Full opinion text
OPINION OF THE COURT FUENTES, Circuit Judge: Table of Contents I.Background... 267 . A. Internet Cookie Technology.. .268 B. Factual Allegations.. .268 C. Procedural History in the District Court.. .270 II. Arguments and Claims Foreclosed by Our Decision in Google.. .271 A. Article III Standing.. .272 B. The Federal Wiretap Act.. .274 C. The California Invasion of Privacy Act.. .276 D. The Federal Stored Communications Act.. .276 E. The New Jersey Computer Related Offenses Act.. .277 III. Claims Raising Issues Beyond Those We Addressed in Google.. .278 A. The Video Privacy Protection Act.. .278 1. Whether Google is an Appropriate Defendant under the Act.. .279 2. Whether Viacom Disclosed “Personally Identifiable Information”.. .281 B. Intrusion upon Seclusion.. .290 1. The Plaintiffs’ Intrusion Claim Is Not Preempted.. .291 2. The Plaintiffs Have Adequately Alleged an Intrusion Claim.. .293 IV. Conclusion.. .295 Most of us understand that what we do on the Internet is not completely private. How could it be? We ask large companies to manage our email, we download directions from smartphones that can pinpoint our GPS coordinates, and we look for information online by typing our queries into search engines. We recognize, even if only intuitively, that our data has to be going somewhere. And indeed it does, feeding an entire system of trackers, cookies, and algorithms designed to capture and monetize the information we generate. Most of the time, we never think about this. We browse the Internet, and the data-collecting infrastructure of the digital world hums along quietly in the background. Even so, not everything about our online behavior is necessarily public. Numerous federal and state laws prohibit certain kinds of disclosures, and private companies often promise to protect their customers’ privacy in ways that may be enforceable in court. One of our decisions last year, In re Google Inc. Cookie Placement Consumer Privacy Litigation, addressed many of these issues. This case addresses still more. This is a multidistrict consolidated class action. The plaintiffs are children younger than 13 who allege that the defendants, Viacom and Google, unlawfully collected personal information about them on the Internet, including what webpages they visited and what videos they watched on Viacom’s websites. Many of the plaintiffs’ claims overlap substantially with those we addressed in Google, and indeed fail for similar reasons. Even so, two of the plaintiffs’ claims — one for violation of the federal Video Privacy Protection Act, and one for invasion of privacy under New Jersey law — raise questions of first impression in our Circuit. The Video Privacy Protection Act, passed by Congress in 1988, prohibits the disclosure of personally identifying information relating to viewers’ consumption of video-related services. Interpreting the Act for the first time, we hold that the law permits plaintiffs to sue only a person who discloses such information, not a person who receives such information. We also hold that the Act’s prohibition on the- disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior. In our view, the kinds of disclosures at issue here, involving digital identifiers like IP addresses, fall outside the Act’s protections. The plaintiffs also claim that Viacom and Google invaded their privacy by committing the tort of intrusion upon seclusion. That claim arises from allegations that Viacom explicitly promised not to collect any personal information about children who browsed its websites and then, despite its assurances, did exactly that. We faced a similar allegation of deceitful conduct in Google, where we vacated the dismissal of state-law claims for invasion of privacy and remanded them for further proceedings. We reach a similar result here, concluding that, at least as to Viacom, the plaintiffs have adequately alleged a claim for intrusion upon seclusion. In so doing, we hold that the 1998 Children’s Online Privacy Protection Act, a federal statute that empowers the Federal Trade Commission to regulate websites that target children, does not preempt the plaintiffs’ state-law privacy claim. Accordingly, we will affirm the District Court’s dismissal of most of the plaintiffs’ claims, vacate its dismissal of the claim for intrusion upon seclusion against Viacom, and remand the case for further proceedings. I. Background We begin by summarizing the allegations in the plaintiffs’ complaints. A. Internet Cookie Technology When a person uses a web browser to access a website, the browser sends a “GET” request to the server hosting that site. So, for example, if a person types “www.nick.com” into the address bar of his or her web browser, the browser contacts the server where Nick.com is hosted and transmits data back to the user’s computer. In addition to other content, Nick.com may also display ads from third parties. These ads typically reside on a different server. To display the ad, the Nick.com server will direct the user’s browser to send another “GET” request to the third-party server, which will then transmit the ad directly to the user’s computer. From the user’s perspective, all of this appears to happen simultaneously, and all the visual information on Nick.com appears to originate from a single source. In reality, the Nick.com website is an assemblage of content from multiple servers hosted by different parties. An Internet “cookie” is a small text file that a web server places on a user’s computing device. Cookies allow a website to “remember” information about a user’s browsing activities (such as whether or not the user is logged-in, or what specific pages the user has visited). We can distinguish between first-party cookies, which are injected into a user’s computer by a website that the user chooses to visit {e.g., Nick.com), and third-party cookies, which are placed on a user’s computer by a server other than the one that a person intends to visit {e.g., by an ad company like Google). Advertising companies use third-party cookies to help them target advertisements more effectively at customers who might be interested in buying a particular product. Cookies are particularly powerful if the same company hosts ads on more than one website. In those circumstances, advertising companies are able to follow a user’s browsing habits across multiple websites that host the company’s ads. Given Google’s dominance in the Internet advertising market, the plaintiffs claim that Google is able to use cookies to track users’ behavior across large swaths of the Internet. B. Factual Allegations Defendant Viacom owns the children’s television station Nickelodeon. It also operates Nick.com, a website geared towards children that offers streaming videos and interactive games. A child registers to use Nick.com by signing up for an account and choosing a username and password. During the registration process, a child provides his or her birthdate and gender to Viacom, and Viacom then assigns the child a code based on that information. The plaintiffs also assert that Viacom’s registration form includes a message to children’s parents: “HEY GROWN-UPS: We don’t