In recent years, there has been a wave of lawsuits alleging violations of the Video Privacy Protection Act (“VPPA”), targeting content providers for allegedly sharing users’ video viewing history data with third parties via website tracking pixels (e.g., the Meta and TikTok pixels). The Second Circuit previously seemed receptive to these claims. Notably, last October, in Salazar v. National Basketball Ass’n, 118 F.4th 533 (2d Cir. 2024), the Second Circuit took a very broad view of the term “consumer” under the VPPA, and expanded the group of plaintiffs with standing to sue.
However, this week, the Second Circuit pulled back significantly in Solomon v. Flipps Media, Inc., No. 23-7597-CV, 2025 WL 1256641 (2d Cir. May 1, 2025), holding that “personally identifiable information” (“PII”) under the VPPA only includes information that would allow an ordinary person—not just sophisticated technology companies—to identify an individual’s video-viewing behavior.
In Solomon, the Second Circuit dismissed a proposed class action accusing digital streaming provider Flipps Media Inc. (dba “FITE”) of violating the VPPA by installing the Meta Pixel on its website that transmitted information to Meta about its subscribers and the videos they were viewing on the platform. Significantly, the Second Circuit held that the disclosure of plaintiff’s Facebook ID, in conjunction with the URLs of the videos plaintiff accessed on FITE’s platform, did not constitute a violation of the VPPA.
By way of brief background, the VPPA is a federal statute that was enacted in 1988 in response to a newspaper article that published Supreme Court nominee Judge Robert Bork’s video rental records without his consent. This caused such an uproar that Congress enacted the VPPA to “preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.” S. Rep. No. 100-599, at 1 (1988) (Judiciary Committee). Under the VPPA, “video tape service providers,” which include streaming services providing pre-recorded video content, are prohibited from knowingly disclosing a consumer’s PII to a third party. 18 U.S.C. § 2710(b)(1). Although the VPPA states that PII “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider,” 18 U.S.C. § 2710(a)(3), the statute does not explicitly define or make clear what constitutes PII. Accordingly, many VPPA cases turn on the frameworks that courts use to determine what data/information qualifies as PII.
While the Second Circuit had not previously defined what qualifies as PII under the VPPA, the First, Third, and Ninth Circuits have held that PII constitutes more than just information that identifies an individual, but also information that can be used to identify an individual. However, a circuit split has emerged with respect to what information is “capable of identifying an individual” under the VPPA, with appellate courts taking two different approaches: (1) the reasonable foreseeability standard (First Circuit), and (2) the ordinary person standard (Third and Ninth Circuits). Under the First Circuit’s reasonable foreseeability standard, PII is “not limited to information that explicitly names a person,” but also includes information disclosed to a third party that is “reasonably and foreseeably likely to reveal which ... videos [the plaintiff] has obtained.” Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482, 486 (1st Cir. 2016). On the other hand, the Third and Ninth Circuits’ ordinary person standard limits PII “to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 267 (3d Cir. 2016); see also Eichenberger v. ESPN, Inc., 876 F.3d 979, 985 (9th Cir. 2017) (reasoning that the ordinary person standard was more appropriate because the VPPA “views disclosure from the perspective of the disclosing party” and “looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.”).
In Solomon, the Second Circuit chose sides and adopted the “ordinary person standard,” much to the relief of digital media companies and content providers. In this case, the plaintiff alleged that through FITE’s use of the Meta Pixel, FITE relayed to Meta a unique string of code that, if correctly interpreted, would identify the titles and URLs of the videos that the plaintiff accessed on FITE’s platform, in addition to the plaintiff’s Facebook ID. FITE moved to dismiss, arguing that the plaintiff failed to state a claim because the complaint did not identify what information on the plaintiff’s Facebook page would lead anyone to connect data in the alleged transmissions to her. The Court agreed.
Rejecting the First Circuit’s reasonable foreseeability standard, the Second Circuit concluded that PII “encompasses information that would allow an ordinary person to identify a consumer’s video-watching habits, but not information that only a sophisticated technology company could use to do so.” Solomon, 2025 WL 1256641 at *9 (emphasis added). The Court highlighted that the VPPA imposes liability on a video tape service provider that knowingly discloses a subscriber’s PII to a third party, which means that it “‘looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.’” Id. (citing Eichenberger, 876 F.3d at 985). Thus, the Court reasoned that the ordinary person standard is a more suitable framework because it would “not make sense that a video tape service provider’s liability would turn on circumstances outside of its control and the level of sophistication of the third party,” particularly given that the statute was enacted in response to a video clerk leaking an individual customer’s video rental history and before the Internet transformed how individuals and companies use consumer data. Id.
Here, the Court found it to be “implausible” that an ordinary person would look at the complex string of characters disclosed through the Meta Pixel (e.g., “title%22%3A%22-%E2%96%B7%20The%20Roast%20of%- 20Ric%20Flair”) and “understand it to be a video title.” Id. at *10. Similarly, the Court held that the plaintiff could not “plausibly allege that an ordinary person could identify” them through the disclosure of their Facebook ID, which is disclosed as a complex line of code, even if sophisticated Internet companies, like Meta, may be able to do so. Id. Thus, the plaintiff failed to plausibly allege that FITE disclosed PII under the VPPA, and the court affirmed the dismissal of the complaint.
This is a significant win for digital media companies and content providers, which have been the target of thousands of VPPA claims over the last several years, particularly with respect to their use of the Meta Pixel and other similar website tracking tools. This ruling continues a growing trend in the Second Circuit (previously reported on here) of being increasingly unfavorable to plaintiffs asserting violations of privacy laws related to website tracking technologies.