By Steve Kramarsky

In 1987, D.C. Circuit Court Judge Robert Bork, Ronald Reagan’s nominee for the Supreme Court, was facing a difficult (and ultimately unsuccessful) confirmation hearing. Judge Bork was a controversial pick for numerous reasons, including his view of personal privacy, which he saw as extremely limited under the Constitution.

A reporter for the Washington City Paper named Michael Dolan realized that he and Judge Bork frequented the same D.C. video rental store and decided to test the limits of that view. He asked the store for Judge Bork’s video rental history and, because there was no law protecting that information at the time, he received a list of 146 tapes the Judge had checked out over the previous two years.

Other than the number of titles the list was not very interesting – there were no salacious titles, and Judge Bork’s taste was fairly middle-brow – but Dolan’s somewhat snarky article, and the fact that he was able to get the information, became the talk of Washington.

Congress acted with unusual speed (perhaps motivated by members with rental histories more interesting than Judge Bork’s) and within a year enacted the Video Privacy Protection Act, 18 U.S.C. §2710, (the VPPA).

The VPPA was intended to preserve personal privacy regarding the consumption of video tapes and similar audio-visual material. Like many early privacy statutes, it attempts to be both narrowly focused (on the issue of video privacy) and broadly applicable (to whatever technology may come along).

Unfortunately, as numerous courts have noted, the statute is not well drafted and its definition of personally identifiable information is unclear, leading to differing judicial interpretations.

Despite these challenges, the VPPA has survived. Video stores are gone, but VPPA cases are enjoying a resurgence as a favorite tool of the class action bar. These new class action cases are generally based on “tracking pixels,” a widely-used web technology that silently transmits data about a user’s browsing habits to an advertising service provider (such as Google or Meta) for data aggregation and user analytics purposes.

Most commercial websites use some form of tracking technology (most often the Facebook Pixel, now known as the Meta Pixel), and many users are not aware that it exists. Generally, websites do not offer an opt-out for this kind of tracking, and the familiar “reject cookies” dialog box may or may not prevent it, depending on how the site is configured.

Plaintiffs in these cases have been quick to point out the scope of deployment of this technology and its potential privacy implications. On the flip side, the kind of data transmitted by tracking pixels is not what would traditionally be called “personally identifiable information,” nor is it in a form that could have been anticipated when the VPPA was passed in 1988.

Courts have struggled to strike a balance between protecting the privacy of users and enabling web business to function efficiently and economically. A recent Second Circuit decision reflects the effort to strike that balance and apply the plain text of the VPPA in the tracking pixel context. Solomon v. Flipps Media, Inc., No. 23-7597-CV, 2025 WL 1256641 (2d Cir. May 1, 2025).

Solomon Case Background

The facts in Solomon have become familiar in recent years, as “the VPPA has generated extensive litigation” across the country. Defendant FITE (now rebranded as Triller TV) is a digital media company that provides subscribers with video content through its website and applications, including pre-recorded videos, pay-per-view, and live streaming events.

Facebook (now called Meta) is an “unrelated third party” involved in the case through its ad service business. Facebook creates and sells tracking products such as the “Facebook Pixel” (the Pixel), which website operators can use to collect information about their subscribers.

The Pixel is a piece of code that a website owner can add to its website that relays information to Facebook about a user’s browsing for aggregation and reporting back to the website owner. The information collected includes “whether consumers initiate purchases, what items they view, and the content consumers access on a particular webpage.”

Facebook uses this information to generate a detailed user profile, which it provides to the website owner to enable targeted advertising.

FITE deployed the Pixel on its website and configured it to include “Page View,” an optional feature that allows the Pixel to capture “the URL and title of each video that a user accesses on a provider’s website,” along with a unique Facebook ID (the FID), which “identifies the individual more precisely than a name or email address.”

Following implementation of the Pixel, each time a FITE user accessed a video on a FITE application or website, FITE sent Facebook certain information about the user and their viewing history through the Pixel.