collect ANY personal information about your kids. Which means we couldn’t share it even if we wanted to!” The plaintiffs allege that Viacom and Google unlawfully used cookies to track children’s web browsing and video-watching habits on Viacom’s websites. They claim that the defendants collected information about children in at least four ways. First, when a user visits one of Viacom’s websites, Viacom places its own first-party cookie on that user’s computer. This permits Viacom to track a child’s behavior, including which games a child plays and which videos a child watches. Second, Google contracts with Viacom to place advertisements on Viacom’s websites. As a result, Google is able to place third-party cookies on the computers of persons who visit those websites, including children. Third, the plaintiffs claim that, “[u]pon information and belief, Viacom also provided Google with access to the profile and other information contained within Viacom’s first-party cookies.” Fourth, the plaintiffs assert that, once Google places a cookie on a person’s computer, it can track that person across any website on which Google displays ads. Google uses so-called “Doubleclick.net cookies” to accomplish this task. In addition, Google offers its own collection of online services to Google account-holders and other web users, including Gmail, Google Maps, and YouTube (which Google owns). The plaintiffs claim that Google combines information that it collects from people using its websites with information it gleans from displaying ads on others’ websites. They also claim that ‘Viacom is aware of Google’s ubiquitous presence on the Internet and its tracking of users.” In the aggregate, the plaintiffs claim that Viacom discloses to Google, and Google collects and tracks, all of the following information about children who visit Viacom’s websites: (1) the child’s username/alias; (2) the child’s gender; (3) the child’s birthdate; (4) the child’s IP address; (5) the child’s browser settings; (6) the child’s unique device identifier; (7) the child’s operating system; (8) the child’s screen resolution; (9) the child’s browser version; (10) the child’s web communications, including but not limited to detailed URL requests and video materials requested and obtained from Viacom’s children’s websites; and (11) the Doubleclick persistent cookie identifiers. The purpose of all of this information gathering is to sell targeted advertising based on users’ web browsing. In fact, the plaintiffs claim that targeting advertisements to children is more profitable than targeting advertising to adults “because children are generally unable to distinguish between content and advertisements.” They cite a Wall Street Journal article stating that “popular children’s websites install more tracking technologies on personal computers than do the top websites aimed at adults.” The plaintiffs also allege a' number of facts about online tracking more generally. They claim that it is surprisingly easy for advertising companies to identify web users’ offline identities based on their online browsing habits. They cite a Stanford professor, Arvind Narayanan, for the proposition that “re-identification” of web users based on seemingly anonymous data is possible based on users’ commercial transactions, web browsing, search histories, and other factors. The plaintiffs also claim that companies can use “browser fingerprinting” to identify website visitors based on the configuration of a user’s browser and operating system. Using these techniques, the plaintiffs claim that Google and Viacom “are able to link online and offline activity and identify specific users, including the Plaintiffs and children that form the putative class.” Lastly, the plaintiffs allege a number of facts in order to demonstrate that the defendants’ behavior violated contemporary social norms. Tb that end, they claim that Google is a member of an organization called the Interactive Advertising Bureau that promulgates a Code of Conduct for its members. That Code is said to prohibit members from collecting “personal information” from children “they have actual knowledge are under the age of 13.” ‘The plaintiffs also cite a survey of more than 2,000 adults conducted by the Center for Digital Democracy. According to the survey, 80 percent of respondents oppose the tracking of children even where an advertiser does not “know a child’s name and address,” and 91 percent believe advertisers should receive a parent’s permission before placing tracking software on a minor child’s computing device. C. Procedural History in the District Court In June of 2013, the Judicial Panel on Multidistrict Litigation transferred six privacy-related suits against Viacom and Google to the District of New Jersey for consolidation. The plaintiffs in these cases seek to represent two classes. The first is a class of “[a]ll children under the age of 13 in the United States who visited the website Nick.com and had Internet cookies that tracked their communications placed on their computing devices by Viacom and Google.” The second is a class of “[a]ll children under the age of 13 in the United States who were registered users of Nick, com and who engaged with one or more video materials on such site, and who had their video viewing histories knowingly disclosed by Viacom to Google.” The proposed classes are not bounded by any time period, although the plaintiffs do note that Viacom “revamped its Nick.com website” in August of 2014 so that it “no longer discloses the particular video viewing or game histories of individual users of Nick, com to Google.” Shortly after transfer to the District of New Jersey, the plaintiffs filed their first consolidated complaint. It raised six claims, including violations of (i) the Wiretap Act, (ii) the Stored Communications Act, (iii) the California Invasion of Privacy Act, (iv) the Video Privacy Protection Act, (v) the New Jersey Computer Related Offenses Act, and (vi) a claim under New Jersey common law for intrusion upon seclusion. The District Court granted the defendants’ motion to dismiss all of the plaintiffs’ claims, three of them with .prejudice. The District Court nonetheless permitted the plaintiffs to file an amended complaint revising their claims under the Video Privacy Protection Act, the New Jersey Computer Related Offens'es Act, and for intrusion upon seclusion. The plaintiffs did so, the defendants again moved to dismiss, and the District Court dismissed the case in its entirety. The plaintiffs now appeal. Our Court’s review of a decision dismissing a complaint is plenary. II. Arguments and Claims Foreclosed by Our Decision in Google Google came down in November of 2015, several months after briefing in this case was complete but before oral argument. We therefore asked the parties to submit their views about Google’s effect on the present litigation. As will become clear, we conclude that Google is fatal to several of the plaintiffs’ claims. The Google plaintiffs consisted of a class of persons who used two web browsers: Apple’s Safari and Microsoft’s Internet Explorer. These browsers came with cookie-blocking options designed to protect users’ privacy while they browsed the Internet. In February of 2012, a Stanford graduate student revealed that Google and several other advertising companies had devised ways to evade these cookie-blocking options, even while touting publicly that they respected their users’ choices about whether to take advantage of cookie-blocking technology. The Google plaintiffs then filed a federal lawsuit alleging violations of the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. They also brought claims for violation of the California Invasion of Privacy Act and for intrusion upon seclusion and invasion of privacy under California law. The district court dismissed those claims in their entirety. We affirmed the dismissals of all claims except those for invasion of privacy and intrusion upon seclusion. With respect to those claims, we determined that “[a] reasonable factfinder could conclude that the means by which defendants allegedly accomplished their tracking, i.e., by way of a deceitful override of the plaintiffs’ cookie blockers, marks the serious invasion of privacy contemplated by California law.” With this background in mind, we turn to Google’s effect on the present litigation. A. Article III Standing “To establish Article III standing, a plaintiff must demonstrate ‘(1) an injury-in-fact, (2) a sufficient causal connection between the injury and the conduct complained of, and (3) a likelihood that the injury will be redressed by a favorable decision.’ ” To allege an injury-in-fact, “a plaintiff must claim ‘the invasion of a concrete and particularized legally protected interest’ resulting in harm ‘that is actual or imminent, not conjectural or hypothetical.’ ” A harm is “particularized” if it “affect[s] the plaintiff in a personal and individual way.” It is “concrete” if it is “ ‘de facto’; that is, it must actually exist” rather than being only “abstract.” The defendants assert that Article III standing is lacking in this case because the disclosure of information about the plaintiffs’ online activities does not qualify as an injury-in-fact. Google rejected a similar argument, stating that, when it comes to laws that protect privacy, a focus on “economic loss is misplaced.” Instead, in some cases an injury-in-fact “may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.” Applying this principle, other courts have found standing in cases arising from allegedly unlawful disclosures similar to those at issue here. The Supreme Court’s recent decision in Spokeo, Inc. v. Robins does not alter our prior analysis in Google. The plaintiff there alleged that Spokeo, an online background check company, reported inaccurate information about him to its customers. The plaintiff then sued Spokeo under the Fair Credit Reporting Act. The Ninth Circuit concluded that the plaintiffs “personal interests in the handling of his credit information,” coupled with the purported “violations of statutory rights created by the [Act],” were sufficient to satisfy the injury-in-fact requirement of Article III standing. The Supreme Court granted certio-rari in Spokeo to address the question of “[wjhether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.” Rather than answer that question directly, the Supreme Court vacated the judgment of the Ninth Circuit and remanded the case for further proceedings. In doing so, the Supreme Court explained that the Ninth Circuit erred in its standing analysis by focusing only on whether the plaintiffs purported injury was “particularized” without also assessing whether it was sufficiently “concrete.” In reaching this conclusion, the Court noted that even certain kinds of “intangible” harms can be “concrete” for purposes of Article III. When evaluating whether such a harm qualifies as an injury-in-fact, judges should consider whether the purported injury “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Congress’s judgment on such matters is “also instructive and important,” meaning that Congress may “elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law.” Intangible harms that may give rise to standing also include harms that “may be difficult to prove or measure,” such as unlawful denial of access to information subject to disclosure. What a plaintiff cannot do, according to the Court, is treat a “bare procedural violation ... [that] may result in no harm” as an Article III injury-in-fact. The Court provided two examples, including a defendant’s failure to comply with a statutory notice requirement and, in the context of the Fair Credit Reporting Act, the dissemination of inaccurate information about a plaintiff, such as an incorrect zip code, that does not “cause harm or present any material risk of harm.” None of these pronouncements calls into question whether the plaintiffs in this case have Article III standing. The purported injury here is clearly particularized, as each plaintiff complains about the disclosure of information relating to his or her online behavior. While perhaps “intangible,” the harm is also concrete in the sense that it involves a clear de facto injury, i.e., the unlawful disclosure of legally protected information. Insofar as Spokeo directs us to consider whether an alleged injury-in-fact “has traditionally been regarded as providing a basis for a lawsuit,” Google noted that Congress has long provided plaintiffs with the right to seek redress for unauthorized disclosures of information that, in Congress’s judgment, ought to remain private. Accordingly, we conclude that the plaintiffs have alleged facts which, if true, are sufficient to establish Article III standing. B. The Federal Wiretap Act The plaintiffs bring a claim against both Viacom and Google under the federal Wiretap Act. A plaintiff pleads a prima facie case under the Wiretap Act by showing that the defendant “(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.” The District Court rejected the plaintiffs’ wiretapping claim for two reasons. First, it concluded that Google’s conduct was not unlawful in view of how Google allegedly communicated with the plaintiffs’ computers. The Wiretap Act does not make it unlawful “for a person to ‘intercept ... electronic communication’ if the person ‘is [1] a party to the communication or [2] where one of the parties to the communication has given prior consent to such interception ....’” Here, Google was either a party to all communications with the plaintiffs’ computers or was permitted to communicate with the plaintiffs’ computers by Viacom, who was itself a party to all such communications. Accordingly, the plaintiffs failed to state a legally sufficient wiretapping claim. Second, the District Court concluded that the information Google allegedly intercepted was not of the kind protected by the statute. The Wiretap Act prohibits “interception]” of “any wire, oral, or electronic communication,” and defines “interception]” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” The plaintiffs alleged that, insofar as Viacom permitted Google to access URLs that revealed which videos a child watched, such as “http://www.nick.com/shows/ penguins-of-madagasear,” Google intercepted the “contents” of the plaintiffs’ communications. The