Last week, two federal court decisions narrowed the definition of personally identifiable information (“PII”) under the Video Privacy Protection Act, 18 U.S.C. § 2710 (“VPPA”), providing support for a more defendant-friendly interpretation of what data is actionable under the statute.
Solomon v. Flipps Media, Inc., No. 23-7597-CV, (2d Cir. May 1, 2025)
The Second Circuit Court of Appeals ruled in Solomon v. Flipps Media, Inc., No. 23-7597-CV (2d Cir. May 1, 2025), that FITE TV’s disclosure to Meta of URLs of pages with videos plaintiff streamed along with her Facebook ID (“FID”) via the Facebook Pixel did not violate the VPPA because it did not fit the meaning of PII under the statute.
Ordinary Person Standard
The Second Circuit rejected the idea that data qualifies as PII simply because it could possibly be used by someone—anyone—to identify a person. Instead, the Flipps court adopted an “ordinary person” standard, limiting VPPA PII to “information that would allow an ordinary person to identify a consumer’s video-watching habits, but not information that only a sophisticated technology company could use to do so.”1 Interpreting the VPPA’s plain text, the court noted that not only does the VPPA “more naturally read” as referring to an ordinary person’s abilities, but the alternate interpretation plaintiff advanced, which asked whether a recipient might be able to use information to identify a person, focused improperly on the recipient rather than the disclosing party.
As the Second Circuit explained, the ordinary person standard “better informs video service providers of their obligations under the VPPA,” as providers can focus on what information they disclose, rather than the recipient’s technological sophistication.2 Further, at the time that the VPPA was enacted in 1988, it was intended to prevent disclosure of straightforward information about what videos someone had rented, not complex data that requires specialized knowledge to decipher.
Application
Applying the ordinary person standard to the URL disclosed through FITE’s use of the Pixel, the court explained it was “implausible” that an ordinary person would understand multiple lines of code containing the URL of a page to be a video title.3 Similarly, the court found that it was “not plausible that an ordinary person [without assistance] would see the ‘c_user’ phrase on FITE’s servers and conclude that the phrase was a person’s FID.”4 The FID is “just one phrase embedded in many other lines of code,” and the complaint failed to plausibly allege how someone could identify the plaintiff through the code.5 Accordingly, the court affirmed dismissal.
Therrien v. Hearst Television, Inc., No. CV 23-10998-RGS (D. Mass. Apr. 25, 2025)
Additionally, in Therrien v. Hearst Television, Inc., No. CV 23-10998-RGS (D. Mass. Apr. 25, 2025), the U.S. District Court for the District of Massachusetts ruled at summary judgment that Hearst did not violate the VPPA by sending users’ email addresses and Android Advertising IDs (“AAIDs”) to certain third parties.
Email Addresses
As to the alleged sharing of email addresses, the court contrasted the case with the First Circuit decision, Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482 (1st Cir. 2016), which held a disclosure of data could violate the VPPA if the receiving entity can link that data to information that reveals a subscriber’s identity.6 In Yershov, plaintiff alleged that defendant sent users’ geolocation data to a third party that could link that data to a specific device’s identifying information—and thereby discover what individuals watched. But in Hearst, there was no evidence in the summary record that the receiving entity had a system to link the email addresses it received “to a certain person by name, address, phone number, and more.”7
The court further found that because the plaintiff “purposefully” shared his email address, “signed up to receive newsletters and updates,” and could have opted out at any time, the disclosure of his email address to a user analytics platform was “incident to the ordinary course of business” and therefore exempt from the VPPA’s ambit. 8
AAIDs
As to the AAIDs allegedly disclosed by Hearst, the Court held that “[w]hile AAIDs can uniquely distinguish a device at a point in time, they do not provide data that identifies any individual person.”9 Without additional contextual information, such as a home address or name, the Court concluded, an AAID is not actionable PII because it alone cannot identify a person.
Conclusion
The Solomon court’s adoption of the ordinary person standard and application of that standard to find that page view URLs and FIDs are not VPPA PII meaningfully narrows plaintiffs’ means to pursue VPPA claims based on the Meta Pixel in the Second Circuit, which is particularly important because of the large percentage of VPPA cases filed within that Circuit. Solomon narrows the scope of what plaintiffs can allege as PII by re-focusing on the concerns that motivated the statute’s passage in 1988. Defendants, especially those utilizing the Meta Pixel or similar technologies, will likely have a stronger foothold going forward when faced with allegations that sharing URL information with advertisers constitutes a VPPA violation.
The Hearst decision illustrates the risk to plaintiffs that even if they can survive a motion to dismiss based on a theory, they need to be able to provide evidence that what they said happened actually happened, which is often not the case, particularly when it comes to a third-party vendor actually identifying a user. It likewise provides support for the argument that a court should consider whether a plaintiff’s sign-up and opt-in decisions constitute requests for which a video tape service provider must disclose PII in order to fulfill its obligations in the “ordinary course of business” — as opposed to a disclosure made only to drive additional revenue. While the decision is something of an outlier, given few VPPA cases have reached summary judgment, it offers a basis for an alternative, more defendant-friendly interpretation of a key VPPA requirement.