The court’s opinion in Solomon includes a screenshot of the “GET request” generated and sent to Facebook each time a user accesses a video, and while the information is complex and difficult to read, it is possible to find the video title and unique user ID in the block of information.

The opinion notes that this information is sent to Facebook regardless of whether the user is logged on to Facebook, and “even after they clear their browser histories,” and that FITE does not disclose the Pixel in its terms of use or provide and opt-out.

Solomon was a Facebook user and FITE subscriber who brought a consumer privacy class action in 2022 on behalf of similarly situated FITE subscribers and customers. FITE moved to dismiss, and the district court granted the motion (and denied leave to amend) on the grounds that Solomon could not plausibly allege that FITE disclosed “personally identifiable information” to Facebook in violation of the VPPA. The Second Circuit agreed and, after a lengthy analysis, affirmed.

The Complex Question of “Personally Identifiable Information”

The central issue in Solomon, and in similar actions pending across the country, is the appropriate interpretation of the phrase “personally identifiable information” in the context of the VPPA.

The statute is broadly drafted and states that a “video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person”. 18 U.S.C. §2710(b)(1).

It defines “video tape service provider” to include not only the brick-and-mortar videotape stores of the time, but anyone engaged in the “sale, or delivery of prerecorded video cassette tapes or similar audio visual materials,” as well as anyone to whom a disclosure is made. 18 U.S.C. §2710(a)(4).

Thus courts, including those in the Second Circuit, have routinely held that websites that provide pre-recorded video content (as opposed to exclusively live streaming) are subject to regulation under the VPPA. Here, it was undisputed (if a little odd) that FITE is a “video tape service provider” for purposes of the VPPA.

The more complicated issue is the definition of “personally identifiable information” (PII). The VPPA does not specifically define PII, stating only that it “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. §2710(a)(3).

The Solomon opinion notes that “courts across the country, including lower courts in this circuit, have observed that the VPPA is ‘not well drafted’ and that its definition of personally identifiable information is ‘oblique’ and not ‘clear.’” Solomon, 2025 WL 1256641, at *5 (internal citations omitted).

The opinion further notes that the Second Circuit has not directly addressed this issue, but that the circuits that have addressed it have adopted two different standards.

Every circuit to consider the scope of PII under the VPPA has held that it includes not only information that directly identifies an individual (such as name and address), but also information that can be used to identify an individual. In Solomon, the Second Circuit agrees.

Based upon the plain language of the statute and the supporting legislative history, the court concludes that “Congress intended the VPPA to cover not just information that, by itself, identifies a consumer’s video-viewing history, but also information capable of being used to do so.”

The remaining question is: used by whom? Should the court consider the capabilities of the party that actually receives the information (here, Facebook, a highly sophisticated technology company with a large database of customer information), or should it examine the information from the point of view of an “ordinary person”?

In the First Circuit, the standard focuses on the “reasonably foreseeable” use of the information by the recipient. If the receiving party is technically sophisticated or can use a proprietary system to identify the user, even if an ordinary person could not do so, then transmittal of the information to that party may violate the VPPA.

That standard, articulated in Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482, 486 (1st Cir. 2016), provides broad protection because it considers the ultimate use of the information by the recipient.

The data transmitted by websites to advertisers (such as Facebook) or licensing providers (such as Adobe in the Yershov case) may be “anonymized” behind a device id or IP address, but the recipient typically has ways to tie the information back to a specific user, which is why it is collected in the first place.

In the Third and Ninth Circuits, the standard is different. Rejecting the “reasonably foreseeable” standard from Yershov, which focuses on the capabilities of the recipient, the Third Circuit has adopted an “ordinary person” standard, under which the VPPA’s protection applies “only to the kind of information that would readily permit an ordinary person to identify a specific individual's video-watching behavior.” In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 267 (3d Cir. 2016).

Under this standard, the information at issue in Yershov (GPS coordinates and a Device ID) would not be protected, because it does not directly identify the user without substantial technical work by the sophisticated recipient.