District Court disagreed. It concluded that a URL is more akin to a telephone number (whose interception cannot support a Wiretap Act claim) than a substantive conversation (whose interception can give rise to such a claim). The District Court dismissed the plaintiffs’ Wiretap Act claim on this ground as well. Google vindicated the District Court’s reasoning as to one-party consent, but not with respect to the definition of “contents.” We there concluded that companies that place cookies on a computing device are, at least on facts analogous to those alleged here, “parties to any communications that they acquired,” meaning that such companies are not liable under the Wiretap Act. We also concluded that “some queried URLs qualify as content,” reasoning that a URL may convey “substantive information” about web browsing activity instead of mere “dialing, routing, addressing, or signaling information.” The first holding is fatal to the plaintiffs’ claim. The plaintiffs try to resist this conclusion. They contend that the one-party consent language in the Wiretap Act does not apply here because the plaintiffs were minors who were incapable of consenting at all. We agree with the District Court that the plaintiffs “have cited no authority for the proposition that the Wiretap Act’s one-party consent regime depends on the age of the non-consenting party.” Given the vast potential for unexpected liability whenever a minor happened to browse an Internet site that deployed cookies, we decline to adopt such a reading of the Act here. The plaintiffs also argue that, even if Google and Viacom were parties to any intercepted communications, they nonetheless acted unlawfully because the Wiretap Act imposes liability whenever someone intercepts information “for the purpose of committing ... [a] tortious act.” Here, the plaintiffs allege that the defendants’ use of cookies amounted to the common law tort of intrusion upon seclusion. We rejected a similar argument in Google, reasoning that the “tortious act” provision of the wiretapping statute only applies when “the offender intercepted the communication for the purpose of a tortious or criminal act that is independent of the intentional act of recording.” Consistent with our reasoning in Google, we will affirm the District Court’s dismissal of the plaintiffs’ wiretapping claim. C. The California Invasion of Privacy Act The California Invasion of Privacy Act “broadly prohibits the interception of wire communications and disclosure of the contents of such intercepted communications.” Google affirmed the dismissal of a claim under the California Act on the view that, like the federal wiretapping statute, the California Act does not apply when the alleged interceptor was a party to the communications. For the same reason, we will affirm the District Court’s dismissal of the plaintiffs’ similar claim here. D. The Federal Stored Communications Act Passed in 1986, the Stored Communications Act aims to prevent “potential intrusions on individual privacy arising from illicit access to ‘stored communications in remote computing operations and large data banks that stored emails.’ ” A person violates the Stored Communications Act whenever he or she “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” In Google, we affirmed dismissal of a claim under the Stored Communications Act because, in our view, personal computing devices were not protected “facilities” under the statute. For the same reason, we will affirm dismissal of the plaintiffs’ Stored Communications Act claim here. E. The New Jersey Computer Related Offenses Act The New Jersey Computer Related Offenses Act makes it unlawful to alter, damage, access, or obtain data from a computer without authorization. It also permits “[a] person or enterprise damaged in business or property” to sue for compensatory and punitive damages, as well as fees and costs. The plaintiffs allege that Viacom and Google violated the New Jersey Act by using Internet cookies to “access[ ] Plaintiffs’ and Class Members’ computers in order to illegally harvest Plaintiffs’ and Class Members’ personal information” without their consent. The District Court dismissed this claim because, in its view, the plaintiffs failed to allege that they had been “damaged in business or property,” as the plain text of the New Jersey Act requires. The plaintiffs believe that the District Court erred by failing to credit their theory of damage&emdash;namely, that the defendants’ appropriation of their personal information, without compensation, constituted unjust enrichment. The plaintiffs concede that “unjust enrichment has never been used as a measure of damages” under the New Jersey Act, but nonetheless encourage us to embrace this novel theory now. We decline to do so. In the first place, we have previously said that a claim under the New Jersey Act “require[s] proof of some activity vis-a-vis the information other than simply gaining access to it,” and the plaintiffs allege the defendants did no more than “gain access” to their information here. In addition, crediting this novel theory of injury would be inconsistent with our treatment of similar allegations in Google. The plaintiffs there brought claims for violation of the federal Computer Fraud and Abuse Act, which, like the New Jersey Act, requires a private plaintiff to show proof of “damage or loss.” The Google plaintiffs failed to satisfy this requirement because they “allege[d] no facts suggesting that they ever participated or intended to participate in the market [for sale of their information], or that the defendants prevented them from capturing the full value of their internet usage information for themselves.” Nor did they ever assert that “they sought to monetize information about their internet usage, nor that they ever stored their information with a future sale in mind.” The plaintiffs’ claim here fails for the same reason. To be sure, the New Jersey courts are free to interpret the requirement to show “damage[] in business or property” under the New Jersey Act differently than federal courts interpret the analogous requirement in the Computer Fraud and Abuse Act. But the plaintiffs have pointed us to no authority indicating that federal and state courts understand the two laws differently. In fact, the opposite appears to be true: courts seem to have interpreted the New Jersey Act in harmony with its federal counterpart. Because we conclude that the plaintiffs have failed to allege the kind of injury that the New Jersey Act requires, we will affirm the District Court’s dismissal of their claim. III. Claims Raising Issues Beyond Those We Addressed in Google While our spadework in Google goes a long way towards resolving this case, it does not do so entirely. The plaintiffs bring two claims — one for violation of the Video Privacy Protection Act, and one for intrusion upon seclusion under New Jersey law — that require us to break new ground. A. The Video Privacy Protection Act Congress passed the Video Privacy Protection Act in 1988 after the Washington City Paper published Supreme Court nominee Robert Bork’s video rental history. “The paper had obtained (without Judge Bork’s knowledge or consent) a list of the 146 films that the Bork family had rented from a Washington, D.C.