Hall Approved Free Access to American Case Law
U.S. Court of Appeals for the Second Circuit, 2025

Detrina Solomon v. Flipps Media, Inc.

Detrina Solomon v. Flipps Media, Inc.
U.S. Court of Appeals for the Second Circuit · Decided May 1, 2025
136 F.4th 41 (Federal Reporter, Fourth Series)

Detrina Solomon v. Flipps Media, Inc.

Opinion

23‐7597‐cv Detrina Solomon v. Flipps Media, Inc.

UNITED STATES COURT OF APPEALS FOR THE SECOND CIRCUIT

August Term 2023 (Argued: May 13, 2024 Decided: May 1, 2025) Docket No. 23‐7597‐cv

DETRINA SOLOMON, on behalf of herself and all others similarly situated, Plaintiff‐Appellant, v. FLIPPS MEDIA, INC., dba FITE, dba FITE TV, Defendant‐Appellee.

ON APPEAL FROM THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF NEW YORK

Before: RAGGI, CHIN, and NARDINI, Circuit Judges.

Appeal from a judgment of the United States District Court for the Eastern District of New York (Azrack, J.), dismissing, pursuant to Fed. R. Civ. P. 12(b)(6), plaintiff‐appellantʹs complaint alleging violations of the Video Privacy Protection Act, 18 U.S.C. § 2710, and denying her leave to amend. Defendant‐ appellee ‐‐ a video streaming platform ‐‐ disclosed certain information about plaintiff‐appellantʹs streaming history to Facebook, Inc. (now Meta Platforms, Inc). Because plaintiff‐appellant failed to plausibly allege an impermissible disclosure of her ʺpersonally identifiable informationʺ under the statute, we conclude that the district court correctly dismissed her claims and denied leave to amend.

AFFIRMED.

NICOMEDES S. HERRERA (Bret D. Hembd, on the brief), Herrera Kennedy LLP, Oakland, CA, and Burbank, CA, and Christopher J. Cormier, Burns Charest LLP, Washington, DC, for Plaintiff‐ Appellant.

DAVID N. CINOTTI (Brendan M. Walsh, on the brief), Pashman Stein Walder Hayden, P.C., Hackensack, NJ, for Defendant‐Appellee.

CHIN, Circuit Judge: In 1987, a newspaper published an article that identified 146 films that a Supreme Court nominee and his family had rented from a local video store. Although the rental information disclosed in the article was ʺnot at all salacious,ʺ1 the invasion of privacy prompted Congress to enact the Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (the ʺVPPAʺ), to protect the privacy of consumers who rented or purchased ʺvideo cassette tapesʺ and ʺsimilar audio visual materials.ʺ 18 U.S.C. § 2710(a)(4).

In this case, plaintiff‐appellant Detrina Solomon, a subscriber to a digital video streaming service, contends that her rights under the VPPA were violated when the service, operated by defendant‐appellee Flipps Media, Inc., dba FITE, dba FITE TV (ʺFITEʺ),2 sent certain information to Facebook, Inc. (ʺFacebookʺ)3 each time she streamed a video. The information consisted of (1) a sequence of characters, letters, and numbers that, if correctly interpreted, would identify the title and URL (uniform resource locator, or web address) of the

1 Elizabeth Gemdjian, The Extraordinary Extension of the Video Privacy Protection Act: Why the ʺOrdinary Course of Businessʺ of an Analog Era is Anything but Ordinary in the Digital World, 90 Brook. L. Rev. 553, 558 (2025). 2 FITE has been rebranded as Triller TV. 3 Facebook has been rebranded as Meta Platforms, Inc. video, and (2) her ʺFacebook IDʺ (ʺFIDʺ), a unique sequence of numbers linked to her Facebook profile.

The district court granted FITEʹs motion to dismiss pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure, holding that Solomon did not plausibly allege that FITE disclosed her ʺpersonally identifiable informationʺ as prohibited by the VPPA. Solomon v. Flipps Media, Inc., No. 22CV5508, 2023 WL 6390055, at *2‐3 (E.D.N.Y. Sept. 30, 2023).4 The district court also denied Solomonʹs request for leave to amend because Solomon sought to amend only with ʺa footnote on the final page of her briefʺ and had ʺmultiple opportunities to propose amendmentsʺ but ʺsimply elected not to do so.ʺ Id. at *5‐6.

We agree in both respects and, accordingly, we affirm.

STATEMENT OF THE CASE I. Statutory Background The VPPA was enacted to ʺpreserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.ʺ

4 The district court also held that Solomon did not plausibly allege that she accessed prerecorded videos as required under the VPPA. We need not and do not reach this issue.

S. Rep. No. 100‐599, at 1 (1988) (Judiciary Committee); see Wilson v. Triller, Inc., 598 F. Supp. 3d 82, 90 (S.D.N.Y. 2022). To that end, it provides that: [a] video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person . . . . 18 U.S.C. § 2710(b)(1); see In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 278 (3d Cir. 2016) (ʺThe [VPPA] creates a private cause of action for plaintiffs to sue persons who disclose information about their video‐watching habits.ʺ).

