“SDNY Examines the Scope of ‘Personal Information’ Under the VPPA”

By Steve Kramarsky & Jack Millson

Privacy regulation is hard. It involves making choices about the delicate balance between security and convenience that will be codified into law. But in the current technology and business environment there is no clear consensus about where those lines should be drawn, beyond obvious cases of misappropriation and abuse. What precisely constitutes personal information? What legal protections should be available to data collected from users, particularly abstracted or aggregated information? And in what contexts should those protections apply?

Informed people can disagree in good faith about these issues, and the stakes are high. The collection, use, and analysis of personal data is central to the business models of many services we rely on every day, including some of the most highly-valued companies in the world. Often those services are provided for free (or apparently free) because those companies are permitted to collect and commercialize our personal information in some form. Getting the balance wrong—especially in a legal or regulatory framework—comes with major implications.

And if this were not enough, any legal regime seeking to address privacy in the online world is faced a familiar problem: Technology moves fast, and the law generally has to play catch-up. In the privacy context, the creation of entirely new kinds of data, and the ability to collect and analyze that material on a massive scale, have created new issues for privacy regulation. Information that would once have been considered anonymous may be more appropriately regulated as personal information. For example, if Facebook records a user login in midtown Manhattan, that information may not seem especially “private.” But aggregating that seemingly innocuous data-point with the vast trove of other “anonymous” information collected by Facebook may enable the creation of a profile that identifies the user with pinpoint accuracy and poses privacy concerns, especially when that profile is shared with third parties who could use it to identify specific users and their preferences.

A recent case out of the Southern District of New York presented Judge Rakoff with these issues. It involved application of a hastily-crafted statute (passed in 1988 to regulate video rental stores) to a TikTok competitor. The court examined the assertion that “anonymized” information provided to Facebook was “identifying” users, because of the other information Facebook could marshal about the users. The court’s opinion on a motion to dismiss is an informative overview of privacy laws and the challenges they present to the modern legal system. Wilson v. Triller, 2022 WL 1138073 (S.D.N.Y. April 18, 2022).

Read more.

This article first appeared in the New York Law Journal on May 16, 2022. Stephen M. Kramarsky, a member of Dewey Pegno & Kramarsky, focuses on complex commercial and intellectual property litigation. Jack Millson is an associate at the firm.