-area video store.” According to the Senate Report accompanying the law’s passage, Congress passed the Act “[t]o preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.” The Act creates a private cause of action for plaintiffs to sue persons who disclose information about their video-watching habits. Unfortunately, as the Seventh Circuit has noted, the Act “is not well drafted,” requiring us to begin by summarizing a bit of legislative jargon. The Act defines several key terms: • Consumer: “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” • Video tape service provider: “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” • Personally identifiable information: “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider » To state a claim under the Act, a plaintiff must allege that “[a] video tape service provider ... knowingly disclose[d], to any person, personally identifiable information concerning any consumer of such provider.” The Act (i) sets a minimum penalty of $2,500 per violation, (ii) permits a plaintiff to recover punitive damages, reason-, able attorneys’ fees, and litigation costs, and (iii) empowers district courts to provide appropriate equitable relief. The plaintiffs allege that Viacom disclosed to Google URL information that effectively revealed what videos they watched on Nickelodeon’s websites, and static digital identifiers (such as IP addresses, browser fingerprints, and unique device identifiers) that enabled Google to link the watching of those videos to their real-world identities. They bring claims under the Act against both defendants. 1. Whether Google is an Appropriate Defendant under the Act The first question we confront is whom, exactly, the Act permits the plaintiffs to sue. The plaintiffs contend that the Act allows them to sue both a video tape service provider who discloses personally identifiable information and a person who receives that information. To put it another way, the parties seem to agree that the video clerk who leaked Judge Bork’s rental history clearly would have been liable under the Act had it been in force at the time — but what about the reporter at the Washington City Paper to whom he leaked the information? The plaintiffs say he would have been liable as well. Google (standing-in for the reporter in our fact pattern) disagrees. The text of the statute is not clear on this point. Subsection (b) states that a “video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (c).” Subsection (c), in turn, creates a private cause of action. It states that “[a]ny person aggrieved by any act of a person in violation of this section may bring a civil action in a United States district court.” But what constitutes a “violation of this section”? Google claims that the Act is violated only when a video tape service provider discloses personally identifiable information, as proscribed in subsection (b). The plaintiffs, by contrast, insist that they are just as “aggrieved” when a third party receives personally identifiable information as when a video tape service provider discloses it. In support of this argument, the plaintiffs rely exclusively on a somewhat dated case from a district court in our Circuit, Dirkes v. Borough of Runnemede. We find the plaintiffs’ reliance on Dirkes unpersuasive. Dirkes was a former police officer who was suspected of stealing pornographic videos from a citizen’s apartment. The allegations led local prosecutors to indict Dirkes for committing misconduct and led the local police department to open disciplinary proceedings. Even though Dirkes was eventually acquitted of the misconduct charge, the Borough’s inquiry continued. A Borough investigator learned from a video store clerk that Dirkes had rented several pornographic movies, and information about Dirkes’ video rental history was included in an internal affairs memorandum. That memorandum “was distributed to the Borough’s special counsel, who in turn distributed it in connection with Plaintiff Dirkes’ disciplinary hearing and in a proceeding before the Superior Court of New Jersey, Camden County.” In response to the dissemination of information about his video rental history, Dirkes and his wife sued the investigator, the police department, and the Borough for violating the Video Privacy Protection Act. The district court rejected the defendants’ argument that, as non-disclosing parties, they could not be liable under the Act. Instead, it reasoned that Congress’s broad remedial purposes in passing the statute would best be served by allowing plaintiffs to sue “those individuals who have come to possess (and who could disseminate) the private information.” No other court has interpreted the Act this way. As the Sixth Circuit explained in Daniel v. Cantrell, the better view is that subsection (b) makes certain conduct — the disclosure of personally identifiable information by a video tape' service provider — unlawful, and subsection (c) creates a cause of action against persons who engage in such conduct. Indeed, “if any person could be liable under the Act, there would be no need for the Act to define a [video tape service provider] in the first place.” Rejecting Dirkes’ focus on the Act’s remedial purposes, Cantrell observed that “[j]ust because Congress’ goal was to prevent the disclosure of private information, does not mean that Congress intended the implementation of every conceivable method of preventing disclosures.” The Seventh Circuit adopted the same reading of the Act in Sterk v. Redbox Automated Retail, LLC, concluding that “the more plausible interpretation is that [subsection (c) ] is limited to enforcing the prohibition of disclosure.” We agree with our colleagues in the Sixth and Seventh Circuits. Because we conclude that only video tape service providers that disclose personally identifiable information can be liable under subsection (c) of the Act, and because Google is not alleged to have disclosed any such information here, we will affirm the District Court’s dismissal of the claim against Google. 