that may be enforceable in court. One of our decisions last year, In re Google Inc. Cookie Placement Consumer Privacy Litigation, addressed many of these issues. This case addresses still more.

This is a multidistrict consolidated class action. The plaintiffs are children younger than 13 who allege that the defendants, Viacom and Google, unlawfully collected personal information about them on the Internet, including what webpages they visited and what videos they watched on Viacom’s websites. Many of the plaintiffs’ claims overlap substantially with those we addressed in Google, and indeed fail for similar reasons. Even so, two of the plaintiffs’ claims—one for violation of the federal Video Privacy Protection Act, and one for invasion of privacy under New Jersey law—raise questions of first impression in our Circuit.

The Video Privacy Protection Act, passed by Congress in 1988, prohibits the disclosure of personally identifying information relating to viewers’ consumption of video-related services. Interpreting the Act for the first time, we hold that the law permits plaintiffs to sue only a person who discloses such information, not a person who receives such information. We also hold that the Act’s prohibition on the disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior. In our view, the kinds of disclosures at issue here, involving digital identifiers like IP addresses, fall outside the Act’s protections.

The plaintiffs also claim that Viacom and Google invaded their privacy by committing the tort of intrusion upon seclusion. That claim arises from allegations that Viacom explicitly promised not to collect any personal information about children who browsed its websites and then, despite its assurances, did exactly that. We faced a similar allegation of deceitful conduct in Google, where we vacated the dismissal of state-law claims for invasion of privacy and remanded them for further proceedings. We reach a similar result here, concluding that, at least as to Viacom, the plaintiffs have adequately alleged a claim for intrusion upon seclusion. In so doing, we hold that the 1998 Children’s Online Privacy Protection Act, a federal statute that empowers the Federal Trade Commission to regulate websites that target children, does not preempt the plaintiffs’ state-law privacy claim.

Accordingly, we will affirm the District Court’s dismissal of most of the plaintiffs’ claims, vacate its dismissal of the claim for intrusion upon seclusion against Viacom, and remand the case for further proceedings.

Joining Fuentes were Shwartz and Van Antwerpen. Arguing counsel were Jason Barnes for the appellants, David O’Neil of Debevoise & Plimpton and Michael Rubin of Wilson Sonsini for appellees, and Alan Butler of the Electronic Privacy Information Center and Jeffrey Wall of Sullivan & Cromwell for amici.