Detrina Solomon v. Flipps Media, Inc., 136 F.4th 41

See case details

DETRINA SOLOMON, оn behalf of herself and all others similarly situated, Plaintiff-Appellant, v. FLIPPS MEDIA, INC., dba FITE, dba FITE TV, Defendant-Appellee.

Docket No. 23-7597-cv

UNITED STATES COURT OF APPEALS FOR THE SECOND CIRCUIT

Decided: May 1, 2025

August Term 2023 (Argued: May 13, 2024)

RAGGI, CHIN, and NARDINI, Circuit Judges.

Appeal from a judgment of the United States District Court for the Eastern District of New York (Azrack, J.), dismissing, pursuant to Fed. R. Civ. P. 12(b)(6), plaintiff-appellant‘s complaint alleging violations of the Video Privacy Protection Act, 18 U.S.C. § 2710, and denying her leave to amend. Defendant-appellee -- a video streaming platform -- disclosed certain information about plaintiff-appellant‘s streaming history to Facebook, Inc. (now Meta Platforms, Inc). Because plaintiff-appellant failed to plausibly allege an impermissible disclosure of her “personally identifiable information” under the statute, we conclude that the district court correctly dismissed her claims and denied leave to amend.

AFFIRMED.

NICOMEDES S. HERRERA (Bret D. Hembd, on the brief), Herrera Kеnnedy LLP, Oakland, CA, and Burbank, CA, and Christopher J. Cormier, Burns Charest LLP, Washington, DC, for Plaintiff-Appellant.

DAVID N. CINOTTI (Brendan M. Walsh, on the brief), Pashman Stein Walder Hayden, P.C., Hackensack, NJ, for Defendant-Appellee.

CHIN, Circuit Judge:

In 1987, a newspaper published an article that identified 146 films that a Supreme Court nominee and his family had rented from a local video store. Although the rental information disclosed in the article was “not at all salacious,”¹ the invasion of privacy prompted Congress to enact the Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (the “VPPA“), to protect the privacy of consumers who rented or purchased “video cassette tapes” and “similar audio visual materials.” 18 U.S.C. § 2710(a)(4).

In this case, plaintiff-appellant Detrina Solomon, a subscriber to a digital video streaming service, contends that her rights under the VPPA were violated when the service, operated by defendant-appеllee Flipps Media, Inc., dba FITE, dba FITE TV (“FITE“),² sent certain information to Facebook, Inc. (“Facebook“)³ each time she streamed a video. The information consisted of (1) a sequence of characters, letters, and numbers that, if correctly interpreted, would identify the title and URL (uniform resource locator, or web address) of the video, and (2) her “Facebook ID” (“FID“), a unique sequence of numbers linked to her Facebook profile.

The district court granted FITE‘s motion to dismiss pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure, holding that Solomon did not plausibly allege that FITE disclosed her “personally identifiable information” as prohibited by the VPPA. Solomon v. Flipps Media, Inc., No. 22CV5508, 2023 WL 6390055, at *2-3 (E.D.N.Y. Sept. 30, 2023).⁴ The district court also denied Solomon‘s request for leave to amend because Solomon sought to amend only with “a footnote on the final page of her brief” and had “multiple opportunities to propose amendments” but “simply elected not to do so.” Id. at *5-6.

We agree in both respects and, accordingly, we affirm.

STATEMENT OF THE CASE

I. Statutory Background

The VPPA was enacted to “preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.” S. Rep. No. 100-599, at 1 (1988) (Judiciary Committee); see Wilson v. Triller, Inc., 598 F. Supp. 3d 82, 90 (S.D.N.Y. 2022). To that end, it provides that:

[a] video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person . . . .

18 U.S.C. § 2710(b)(1); see In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 278 (3d Cir. 2016) (“The [VPPA] creates a private cause of action for plaintiffs to sue persons who disclose information about their video-watching habits.“).

To state a claim under the VPPA, a plaintiff must plausibly allege that (1) a video tape service provider (2) knowingly disclosed to any person (3) personally identifiable information concerning her use of the service. See 18 U.S.C. § 2710(b)(1); In re Nickelodeon, 827 F.3d at 279. Violators are subjeсt to awards of actual damages (no less than $2,500), punitive damages, attorneys’ fees and costs, and equitable relief. 18 U.S.C. § 2710(c)(2).

The VPPA defines several key terms:

(1) the term “consumer” means any renter, purchaser, or subscriber of goods or services from a video tape service provider;

. . .

(3) the term “personally identifiable information” includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider; and

(4) the term “video tape service provider” means any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials, or any person or other entity to whom a disclosure is made under subрaragraph (D) or (E) of subsection (b)(2), but only with respect to the information contained in the disclosure.