2. Whether Viacom Disclosed “Personally Identifiable Information” Viacom also argues that it never disclosed “personally identifiable information” about children who viewed videos on its websites. As we shall see, what counts as personally identifiable information under the Act is not entirely clear. The plaintiffs claim that Viacom disclosed to Google at least eleven pieces of information about children who browsed its websites. Three, in particular, are central to their claim under the Act. The first is a user’s IP address, “a number assigned to each device that is connected to the Internet” that permits computer-specific online tracking. The second is a user’s browser and operating system settings, which comprise a so-called “browser fingerprint.” The plaintiffs claim that these profiles are so detailed that the odds of two people having the same browser fingerprint are 1 in 286,777. The third is a computing device’s “unique device identifier.” What these pieces of information have in common is that they allegedly permit Google to track the same computer across time. So, for example, if someone with a Google account were to run a Google search from his or her computer, and then that person’s child were to visit Nick.com and watch a video on that same computer, the plaintiffs claim that Google could “match” the data (based on IP address, browser fingerprint, or unique device identifier) to determine that the same computer was involved in both activities. In the plaintiffs’ view, this means that Viacom, by permitting Google to use cookies on its website, effectively disclosed “information which identifies [a particular child] as having requested or obtained specific video materials or services from a video tape service provider,” thereby violating the Act. The plaintiffs also claim that Viacom acted “knowingly,” as the Act requires, because Viacom permitted Google to host ads on its websites despite being “aware of Google’s ubiquitous presence on the Internet and its tracking of users.” Viacom, by contrast, argues that static digital identifiers, such as IP addresses, do not qualify as personally identifiable information. It encourages us to interpret the Act against the backdrop of the problem it was meant to rectify — the disclosure of an actual person’s video rental history. So, for example, Viacom points to the Senate Report, which states that “personally identifiable information is intended to be transaction-oriented,” meaning that it “identifies a particular person as having engaged in a specific transaction with a video tape service provider.” Viacom reads this passage to suggest that the Act’s authors had brick-and-mortar transactions in mind when they crafted the law. In Viacom’s view, the information described by the plaintiffs is not personally identifiable because it does not, by itself, identify a particular person. Rather, it is “coded information, used for decades to facilitate the operation of the Internet, that theoretically could be used by the recipient to identify the location of a connected computer”— not to unmask the identity of a person using that computer. The parties’ contrasting positions reflect a fundamental disagreement over what kinds of information are sufficiently “personally identifying” for their disclosure to trigger liability under the Video Privacy Protection Act. At one end of the spectrum, of course, is a person’s actual name. Then there are pieces of information, such as a telephone number or a physical address, which may not by themselves identify a particular person but from which it would likely be possible to identify a person by consulting publicly available sources, such as a phone book or property records. Further down the spectrum are pieces of information, like social security numbers, which are associated with individual persons but might not be easily matched to such persons without consulting another entity, such as a credit reporting agency or government bureau. The kind of information at issue here— static digital identifiers — falls even further down the spectrum. To an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person. A great deal of copyright litigation, for example, involves illegal downloads of movies or music online. Such suits often begin with a complaint against a “John Doe” defendant based on an Internet user’s IP address. Only later, after the plaintiff has connected the IP address to an actual person by means of a subpoena directed to an Internet service provider, is the complaint amended to reflect the defendant’s name. Numerous district courts have grappled with the question of whether the Video Privacy Protection Act applies to static digital identifiers. Most have followed the rule adopted in In re Hulu Privacy Litigation.. The court there concluded that static digital identifiers that could, in theory, be combined with other information to identify a person do not count as “personally identifiable information” under the Act, at least by themselves. Other decisions are in accord. The district courts have not, however, been unanimous. The plaintiffs direct us to Yershov v. Gannett Satellite Information Network, Inc. The plaintiff there downloaded USA Today’s, free application onto his smartphone. He alleged that Gannett, which publishes USA Today, shared information about videos he watched on his phone with a third-party analytics company, Adobe Systems, Inc. The information did not include the plaintiffs name or address, but rather his cell phone identification number and his GPS coordinates at the time he viewed a particular video. Rejecting the approach taken in Hulu, Yershov concluded that any unique identifier — including a person’s smartphone ID — is personally identifiable information. It recognized that, in asking it to reach this conclusion, the plaintiff was “attempt[ing] to place a square peg (modern electronic technology) into a round hole (a statute written in 1988 aimed principally at videotape rental services).” Even so, the court stated that the Act applied to the disclosure of static identifiers that could theoretically permit a company like Adobe Systems to identify an individual video watcher. The First Circuit recently affirmed that conclusion. In our view, the proper meaning of the phrase “personally identifiable informa-* tion” is not straightforward. As a textual matter, “[t]he precise scope” of such information “is difficult to discern from the face of the statute — whether read in isolation or in its broader statutory context.” As a practical matter, norms about what ought to be treated as private information on the Internet are both constantly in flux and often depend on the novelty of the technology at issue. Even so, we And Viacom’s narrower understanding of what constitutes “personally identifiable information” under the Act more persuasive than the alternative offered by the plaintiffs. We begin with principles of statutory interpretation. We have said that when “the text [of a statute] is ambiguous or does not reveal congressional intent ‘with sufficient precision’ to resolve our inquiry[,] ... ‘a court traditionally refers to the legislative history and the atmosphere in which the statute was enacted in an attempt to determine the congressional purpose.’ ” Likewise, the Supreme Court had instructed us that “[w]hen technological change has rendered its literal terms ambiguous, [a law] must be construed in light of [its] basic purpose.” Our review of the legislative history convinces us that Congress’s purpose in passing the Video Privacy Protection Act was quite narrow: to prevent disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits. We do not think that, when Congress passed the Act, it intended for the law to cover factual circumstances far removed from those that motivated its passage. This becomes apparent by tracing the Video Privacy Protection Act’s legislative history. The Senate version of the Act was introduced in May of 1988, and the coordinate House bill was introduced about a month later. The two bills were considered in a joint hearing in August of 1988 before the relevant House and Senate subcommittees. The then-extant Senate bill would have punished both disclosures relating to video tape service providers and disclosures relating to library borrowing records. Senator Patrick Leahy, Chairman of the Senate Subcommittee on Technology and the Law, characterized the purpose of the Senate bill as follows: Most of us rent movies at video stores and we check out books from our community libraries. These activities generate an enormous report of personal activity that, if it is going to be disclosed, makes it very, very difficult for a person to protect his or her privacy. It really isn’t anybody’s business what books or what videos somebody gets. It doesn’t make any difference if somebody is up for confirmation as a Supreme Court Justice or they are running the local grocery store. It is not your business. Similarly, Representative Robert Kas-tenmeier, Chairman of the House Subcommittee on Courts, Civil Liberties, and the Administration of Justice, decried “attempts to obtain patrons’ [library] records, under circumstances that .... would violate most peoples’ perceptions of their right to privacy.” He expressed the view that • “American citizens should not have to worry that a government agent, or a reporter, or anyone else, will be able to find out what they are reading,” and argued that [t]hese principles apply as much to customers of video stores as to patrons of libraries.” According to the Senate Report, the provisions of the Act relating to libraries were removed because the Senate Judiciary Committee “was unable to resolve questions regarding the application of such a provision for law enforcement.” Even so, we think that legislators’ initial focus on both libraries and video stores indicates that the Act was meant to prevent disclosures of information capable of identifying an actual person’s reading or. video-watching habits. We therefore agree with our colleagues who have reviewed this same legislative history and concluded that the Act “protects personally identifiable information that identifies a specific person and ties that person to particular videos that the person watched.” The plaintiffs contend that, contrary to our interpretation, Congress intended to pass a'broad statute that would protect consumer privacy even as video-watching technology changed over time. To be fair, there are portions of the legislative history that might be read to support such a view. The text itself is also amenable to such an interpretation. After all, the Act says that personally identifiable information “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider,” and Congress’s, use of the word “includes” could suggest that Congress intended for future courts to read contemporary norms about privacy into the statute’s original text. But we ultimately do not think that the definition of personally identifiable information in the Act is so broad as to cover the kinds of static digital identifiers at issue here. This is not to say that the Act has become a dead letter with the demise of the corner video store. If, for example, Google were to start purposefully leaking its customers’ YouTube video-watching histories, we think such disclosures would almost certainly violate the Act. But trying to analogize between that kind of disclosure and Google’s use of cookies on Viacom’s websites is, at best, a strained enterprise. Nor are we persuaded by the plaintiffs’ citations to other federal privacy laws. For example, the plaintiffs ask us to consider how Congress used the phrase “personally identifiable information” (or its equivalents) in (i) the Children’s Online Privacy Protection Act, (ii) the Gramm-Leach Financial Modernization Act, (iii) the Federal Education Rights and Privacy Act, and (iv) the Health Insurance Portability and Accountability Act. Having done so, we do not think that the language in these other laws is as helpful as the plaintiffs suppose. If anything, the expansion of privacy laws since the Video Privacy Protection Act’s passage demonstrates that, whatever else “personally identifiable information” meant in 1988, it did not encompass the kind of information that Viacom allegedly disclosed to Google. We see this perhaps most clearly by juxtaposing the 1988 Video Privacy Protection Act with the Children’s Online Privacy Protection Act (“COPPA”), which Congress passed a decade later. That statute limits the gathering of personal information from children under the age of 13 on the Internet. It also requires parental consent for the collection, use, or disclosure of children’s personal information online and directs the Federal Trade Commission to issue regulations to that effect. The statute defines “personal information” to include: [A] first and last name; a home or other physical address ...; an e-mail address; a telephone number; a Social Security number; any other identifier that the [Federal Trade Commission] determines permits the physical or online contacting of a specific individual; or information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph. The Federal Trade Commission has promulgated two successive rules under this provision. The first, which became effective in April of 2000, defined “personal information” to include not only the kinds of information enumerated in the text of the law, but also “[a] persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information.” An updated regulation, effective in July of 2013, expanded this definition to include any “persistent identifier that can be used to recognize a user over time and ■ across different Web sites or online services,” including but not limited to “a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifi-gr ” It seems clear that the Commission’s updated definition of “personal information” comes much closer to capturing, if not wholly covering, the kinds of information at issue in this case. But that is of little help to the plaintiffs’ present claim. Instead, the evolution of these regulations demonstrates that, when Congress passed COPPA, it gave the Federal Trade Commission authority to expand the types of information that count as personally identifying under that law. In this way, Congress built flexibility into the statute to keep pace with evolving technology. The Video Privacy Protection Act, by contrast, does not empower an administrative agency to augment the definition of “personally identifiable information” in light of changing circumstances or new technologies. The meaning of that phrase in the Act is, it would appear, more static. Subsequent developments confirm this view. Congress amended the Video Privacy Protection in 2013, modifying those provisions of the law governing how a consumer can consent to the disclosure of personally identifiable information. The legislative history of the 2013 amendments demonstrates that Congress was keenly aware of how technological changes have affected the original Act. As one Senate report put it: At the time of the [1988 law’s] enactment, consumers rented movies from video stores. The method that Americans used to watch videos in 1988 — the VHS cassette tape — is now obsolete. In its place, the Internet has revolutionized the way that American consumers rent and watch movies and