On April 28, 2014, in In re: Hulu Privacy Litigation, the US District Court for the Northern District of California, in an order granting in part and denying in part Hulu's motion for summary judgment, ruled that a unique anonymous identifier (ID) disclosed with other information or in circumstances that render it not anonymous may fall under the Video Privacy Protection Act's (VPPA) definition of "personally identifiable information" (PII) (No. 11-03764 (N.D. Cal. Apr. 28, 2014)).

The VPPA prohibits video tape service providers from knowingly disclosing to third parties information that identifies a person as having requested or obtained specific video materials or services. The plaintiffs brought this putative class action asserting claims that Hulu violated the VPPA by wrongfully disclosing to metrics companies and social networks its users' video viewing selections and personal identification information, and sought class certification for certain hulu.com registered users based on disclosures made to:

The disclosures at issue were made through cookie and beacon technology when a user accessed a video viewing page (watch page) on hulu.com. Specifically, during the relevant period for the comScore class, when a user visited a watch page, Hulu transmitted to comScore information that included:

During the relevant period for the Facebook class, each watch page displayed a Facebook "like" button. When a user visited a watch page, information was transmitted to Facebook that included:

Hulu filed a motion for summary judgment, arguing that it did not violate the VPPA because:

As an initial issue, the district court found that a unique numeric identifier tied to video watching may qualify as PII under the VPPA if the context renders it not anonymous and the equivalent of a specific person's identification. Rejecting Hulu's argument that a violation requires disclosure of a person's name, the court found that the statute's plain language covers other ways of identifying a person. Noting that the statute is ambiguous on whether it covers anonymous identifiers, the court found the legislative history supported its conclusion. The court was further persuaded by the Tenth Circuit opinion addressing the scope of PII under the Cable Act in Pruit v. Comcast Cable Holdings, LLC, which the district court characterized as suggesting that a unique ID may constitute PII if it is disclosed to a person who can understand it (100 Fed. Appx. 713 (10th Cir. 2004)).

The district court concluded that the disclosures to comScore did not violate the VPPA and granted summary judgment on those claims. The court rejected the plaintiffs' arguments that the disclosures gave comScore sufficient information for it to access Hulu users' profile pages to obtain their names, noting that there was no evidence that comScore had done so.

However, the court denied summary judgment on the Facebook class claims, finding there to be issues of fact on whether the disclosures to Facebook violated the VPPA. In contrast with the comScore disclosures, the court found that the information disclosed to Facebook could be PII. Although the disclosure also involved an anonymous identifier, the Facebook user ID transmitted by Facebook's cookies revealed the Hulu user's identity on Facebook. This information was transmitted with the watch page URL that included the video name. Therefore, there was a transmission identifying an actual Facebook identity and the video the Facebook user was watching. The court distinguished this case from a situation where the transmission is the user's decision. For example, if the cookies were transmitted when a user pressed the "like" button, it would be a necessary part of expressing his opinion and not a VPPA violation.

The court also found there to be issues of material fact about Hulu's knowledge, and no evidence on the record to conclude that there was consent.