18 U.S.C. § 2710(a)(1), (3), (4).

The VPPA does not ban all disclosure of personally identifiable information. A video tape service provider may disclose personally identifiable information in six circumstances: (1) to the consumers themselves; (2) to any person with the informed written consent of the consumer; (3) to a law enforcement agency pursuant to a valid warrant, subpoena, or court order; (4) to any person if the disclosure is solely of the names and addresses of consumers and if the video tape service provider has provided the consumer with the opportunity to prohibit such disclosure; (5) if the disclosure is incident to the ordinary course of business of the video tape service provider; and (6) pursuant to a court order in a civil proceeding, upon a compelling showing of need and after the consumer is given reasonable notice and an opportunity to contest the claim. See 18 U.S.C. § 2710(b)(2)(A)-(F); S. Rep. No. 100-599, at 12-15.

In recent years, the VPPA has generated extensive litigation, as numerous class actions have been filed against a wide variety of entities alleging that they impermissibly disclosed to third parties the personally identifiable information and video-viewing histories of their consumers.⁵

II. The Facts⁶

FITE is a digital streaming company that provides subscribers with an array of sports, entertainment, and music video content through its website and applications. It offers video content, pay-per-view events, and live streaming events.

Facebook is an unrelated third party that, among other things, creates and sells products such as the Facebook Pixel (thе “Pixel“) to operators of websites.⁷ The Pixel is a “unique string of code” that can be used to collect information about subscribers’ interactions on websites. Joint App‘x 17 ¶ 50. In other words, the Pixel is a tool that can be used to relay certain information to websites about the websites’ consumers, including whether consumers initiate purchases, what items they view, and the content consumers access on a particular webpage.

“PageView” is an optional feature that allows the Pixel to capture the URL and title of each video that a user accesses on a provider‘s website, along with that user‘s FID, which identifies the individual more precisely than a name or email address. A user‘s FID is associated with a small text file that stores information, also known as a Facebook “c_user cookie” or “сookie.” Because these c_user cookies are created and placed by Facebook on the Facebook users’ browsers, only Facebook‘s servers can access them.

During the installation process, FITE configured the Pixel on its website to include PageView. Since the implementation of the Pixel, every time a FITE consumer accesses a video on a FITE application or website, FITE, through the Pixel‘s PageView, sends Facebook certain information about the user and her viewing history. The following is an “exemplar screenshot” depicting the transmission that FITE sends Facebook via the Pixel‘s PageView.

Image in original document— exemplar screenshot of code transmission

Joint App‘x at 20.

The underlined code following the word GET (also known as a GET request) in Box A is generated when a hypothetical user requests a certain video on FITE‘s website. Within the GET request in Box A, the string оf characters includes the specific title of the video that the user accesses. In Box B (which starts in the lower right and continues in the lower left), the phrase “c_user=” is followed on the next line by a partially redacted string of numbers -- the user‘s FID.

The Pixel relays this information to Facebook regardless of whether the site‘s users are logged onto Facebook and even after they clear their browser histories. Facebook then uses this information to build detailed profiles about FITE‘s consumers, which enables FITE to present those same consumers with targeted advertisements. FITE does not disclose or discuss the Pixel specifically in its Terms of Use, Privacy Policy, or any other material provided to subscribers, nor does FITE provide an opportunity for its consumers to decline or withdraw consent to FITE‘s use of the Pixеl.

Entering “facebook.com/[an individual‘s FID]” into any web browser provides access to a specific individual‘s Facebook profile. This basic method of accessing a person‘s Facebook profile is “generally and widely known among the public.” Joint App‘x at 10, 21.

Solomon was a Facebook user and subscriber of FITE‘s TrillerVerzPass digital video streaming service during the two years before the Complaint was filed in 2022. The Complaint uses a hypothetical ‍‌‌‌​‌‌​‌‌‌‌‌‌​‌‌‌‌‌​‌​​​‌​‌​​​‌‌‌​​​‌​​​​​‌‌‌​​‌‍Facebook profile to illustrate Solomon‘s claims but does not depict Solomon‘s personal Facebook profile or specify any identifiable information that exists in her profile.

III. Proceedings Below

On September 14, 2022, Solomon brought this consumer privacy class action on behalf of subscribers and purchasers of FITE‘s video streaming services who (1) obtainеd specific video materials from FITE‘s website and applications, and (2) had a Facebook account during the time that FITE used the Facebook Pixel.⁸ The Complaint alleged that FITE violated the VPPA by disclosing its users’ personally identifiable information to Facebook, an unrelated third party, and sought statutory damages of $2,500 per violation.

On November 14, 2022, FITE submitted to the district court a pre-motion letter identifying numerous purported defects in the Complaint, including that the Complaint did not identify what information on Solomon‘s Facebook page would lead anyone to connect data in the alleged transmissions to her. Solomon did not offer to amend the Complaint upon receipt of FITE‘s pre-motion letter, nor did she amend of right as permitted under Fed. R. Civ. P. 15(a).

On February 7, 2023, FITE moved to dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(6). Solomon filed а memorandum in opposition the same day. In a footnote, she noted that “[she] should be granted leave to amend the Complaint to remedy any perceived deficiencies.” Joint App‘x at 94.

