Handing Hulu a defeat, a judge ruled on Friday that users don't need to show they sustained a financial loss in order to proceed with a privacy lawsuit against the company.
The lawsuit centers on allegations that the streaming service wrongly shared data about users with comScore and Facebook, in violation of the Video Privacy Protection Act. That law prohibits movie rental companies from disclosing information about people's video-watching history without their explicit consent.
Hulu sought summary judgment in its favor, arguing that the consumers shouldn't be able to proceed with their case unless they had been injured by the alleged disclosures. The company based its argument on the wording of the law, which specifies that people who are “aggrieved” by violations can sue for $2,500 in damages. Hulu contended that this language meant that consumers can't recover any money unless they have been injured as a result of disclosures.
U.S. District Court Judge Laurel Beeler in San Francisco rejected Hulu's interpretation of the law. She wrote in an 18-page opinion that consumers need only show “a wrongful disclosure” in order to recover damages.
The lawsuit against Hulu dates to 2011, when researchers reported that the analytics company KISSmetrics used ETag technology -- a type of “supercookie” -- to track people even when they deleted their cookies. ETags store information in users' browser caches, so that even when users erase their cookies, the information contained in them can be recreated.
Hulu was among the companies that allegedly worked with KISSmetrics. The consumers who sued Hulu made a host of allegations, but the only one that gained traction centered on whether the company violated the federal Video Privacy Protection Act by sharing information about users' history with comScore and Facebook.
Hulu acknowledged in court papers that it discloses data to third parties like comScore, but said it never linked users' names to their movie-watching history. Instead, it assigned users a seven-digit User ID, and then transmited data about that User ID.
The consumers contend that Hulu's system didn't adequately protect people's privacy. They say that third parties can figure out people's identities from their User IDs, given that Hulu included the User ID in the Web page addresses of users' profile pages. Hulu, which stopped transmitting User IDs two years ago, countered that there's no proof that any third parties were able to figure out users' identities.
The consumers also say that Hulu disclosed information about them to Facebook via the “like” button, but Hulu counters that the “like” widget only allows Facebook to receive information from cookies that it set. “Thus, Hulu is not the party disclosing that data,” Hulu argues.
Beeler issued a key ruling in the case last year, when she said that the federal video law applies to companies that stream video on the Web. She said in a written decision that the law is designed to protect the privacy of people who watch video, regardless of technical format. That ruling marked the first time that a court explicitly ruled that streaming video services are covered by the 1988 privacy law, which was passed after a newspaper in Washington obtained and published the video rental records of Supreme Court nominee Robert Bork.