659 F.Supp.3d 1006
D. Minnesota2023Background
- Plaintiff Kyle Feldman is a startribune.com subscriber who regularly watched videos on the site while logged into his Facebook account on the same browser/device.
- Star Tribune implemented Facebook Pixel on startribune.com, which allegedly transmitted a viewer’s Facebook ID (via cookie) and the URL/name of the video watched to Facebook each time a logged-in user viewed video content.
- Feldman alleges the simultaneous disclosure of his Facebook ID and video-URLs to Facebook constituted a knowing disclosure of "personally identifiable information" in violation of the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, and seeks to represent a nationwide class of similarly situated subscribers.
- Star Tribune moved to dismiss for lack of Article III standing (no concrete injury; lack of traceability) and for failure to state a VPPA claim (no PII disclosure, no knowing disclosure, or consent under VPPA safe harbor).
- The court denied the motion to dismiss, finding Feldman plausibly alleged a concrete privacy injury traceable to Star Tribune and pleaded the VPPA elements sufficiently to survive Rule 12(b)(6); the consent/safe-harbor defense was left for a later factual record.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing — concreteness of injury | Nonconsensual disclosure of viewing history is a concrete privacy harm analogous to intrusion upon seclusion | No physical, economic, reputational, or public-disclosure harm; statutory violation alone is not a concrete injury | Court: Plausible concrete injury — disclosure of private video-viewing history is a traditional privacy harm; circuits are uniform on this point |
| Traceability (causal link to Star Tribune) | Star Tribune’s use of Pixel directly caused transmission of Feldman’s Facebook ID and video-URLs to Facebook | Any disclosure resulted from user choices (being logged into Facebook, cookie settings), so injury is self-inflicted/attenuated | Court: Alleged conduct is sufficiently direct and not self-inflicted; traceability satisfied at pleading stage |
| VPPA element — "personally identifiable information" (connection between person and specific video) | Allegations that Pixel sent Facebook ID + video URL/name plausibly allow identification of a viewer and link to viewed videos | The disclosed data are not obviously identifying without additional data; therefore they don’t connect a person to specific videos | Court: Plausible connection alleged (Facebook ID maps to profile; URL maps to video); Yershov/Nickelodeon/Eichenberger line supports that electronic identifiers can suffice |
| VPPA element — "knowingly" disclosing PII | Knowing disclosure satisfied by conscious decision to implement Facebook Pixel that transmits Facebook IDs and video-URLs | To be "knowing," defendant must have known recipient would actually link IDs to viewing histories, not merely that such a linkage is hypothetically possible | Court: "Knowingly" met by allegations that Star Tribune consciously implemented Pixel and transmitted the data; VPPA doesn’t require proof that defendant knew the recipient would re-identify viewers |
| VPPA safe-harbor (informed, written consent) | Feldman did not consent to disclosures as required by §2710(b)(2)(B) | Privacy Policy/Terms provide notice/consent; cookie/browser settings or logout options satisfy informed consent | Court: Consent is an affirmative defense requiring factual development; Star Tribune did not establish on the face of the complaint that VPPA safe-harbor applies, so dismissal is improper |
Key Cases Cited
- Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) (sets standard for concrete injury in statutory-violation claims)
- TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021) (distinguishes statutory causes of action from concrete Article III injuries)
- Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482 (1st Cir. 2016) (GPS/device identifiers can plausibly link viewer to videos under VPPA)
- In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016) (adopts ordinary-recipient test: info that with little or no extra effort permits identification is PII under VPPA)
- Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) (applies Nickelodeon test; declined to find PII where additional undisclosed data would be needed)
- Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618 (7th Cir. 2014) (VPPA protects concrete privacy interests; disclosure can support standing)
- Perry v. Cable News Network, Inc., 854 F.3d 1336 (11th Cir. 2017) (VPPA claim gives standing for wrongful disclosure of viewing history)
- Braitberg v. Charter Commc’ns, Inc., 836 F.3d 925 (8th Cir. 2016) (recognizes common-law tradition of privacy torts relevant to concreteness)
- St. Louis Heart Ctr., Inc. v. Nomax, Inc., 899 F.3d 500 (8th Cir. 2018) (causation/traceability lacking where plaintiff consented or invited challenged communications)