On September 30, 2023, the district court granted FITE‘s motion to dismiss and denied Solomon leave to amend. Solomon, 2023 WL 6390055, at *1, *6. The district court held that Solomon did not plausibly allege that her public Facebook profile page contained personally identifiable information or that Solomon accessed prerecorded videos within the meaning of the VPPA. Id. at *2-5. The district court also denied Solomon‘s request for leave to amend the Complaint because she had addressed the issue only in “a conclusory footnote” and had failed to take advantage of “multiple opportunities to propose amendments.” Id. at *6. The district court entered judgment in favor of FITE on October 3, 2023.

This appeal followed.

DISCUSSION

Two issues are presented: first, whether the district court erred in holding that the Complaint failed to plausibly allege that FITE disclosed “personally identifiable information” to Facebook in violation of the VPPA, and, second, whether the district court abused its discretion in denying Solomon leave to amend the Complaint.

We review a district court‘s grant of a motion to dismiss pursuant to Rule 12(b)(6) ”de novo, accepting all factual allegations in the complaint as true and drawing all reasonable inferences in favor of the plaintiff.” Michael Grecco Prods., Inc. v. RADesign, Inc., 112 F.4th 144, 150 (2d Cir. 2024) (quoting Melendez v. Sirius XM Radio, Inc., 50 F.4th 294, 298 (2d Cir. 2022)). “We review a district court‘s denial of leave to amend for abuse of discretion, unless the denial was based on an interpretation of law, such as futility, in which case we review the legal conclusion de novo.” Carroll v. Trump, 88 F.4th 418, 430 (2d Cir. 2023) (quoting Empire Merchs., LLC v. Reliable Churchill LLLP, 902 F.3d 132, 139 (2d Cir. 2018)).

I. The Motion to Dismiss

The principal question, with respeсt to the first issue, is what constitutes “personally identifiable information” for purposes of the VPPA. It is undisputed that FITE is a video service provider that knowingly disclosed certain information about Solomon to Facebook -- namely, computer code that denoted the titles and URLs of the videos Solomon accessed and her FID. If that information constitutes “personally identifiable information,” then Solomon would have plausibly alleged a violation of the VPPA.

A. Applicable Law

The VPPA does not specifically define “personally identifiable information,” providing only that it “includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3). Courts across the country, including lower courts in this circuit, have observed that the VPPA is “‘not well drаfted,‘” Wilson, 598 F. Supp. 3d at 90 (quoting Sterk v. Redbox Automated Retail, LLC, 672 F.3d 535, 538 (7th Cir. 2012)), and that its definition of personally identifiable information is “oblique[]” and not “clear,” id.; see also In re Nickelodeon, 827 F.3d at 281 (“As we shall see, what counts as personally identifiable information under the Act is not entirely clear.“); Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482, 486 (1st Cir. 2016) (“The statutory term ‘personally identifiable information’ is awkward and unclear.“); Gemdjian, supra note 1, at 561 (“Of the VPPA‘s key terms, the most ink has probably been spilled over the question of what constitutes [personally identifiable information].“).⁹

This Court has not defined personally identifiable information beyond the statutory definition,¹⁰ but other circuits have provided further explanation. The First, Third, and Ninth Circuits have held that personally identifiable information constitutes more than just information that identifies an individual, but also information that can be used to identify an individual. See Yershov, 820 F.3d at 485-86; In re Nickelodeon, 827 F. 3d at 290; Eichenberger v. ESPN, Inc., 876 F.3d 979, 984 (9th Cir. 2017). Accordingly, to define personally

identifiable information, circuits have endeavored to interpret what information Congress intended to cover as “‘cаpable of’ identifying an individual” under the VPPA. Eichenberger, 876 F.3d at 984. Two approaches have emerged: (1) the reasonable foreseeability standard and (2) the ordinary person standard. Id. at 985.

1. The Reasonable Foreseeability Standard

The First Circuit established the reasonable foreseeability standard in Yershov, holding that personally identifiable information is “not limited to information that explicitly names a person,” but also includes information disclosed to a third party that is “reasonably and foreseeably likely to reveal which . . . videos [the plaintiff] has obtained.” 820 F.3d at 486.

In Yershov, the defendant was an international media company that produced news and entertainment media, including the newspaper USA Today and the USA Today Mobile App (the “App“). Id. at 484. Every time a user viewed a video clip on the App, the defendant sent to Adobe Systems Incorporated (“Adobe“), an unrelated third party, “(1) the titlе of the video viewed, (2) the GPS coordinates of the device at the time the video was viewed, and (3) certain identifiers associated with the user‘s device, such as its unique Android ID.” Id. With the Android ID, Adobe could find other personal information about its customers, such as “the user‘s name and address, age and income, ‘household structure,’ and online navigation and transaction history.” Id. at 484-85.

The court first held that personally identifiable information includes information that can be used to identify a specific individual. The court reasoned that the word “includes” in the text of the definition implies that personally identifiable information is not limited to information that explicitly names a person. Id. at 486. Indeed, the court cited the Senate Report, which expressly stated that the drafters’ aim was “to establish a minimum, but not exclusive, definition of personаlly identifiable information.” Id. (quoting S. Rep. No. 100-599, at 12 (1988)). Had Congress intended a narrow and simple construction, the court concluded, it would have had no reason “to fashion the more abstract formulation contained in the statute.” Id. The court also noted that many types of information, other than a name, can easily identify a person. “Revealing a person‘s social security number to the government, for example, plainly identifies the person. Similarly, when a football referee announces a violation by ‘No. 12 on the offense,’ everyone with a game program knows the name of the player who was flagged.” Id.