The Ninth Circuit, considering both standards, adopted the Third Circuit’s “ordinary person” test, finding that it “better informs video service providers of their obligations under the VPPA.” Eichenberger v. ESPN, Inc., 876 F.3d 979, 985 (9th Cir. 2017).

In Solomon the Second Circuit examines all three of these decisions and “adopt[s] the Third and Ninth Circuits’ ordinary person standard.” Solomon, 2025 WL 1256641, at *8. Looking at the plain language of the statute, as well as the context in which it was enacted in 1988, the court finds that PII “encompasses information that would allow an ordinary person to identify a consumer's video-watching habits, but not information that only a sophisticated technology company could use to do so.”

Specifically, the court notes it would be unfair to impose liability on a service provider based on the level of sophistication of the third party, and that the “ordinary person” framework informs service providers of their obligations without impermissibly broadening the VPPA to include the disclosure of “technological data.”

In short, it provides a middle ground between privacy protection and the operational realities of the modern internet.

In addition, the court notes that the “ordinary person” standard is more in keeping with the statute’s legislative history. It is unlikely that, in 1988, when the statute was passed, Congress was thinking about the way consumer data would be collected and processed by sophisticated data-aggregation engines today.

The court notes that, when the VPPA was amended in 2013, there was a push to include IP addresses in the definition of PII, but Congress declined to do so, suggesting that the VPPA protects different information from other, broader privacy laws.

Having adopted the narrower “ordinary person” standard, the court examines the sample “GET request” included in the opinion and determines that the obfuscated video URL and Facebook ID included in the code transmitted to Facebook do not qualify for protection under the VPPA.

Although the information needed to identify the user and video title is present in the text of the GET request, the court finds it implausible that an ordinary person would be able to locate it in the “twenty-nine lines of computer code,” or that an ordinary person would ever see that code in the first place. For those reasons, the court affirms dismissal of the complaint.

Finding A Balance

The Second Circuit’s decision in Solomon resolves an issue that has divided the lower courts even within the Southern District of New York for several years. For example, Judge Rakoff reached the same result in 2022, adopting the “ordinary person” standard in Wilson v. Triller, Inc., 598 F. Supp. 3d 82, 89 (S.D.N.Y. 2022).

But just weeks before the Solomon decision, Judge Liman reached the opposite conclusion, rejecting Wilson and the “ordinary person” standard, and holding that “a Facebook ID is a type of information which qualifies as PII [under the VPPA] because it is capable of identifying an individual.” Lee v. Springer Nature Am., Inc., No. 24-CV-4493 (LJL), 2025 WL 692152, at *15 (S.D.N.Y. Mar. 4, 2025).

Judge Liman’s decision in Lee will presumably be subject to reconsideration after Solomon, but his analysis is compelling. He notes that the purpose of the VPPA is to protect ordinary people from invasions of privacy, and the statute is focused on the provider of the information, not the recipient.

Liman writes: “Congress intended to protect renters of video materials from the savvy reporter as well as from the average person. The statutory text makes that clear: an ordinary person would not necessarily have the time, motivation or skill to link a physical address to a person, but physical addresses are protected because they are closely linked to individual identity.

Digital identifiers cannot be excluded from the definition of PII simply because a hypothetical ‘ordinary person’ does not understand how to use them.”

This reasoning is compelling from a privacy perspective. If the only statutory goal is maximizing user privacy, then the best reading is one that accounts for the ultimate use of the information by the recipient.

But that argument may prove too much. In the current environment of targeted advertising and increasingly detailed user profiling, almost everything becomes PII, and prohibiting the sharing of any user data at all would end up “siloing” content in ways that users likely would not enjoy. The “ordinary person” test adopted by the Second Circuit strikes a balance between privacy and practicality.

As Liman correctly points out in Lee, it is not a perfect fit for the statutory language, but absent a complete overhaul of the VPPA by Congress, it is likely to be the dominant interpretation going forward, at least outside of the First Circuit.

This article first appeared in the New York Law Journal on June 24, 2025. Stephen M. Kramarsky, a member of Dewey Pegno & Kramarsky, focuses on complex commercial and intellectual property litigation.