In Re Nickelodeon Consumer Privacy Litigation
827 F.3d 262
| 3rd Cir. | 2016

Background

  • Plaintiffs are children under 13 (and their parents) who used Nickelodeon’s Nick.com and allege Viacom and Google tracked and shared their video-watching and browsing data via first- and third-party cookies and persistent identifiers.
  • Plaintiffs allege Viacom (owner/operator of Nick.com) assured parents on its registration page that it collected “ANY personal information” about kids, but nonetheless (per the complaints) disclosed browsing/video URLs plus static identifiers (IP address, device IDs, browser fingerprints, cookie IDs) to Google.
  • Plaintiffs assert multiple statutory and common-law claims: Wiretap Act, Stored Communications Act, California Invasion of Privacy Act, New Jersey Computer Related Offenses Act, Video Privacy Protection Act (VPPA), and New Jersey tort of intrusion upon seclusion.
  • The District Court dismissed all claims; plaintiffs appealed. This Court applied its earlier Google cookie-tracking decision and resolved several claims on that basis, while addressing novel issues under the VPPA and New Jersey intrusion tort.
  • Holding summary: most statutory claims (Wiretap, SCA, CA privacy statute, NJ computer statute) were affirmed dismissed; VPPA claims were dismissed (Google not liable as recipient; Viacom’s disclosures not "personally identifiable information" as defined by the VPPA); intrusion upon seclusion against Google dismissed but against Viacom revived and remanded (plausible deceit/expectation-of-privacy theory; COPPA does not preempt).

Issues

Issue Plaintiff's Argument Defendant's Argument Held
Article III standing Disclosure of private online-video/browsing data is a concrete, particularized injury sufficient for standing No concrete injury; at best statutory/abstract violations Standing pleaded: injury is particularized and concrete under Spokeo guidance; standing sustained
Wiretap Act liability Google and Viacom intercepted content (URLs) and are not protected by one-party consent because minors cannot consent Cookie-placing parties are parties to the communication or have consent via the website (one-party consent); tort-purpose exception inapplicable Affirmed dismissal: companies placing cookies are parties to the communications (one-party consent); wiretap claim fails
Stored Communications Act & CA Invasion of Privacy Act Defendants unlawfully accessed/stored communications and intercepted wire communications Personal devices not SCA "facilities"; CA statute inapplicable to party interceptors Affirmed dismissal: SCA and CA Act claims not viable given prior Google precedent
NJ Computer Related Offenses Act (state CFAA analog) Unauthorized access/damage; taking kids’ data constitutes property/business damage (unjust enrichment) Plaintiffs fail to allege damage in business or property as statute requires Affirmed dismissal: plaintiffs didn’t plead the required business/property damage
VPPA — Who is liable (discloser vs recipient)? Both the video service (Viacom) and recipients (Google) are liable VPPA liability applies only to a video tape service provider who discloses personally identifiable information; recipients are not independently liable under §2710(c) Rejected plaintiffs: only a discloser (video tape service provider) may be sued under VPPA; claim against Google dismissed
VPPA — What is "personally identifiable information"? Static digital identifiers (IP, device IDs, browser fingerprints, cookie IDs) and URLs that reveal viewed videos qualify because recipients (e.g., Google) can re-identify users VPPA protects information that, by itself, readily identifies a particular person’s video-watching—static identifiers do not, and Act aimed at classical rental-record disclosures Plaintiffs’ VPPA claim against Viacom dismissed: "personally identifiable information" under the VPPA means information that would readily let an ordinary recipient identify the person tied to specific videos; static identifiers here were too attenuated
Intrusion upon seclusion (NJ common law) — preemption by COPPA Claim barred by federal COPPA regime governing collection of kids’ data COPPA preempts inconsistent state-law liability for commercial activities COPPA does not preempt: plaintiffs’ theory is traditional state tort policing deceitful collection practices, compatible with COPPA
Intrusion upon seclusion — merits Defendants’ cookie-tracking is a standard commercial practice, not highly offensive Viacom assured parents it collected no personal info; collecting anyway was intentional and deceitful and therefore highly offensive Split result: claim dismissed as to Google (ordinary cookie use not sufficiently offensive at pleading stage); claim survives as to Viacom (allegations that Viacom knowingly misrepresented privacy and collected kids’ data plausibly state intentional, offensive intrusion)

Key Cases Cited

  • In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015) (prior panel ruling on cookies, standing, Wiretap Act, SCA; key precedent applied throughout)
  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (U.S. 2016) (clarified that Article III injury requires concrete as well as particularized harm)
  • Katz v. United States, 389 U.S. 347 (U.S. 1967) (Fourth Amendment wiretap context; content vs. addressing distinction informing analysis)
  • Smith v. Maryland, 442 U.S. 735 (U.S. 1979) (pen register/third-party numbers are non-content—analog used in Wiretap Act analysis)
  • Sterk v. Redbox Automated Retail, LLC, 672 F.3d 535 (7th Cir. 2012) (VPPA interpretation; limits on who is liable under VPPA)
  • Daniel v. Cantrell, 375 F.3d 377 (6th Cir. 2004) (interpreting VPPA as applying to disclosers, not mere recipients)
  • Ellis v. Cartoon Network, Inc., 803 F.3d 1251 (11th Cir. 2015) (addressed device identifier as VPPA-related issue; illustrative of circuit split)
  • O’Donnell v. United States, 891 F.2d 1079 (3d Cir. 1989) (framework for intentional intrusion and role of consent in intrusion upon seclusion)
Read the full case