A class action alleging Viacom illegally obtained and disclosed personally identifiable information from children under the age of thirteen through the Nickelodeon website recently reached the end of line (almost) when the class’ petition for writ of certiorari was denied by the Supreme Court this month. The high court chose not to further define the contours of what constitutes “personally identifiable information” and “disclosure.”
The Third Circuit decided as a matter of first impression that Viacom had not disclosed personally identifiable information in violation of the Act when it shared IP addresses, collected through cookies, with Google for its use in targeted advertising. The court did identify that there is a split of authority regarding whether or not “static digital identifiers,” such as IP addresses, constituted personally identifiable information because they could, in theory, be combined with other information to identify an individual. Other courts, including the First Circuit, have held that any unique identifier, including an IP address combined with GPS coordinates, could constitute personally identifying information. This decision also stands in contrast with a recent EU ruling, Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, which held that under certain circumstances IP addresses could constitute personal data protected under EU data protection law. However, in the Nickelodeon case, the court determined the information could not be used to identify a specific individual without extraordinary effort and that the information had not been disclosed.
Advice for Businesses
Businesses striving to not run afoul of the Act can learn valuable lessons from this case. First, do not think narrowly when identifying “personal information.” It is not always as straightforward as a Social Security number or bank account number. Think about combinations of information that could enable another person or entity to identify a specific individual. Second, use caution when sharing information about customers or employees—even when it might seem innocuous or unlikely that specific individuals could be identified. Third, do not promise more privacy or data security than you actually provide. The class claim alleging Viacom collected personal information about children, despite its promise not to do so, lives on and the court described that violation as “highly offensive.”