Establishing the “Ordinary Person” Standard for Personally Identifiable Information Under the VPPA

Establishing the “Ordinary Person” Standard for Personally Identifiable Information Under the VPPA

Introduction

Detrina Solomon v. Flipps Media, Inc. (No. 23-7597-cv) is a Second Circuit decision addressing the scope of “personally identifiable information” (PII) under the Video Privacy Protection Act, 18 U.S.C. § 2710. The plaintiff, a subscriber to Flipps Media’s video-streaming platform (dba FITE TV), alleged that FITE impermissibly disclosed her video-viewing history and Facebook identifier (FID) to Meta Platforms, Inc. via a tracking tool known as the Facebook Pixel. The District Court dismissed her complaint under Fed. R. Civ. P. 12(b)(6) for failure to allege PII and denied leave to amend. On appeal, the Second Circuit affirmed, adopting an “ordinary person” test for PII under the VPPA and holding that the raw code and numeric identifiers transmitted by FITE do not qualify.

Summary of the Judgment

The Court of Appeals unanimously affirmed the dismissal. It held that the VPPA’s definition of PII (“information which identifies a person as having requested or obtained specific video materials or services”) must be read from the perspective of what an ordinary recipient could readily use to identify a consumer’s video-watching habits. Technical metadata—URL-encoded characters intermingled with letters and digits, or a numeric “c_user” cookie string—does not permit identification by the average person without substantial decoding or back-end access to Meta’s internal systems.

The court also found no abuse of discretion in the district court’s denial of leave to amend. Solomon had been put on notice of the deficiencies, yet she requested amendment only in a single footnote, without proposing substantive changes.

Analysis

Precedents Cited

  • Sterk v. Redbox (7th Cir. 2012) – described the VPPA as “not well drafted.”
  • Wilson v. Triller (S.D.N.Y. 2022) – observed obliqueness of “personally identifiable information.”
  • Yershov v. Gannett (1st Cir. 2016) – held that PII includes information foreseeably linkable to a person (e.g., GPS coordinates + device ID).
  • In re Nickelodeon (3d Cir. 2016) – adopted the “ordinary person” standard, excluding raw IP addresses or device identifiers unless an average person could use them to identify a watcher.
  • Eichenberger v. ESPN (9th Cir. 2017) – reaffirmed the “ordinary person” test, emphasizing the disclosing-party focus and rejecting a foreseeability approach.
  • Salazar v. NBA (2d Cir. 2024) – addressed “subscriber” status under the VPPA but reserved the PII question for another day.

Legal Reasoning

1. Text and Structure: The VPPA defines PII as information that “identifies” a person as having requested specific video materials, and it uses the word “includes,” signaling that the list is illustrative, not exhaustive. At the same time, “identifiable” implies that the information must itself be readable and comprehensible—i.e., capable of revealing identity without specialized decoding or external data.

2. Disclosing-Party Perspective: Liability turns on what the video provider discloses, not on how a well-resourced recipient might later aggregate or decrypt the data. If the provider’s transmission is a string of URL-encoded code or a cookie token, an ordinary person cannot glean a consumer’s name or viewing history “with little or no extra effort.”

3. Statutory Purpose and History: Enacted in 1988 to prevent public outing of rental histories (prompted by a Supreme Court nominee’s rental list), the VPPA targeted human-readable, transaction-level disclosures. Although amended in 2012 to cover digital streaming, Congress retained the original PII definition despite calls to expand it to cover IP addresses or cookies—indicating satisfaction with the existing scope.

4. Application to Pixel Data: The Facebook Pixel’s “PageView” payload is a multi-line GET request full of encoded symbols. The video title appears in percent-encoded form (“title%22%3A%22…”) and the FID as “c_user=123456….” Neither transmission is meaningful to an ordinary recipient; decoding requires access to Meta’s back-end or specialized software. Thus, the average person could not identify Solomon’s video selections or profile page from that raw data alone.

Impact

This decision sharpens the boundary of VPPA liability. Video and streaming services that embed tracking pixels or similar tools will not face per-user statutory penalties so long as the data they transmit remains in a technical, encoded form unintelligible to non-experts. Class-action plaintiffs must now show that the disclosed data is human-readable or otherwise directly discloses titles, URLs, or subscriber identifiers in plain text. The ruling may reduce the volume of VPPA suits targeting ubiquitous analytics and ad-targeting technologies, while leaving untouched clear-text disclosures in marketing, billing, or human-readable sharing contexts.

Complex Concepts Simplified

  • Video Privacy Protection Act (VPPA): A 1988 federal law that punishes a video service provider for knowingly disclosing a consumer’s rental or streaming history to any third party.
  • Personally Identifiable Information (PII): Under the VPPA, PII “includes” info that identifies someone as having watched specific videos. The court now requires that an average person be able to identify the consumer from the data itself.
  • Facebook Pixel: A snippet of code placed on a website that reports back to Facebook details about user actions (e.g., which page or video was viewed).
  • FID (“c_user” cookie): A numeric token linking a browser session to a specific Facebook account, readable only by Facebook servers.
  • GET request and URL encoding: A format used by web browsers to request content. Video titles and identifiers are mixed with percent signs, colons, slashes, and hex codes—unintelligible without decoding tools.

Conclusion

The Second Circuit’s decision in Solomon v. Flipps Media crystallizes a key rule under the VPPA: only disclosures that an ordinary person can readily interpret as revealing a named consumer’s video-watching history qualify as “personally identifiable information.” Encoded strings, raw cookies, or device identifiers remain outside the statute’s protective scope unless they are translated into plain-text titles or names. For streaming services, this ruling provides clear guidance on when analytics or pixel transmissions trigger VPPA liability—and when they do not.

Case Details

Year: 2025
Court: Court of Appeals for the Second Circuit

Comments