The First Circuit subsequently established the reasonable foreseeability standard as the framework to determine what information can be used to identify an individual under the VPPA. The court concluded that the plaintiff in Yershov had plausibly alleged that the defendant impermissibly disclosed personally identifiable information when it supplied Adobe with information about the videos the plaintiff ‍‌‌‌​‌‌​‌‌‌‌‌‌​‌‌‌‌‌​‌​​​‌​‌​​​‌‌‌​​​‌​​​​​‌‌‌​​‌‍watched on the App, along with “GPS coordinates of the device at the time the video was viewed,” and “certain identifiers associated with the user‘s device.” Id. at 484. The court explicitly relied on the allegation that the defendant knew that Adobe had the “game program,” or the mechanism necessary to “allow[] it to link the GPS address and device identifier information to a certain person by name, address, phone number, and more.” Id. at 486. The court concluded that the plaintiff thus plausibly alleged that the defendant violated the VPPA because it was reasonably and foreseeably likely to the defendant that Adobe, a sophisticatеd technological company, would have the ability to identify the plaintiff‘s video-watching habits. Id.

2. The Ordinary Person Standard

In In re Nickelodeon, the Third Circuit took a different approach by holding that “the [VPPA‘s] prohibition on the disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individual‘s video-watching behavior.” 827 F.3d at 267.

In that case, the plaintiffs (children under thirteen) brought a putative class action alleging that Viacom disclosed information to Google that effectively revealed the videos they had watched on Nickelodeon‘s websites. Id. at 279. The plaintiffs argued that static digital identifiers (such as internet protocol (“IP“) addresses, browser fingerprints, and unique device identifiers) were personally identifiable information that enabled Google to link those videos to their real-world identities. Id.

The Third Circuit rejected the argument that succeeded in Yershov -- that it was reasonably foreseeable that Google, given its business model as a data aggregator, could use the disclosed information to identify the plaintiffs. Id. at 289-90. Although the court agreed with the First Circuit on the preliminary issue -- that “Congress‘s use of the word ‘includes’ could suggest that Congress intended for future courts to read contemporary norms about privacy into the statute‘s original text,” id. at 286 -- the court did not believe that “a law from 1988 can be fairly read to incorporate such a contemporary understanding of Internet privacy,” id. at 290. The court reasoned that the plaintiffs’ argument would mean that “the disclosure of an IP address to any Internet company with registered users might trigger liability under the [VPPA]” and that “the use of third-party cookies on any website that streams video content [would be] presumptively illegal.” Id.

The Third Circuit thus did not adopt Yershov‘s reasonable foreseeability standard, concluding that the VPPA did not “sweep[] quite so broadly.” Id.¹¹ Instead, the court adopted the ordinary person standard -- holding that static digital identifiers were not personally identifiable information protected from disclosure by the VPPA because an ordinary person, as opposed to a sophisticated internet company such as Google, could not use the static

digital identifiers to identify a specific individual‘s video-watching habits. Id. at 289-90.

In Eichenberger, the Ninth Circuit also adopted the ordinary person standard, concluding that it “better informs video service providers of their obligations under the VPPA.” 876 F.3d at 985. In that case, defendant ESPN produced sports-related news and entertainment programming through its television channel and application, which were available on the Roku digital streaming device. Id. at 981. Every time a consumer watched a video, ESPN knowingly disclosed to Adobe Analytics (“Analytics“) the consumer‘s Roku device serial number and the identity of the video that he watched. Id. Analytics also obtained email addresses, account information, Facebook profile information, photos, and usernames, from sources other than ESPN. Id. Analytics could identify the consumer by connecting both sources of information with other data already in Analytics’ profile of the consumer. Id. Analytics then gave that compiled information back to ESPN, which used it to provide advertisers with information about its user demographics. Id.

The Ninth Circuit agreed that the word “include” signifies that the definition of personally identifiable information must encompass “more information than that which, by itself, identifies an individual as having watched certаin videos.” Id. at 984. Instead of just explicitly identifying information, the court reasoned, the statute‘s use of the word “identifiable,” where “the suffix ‘able’ means ‘capable of,‘” reinforces that the definition of PII also “covers some information that can be used to identify an individual.” Id. at 979, 984.

The Ninth Circuit declined, however, to adopt Yershov‘s reasonable foreseeability standard because “the advent of the Internet did not change the disclosing-party focus of the [VPPA].” Id. at 985. The court was “not persuaded that the 1988 Congress intended for the VPPA to cover circumstances so different from the ones that motivated its passage.” Id.¹² Instead, the court reasoned that the ordinary person standard was more appropriate because the VPPA “views disclosure from the perspective of the disclosing party” and “looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.” Id.

