Streaming video service Hulu’s decision to use Facebook’s(s fb) “Like” button on its webpages may have violated a federal law that forbids companies from sharing customers’ video histories, according to a San Francisco court decision that could spell trouble for other companies.
In a 27-page ruling full of technological details, U.S. Magistrate Judge Laurel Beeler refused to dismiss a class action complaint that accuses Hulu of violating a 1982 law known as the Video Privacy Protection Act, or VPPA.
While the original purpose of the law was to prevent video stores from sharing their customers’ rental histories, it continues to trip up online media companies like Netflix(s nflx), which paid $9 million in 2012 to settle a VPPA-related lawsuit.
Even though a recent update to the VPPA permits video companies to tell Facebook and other third parties what their customers are watching, Judge Beeler concluded that Hulu did not obtain the required consent.
The ruling is unusual in that it turns on what happens, on a technical level, when a site like Hulu includes Facebook’s “Like” button on its page.
“Code is a language, and languages contain names”
Hulu did not send lists of its subscribers’ viewing habits to Facebook. Instead, the company is in legal trouble because it shared customers’ movie choices indirectly as a result of the “Like” button.
As Judge Beeler explains, companies can choose not only whether to include the Like button in the first place, but also to specify what information the button should relay to Facebook through cookies. In the case of Hulu, the presence of the button conveyed not only basic browser information, but also details about the user’s “watch page” — a personal page that every Hulu user has.
The “watch page” information (including its URL) combined with the Facebook profile amounted to sharing a video history with the social network, the judge ruled:
“Those Facebook ID cookies (the lu and c_user cookies) were transmitted with the watch page and the embedded video name. Thus, the process was an electronic transmission of the Hulu user’s actual identity on Facebook and the video that the Facebook user was watching […] the transmission to Facebook included the video name and Facebook user cookies. Thus, the link between user and video was more obvious.”
The judge noted that the information transfer was not restricted to occasions when a Hulu user “Liked” a video, but rather every time a user watched a video. She also rejected Hulu’s arguments that the sharing process was simply technical and that it was not the same as knowingly sharing the information:
“Code is a language, and languages contain names, and the string is the Facebook user name. There is a material issue of fact that the information transmitted to Facebook was sufficient to identify individual consumers […] In sum, arguing that transmitting cookies is just the normal way that webpages and the Like button load is not enough to negate knowledge.”
The ruling did, however, throw out a separate part of the complaint that accused Hulu of sharing information with the analytics company, comScore(s scor). The judge found that the comScore situation was different because comScore would have had to combine different pieces of information to discover a Hulu user’s identity and what they had watched — whereas the Facebook information arrived in one transmission.
This ruling, which rejected Hulu’s motion for summary judgment, comes after the judge refused to dismiss the case last December. This means the case is now set to go before a jury, where lawyers would have to show examples of Facebook receiving information about specific people’s video histories. Hulu, which did not respond to a request for comment, is likely to appeal or settle the case.
Here’s a copy of the decision, via CourtHouse News, with some of the relevant bits underlined: