On February 2, 2026, the U.S. District Court for the Northern District of Illinois denied a motion to dismiss a putative class action alleging that a video distributor unlawfully shared its customers’ viewing and purchase information with Facebook through the Facebook Pixel, in violation of the federal Video Privacy Protection Act (VPPA).
The Allegations: Facebook Pixel and Video Purchase Data
Plaintiffs allege that:
- Defendant installed the Facebook Pixel on its ecommerce site.
- When a logged‑in Facebook user purchased video content (movies or TV shows) from the site, the Pixel worked with Facebook cookies in the user’s browser to:
- Capture the user’s video purchase information; and
- Transmit that information to Facebook, tied to the user’s Facebook ID.
- Facebook allegedly used that linked data to target advertisements back to those users.
Plaintiffs assert that this practice violates the VPPA’s prohibition on the knowing disclosure of personally identifiable information (PII) about an individual’s video viewing or purchase history without consent.
Defendant moved to dismiss for lack of standing, failure to state a claim, and on First Amendment grounds. The court rejected each argument.
Standing: Data Sharing for Ad Targeting Can Be a Concrete Privacy Injury
Defendant argued that plaintiffs lacked Article III standing because they had not alleged a “concrete” injury. Relying on the Supreme Court’s TransUnion framework (requiring a close common‑law analogue), the court held:
- The alleged harm—nonconsensual disclosure of private viewing information to Facebook for ad targeting—has a close analogy in the common‑law tort of public disclosure of private facts, even if the information was not made broadly “public.”
- The court distinguished the Seventh Circuit’s 2023 decision in Nabozny v. Optio Solutions (which found no standing where a debt collector shared data with a purely ministerial vendor):
- In Nabozny, the third party was merely a “ministerial intermediary.”
- Here, Facebook is not ministerial; it allegedly pays for the data and uses it to shape users’ media environment through targeted ads.
Plaintiffs allege injury to their “privacy.” See R. 1 at 2 (¶ 7). Shout argues that the “only possibly relevant” common law analogue is the tort of “public disclosure.” See R. 41 at 5. Shout argues further that Plaintiffs fail to allege the tort of public disclosure because they do not allege that Shout “publicized” the information about Plaintiffs’ video purchases, but merely that Shout shared it with “discrete companies … for business purposes.” Id. According to Shout, “there is nothing to suggest that anyone at Facebook … ever reviewed or appreciated the combination of Plaintiffs’ Facebook IDs and information about videos they purchased—and certainly no allegations that information about Plaintiffs’ movie purchases was exposed to the public.” Id.
Shout also contends that its argument is supported by the Seventh Circuit’s decision in Nabozny v. Optio Sols. LLC, 84 F.4th 731 (7th Cir. 2023). In Nabozny, the plaintiff claimed a violation of the Fair Debt Collection Practices Act based on allegations that a debt collector disclosed information about the plaintiff’s debt to a third party hired to assist the debt collector in preparing and sending letters to its debtors. The Seventh Circuit held that the closest common law privacy tort was “public disclosure of private facts.” Id. at 735. But the court also held that the plaintiff failed to allege that the debt collector publicized the plaintiff’s information, “or even that [the third party] read or appreciated [the plaintiff’s] information.” Id. at 736. Ultimately, according to the Seventh Circuit, the “transmission of information to a single ministerial intermediatory does not remotely resemble the publicity element” necessary to the tort of public disclosure. See id.
*2 Shout’s reliance on Nabozny, however, ignores the Seventh Circuit’s emphasis that the “distinction between public and private communication … is a qualitative inquiry, not a quantitative one.” Id. at 736. In other words, the “transmission of information to a single ministerial intermediary” did not constitute publication, not because it was made to a single entity, but because the entity was merely a ministerial intermediary.
Here, it is not plausible to describe Facebook—one of the world’s largest social media corporations—as a ministerial entity. Far from it, Plaintiffs allege that Facebook paid Shout to disclose Plaintiffs’ video purchases to Facebook so that Facebook could use that information to target advertisements at Plaintiffs. This is not a ministerial transaction unrelated to Plaintiffs’ privacy interests.
- The court emphasized that qualitatively, selling or transferring video‑viewing data to a major social media platform for behavioral advertising purposes is a modern privacy intrusion.
Citing recent Second and D.C. Circuit decisions involving similar data‑sharing and ad‑tech practices, the court concluded that plaintiffs had plausibly alleged a concrete privacy injury and therefore had standing.
Damages: VPPA Liquidated Damages Available Without Proof of Actual Harm
The VPPA authorizes “actual damages but not less than liquidated damages in an amount of $2,500” per violation. Defendant argued that plaintiffs must allege and prove actual damages to recover the $2,500 statutory amount. The court disagreed, reasoning:
- The Supreme Court’s Doe v. Chao decision (which required actual damages under the federal Privacy Act) turned on specific statutory language limiting recovery to those “entitled to recovery” based on actual damages.