Accordingly, the court held that the plaintiff did not plausibly allege that the information that ESPN disclosed to Analytics constituted personally identifiable information under the ordinary person standard because the information disclosed “cannot identify an individual unless it is combined with other data in [Analytics‘] possession.” Id. at 986 (emphasis omitted).

B. Application

Although she did not advocate for a particular standard in the district court, Solomon now argues that this Court should adopt a variation of Yershov‘s reasonable foreseeability standard and hold that “personally identifiable information under the VPPA encompasses specific information about a consumer, disclosed by a video tape service provider to a particular recipient, that the provider knows the recipient сan use to personally identify that consumer.” Brief of Plaintiff-Appellant at 13-14. FITE contends that if this Court reaches the question, we should adopt the Third and Ninth Circuits’ ordinary person standard. Both parties contend that, regardless of the standard to be applied, they should prevail -- Solomon argues that the Complaint states a plausible claim and FITE argues that it does not.

First, we do reach the question of which standard applies, and we adopt the Third and Ninth Circuits’ ordinary person standard. Second, applying that standard, we conclude that the Complaint fails to state a claim for violation of the VPPA.

1. The Applicable Standard

“When interpreting a statutory provision, we begin with the words of the statute.” Soliman v. Subway Franchisee Advert. Fund Tr., LTD., 101 F.4th 176, 181 (2d Cir. 2024). If the words are clear, we construe the statute according to their plain meaning. Id. If the words are not clear, we may consider legislative history and the tools of statutory construction. Id.; accord Greenery Rehab. Grp., Inc. v. Hammon, 150 F.3d 226, 231 (2d Cir. 1998). We assess plain meaning “by reference to the language itself, the specific context in which that language is used, and the broader context of the statute as a whole.” Zepeda-Lopez v. Garland, 38 F.4th 315, 320 (2d Cir. 2022) (citation omitted).

As an initial matter, and as the parties appear to agree, we conclude that Congress intended the VPPA to cover not just information that, by itself, identifies a consumer‘s video-viewing history, but also information capable of being used to do so. The VPPA states that “the term ‘personally identifiable information’ includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3). The words “include[]” and “identifiable” suggest that personally identifiable information includes information that can be used to identify a person, as well as information that, standing alone, identifies a person. The Senate Report also supports this result, as it states that the drafters’ aim was “to establish a minimum, but not exclusive, definition of personally identifiable information.” S. Rep. No. 100-599, at 12 (1988). The circuit courts that have addressed the issue have reached the same conclusion, even where they disagreed in other respects. See Eichenberger, 876 F.3d at 984 (“‘[P]ersonally identifiable information’ covers some information that can be used to identify an individual.“); Yershov, 820 F.3d at 486 (“[T]he language reasonably conveys the point that PII is not ‍‌‌‌​‌‌​‌‌‌‌‌‌​‌‌‌‌‌​‌​​​‌​‌​​​‌‌‌​​​‌​​​​​‌‌‌​​‌‍limited to information that explicitly names a person.“); In re Nickelodeon, 827 F.3d at 290 (“Congress‘s use of the word ‘includes’ could suggest that Congress intended for future courts to read contemporary norms about privacy into the statute‘s original text.“).

In addition, based on the words of the statute, the specific context in which the language is used, and the broader context of the statute as a whole, we conclude that “personally identifiable information” encompasses information that would allow an ordinary person to identify a consumer‘s video-watching habits, but not information that only a sophisticated technology company could use to do so.

First, the words of the definition surely can be read to refer to the “kind of information that would readily permit an ordinary person to identify a specific individual‘s video-watching behavior.” In re Nickelodeon, 827 F.3d at 290. The definition provides that “‘personally identifiable information’ includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710(a)(3). We acknowledge that these words could also be read to еncompass computer code and digital identifiers decipherable only by a technologically sophisticated third party. But even though the words are not without some ambiguity, they are more naturally read as referring to information that would permit an ordinary person to learn another individual‘s video-watching history.

Second, the specific context in which those words are used suggests that the definition encompasses information that would permit an ordinary person to identify a specific individual‘s video-watching behavior, as opposed to information that only a technologically sophisticated third party could use to identify specific consumers. The VPPA imposes liability on a “video tape service provider” that “knowingly discloses” a consumer‘s information to a third party. 18 U.S.C. § 2710(b)(1) (emphasis аdded). “In other words, the statute views disclosure from the perspective of the disclosing party. It looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.” Eichenberger, 876 F.3d at 985. It does not make sense that a video tape service provider‘s liability would turn on circumstances outside of its control and the level of sophistication of the third party. The ordinary person standard is a more suitable framework to determine what constitutes personally identifiable information because it “better informs video service providers of their obligations under the VPPA,” while not impermissibly broadening its scope to include the disclosure of technological data to sophisticated third parties. See id.; see also S. Rep. No. 100-599, at 12 (1988) (“[P]ersonally identifiable information is intended to be transаction-oriented. It is information that identifies a particular person as having engaged in a specific transaction with a video tape service provider.“).

