Last week, the Second Circuit affirmed dismissal of a putative class action under the Video Privacy Protection Act (VPPA), holding that the alleged transmission of code containing video titles and a unique user ID to a third-party is not a disclosure of “personally identifiable information” (PII). The decision, Solomon v. Flipps Media, Inc., 23‐7597 (2d Cir. May 1, 2025), aligns the Second Circuit with the Third and Ninth Circuits in holding that the VPPA only prohibits the disclosure of information that would “readily permit an ordinary person to identify a specific individual’s video-watching behavior.”
Plaintiff, a subscriber to FITE TV, had alleged that the streaming service sent two pieces of information to a third-party each time she streamed a video: (1) a sequence of characters that, “if correctly interpreted, would identify the title and url of the video,” and (2) “a unique sequence of numbers linked to her Facebook profile.” The district court held that this information was not PII as defined by the VPPA, which covers only information that “identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3).
On appeal, the Second Circuit recognized that courts have held that PII under the VPPA includes “more than just information that identifies an individual, but also information that can be used to identify an individual.” Yet two different approaches have emerged for determining whether transmitted information can be used to identify an individual. The First Circuit has established a “reasonable foreseeability” standard, holding that PII includes information that is “reasonably and foreseeably likely” to reveal which videos a plaintiff has obtained. Under this standard, plaintiffs have argued that information is PII if a technology company could use the information to identify an individual’s viewing history. In contrast, the Third and Ninth Circuits have adopted the “ordinary person” standard, under which information constitutes PII only if an ordinary person could readily use it to identify an individual’s viewing history.
The Second Circuit concluded that the “ordinary person” standard is more consistent with VPPA’s text, context, and history. The Court explained that the VPPA focuses on what information the disclosing party reveals, not what a third party might be capable of deducing from that information. The Court reasoned that it would “not make sense” for liability to “turn on circumstances outside of” the defendant’s “control and the level of sophistication of a third party.” The Court also observed that, at the time the VPPA was enacted in 1988, the Internet had not transformed how consumer data was used.
Applying the ordinary person standard, the Court held that Plaintiff failed to plausibly allege disclosure of PII because the strings of dense, unlabeled code allegedly disclosed by Defendant would not reveal Plaintiff’s viewing history or identity to an ordinary person.
The Second Circuit’s common-sense approach has the potential to narrow exposure under the VPPA, affirming that companies should not have to guess what third parties may hypothetically attempt to uncover from transmitted data.