television programs. Today, so-called “on-demand” cable services and Internet streaming services allow consumers to watch movies or TV shows on televisions, laptop computers, and cell phones. Despite this recognition, Congress did not update the definition of personally identifiable information in the statute. What’s more, it chose not to do so despite the fact that the amicus supporting the plaintiffs here, the Electronic Privacy Information Center, submitted written testimony that included the following exhortation: [T]he Act does not explicitly include Internet Protocol (IP) Addresses in the definition [of personally identifiable information]. IP addresses can be used to identify users and link consumers to digital video rentals. They are akin to Internet versions of consumers’ home telephone numbers. ... We would propose the addition of Internet Protocol (IP) Addresses and account identifiers to the definition of [personally identifiable information] .... We think Congress’s decision to retain the 1988 definition of personally identifiable information indicates that the Act serves different purposes, and protects different constituencies, than other, broader privacy laws. We of course appreciate that the passage of time often requires courts to apply old laws in new circumstances. Assessing congressional intent in these cases can be difficult; indeed, Congress may not have considered the temporal problem at all. But here, our task is made easier by the fact that Congress has recently revisited the Video Privacy Protection Act and, despite the passage of nearly thirty years since its enactment, left the law almost entirely unchanged. We have previously explained that “the weight given subsequent legislation and whether it constitutes a clarification or a repeal is a context- and fact-dependent inquiry,” and “we may pay heed to the significance of subsequent legislation when it is apparent from the facts and context that it bears directly on Congress’s own understanding and intent.” We think Congress’s decision to leave the Act’s 1988 definition of personally identifiable information intact, despite recently revisiting the law, is one of those instances. Nor does our decision today create a split with our colleagues in the First Circuit. In interpreting the meaning of personally identifiable information in Yershov, the First Circuit focused on the fact that the defendant there allegedly disclosed not only what videos a person watched on his or her smartphone, but also the GPS coordinates of the phone’s location at the time the videos were watched. In the First Circuit’s view, “[gjiven how easy it is to locate a GPS coordinate on a street map, this disclosure would enable most people to identify what are likely the home and work addresses of the viewer {e.g., Judge Bork’s home and the federal courthouse).” That conclusion merely demonstrates that GPS coordinates contain more power to identify a specific person than, in our view, an IP address, a device identifier, or a browser fingerprint. Yershov itself acknowledges that “there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work” to trigger liability under this statute. We believe the information allegedly disclosed here is on that side of the divide. Of course, what we have said so far addresses the question of what counts as personally identifiable information in the abstract. The wrinkle in this case is that the party to whom the plaintiffs’ information was disclosed is Google, a company whose entire business model is purportedly driven by the aggregation of information about Internet users. The plaintiffs assert that Google can identify web users in the real world, and indeed seem to believe that Google, which purportedly “knows- more details about American consumers than any company in history,” aggregates so much information that it has, in effect, turned the Internet into its own private data collection machine. Or, as the plaintiffs’ amicus, the Electronic Privacy Information Center, puts it, concluding “that Google is unable to identify a user based on a combination of IP address ... and other browser cookie data ... would be like concluding the company that produces the phone book is unable to deduce the identity of an individual based on their telephone number.” Whether or not this is true, we do not think that a law from 1988 can be fairly read to incorporate such a contemporary understanding of Internet privacy. The allegation that Google will assemble otherwise anonymous pieces of data to unmask the identity of individual children is, at least with respect to the kind of identifiers at issue here, simply too hypothetical to support liability under the Video Privacy Protection Act. The argument also lacks a limiting principle. What makes the claim about Google’s ubiquity so intuitively attractive is the size of Google’s user base. Indeed, Google is large enough that we might well suppose that a significant number of its account holders also have children who watch videos on Viacom’s websites. But that seems like distinction without a difference. If an IP address were to count as personally identifiable information, either standing alone or coupled with similar data points, then the disclosure of an IP address to any Internet company with registered users might trigger liability under the Act. Indeed, the import of the plaintiffs’ position seems to be that the use of third-party cookies on any website that streams video content is presumptively illegal. We do not think the Video Privacy Protection Act sweeps quite so broadly. We recognize that our interpretation of the phrase “personally identifiable information” has not resulted in a single-sentence holding capable of mechanistically deciding future cases. We have not endeavored to craft such a rule, nor do we think, given the rapid pace of technological change in our digital era, such a rule would even be advisable. Rather, we have tried to articulate a more general framework. In our view, personally identifiable information under the Video Privacy Protection Act means the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior. The classic example will always be a video clerk leaking an individual customer’s video rental history. Every step away from that 1988 paradigm will make it harder for a plaintiff to make out a successful claim. Some disclosures predicated on new technology, such as the dissemination of precise GPS coordinates or customer ID numbers, may suffice. But others— including the kinds of disclosures described by the plaintiffs here — are simply too far afield from the circumstances that motivated the Act’s passage to trigger liability. Our decision necessarily leaves some unanswered questions about what kinds of disclosures violate the Video Privacy Protection Act. Such uncertainty is ultimately a consequence of our common-law system of adjudication and the rapid evolution of contemporary technology. In the meantime, companies in the business of streaming digital video are well advised to think carefully about customer notice and consent. Whether other kinds of disclosure will trigger liability under the Act is another question for another da