Finally, the broader context of the statute as a whole squarely supports the conclusion that liability under the VPPA should be limited to the disclosure of information that would permit an ordinary person to learn a specific individual‘s video-watching history. The VPPA was enacted in 1988, when “the Internet had not yet transformed the way that individuals and companies use consumer data -- at least not to the extent that it has today.” Eichenberger, 876 F.3d at 985; accord In re Nickelodeon, 827 F.3d at 284 (“We do not think that, when Congress passed the [VPPA], it intended for the law to cover factual circumstances far removed from those that motivated its passage.“); see also Twentieth Century Music Corp. v. Aiken, 422 U.S. 151, 156 (1975) (“When technological change has rendered its literal terms ambiguous, the [statute] must be construed in light of [its] basic purpose.“) (interpreting Copyright Act).

The evolution of the VPPA provides additional insights into its purpose. In 2013, some twenty-five years after its inception, Congress amended the VPPA in recognition that “the Internet ha[d] revolutionized the way that American consumers rent and watch movies and television programs.” Salazar, 118 F.4th at 545 (quoting S. Rep. No. 112-258, at 2 (2012)).¹³ Congress, however, declined to amend the definition of personally identifiable information, even in the face of testimony asking for an expansion of the definition to include IP addresses. See In re Nickelodeon, 827 F.3d at 288 (“Despite this recognition [that the Internet has revolutionized the way that Americans rent and watch movies and television programs], Congress did not update the definition of personally identifiable information in the statute.“).

The decision to not amend the VPPA suggests that Congress believed that the VPPA “serves different purposes, and protects different constituencies, than other, broader privacy laws.” Id. This is especially notable when we compare the VPPA to other, later privacy statutes that included a more expansive definition of personally identifiable information or related terms. For example, in 1998, ten years after the VPPA was enacted, Congress passed the Children‘s Online Privacy Protection Act (“COPPA“), and defined “personal information” to include:

1. a first and last name;
2. a home or other physical address . . . ;
3. an e-mail address;
4. a telephone number;
5. a Social Security number;
6. any other identifier that the [Federal Trade Commission] determines permits the physical or online contacting of a specific individual; or
7. information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.

15 U.S.C. § 6501(8); see In re Nickelodeon, 827 F.3d at 286-87 & n.158. When Congress amended the VPPA in 2013, it could have expanded its definition of “personally identifiable information,” but it did not -- even though it was urged to do so.

We decline to adopt Yershov‘s reasonable foreseeability standard because it focuses on what a recipient can or cannot reasonably do when given personal information. 820 F.3d at 486. The “classic example” of the “1988 paradigm” is “a video clerk leaking an individual customer‘s video rental history,” and the VPPA was not intended to create liability where a third party is able to “assemble otherwise anonymous pieces of data to unmask the identity of individual [users].” In re Nickelodeon, 827 F.3d at 290; see also Eichenberger, 876 F.3d at 985 (“‘[P]ersonally identifiable information’ must have the same meaning without regard to its recipient‘s capabilities. Holding otherwise would make ‘the lawfulness of a disclosure depend on circumstances outside of a video service provider‘s control.‘” (quоting Mollett v. Netflix, Inc., 795 F.3d 1062, 1066 (9th Cir. 2015)) (alterations adopted)).

2. FITE‘s Use of the Pixel

Turning to the facts of this case, we consider whether the Complaint plausibly alleges that FITE‘s disclosure of Solomon‘s FID and video titles “would, with little or no extra effort, permit an ordinary recipient to identify [Solomon‘s] video-watching habits.” In re Nickelodeon, 827 F.3d at 284. We conclude it does not.

The information transmitted by FITE to Facebook via the Pixel‘s PageView is set forth in the “exemplar screenshot” reproduced in the Complaint. See page 9 supra; Joint App‘x at 20. The exemplar depicts some twenty-nine lines of computer code, and the video title is indeed contained in Box A following the GET request. The words of the title, however, are interspersed with many characters, numbers, and letters. It is implausible that an ordinary person would look at the phrase “title%22%3A%22-%E2%96%B7%20The%20Roast%20of%-%20Ric%20Flair” -- particularly if the highlighting in Box A is removed -- and understand it to be a video title.¹⁴ It is also implausible that an ordinary person would understand, “with little or no extra effort,” the highlighted portion to be a video title as opposed to any of the other combinations of words within the code, such as, for example, “%9C%93%20In%20the%20last%20weekend%20of%20-July%2C.” Id.; Joint App‘x at 20.

Nor does the Complaint plausibly allege that an ordinary person could identify Solomon through her FID. Because the redacted sequence of numbers in the second line of Box B is not labeled, the FID would be just one phrase embedded in many other lines of code. And if the numbers in the exemplar were not redacted, what an individual would see is, for example, a phrase such as “c_user=123456” or “c_user=00000000.” Although a section of the code in Box A does state “[h]ost: www.facebook.com,” it is not plausible that an ordinary person, without the annotation of Box B, would see the “c_user” phrase on FITE‘s servers and conclude that the phrase was a person‘s FID.