To state a claim under the VPPA, a plaintiff must plausibly allege that (1) a video tape service provider (2) knowingly disclosed to any person (3) personally identifiable information concerning her use of the service. See 18 U.S.C. § 2710(b)(1); In re Nickelodeon, 827 F.3d at 279. Violators are subject to awards of actual damages (no less than $2,500), punitive damages, attorneysʹ fees and costs, and equitable relief. 18 U.S.C. § 2710(c)(2).

The VPPA defines several key terms: (1) the term ʺconsumerʺ means any renter, purchaser, or subscriber of goods or services from a video tape service provider; ...

(3) the term ʺpersonally identifiable informationʺ includes information which identifies a person as

having requested or obtained specific video materials or services from a video tape service provider; and (4) the term ʺvideo tape service providerʺ means any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials, or any person or other entity to whom a disclosure is made under subparagraph (D) or (E) of subsection (b)(2), but only with respect to the information contained in the disclosure. 18 U.S.C. § 2710(a)(1), (3), (4).

The VPPA does not ban all disclosure of personally identifiable information. A video tape service provider may disclose personally identifiable information in six circumstances: (1) to the consumers themselves; (2) to any person with the informed written consent of the consumer; (3) to a law enforcement agency pursuant to a valid warrant, subpoena, or court order; (4) to any person if the disclosure is solely of the names and addresses of consumers and if the video tape service provider has provided the consumer with the opportunity to prohibit such disclosure; (5) if the disclosure is incident to the ordinary course of business of the video tape service provider; and (6) pursuant to a court order in a civil proceeding, upon a compelling showing of need and after the consumer is given reasonable notice and an opportunity to contest the claim. See 18 U.S.C. § 2710(b)(2)(A)‐(F); S. Rep. No. 100‐599, at 12‐15.

In recent years, the VPPA has generated extensive litigation, as numerous class actions have been filed against a wide variety of entities alleging that they impermissibly disclosed to third parties the personally identifiable information and video‐viewing histories of their consumers.5 II. The Facts6 FITE is a digital streaming company that provides subscribers with an array of sports, entertainment, and music video content through its website and applications. It offers video content, pay‐per‐view events, and live streaming events.

Facebook is an unrelated third party that, among other things, creates and sells products such as the Facebook Pixel (the ʺPixelʺ) to operators of

5 See Gemdjian, supra note 1, at 553 (including such entities as the ʺAARP, Hulu, General Mills, the NBA, PBSʺ); Ryan Joe & Lara OʹReilly, A Blockbuster‐Era Video Law Is Being Used to Ding Big‐Name Brands Like General Mills, Geico, and Chick‐Fil‐A With Privacy Lawsuits, Bus. Insider (Sept. 7, 2023, 12:23 PM), https://www.businessinsider.com/vppa‐ privacy‐legal‐threat‐major‐brands‐2023‐9 [https://perma.cc/DU3K‐SQJX]; Eriq Gardner, How Entertainment Companies Are Fighting Lawsuits over Disclosures of Who’s Watching, Hollywood Rep. (Oct. 21, 2014, 1:18 PM), https://www.hollywoodreporter.com/ business/business‐news/how‐entertainment‐companies‐are‐fighting‐742131/ [https://perma.cc/K55P‐GMEK]. 6 The facts are drawn from Solomonʹs complaint (the ʺComplaintʺ), which we construe liberally, accepting all factual allegations as true, and drawing all reasonable inferences in Solomonʹs favor. Herrera v. Comme des Garcons, Ltd., 84 F.4th 110, 113 (2d Cir. 2023) (quoting Miller v. Metro. Life Ins. Co., 979 F.3d 118, 121 (2d Cir. 2020)). websites.7 The Pixel is a ʺunique string of codeʺ that can be used to collect information about subscribersʹ interactions on websites. Joint Appʹx 17 ¶ 50. In other words, the Pixel is a tool that can be used to relay certain information to websites about the websitesʹ consumers, including whether consumers initiate purchases, what items they view, and the content consumers access on a particular webpage.

ʺPageViewʺ is an optional feature that allows the Pixel to capture the URL and title of each video that a user accesses on a providerʹs website, along with that userʹs FID, which identifies the individual more precisely than a name or email address. A userʹs FID is associated with a small text file that stores information, also known as a Facebook ʺc_user cookieʺ or ʺcookie.ʺ Because these c_user cookies are created and placed by Facebook on the Facebook usersʹ browsers, only Facebookʹs servers can access them.

7 Although the VPPA applies to ʺconsumersʺ of ʺvideo tape service providers,ʺ the parties do not dispute on appeal that Solomon fits within the definition of ʺconsumerʺ and FITE fits within the definition of a ʺvideo tape service provider.ʺ See Salazar v. Natʹl Basketball Assʹn, 118 F.4th 533, 545 (2d Cir. 2024). FITE does, however, argue on alternate grounds that Solomon does not plausibly allege a ʺdisclosureʺ within the meaning of the VPPA. But in light of our holding that Solomon does not plausibly allege that the disclosed information constitutes personally identifiable information, we do not address the merits of FITEʹs alternative argument.

During the installation process, FITE configured the Pixel on its website to include PageView. Since the implementation of the Pixel, every time a FITE consumer accesses a video on a FITE application or website, FITE, through the Pixelʹs PageView, sends Facebook certain information about the user and her viewing history. The following is an ʺexemplar screenshotʺ depicting the transmission that FITE sends Facebook via the Pixelʹs PageView.

