Children's Streaming Video Site Discloses Viewing Data to 3rd Parties: Class Action
Yippee Entertainment, a faith-based streaming service for children, violates the Video Privacy Protection Act (VPPA) by disclosing the personally identifiable information (PII) of viewers for marketing, advertising and analytics purposes, alleged a class action Friday (docket 3:24-cv-00797) in U.S. District Court for Southern California.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The VPPA prohibits a videotape service provider that knowingly discloses, “to any person, personally identifiable information concerning any consumer of such provider,” said the complaint. “Ironically,” the complaint said, Yippee boasts that its website has no ads, “no algorithms" and is a “wholesome alternative to YouTube.”
But unbeknown to Brittany Morrison of Oceanside, California, and class members, Yippee “knowingly and intentionally discloses” its users' PII -- “including a record of every video viewed by the user -- to unrelated third parties to further its marketing and advertising objectives and increase revenue.” Through the collection of users’ data, Yippee is able to use advertising and content creation “to target California residents,” it said. That allows the media company to boost its number of subscribers and revenue and to “collect and disclose more users’ information.”
Yippee’s TV library has “1,000s of hours of faith filled series” for families to view together, said the complaint. Last month, the website had over 75,000 visitors, it said; subscription fees are $8 per month or $49 per year. Accessing the media company's prerecorded video content is contingent on paying Yippee a subscription or signing up for a seven-day free trial, after which payment is necessary to continue viewing.
Morrison’s counsel retained a private research company in March to conduct a dynamic analysis of Yippee, by recording the transmissions that occur from a user’s device, said the complaint. The analysis revealed the streaming company disclosed information “to at least one third party that was sufficient to identify specific Class Members and the specific videos they watched,” alleged the complaint. The researcher first established that Yippee incorporates at least one application programming interface (API) in its website and app that enables companies “to open up their applications’ data and functionality to external third-party developers, business partners, and internal departments within their companies,” it said.
Yippee incorporates the Segment API, which is owned and operated by customer engagement platform Twilio, the complaint said. When a user views a video on the website or app, Yippee discloses to Twilio via the API the user’s full name, email address, Segment ID, the video ID for the video viewed and the video title, the complaint said. That information is sufficient to “to permit an ordinary person to identify the specific Website or App user and which specific video the user watched,” it said.
The defendant discloses information that allows Twilio, or an ordinary person, to identify “which specific user requested or obtained which specific video,” said the complaint. Accordingly, Yippee discloses PII to third parties, and “common sense dictates that a sophisticated media producer like” Yippee, which includes APIs in its website and app, is “fully aware of the scope of the data Twilio is collecting and is choosing to intentionally provide that data to Twilio,” it said. Twilio’s Segment API is designed to analyze app data and marketing campaigns, “conduct targeted advertising, and ultimately boost Defendant’s revenue from its marketing campaigns,” it said.
Morrison used a web browser to access Yippee TV videos for herself and her children through her account until February. She never consented, agreed or otherwise permitted Yippee to disclose her PII to third parties, but each time she accessed a video on the site, the defendant disclosed her full name, email address, Segment user ID, and video-viewing information in the form of the video title and video ID for each specific video watched, said the complaint.
Using this information, Twilio was able to identify Morrison and attribute her video viewing records to an individualized profile of her in its databases, alleged the complaint. The plaintiff’s PII was also used to create a user profile that included her activity on the app, which Yippee uses for marketing, advertising, and analytics purposes, in violation of the VPPA, it said. Morrison requests awards of statutory and punitive damages, prejudgment interest, injunctive relief, and attorneys’ fees and legal costs. The defendant didn’t comment.