Notably, the Complaint lacks any details about how an ordinary person might access the information on the Pixel‘s PageView. But even assuming, arguendo, that an ordinary person could somehow gain access to the Pixel‘s PageView, the Complaint is also devoid of any details about how an ordinary person would use an FID to identify Solomon. The Complaint merely states that entering “facebook.com/[Solomon‘s FID]” into any web browser would result in Solomon‘s personal Facebook profile, and that “[t]his basic method of accessing a person‘s Facebook profile is generally and widely known among the public.” Joint App‘x at 21. But see In re Nickelodeon, 827 F.3d at 283 (“To an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person.“). Accordingly, we are not persuaded that an FID is “vastly different,” Appellant Br. at 29, from the unique device identifiers in Nickelodeon, 827 F.3d at 262, or the Roku device serial numbers in Eichenberger, 876 F.3d at 979.¹⁵

Accordingly, we hold that Solomon failed to plausibly allege that FITE disclosed “personally identifiable information” in violation of the VPPA and we therefore affirm the district court‘s dismissal of the Complaint.

II. Leave to Amend

We find no abuse of discretion in the district court‘s decision to deny Solomon leave to amend the Complaint. Although FITE sent Solomon a pre-motion letter advising her of the deficiencies in the Complaint, she waited until her opposition to the motion to dismiss to request leave, and she did so only in a single footnote on the final page of her brief, stating that “[i]f the Court grants Defendant‘s motion in any respect, Solomon should be granted leave to amend the Complaint to remedy any perceived deficiencies.” Joint App‘x at 94 n.4. In denying Solomon leave to amend, the district court observed that Solomon “has had more than ample opportunity to address the deficiencies identified [in the Complaint], but has not identified any proposed amendments.” Solomon, 2023 WL 6390055, at *5.

In light of these facts, the district court acted wholly within its discretion in denying leave to amend. See, e.g., Noto v. 22nd Century Grp., Inc., 35 F.4th 95, 107 (2d Cir. 2022) (denial of leave to amend is proper “where the request gives no clue as to how ‍‌‌‌​‌‌​‌‌‌‌‌‌​‌‌‌‌‌​‌​​​‌​‌​​​‌‌‌​​​‌​​​​​‌‌‌​​‌‍the complaint‘s defects would be cured” (internal quotation marks omitted)); Porat v. Lincoln Towers Cmty. Ass‘n, 464 F.3d 274, 276 (2d Cir. 2006) (holding that the district court did not abuse its discretion in denying leave to amend where the request was made only in a footnote and with no explanation as to how the complaint‘s defects would be cured).

Solomon relies on this Court‘s decision in Mandala v. NTT Data, Inc. to argue that the district court abused its discretion in denying her leave. 88 F.4th 353 (2d Cir. 2023). The reliance is misplaced. In Mandala, this Court held that a district court abused its discretion in denying a motion to vacate a judgment of dismissal pursuant to Rule 60(b) of the Federal Rules of Civil Procedure, noting that:

[Mandala] is one of the exceptional cases necessitating relief from judgment: Plaintiffs have yet to be afforded a single opportunity to amend their pleading; the original dismissal of the Complaint was premised on grounds subject to reasonable, actual, and vigorous debate; Plaintiffs diligently prosecuted their case at all times; and Plaintiffs’ proposed amendments address the sole pleading deficiency identified by the district court.

Id. at 365.

Mandala is distinguishable and of no help to Solomon. First, Mandala involved a motion to vacate a judgment of dismissal, rather than a request for leave to amend a complaint. Second, the plaintiffs there actually made a motion and did not rely solely on a footnote. Third, the plaintiffs in Mandala wеre not “afforded a single opportunity to amend their pleadings,” id., while here Solomon was put on notice of the deficiencies in the Complaint and had “ample opportunity” to address them. Joint App‘x at 124. Finally, we concluded that Mandala was “one of the exceptional cases necessitating relief from judgment,” 88 F.4th at 365, and the instant case does not present similar exceptional circumstances.

Accordingly, we hold that the district court did not abuse its discretion in denying Solomon‘s request for leave to amend the Complaint.

CONCLUSION

For the reasons set forth above, the judgment of the district court is AFFIRMED.

Notes

1

Elizabeth Gemdjian, The Extraordinary Extension of the Video Privacy Protection Act: Why the “Ordinary Course of Business” of an Analog Era is Anything but Ordinary in the Digital World, 90 Brook. L. Rev. 553, 558 (2025).

2

FITE has been rebranded as Triller TV.

3

Facebook has been rebranded as Meta Platforms, Inc.

4

The district court also held that Solomon did not plausibly allege that she accessed prеrecorded videos as required under the VPPA. We need not and do not reach this issue.