Joint Appʹx at 20.

The underlined code following the word GET (also known as a GET request) in Box A is generated when a hypothetical user requests a certain video on FITEʹs website. Within the GET request in Box A, the string of characters includes the specific title of the video that the user accesses. In Box B (which

starts in the lower right and continues in the lower left), the phrase ʺc_user=ʺ is followed on the next line by a partially redacted string of numbers ‐‐ the userʹs FID.

The Pixel relays this information to Facebook regardless of whether the siteʹs users are logged onto Facebook and even after they clear their browser histories. Facebook then uses this information to build detailed profiles about FITEʹs consumers, which enables FITE to present those same consumers with targeted advertisements. FITE does not disclose or discuss the Pixel specifically in its Terms of Use, Privacy Policy, or any other material provided to subscribers, nor does FITE provide an opportunity for its consumers to decline or withdraw consent to FITEʹs use of the Pixel.

Entering ʺfacebook.com/[an individualʹs FID]ʺ into any web browser provides access to a specific individualʹs Facebook profile. This basic method of accessing a personʹs Facebook profile is ʺgenerally and widely known among the public.ʺ Joint Appʹx at 10, 21.

Solomon was a Facebook user and subscriber of FITEʹs TrillerVerzPass digital video streaming service during the two years before the Complaint was filed in 2022. The Complaint uses a hypothetical Facebook

profile to illustrate Solomonʹs claims but does not depict Solomonʹs personal Facebook profile or specify any identifiable information that exists in her profile.

III. Proceedings Below On September 14, 2022, Solomon brought this consumer privacy class action on behalf of subscribers and purchasers of FITEʹs video streaming services who (1) obtained specific video materials from FITEʹs website and applications, and (2) had a Facebook account during the time that FITE used the Facebook Pixel.8 The Complaint alleged that FITE violated the VPPA by disclosing its usersʹ personally identifiable information to Facebook, an unrelated third party, and sought statutory damages of $2,500 per violation.

On November 14, 2022, FITE submitted to the district court a pre‐ motion letter identifying numerous purported defects in the Complaint, including that the Complaint did not identify what information on Solomonʹs Facebook page would lead anyone to connect data in the alleged transmissions to

8 Although the Pixel was first introduced in 2013, Solomon does not specifically allege when FITE began using the Pixel. Solomon does, however, purport to be a consumer of FITE during the two years before this action was filed and defines the class period in the Complaint as ʺfrom September 14, 2020 to the present.ʺ Joint Appʹx at 28‐ 29. her. Solomon did not offer to amend the Complaint upon receipt of FITEʹs pre‐ motion letter, nor did she amend of right as permitted under Fed. R. Civ. P. 15(a).

On February 7, 2023, FITE moved to dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(6). Solomon filed a memorandum in opposition the same day. In a footnote, she noted that ʺ[she] should be granted leave to amend the Complaint to remedy any perceived deficiencies.ʺ Joint Appʹx at 94.

On September 30, 2023, the district court granted FITEʹs motion to dismiss and denied Solomon leave to amend. Solomon, 2023 WL 6390055, at *1, *6. The district court held that Solomon did not plausibly allege that her public Facebook profile page contained personally identifiable information or that Solomon accessed prerecorded videos within the meaning of the VPPA. Id. at *2‐ 5. The district court also denied Solomonʹs request for leave to amend the Complaint because she had addressed the issue only in ʺa conclusory footnoteʺ and had failed to take advantage of ʺmultiple opportunities to propose amendments.ʺ Id. at *6. The district court entered judgment in favor of FITE on October 3, 2023.

This appeal followed.

DISCUSSION Two issues are presented: first, whether the district court erred in holding that the Complaint failed to plausibly allege that FITE disclosed ʺpersonally identifiable informationʺ to Facebook in violation of the VPPA, and, second, whether the district court abused its discretion in denying Solomon leave to amend the Complaint.

We review a district courtʹs grant of a motion to dismiss pursuant to Rule 12(b)(6) ʺde novo, accepting all factual allegations in the complaint as true and drawing all reasonable inferences in favor of the plaintiff.ʺ Michael Grecco Prods., Inc. v. RADesign, Inc., 112 F.4th 144, 150 (2d Cir. 2024) (quoting Melendez v. Sirius XM Radio, Inc., 50 F.4th 294, 298 (2d Cir. 2022)). ʺWe review a district courtʹs denial of leave to amend for abuse of discretion, unless the denial was based on an interpretation of law, such as futility, in which case we review the legal conclusion de novo.ʺ Carroll v. Trump, 88 F.4th 418, 430 (2d Cir. 2023) (quoting Empire Merchs., LLC v. Reliable Churchill LLLP, 902 F.3d 132, 139 (2d Cir. 2018)).

I. The Motion to Dismiss The principal question, with respect to the first issue, is what constitutes ʺpersonally identifiable informationʺ for purposes of the VPPA. It is undisputed that FITE is a video service provider that knowingly disclosed certain information about Solomon to Facebook ‐‐ namely, computer code that denoted the titles and URLs of the videos Solomon accessed and her FID. If that information constitutes ʺpersonally identifiable information,ʺ then Solomon would have plausibly alleged a violation of the VPPA.