- The VPPA contains no similar eligibility limitation; instead, it states that actual damages “may” be awarded but “not less than” $2,500 in liquidated damages.
- The Supreme Court in Chao itself used language akin to the VPPA as a hypothetical example of a regime where liquidated damages would be available without actual damages, and other circuits have treated that dicta as persuasive.
- Privacy harms are often intangible and difficult to quantify; statutory liquidated damages are an accepted substitute.
The court also noted that the Seventh Circuit has previously characterized the VPPA as allowing $2,500 in liquidated damages “without need to prove ‘actual damages.’”
What Counts as “Personally Identifiable Information” Under the VPPA?
A core issue was whether the data allegedly shared—Facebook ID plus video titles or purchase details—qualifies as “personally identifiable information” under the VPPA.
Competing Interpretive Approaches
Courts are split on what it means for information to “identify a person” as having requested or obtained specific video materials:
- “Ordinary person” standard (Third and Second Circuits): PII must “readily permit an ordinary person to identify” a specific individual’s video‑watching behavior.
- Under this view, complex code or identifiers embedded in Pixel data may not qualify because an ordinary person would not understand them.
- “Reasonably and foreseeably likely” standard (First Circuit): PII includes data that is reasonably and foreseeably likely to reveal which videos a specific customer acquired—even if additional knowledge or tools are required.
Defendant urged the court to follow the “ordinary person” approach and argued that the Facebook Pixel’s encoded data and numeric Facebook IDs are not intelligible to an ordinary observer.
Court’s Focus: The Disclosing Party’s Actual Knowledge
The court took a different path, emphasizing the VPPA’s “knowing” disclosure requirement:
- The statute looks at what the video service provider knows about how the information will be used, not just what a hypothetical ordinary person could deduce from a single data field.
- Plaintiffs alleged that defendant knew that:
- Facebook would identify site visitors who had Facebook accounts; and
- The defendant was transmitting both user identification (via Facebook ID) and specific video purchase information.
- Because actual knowledge was plausibly alleged, the court found it unnecessary to rely on a constructive “ordinary person” standard.
The court also rejected arguments that:
- It was plaintiffs’ “own browsers,” not the defendant, that disclosed the data. The court characterized the browser’s role as occurring only because the defendant had installed the Pixel code and thereby “commandeered” the browser.
- The disclosure was not “knowing” because defendant didn’t know which specific customers had Facebook accounts. The court held it was enough that the defendant allegedly knew the Pixel would track and identify any of its customers who were Facebook users.
First Amendment Challenge to the VPPA Rejected
Defendant asserted that the VPPA violates the First Amendment, arguing that:
- It is speaker‑based (applies only to “video tape service providers”); and
- It is content‑based (its application depends on the content of the disclosure—video viewing information).
Defendant urged that strict scrutiny should apply, citing recent Supreme Court decisions (Reed and Sorrell) that invalidated content‑ and speaker‑based laws.
Commercial Speech and Intermediate Scrutiny
The court declined to apply strict scrutiny, holding that:
- The disclosures at issue—selling or transmitting consumer video‑viewing data in connection with commerce—are commercial speech.
- Longstanding Supreme Court precedent (Central Hudson) subjects commercial speech regulations to intermediate scrutiny, not strict scrutiny.
- Neither Reed nor Sorrell clearly altered this framework, and numerous courts continue to apply Central Hudson to commercial speech after those cases.
- Other courts evaluating VPPA challenges have similarly treated the statute as regulating commercial speech subject to intermediate scrutiny.
Significant Government Interest and Narrow Tailoring
Applying intermediate scrutiny, the court found:
- Protecting consumer privacy—especially the confidentiality of what individuals watch—is a significant governmental interest that is well established in case law.
- The VPPA also protects consumers’ First Amendment interest in freely receiving information and ideas, by reducing the chilling effect that might occur if viewing choices were tracked and disclosed.
- The statute is appropriately tailored:
- It targets only entities that sell, rent, or deliver video materials—those uniquely positioned to access viewing or purchase data.
- Limiting those entities’ ability to disclose such data directly advances the goal of keeping viewing habits private.
- The statute is not unconstitutionally underinclusive merely because it does not similarly regulate other media (e.g., books). Legislatures may address problems incrementally and focus on particular sectors.
Sam Welbel; Michael Archer; & Dylen Macaluso, individually & on behalf of all others similarly situated, v. Shout! Factory, LLC, No. 24 C 6426, 2026 WL 266561 (N.D. Ill. Feb. 2, 2026).