5

See Gemdjian, supra note 1, at 553 (including such entities as the “AARP, Hulu, General Mills, the NBA, PBS“); Ryan Joe & Lara O‘Reilly, A Blockbuster-Era Video Law Is Being Used to Ding Big-Name Brands Like General Mills, Geico, and Chick-Fil-A With Privacy Lawsuits, Bus. Insider (Sept. 7, 2023, 12:23 PM), https://www.businessinsider.com/vppa-privacy-legal-threat-major-brands-2023-9 [https://perma.cc/DU3K-SQJX]; Eriq Gardner, How Entertainment Companies Are Fighting Lawsuits over Disclosures of Who’s Watching, Hollywood Rep. (Oct. 21, 2014, 1:18 PM), https://www.hollywoodreporter.com/business/business-news/how-entertainment-companies-are-fighting-742131/ [https://perma.cc/K55P-GMEK].

6

The facts are drawn from Solomon‘s complaint (the “Complaint“), which we construe liberally, accepting all factual allegations as true, and drawing all reasonable inferences in Solomon‘s favor. Herrera v. Comme des Garcons, Ltd., 84 F.4th 110, 113 (2d Cir. 2023) (quoting Miller v. Metro. Life Ins. Co., 979 F.3d 118, 121 (2d Cir. 2020)).

7

Although the VPPA applies to “consumers” of “video tаpe service providers,” the parties do not dispute on appeal that Solomon fits within the definition of “consumer” and FITE fits within the definition of a “video tape service provider.” See Salazar v. Nat‘l Basketball Ass‘n, 118 F.4th 533, 545 (2d Cir. 2024). FITE does, however, argue on alternate grounds that Solomon does not plausibly allege a “disclosure” within the meaning of the VPPA. But in light of our holding that Solomon does not plausibly allege that the disclosed information constitutes personally identifiable information, we do not address the merits of FITE‘s alternative argument.

8

Although the Pixel was first introduced in 2013, Solomon does not specifically allege when FITE began using the Pixel. Solomon does, however, purport to be a consumer of FITE during the two years before this action was filed and defines the class period in the Complaint as “from September 14, 2020 to the present.” Joint App‘x at 28-29.

9

See also Marc Chase McAllister, Modernizing the Video Privacy Protection Act, 25 Geo. Mason L. Rev. 102, 145-46 (2017); Yarden Z. Kakon, Note, “Hello, My Name Is User #101“: Defining PII Under the VPPA, 33 Berkeley Tech. L.J. 1251, 1252 (2018); Daniel L. Macioce Jr., Comment, PII in Context: Video Privacy and a Factor-Based Test for Assessing Personal Information, 45 Pepp. L. Rev. 331, 401-02 (2018).

10

In Salazar, this Court construed the definition of “subscriber of goods or services” under the VPPA. 118 F.4th at 536. The facts of Salazar closely resemble this case, as a plaintiff was also alleging the disclosure of an FID to a third party via the Pixel. But we limited our holding in Salazar by noting that “while there may be breathing room in the statute to explore what exactly is ‘personally identifiable information’ -- we need not and do not explore that argument in this appeal.” Id. at 549 n.10.

11

The Third Circuit distinguished Yershov as “merely demonstrat[ing] that GPS coordinates contain more power to identify a specific person than, in our view, an IP address, a device identifier, or a browser fingerprint.” 827 F.3d at 289. The court further explained: ”Yershov itself acknowledges that ‘there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work’ to trigger liability under this statute. We believe the information allegedly disclosed here is on that side of the divide.” Id. (quoting Yershov, 820 F.3d at 486).

12

The Ninth Circuit explained that although its decision “adopts a different test [it] does not necessarily conflict with Yershov” because Yershov was narrowly tailored to the disclosure of GPS coordinates, which “would enable most people to identify an individual‘s home and work addresses.” Eichenberger, 876 F.3d at 986 (quoting Yershov, 820 F.3d at 486) (alterations adopted).

13

Although Congress did not pass the law until January 2013, it is titled the “Video Privacy Protection Act Amendments Act of 2012.” In re Nickelodeon, 827 F.3d at 287 n.164.

14

This screenshot also shows only a portion ‍‌‌‌​‌‌​‌‌‌‌‌‌​‌‌‌‌‌​‌​​​‌​‌​​​‌‌‌​​​‌​​​​​‌‌‌​​‌‍of the PageView that the Pixel produces.

15

FITE also argues that the Complaint fails to allege any harm suffered by Solomon herself because the exemplar screenshots оf code “appear to have been taken from an unidentified person‘s web browser,” and Solomon‘s demonstrative Facebook profile uses a hypothetical profile rather than her own. Appellee Br. at 8. FITE argues that these generalized claims are insufficient to support a plausible cause of action. See, e.g., Spokeo, Inc. v. Robins, 578 U.S. 330, 338 n.6 (2016) (“[E]ven named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.” (internal quotation marks omitted)); see also In re Nickelodeon, 827 F.3d at 285 (“[W]e think that legislators’ initial focus on both libraries and video stores indicates that the [VPPA] was meant to prevent disclosures of information capable of identifying an actual person‘s reading or video-watching habits.“). We do not reach this argument, in light of our holding above.

Case Details

Case Name: Detrina Solomon v. Flipps Media, Inc.

Court Name: Court of Appeals for the Second Circuit

Date Published: May 1, 2025

Citations: 136 F.4th 41; 23-7597

Docket Number: 23-7597

Court Abbreviation: 2d Cir.