A. Applicable Law The VPPA does not specifically define ʺpersonally identifiable information,ʺ providing only that it ʺincludes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.ʺ 18 U.S.C. § 2710(a)(3). Courts across the country, including lower courts in this circuit, have observed that the VPPA is ʺʹnot well drafted,ʹʺ Wilson, 598 F. Supp. 3d at 90 (quoting Sterk v. Redbox Automated Retail, LLC, 672 F.3d 535, 538 (7th Cir. 2012)), and that its definition of personally identifiable information is ʺoblique[]ʺ and not ʺclear,ʺ id.; see also In re Nickelodeon, 827 F.3d at 281 (ʺAs we shall see, what counts as personally identifiable

information under the Act is not entirely clear.ʺ); Yershov v. Gannett Satellite Info.

Network, Inc., 820 F.3d 482, 486 (1st Cir. 2016) (ʺThe statutory term ʹpersonally identifiable informationʹ is awkward and unclear.ʺ); Gemdjian, supra note 1, at (ʺOf the VPPAʹs key terms, the most ink has probably been spilled over the question of what constitutes [personally identifiable information].ʺ).9 This Court has not defined personally identifiable information beyond the statutory definition,10 but other circuits have provided further explanation. The First, Third, and Ninth Circuits have held that personally identifiable information constitutes more than just information that identifies an individual, but also information that can be used to identify an individual. See Yershov, 820 F.3d at 485‐86; In re Nickelodeon, 827 F. 3d at 290; Eichenberger v. ESPN, Inc., 876 F.3d 979, 984 (9th Cir. 2017). Accordingly, to define personally

9 See also Marc Chase McAllister, Modernizing the Video Privacy Protection Act, 25 Geo. Mason L. Rev. 102, 145‐46 (2017); Yarden Z. Kakon, Note, ʺHello, My Name Is User #101ʺ: Defining PII Under the VPPA, 33 Berkeley Tech. L.J. 1251, 1252 (2018); Daniel L.

Macioce Jr., Comment, PII in Context: Video Privacy and a Factor‐Based Test for Assessing Personal Information, 45 Pepp. L. Rev. 331, 401‐02 (2018).

10 In Salazar, this Court construed the definition of ʺsubscriber of goods or servicesʺ under the VPPA. 118 F.4th at 536. The facts of Salazar closely resemble this case, as a plaintiff was also alleging the disclosure of an FID to a third party via the Pixel. But we limited our holding in Salazar by noting that ʺwhile there may be breathing room in the statute to explore what exactly is ʹpersonally identifiable informationʹ ‐‐ we need not and do not explore that argument in this appeal.ʺ Id. at 549 n.10. identifiable information, circuits have endeavored to interpret what information Congress intended to cover as ʺʹcapable ofʹ identifying an individualʺ under the VPPA. Eichenberger, 876 F.3d at 984. Two approaches have emerged: (1) the reasonable foreseeability standard and (2) the ordinary person standard. Id. at 985.

1. The Reasonable Foreseeability Standard The First Circuit established the reasonable foreseeability standard in Yershov, holding that personally identifiable information is ʺnot limited to information that explicitly names a person,ʺ but also includes information disclosed to a third party that is ʺreasonably and foreseeably likely to reveal which . . . videos [the plaintiff] has obtained.ʺ 820 F.3d at 486.

In Yershov, the defendant was an international media company that produced news and entertainment media, including the newspaper USA Today and the USA Today Mobile App (the ʺAppʺ). Id. at 484. Every time a user viewed a video clip on the App, the defendant sent to Adobe Systems Incorporated (ʺAdobeʺ), an unrelated third party, ʺ(1) the title of the video viewed, (2) the GPS coordinates of the device at the time the video was viewed, and (3) certain identifiers associated with the userʹs device, such as its unique

Android ID.ʺ Id. With the Android ID, Adobe could find other personal information about its customers, such as ʺthe userʹs name and address, age and income, ʹhousehold structure,ʹ and online navigation and transaction history.ʺ Id. at 484‐85.

The court first held that personally identifiable information includes information that can be used to identify a specific individual. The court reasoned that the word ʺincludesʺ in the text of the definition implies that personally identifiable information is not limited to information that explicitly names a person. Id. at 486. Indeed, the court cited the Senate Report, which expressly stated that the draftersʹ aim was ʺto establish a minimum, but not exclusive, definition of personally identifiable information.ʺ Id. (quoting S. Rep. No. 100‐ 599, at 12 (1988)). Had Congress intended a narrow and simple construction, the court concluded, it would have had no reason ʺto fashion the more abstract formulation contained in the statute.ʺ Id. The court also noted that many types of information, other than a name, can easily identify a person. ʺRevealing a personʹs social security number to the government, for example, plainly identifies the person. Similarly, when a football referee announces a violation by

ʹNo. 12 on the offense,ʹ everyone with a game program knows the name of the player who was flagged.ʺ Id. The First Circuit subsequently established the reasonable foreseeability standard as the framework to determine what information can be used to identify an individual under the VPPA. The court concluded that the plaintiff in Yershov had plausibly alleged that the defendant impermissibly disclosed personally identifiable information when it supplied Adobe with information about the videos the plaintiff watched on the App, along with ʺGPS coordinates of the device at the time the video was viewed,ʺ and ʺcertain identifiers associated with the userʹs device.ʺ Id. at 484. The court explicitly relied on the allegation that the defendant knew that Adobe had the ʺgame program,ʺ or the mechanism necessary to ʺallow[] it to link the GPS address and device identifier information to a certain person by name, address, phone number, and more.ʺ Id. at 486. The court concluded that the plaintiff thus plausibly alleged that the defendant violated the VPPA because it was reasonably and foreseeably likely to the defendant that Adobe, a sophisticated technological company, would have the ability to identify the plaintiffʹs video‐ watching habits. Id.

