On June 4, 2025, the U.S. Court of Appeals for the Second Circuit affirmed the dismissal of a putative class action against a video streaming service provider for alleged violations of the Video Privacy Protection Act (VPPA).
The plaintiff, a subscriber to a digital video streaming service, alleged that the provider violated the VPPA by transmitting her Facebook ID and the titles of videos she watched to Facebook through the use of Facebook’s Pixel tracking tool. The information was used for targeted advertising purposes. The district court dismissed the complaint, finding that the information disclosed did not amount to PII under the VPPA, and denied the plaintiff’s request to amend her complaint.
The central issue on appeal was the scope of “personally identifiable information.” Under the VPPA:
the term “personally identifiable information” includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider….
Two competing standards have emerged in the federal courts:
- The “reasonable foreseeability” standard, which considers whether it is reasonably foreseeable that a third party could use the disclosed information to identify an individual’s video viewing history.
- The “ordinary person” standard, which limits PII to information that would permit an ordinary person, without specialized knowledge or resources, to identify a specific individual’s video-watching behavior.
The Second Circuit adopted the “ordinary person” standard, aligning with the Third and Ninth Circuits. The court reasoned that this approach better informs video service providers of their obligations and avoids imposing liability based on the capabilities of sophisticated third parties, such as large technology companies.
We decline to adopt Yershov‘s reasonable foreseeability standard because it focuses on what a recipient can or cannot reasonably do when given personal information. 820 F.3d at 486. The “classic example” of the “1988 paradigm” is “a video clerk leaking an individual customer’s video rental history,” and the VPPA was not intended to create liability [*27] where a third party is able to “assemble otherwise anonymous pieces of data to unmask the identity of individual [users].” In re Nickelodeon, 827 F.3d at 290; see also Eichenberger, 876 F.3d at 985 ( “‘[P]ersonally identifiable information’ must have the same meaning without regard to its recipient’s capabilities. Holding otherwise would make ‘the lawfulness of a disclosure depend on circumstances outside of a video service provider’s control.’” (quoting Mollett v. Netflix, Inc., 795 F.3d 1062, 1066 (9th Cir. 2015) (alterations adopted)).
Solomon v. Flipps Media, Inc., 136 F.4th 41 (2d Cir. 2025).
