Can sharing a string of numbers, such as a Facebook User ID, violate federal privacy law? Two recent federal court decisions say no, offering critical guidance for digital media companies navigating the increasingly aggressive use of the Video Privacy Protection Act (VPPA) in the online world.

In Hughes v. National Football League and Solomon v. Flipps Media, Inc., plaintiffs argued that defendants violated VPPA by transmitting Facebook User IDs and video-viewing data to Meta through embedded tracking tools. Both courts rejected the claims, concluding that a Facebook User ID, on its own, does not qualify as "personally identifiable information" (PII) under the statute.

These decisions mark a significant moment in the evolution of VPPA litigation. Once aimed at preventing video rental stores from disclosing a customer's movie habits, the VPPA has been repurposed by privacy litigants to target streaming services, news outlets, and apps that share user data through tools like the Meta Pixel. Recently, however, courts have pushed back by clarifying that not all data sharing violates the statute and drawing a clear line between what sophisticated platforms can infer and what an ordinary person could identify.

At the heart of these decisions is a key legal question: What does it mean for information to "identify" a person under the VPPA? While some courts have adopted a broad "reasonable foreseeability" standard, others, including the courts in Hughes and Flipps Media, have embraced the narrower "ordinary person" test. These recent rulings make clear that unless the disclosed information would immediately identify a consumer's viewing habits to a layperson, no VPPA violation has occurred.

Background: The VPPA and the Rise of Digital Litigation

Enacted in 1988 after the unauthorized disclosure of a Supreme Court nominee's video rental history, the VPPA prohibits "video tape service providers from knowingly disclosing consumers' personally identifiable information" to third parties without consent. Codified at 18 U.S.C. §2710, the statute defines PII as including "information which identifies a person as having requested or obtained specific video materials or services."

Originally aimed at brick-and-mortar video rental stores, the VPPA has been increasingly applied to digital streaming platforms and media sites. Plaintiffs have targeted companies for sharing user data, such as video viewing history and Facebook User IDs, with third-party platforms like Meta through embedded tools like Meta Pixel.

In Hughes and Flipps Media, plaintiffs alleged that transmission of Facebook User IDs and video viewing history to Meta without user consent violated the VPPA. They argued that the Facebook ID enabled Meta to identify users and connect them to specific videos they had watched.

Competing Standards for PII: Reasonable Foreseeability vs. Ordinary Person

Courts have differed on how broadly to interpret PII under the VPPA. Two competing standards have emerged.

1. The Reasonable Foreseeability Standard (First Circuit)

In Yershov v. Gannett Satellite Information Network, Inc., 820 F.3d 482 (1st Cir. 2016), the court held that PII is "not limited to information that explicitly names a person," but includes data "reasonably and foreseeably likely to reveal which videos the plaintiff had watched." The defendant's mobile app transmitted video titles along with GPS coordinates and a unique Android ID to a third-party analytics firm.

The court found this combination of data sufficient to identify an individual and their video habits, without requiring extraordinary technical effort. The foreseeability standard thus considers both the nature of the information and how likely it is to reveal a user's identity when combined with external data.

2. The Ordinary Person Standard (Third and Ninth Circuits)

The Third Circuit, in In re: Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3rd Cir. 2016), took a narrower view. It held that the VPPA only prohibits disclosure of information that would allow an ordinary person, not a data analyst or tech company, to identify an individual's video-watching history. Under this "ordinary person" standard, static digital identifiers like cookies or device IDs do not constitute PII because they don't, on their own, reveal user identities in a way understandable to the general public.

The Ninth Circuit adopted the same approach in Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017), reasoning that this standard "better informs video service providers of their obligations under the VPPA" by providing clearer, more objective compliance criteria. Together, these decisions signaled a preference for limiting VPPA liability to disclosures that are plainly revealing, not those that require complex technical analysis to interpret.

Application of the Ordinary Person Standard

In both the Hughes and Flipps Media cases, the courts rejected the idea that a Facebook User ID is PII under the VPPA:

In Hughes, the court acknowledged that Meta could theoretically match a Facebook User ID to a specific account but emphasized that the statute required a different test. Namely, could an ordinary person, using only the disclosed information, identify the user and their video-viewing behavior? Because a standalone Facebook User ID is a string of numbers unintelligible to the average person, the court found no VPPA violation.

In Flipps Media, the court reached a similar conclusion. While Meta may be able to use its internal databases to link an ID to a user, this level of inference and technical ability is beyond what the VPPA contemplates. The statute is concerned with what can be known, not what could be reverse engineered by a sophisticated party.

These rulings align with other recent decisions limiting PII to data that directly identifies a consumer, such as a name or email address, not abstract technical identifiers.

Court Rejects Yershov and Affirms Narrow Interpretation

Plaintiffs in both cases urged the courts to adopt Yershov's reasonable foreseeability standard. The courts declined. Both Hughes and Flipps Media emphasized that the VPPA's statutory language, specifically the terms "identifies" and "includes," does not automatically broaden the scope of PII to cover any data that could be identifying. Instead, the courts found that the statute's protections hinge on what an ordinary person could reasonably deduce from the disclosed data. The courts further noted that in 2013, Congress amended the VPPA to reflect evolving technologies, but notably did not amend the definition of PII. This omission suggests Congress intentionally preserved the statute's limited reach, distinguishing it from broader privacy laws that use more expansive definitions.

In both cases, the courts found it implausible that a random string of alphanumeric characters standing alone would allow an ordinary person to determine what videos a specific user had watched. Thus, the plaintiffs failed to allege a plausible VPPA violation.

Broader Implications for Streaming Services and Advertisers

These rulings have important implications for streaming platforms, media companies, advertisers, and other businesses using online tracking technologies:

  • Limited VPPA Liability: The cases suggest that transmitting anonymous or pseudonymous identifiers, without more, will not trigger VPPA liability, even if the receiving platform (like Meta) can match those identifiers to user accounts internally.
  • Defense Strategies: These cases give defendants a clear line of argument to challenge the sufficiency of alleged PII disclosures in VPPA cases. Courts are unlikely to stretch the definition of PII to cover technical data unless it plainly reveals a consumer's identity to an ordinary person.
  • Compliance Focus Shifts: Companies may shift their focus from avoiding the transmission of all user identifiers to ensuring that no disclosures reveal user identities in a way an ordinary person could recognize.
  • Uncertainty Remains for Complex Data Sets: These rulings don't fully resolve what happens when multiple data points are shared together, potentially allowing a recipient to piece together a user's identity. Courts may still find a VPPA violation if the combined data reveals identifying information to an ordinary person.

Conclusion

The Hughes and Flipps Media rulings reaffirm that the VPPA protects against disclosures that plainly identify a consumer, not every technical transmission of user-related data. Courts remain reluctant to extend liability to disclosures of pseudonymous identifiers like Facebook User IDs without more. For now, businesses can take some comfort in the narrowed interpretation of PII under the VPPA. However, as technologies evolve and litigation strategies shift, evaluating data-sharing practices remains essential.