2. The Ordinary Person Standard In In re Nickelodeon, the Third Circuit took a different approach by holding that ʺthe [VPPAʹs] prohibition on the disclosure of personally identifiable information applies only to the kind of information that would readily permit an ordinary person to identify a specific individualʹs video‐ watching behavior.ʺ 827 F.3d at 267.

In that case, the plaintiffs (children under thirteen) brought a putative class action alleging that Viacom disclosed information to Google that effectively revealed the videos they had watched on Nickelodeonʹs websites. Id. at 279. The plaintiffs argued that static digital identifiers (such as internet protocol (ʺIPʺ) addresses, browser fingerprints, and unique device identifiers) were personally identifiable information that enabled Google to link those videos to their real‐world identities. Id. The Third Circuit rejected the argument that succeeded in Yershov ‐‐ that it was reasonably foreseeable that Google, given its business model as a data aggregator, could use the disclosed information to identify the plaintiffs. Id. at 289‐90. Although the court agreed with the First Circuit on the preliminary issue ‐‐ that ʺCongressʹs use of the word ʹincludesʹ could suggest that Congress

intended for future courts to read contemporary norms about privacy into the statuteʹs original text,ʺ id. at 286 ‐‐ the court did not believe that ʺa law from 1988 can be fairly read to incorporate such a contemporary understanding of Internet privacy,ʺ id. at 290. The court reasoned that the plaintiffsʹ argument would mean that ʺthe disclosure of an IP address to any Internet company with registered users might trigger liability under the [VPPA]ʺ and that ʺthe use of third‐party cookies on any website that streams video content [would be] presumptively illegal.ʺ Id. The Third Circuit thus did not adopt Yershovʹs reasonable foreseeability standard, concluding that the VPPA did not ʺsweep[] quite so broadly.ʺ Id.11 Instead, the court adopted the ordinary person standard ‐‐ holding that static digital identifiers were not personally identifiable information protected from disclosure by the VPPA because an ordinary person, as opposed to a sophisticated internet company such as Google, could not use the static

11 The Third Circuit distinguished Yershov as ʺmerely demonstrat[ing] that GPS coordinates contain more power to identify a specific person than, in our view, an IP address, a device identifier, or a browser fingerprint.ʺ 827 F.3d at 289. The court further explained: ʺYershov itself acknowledges that ʹthere is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet‐to‐be‐done, or unforeseeable detective workʹ to trigger liability under this statute. We believe the information allegedly disclosed here is on that side of the divide.ʺ Id. (quoting Yershov, 820 F.3d at 486). digital identifiers to identify a specific individualʹs video‐watching habits. Id. at 289‐90.

In Eichenberger, the Ninth Circuit also adopted the ordinary person standard, concluding that it ʺbetter informs video service providers of their obligations under the VPPA.ʺ 876 F.3d at 985. In that case, defendant ESPN produced sports‐related news and entertainment programming through its television channel and application, which were available on the Roku digital streaming device. Id. at 981. Every time a consumer watched a video, ESPN knowingly disclosed to Adobe Analytics (ʺAnalyticsʺ) the consumerʹs Roku device serial number and the identity of the video that he watched. Id. Analytics also obtained email addresses, account information, Facebook profile information, photos, and usernames, from sources other than ESPN. Id. Analytics could identify the consumer by connecting both sources of information with other data already in Analyticsʹ profile of the consumer. Id. Analytics then gave that compiled information back to ESPN, which used it to provide advertisers with information about its user demographics. Id. The Ninth Circuit agreed that the word ʺincludeʺ signifies that the definition of personally identifiable information must encompass ʺmore

information than that which, by itself, identifies an individual as having watched certain videos.ʺ Id. at 984. Instead of just explicitly identifying information, the court reasoned, the statuteʹs use of the word ʺidentifiable,ʺ where ʺthe suffix ʹableʹ means ʹcapable of,ʹʺ reinforces that the definition of PII also ʺcovers some information that can be used to identify an individual.ʺ Id. at 979, 984.

The Ninth Circuit declined, however, to adopt Yershovʹs reasonable foreseeability standard because ʺthe advent of the Internet did not change the disclosing‐party focus of the [VPPA].ʺ Id. at 985. The court was ʺnot persuaded that the 1988 Congress intended for the VPPA to cover circumstances so different from the ones that motivated its passage.ʺ Id.12 Instead, the court reasoned that the ordinary person standard was more appropriate because the VPPA ʺviews disclosure from the perspective of the disclosing partyʺ and ʺlooks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.ʺ Id.

12 The Ninth Circuit explained that although its decision ʺadopts a different test [it] does not necessarily conflict with Yershovʺ because Yershov was narrowly tailored to the disclosure of GPS coordinates, which ʺwould enable most people to identify an individualʹs home and work addresses.ʺ Eichenberger, 876 F.3d at 986 (quoting Yershov, 820 F.3d at 486) (alterations adopted).

