In re Nickelodeon Consumer Privacy Litig.

• Citation: 827 F.3d 262
• Decision Date: 27 June 2016
• Docket Number: No. 15-1441,15-1441
• Parties: In re: Nickelodeon Consumer Privacy Litigation A.V.; C.A.F.; C.T.F.; M.P.; T.P.; K.T.; N.J.; T.M.; Stephanie Fryar, Appellants
• Court: United States Courts of Appeals. United States Court of Appeals (3rd Circuit)

827 F.3d 262

In re: Nickelodeon Consumer Privacy Litigation

A.V.; C.A.F.; C.T.F.; M.P.; T.P.; K.T.; N.J.; T.M.; Stephanie Fryar, Appellants

No. 15-1441

United States Court of Appeals, Third Circuit.

Argued December 8, 2015
Opinion Filed: June 27, 2016

Jason O. Barnes, Esq. [ARGUED], Barnes & Associates, 219 East Dunklin Street, Suite A, Jefferson City, MO 65101, Douglas A. Campbell, Esq., Frederick D. Rapone, Esq., Campbell & Levine, LLC, 310 Grant Street, Suite 1700, Pittsburgh, PA 15219, Barry R. Eichen, Evan J. Rosenberg, Esq., Eichen Crutchlow Zaslow & McElroy, LLP, 40 Ethel Road, Edison, NJ 08817, James P. Frickleton, Esq., Edward D. Robertson, III, Esq., Bartimus Frickleton Robertson, P.C., 11150 Overbrook Road, Suite 200, Leawood, KS 66211, Edward D. Robertson, Jr., Esq., Mary D. Winter, Esq., Bartimus Frickleton Robertson, P.C., 715 Swifts Highway, Jefferson City, MO 65109, Mark C. Goldenberg, Esq., Thomas Rosenfeld, Esq., Goldenberg Heller Antognoli & Rowland, PC, 2227 South State Route 157, Edwardsville, IL 62025, Adam Q. Voyles, Esq., Lubel Voyles LLP, 5020 Montrose Boulevard, Suite 800, Houston, TX 77006, Attorneys for Appellants

Alan J. Butler, Esq. [ARGUED], Marc Rotenberg, Esq., Electronic Privacy Information Center, 1718 Connecticut Avenue, N.W., Suite 200, Washington, DC 20009,

827 F.3d 266

Attorneys for Amicus Curiae, Electronic Privacy Information Center

Jeremy Feigelson, Esq., Debevoise & Plimpton LLP, 919 Third Avenue, New York, NY 10022, David A. O'Neil, Esq. [ARGUED], Debevoise & Plimpton LLP, 801 Pennsylvania Avenue, N.W., Suite 500, Washington, DC 20004, Seth J. Lapidow, Esq., Stephen M. Orlofsky, Esq., Blank Rome LLP, 301 Carnegie Center, Third Floor, Princeton, NJ 08540, Attorneys for Appellee Viacom, Inc.

Colleen Bal, Esq., Michael H. Rubin, Esq. [ARGUED], Wilson, Sonsini, Goodrich & Rosati, PC, One Market Street, Spear Tower, Suite 3300, San Francisco, CA 94105, Tonia O. Klausner, Esq., Wilson Sonsini Goodrich & Rosati, PC, 1301 Avenue of the Americas, 40th Floor, New York, NY 10019, Jeffrey J. Greenbaum, Esq., Joshua N. Howley, Esq., Sills, Cummis & Gross P.C., One Riverfront Plaza, Newark, NJ 07102, Attorneys for Appellee Google, Inc.

Jeffrey B. Wall, Esq. [ARGUED], Sullivan & Cromwell LLP, 1700 New York Avenue, N.W., Suite 700, Washington, DC 20006, Attorney for Amicus Curiae, Chamber of Commerce of the United States of America

Before: FUENTES, SHWARTZ, and VAN ANTWERPEN, Circuit Judges

OPINION OF THE COURT

FUENTES, Circuit Judge:

Table of Contents

I. Background...267

A. Internet Cookie Technology...268

B. Factual Allegations...268

C. Procedural History in the District Court...270

II. Arguments and Claims Foreclosed by Our Decision in Google ...271

A. Article III Standing...272

B. The Federal Wiretap Act...274

C. The California Invasion of Privacy Act...276

D. The Federal Stored Communications Act...276

E. The New Jersey Computer Related Offenses Act...277

III. Claims Raising Issues Beyond Those We Addressed in Google ...278

A. The Video Privacy Protection Act...278

1. Whether Google is an Appropriate Defendant under the Act...279

2. Whether Viacom Disclosed “Personally Identifiable Information”...281

B. Intrusion upon Seclusion...290

1. The Plaintiffs' Intrusion Claim Is Not Preempted...291

2. The Plaintiffs Have Adequately Alleged an Intrusion Claim...293

IV. Conclusion...295

Most of us understand that what we do on the Internet is not completely private. How could it be? We ask large companies to manage our email, we download directions from smartphones that can pinpoint our GPS coordinates, and we look for information online by typing our queries into search engines. We recognize, even if only intuitively, that our data has to be going somewhere. And indeed it does, feeding an entire system of trackers, cookies, and algorithms designed to capture and monetize the information we generate. Most of the time, we never think about this. We browse the Internet, and the data-collecting infrastructure of the digital world hums along quietly in the background.

827 F.3d 267

Even so, not everything about our online behavior is necessarily public. Numerous federal and state laws prohibit certain kinds of disclosures, and private companies often promise to protect their customers' privacy in ways that may be enforceable in court. One of our decisions last year, In re Google Inc. Cookie Placement Consumer Privacy Litigation,¹ addressed many of these issues. This case addresses still more.

This is a multidistrict consolidated class action. The plaintiffs are children younger than 13 who allege that the defendants, Viacom and Google, unlawfully collected personal information about them on the Internet, including what webpages they visited and what videos they watched on Viacom's websites. Many of the plaintiffs' claims overlap substantially with those we addressed in Google, and indeed fail for similar reasons. Even so, two of the plaintiffs' claims—one for violation of the federal Video Privacy Protection Act, and one for invasion of privacy under New Jersey law—raise questions of first impression in our Circuit.

The Video Privacy Protection Act, passed by Congress in 1988, prohibits the disclosure of personally identifying information relating to viewers' consumption of video-related services. Interpreting the Act for the first time, we hold that the law permits plaintiffs to sue only a person who discloses such information, not a person who receives such information. We also hold that the Act's prohibition on the disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individual's video-watching behavior. In our view, the kinds of disclosures at issue here, involving digital identifiers like IP addresses, fall outside the Act's protections.

The plaintiffs also claim that Viacom and Google invaded their privacy by committing the tort of intrusion upon seclusion. That claim arises from allegations that Viacom explicitly promised not to collect any personal information about children who browsed its websites and then, despite its assurances, did exactly that. We faced a similar allegation of deceitful conduct in Google, where we vacated the dismissal of state-law claims for invasion of privacy and remanded them for further proceedings. We reach a similar result here, concluding that, at least as to Viacom, the plaintiffs have adequately alleged a claim for intrusion upon seclusion. In so doing, we hold that the 1998 Children's Online Privacy Protection Act, a federal statute that empowers the Federal Trade Commission to regulate websites that target children, does not preempt the plaintiffs' state-law privacy claim.

Accordingly, we will affirm the District Court's dismissal of most of the plaintiffs' claims, vacate its dismissal of the claim for intrusion upon seclusion against Viacom, and remand the case for further proceedings.

I. Background

We begin by summarizing the allegations in the plaintiffs' complaints.²

827 F.3d 268

A. Internet Cookie Technology

When a person uses a web browser to access a website, the browser sends a “GET” request to the server hosting that site. So, for example, if a person types “www.nick.com” into the address bar of his or her web browser, the browser contacts the server where Nick.com is hosted and transmits data back to the user's computer.³ In addition to other content, Nick.com may also display ads from third parties. These ads typically reside on a different server. To display the ad, the Nick.com server will direct the user's browser to send another “GET” request to the third-party server, which will then transmit the ad directly to the user's computer. From the user's perspective, all of this appears to happen simultaneously, and all the visual information on Nick.com appears to originate from a single source. In reality, the Nick.com website is an assemblage of content from multiple servers hosted by different parties.⁴

An Internet “cookie” is a small text file that a web server places on a user's computing device.⁵ Cookies allow a website to “remember” information about a user's browsing activities (such as whether or not the user is logged-in, or what specific pages the user has visited). We can distinguish between first-party cookies, which are injected into a user's computer by a website that the user chooses to visit (e.g. , Nick.com), and third-party cookies, which are placed on a user's computer by a server other than the one that a person intends to visit (e.g. , by an ad company like Google).⁶

Advertising companies use third-party cookies to help them target advertisements more effectively at customers who might be interested in buying a particular product. Cookies are particularly powerful if the same company hosts ads on more than one website. In those circumstances, advertising companies are able to follow a user's browsing habits across multiple websites that host the...