Accordingly, the court held that the plaintiff did not plausibly allege that the information that ESPN disclosed to Analytics constituted personally identifiable information under the ordinary person standard because the information disclosed ʺcannot identify an individual unless it is combined with other data in [Analyticsʹ] possession.ʺ Id. at 986 (emphasis omitted).

B. Application Although she did not advocate for a particular standard in the district court, Solomon now argues that this Court should adopt a variation of Yershovʹs reasonable foreseeability standard and hold that ʺpersonally identifiable information under the VPPA encompasses specific information about a consumer, disclosed by a video tape service provider to a particular recipient, that the provider knows the recipient can use to personally identify that consumer.ʺ Brief of Plaintiff‐Appellant at 13‐14. FITE contends that if this Court reaches the question, we should adopt the Third and Ninth Circuitsʹ ordinary person standard. Both parties contend that, regardless of the standard to be applied, they should prevail ‐‐ Solomon argues that the Complaint states a plausible claim and FITE argues that it does not.

First, we do reach the question of which standard applies, and we adopt the Third and Ninth Circuitsʹ ordinary person standard. Second, applying that standard, we conclude that the Complaint fails to state a claim for violation of the VPPA.

1. The Applicable Standard ʺWhen interpreting a statutory provision, we begin with the words of the statute.ʺ Soliman v. Subway Franchisee Advert. Fund Tr., LTD., 101 F.4th 176, 181 (2d Cir. 2024). If the words are clear, we construe the statute according to their plain meaning. Id. If the words are not clear, we may consider legislative history and the tools of statutory construction. Id.; accord Greenery Rehab. Grp., Inc. v. Hammon, 150 F.3d 226, 231 (2d Cir. 1998). We assess plain meaning ʺby reference to the language itself, the specific context in which that language is used, and the broader context of the statute as a whole.ʺ Zepeda‐Lopez v. Garland, 38 F.4th 315, 320 (2d Cir. 2022) (citation omitted).

As an initial matter, and as the parties appear to agree, we conclude that Congress intended the VPPA to cover not just information that, by itself, identifies a consumerʹs video‐viewing history, but also information capable of being used to do so. The VPPA states that ʺthe term ʹpersonally identifiable

informationʹ includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.ʺ 18 U.S.C. § 2710(a)(3). The words ʺinclude[]ʺ and ʺidentifiableʺ suggest that personally identifiable information includes information that can be used to identify a person, as well as information that, standing alone, identifies a person. The Senate Report also supports this result, as it states that the draftersʹ aim was ʺto establish a minimum, but not exclusive, definition of personally identifiable information.ʺ S. Rep. No. 100‐599, at 12 (1988). The circuit courts that have addressed the issue have reached the same conclusion, even where they disagreed in other respects. See Eichenberger, 876 F.3d at 984 (ʺʹ[P]ersonally identifiable informationʹ covers some information that can be used to identify an individual.ʺ); Yershov, 820 F.3d at 486 (ʺ[T]he language reasonably conveys the point that PII is not limited to information that explicitly names a person.ʺ); In re Nickelodeon, 827 F.3d at 290 (ʺCongressʹs use of the word ʹincludesʹ could suggest that Congress intended for future courts to read contemporary norms about privacy into the statuteʹs original text.ʺ).

In addition, based on the words of the statute, the specific context in which the language is used, and the broader context of the statute as a whole, we

conclude that ʺpersonally identifiable informationʺ encompasses information that would allow an ordinary person to identify a consumerʹs video‐watching habits, but not information that only a sophisticated technology company could use to do so. First, the words of the definition surely can be read to refer to the ʺkind of information that would readily permit an ordinary person to identify a specific individualʹs video‐watching behavior.ʺ In re Nickelodeon, 827 F.3d at 290.

The definition provides that ʺʹpersonally identifiable informationʹ includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.ʺ 18 U.S.C. § 2710(a)(3). We acknowledge that these words could also be read to encompass computer code and digital identifiers decipherable only by a technologically sophisticated third party. But even though the words are not without some ambiguity, they are more naturally read as referring to information that would permit an ordinary person to learn another individualʹs video‐watching history.

Second, the specific context in which those words are used suggests that the definition encompasses information that would permit an ordinary person to identify a specific individualʹs video‐watching behavior, as opposed to

information that only a technologically sophisticated third party could use to identify specific consumers. The VPPA imposes liability on a ʺvideo tape service providerʺ that ʺknowingly disclosesʺ a consumerʹs information to a third party. 18 U.S.C. § 2710(b)(1) (emphasis added). ʺIn other words, the statute views disclosure from the perspective of the disclosing party. It looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.ʺ Eichenberger, 876 F.3d at 985. It does not make sense that a video tape service providerʹs liability would turn on circumstances outside of its control and the level of sophistication of the third party. The ordinary person standard is a more suitable framework to determine what constitutes personally identifiable information because it ʺbetter informs video service providers of their obligations under the VPPA,ʺ while not impermissibly broadening its scope to include the disclosure of technological data to sophisticated third parties. See id.; see also S. Rep. No. 100‐599, at 12 (1988) (ʺ[P]ersonally identifiable information is intended to be transaction‐oriented. It is information that identifies a particular person as having engaged in a specific transaction with a video tape service provider.ʺ).

Finally, the broader context of the statute as a whole squarely supports the conclusion that liability under the VPPA should be limited to the disclosure of information that would permit an ordinary person to learn a specific individualʹs video‐watching history. The VPPA was enacted in 1988, when ʺthe Internet had not yet transformed the way that individuals and companies use consumer data ‐‐ at least not to the extent that it has today.ʺ Eichenberger, 876 F.3d at 985; accord In re Nickelodeon, 827 F.3d at 284 (ʺWe do not think that, when Congress passed the [VPPA], it intended for the law to cover factual circumstances far removed from those that motivated its passage.ʺ); see also Twentieth Century Music Corp. v. Aiken, 422 U.S. 151, 156 (1975) (ʺWhen technological change has rendered its literal terms ambiguous, the [statute] must be construed in light of [its] basic purpose.ʺ) (interpreting Copyright Act).

The evolution of the VPPA provides additional insights into its purpose. In 2013, some twenty‐five years after its inception, Congress amended the VPPA in recognition that ʺthe Internet ha[d] revolutionized the way that American consumers rent and watch movies and television programs.ʺ Salazar,

118 F.4th at 545 (quoting S. Rep. No. 112‐258, at 2 (2012)).13 Congress, however, declined to amend the definition of personally identifiable information, even in the face of testimony asking for an expansion of the definition to include IP addresses. See In re Nickelodeon, 827 F.3d at 288 (ʺDespite this recognition [that the Internet has revolutionized the way that Americans rent and watch movies and television programs], Congress did not update the definition of personally identifiable information in the statute.ʺ).

The decision to not amend the VPPA suggests that Congress believed that the VPPA ʺserves different purposes, and protects different constituencies, than other, broader privacy laws.ʺ Id. This is especially notable when we compare the VPPA to other, later privacy statutes that included a more expansive definition of personally identifiable information or related terms. For example, in 1998, ten years after the VPPA was enacted, Congress passed the Childrenʹs Online Privacy Protection Act (ʺCOPPAʺ), and defined ʺpersonal informationʺ to include: (A) a first and last name; (B) a home or other physical address . . . ; 13 Although Congress did not pass the law until January 2013, it is titled the ʺVideo Privacy Protection Act Amendments Act of 2012.ʺ In re Nickelodeon, 827 F.3d at 287 n.164.

(C) an e‐mail address; (D) a telephone number; (E) a Social Security number; (F) any other identifier that the [Federal Trade Commission] determines permits the physical or online contacting of a specific individual; or (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph. 15 U.S.C. § 6501(8); see In re Nickelodeon, 827 F.3d at 286‐87 & n.158. When Congress amended the VPPA in 2013, it could have expanded its definition of ʺpersonally identifiable information,ʺ but it did not ‐‐ even though it was urged to do so. We decline to adopt Yershovʹs reasonable foreseeability standard because it focuses on what a recipient can or cannot reasonably do when given personal information. 820 F.3d at 486. The ʺclassic exampleʺ of the ʺ1988 paradigmʺ is ʺa video clerk leaking an individual customerʹs video rental history,ʺ and the VPPA was not intended to create liability where a third party is able to ʺassemble otherwise anonymous pieces of data to unmask the identity of

individual [users].ʺ In re Nickelodeon, 827 F.3d at 290; see also Eichenberger, 876 F.3d at 985 (ʺʹ[P]ersonally identifiable informationʹ must have the same meaning without regard to its recipientʹs capabilities. Holding otherwise would make ʹthe lawfulness of a disclosure depend on circumstances outside of a video service providerʹs control.ʹʺ (quoting Mollett v. Netflix, Inc., 795 F.3d 1062, 1066 (9th Cir. 2015) (alterations adopted)).

2. FITEʹs Use of the Pixel Turning to the facts of this case, we consider whether the Complaint plausibly alleges that FITEʹs disclosure of Solomonʹs FID and video titles ʺwould, with little or no extra effort, permit an ordinary recipient to identify [Solomonʹs] video‐watching habits.ʺ In re Nickelodeon, 827 F.3d at 284. We conclude it does not.

The information transmitted by FITE to Facebook via the Pixelʹs PageView is set forth in the ʺexemplar screenshotʺ reproduced in the Complaint.

See page 9 supra; Joint Appʹx at 20. The exemplar depicts some twenty‐nine lines of computer code, and the video title is indeed contained in Box A following the GET request. The words of the title, however, are interspersed with many characters, numbers, and letters. It is implausible that an ordinary person would

look at the phrase ʺtitle%22%3A%22‐%E2%96%B7%20The%20Roast%20of%‐ 20Ric%20Flairʺ ‐‐ particularly if the highlighting in Box A is removed ‐‐ and understand it to be a video title.14 It is also implausible that an ordinary person would understand, ʺwith little or no extra effort,ʺ the highlighted portion to be a video title as opposed to any of the other combinations of words within the code, such as, for example, ʺ%9C%93%20In%20the%20last%20weekend%20of%20‐ July%2C.ʺ Id.; Joint Appʹx at 20.

Nor does the Complaint plausibly allege that an ordinary person could identify Solomon through her FID. Because the redacted sequence of numbers in the second line of Box B is not labeled, the FID would be just one phrase embedded in many other lines of code. And if the numbers in the exemplar were not redacted, what an individual would see is, for example, a phrase such as ʺc_user=123456ʺ or ʺc_user=00000000.ʺ Although a section of the code in Box A does state ʺ[h]ost: www.facebook.com,ʺ it is not plausible that an ordinary person, without the annotation of Box B, would see the ʺc_userʺ phrase on FITEʹs servers and conclude that the phrase was a personʹs FID.

14 This screenshot also shows only a portion of the PageView that the Pixel produces.

Notably, the Complaint lacks any details about how an ordinary person might access the information on the Pixelʹs PageView. But even assuming, arguendo, that an ordinary person could somehow gain access to the Pixelʹs PageView, the Complaint is also devoid of any details about how an ordinary person would use an FID to identify Solomon. The Complaint merely states that entering ʺfacebook.com/[Solomonʹs FID]ʺ into any web browser would result in Solomonʹs personal Facebook profile, and that ʺ[t]his basic method of accessing a personʹs Facebook profile is generally and widely known among the public.ʺ Joint Appʹx at 21. But see In re Nickelodeon, 827 F.3d at 283 (ʺTo an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person.ʺ). Accordingly, we are not persuaded that an FID is ʺvastly different,ʺ Appellant Br. at 29, from the unique device identifiers in Nickelodeon, 827 F.3d at 262, or the Roku device serial numbers in Eichenberger, 876 F.3d at 979.15

15 FITE also argues that the Complaint fails to allege any harm suffered by Solomon herself because the exemplar screenshots of code ʺappear to have been taken from an unidentified personʹs web browser,ʺ and Solomonʹs demonstrative Facebook profile uses a hypothetical profile rather than her own. Appellee Br. at 8. FITE argues that these generalized claims are insufficient to support a plausible cause of action. See, e.g., Spokeo, Inc. v. Robins, 578 U.S. 330, 338 n.6 (2016) (ʺ[E]ven named plaintiffs who represent a class must allege and show that they personally have been injured, not that

Accordingly, we hold that Solomon failed to plausibly allege that FITE disclosed ʺpersonally identifiable informationʺ in violation of the VPPA and we therefore affirm the district courtʹs dismissal of the Complaint.

II. Leave to Amend We find no abuse of discretion in the district courtʹs decision to deny Solomon leave to amend the Complaint. Although FITE sent Solomon a pre‐ motion letter advising her of the deficiencies in the Complaint, she waited until her opposition to the motion to dismiss to request leave, and she did so only in a single footnote on the final page of her brief, stating that ʺ[i]f the Court grants Defendantʹs motion in any respect, Solomon should be granted leave to amend the Complaint to remedy any perceived deficiencies.ʺ Joint Appʹx at 94 n.4. In denying Solomon leave to amend, the district court observed that Solomon ʺhas had more than ample opportunity to address the deficiencies identified [in the

injury has been suffered by other, unidentified members of the class to which they belong.ʺ (internal quotation marks omitted)); see also In re Nickelodeon, 827 F.3d at 285 (ʺ[W]e think that legislatorsʹ initial focus on both libraries and video stores indicates that the [VPPA] was meant to prevent disclosures of information capable of identifying an actual personʹs reading or video‐watching habits.ʺ). We do not reach this argument, in light of our holding above.

Complaint], but has not identified any proposed amendments.ʺ Solomon, 2023 WL 6390055, at *5.

In light of these facts, the district court acted wholly within its discretion in denying leave to amend. See, e.g., Noto v. 22nd Century Grp., Inc., 35 F.4th 95, 107 (2d Cir. 2022) (denial of leave to amend is proper ʺwhere the request gives no clue as to how the complaintʹs defects would be curedʺ (internal quotation marks omitted)); Porat v. Lincoln Towers Cmty. Assʹn, 464 F.3d 274, 276 (2d Cir. 2006) (holding that the district court did not abuse its discretion in denying leave to amend where the request was made only in a footnote and with no explanation as to how the complaintʹs defects would be cured).

Solomon relies on this Courtʹs decision in Mandala v. NTT Data, Inc. to argue that the district court abused its discretion in denying her leave. 88 F.4th 353 (2d Cir. 2023). The reliance is misplaced. In Mandala, this Court held that a district court abused its discretion in denying a motion to vacate a judgment of dismissal pursuant to Rule 60(b) of the Federal Rules of Civil Procedure, noting that: [Mandala] is one of the exceptional cases necessitating relief from judgment: Plaintiffs have yet to be afforded a single opportunity to amend their pleading; the original dismissal of the Complaint was premised on grounds

subject to reasonable, actual, and vigorous debate; Plaintiffs diligently prosecuted their case at all times; and Plaintiffsʹ proposed amendments address the sole pleading deficiency identified by the district court. Id. at 365.

Mandala is distinguishable and of no help to Solomon. First, Mandala involved a motion to vacate a judgment of dismissal, rather than a request for leave to amend a complaint. Second, the plaintiffs there actually made a motion and did not rely solely on a footnote. Third, the plaintiffs in Mandala were not ʺafforded a single opportunity to amend their pleadings,ʺ id., while here Solomon was put on notice of the deficiencies in the Complaint and had ʺample opportunityʺ to address them. Joint Appʹx at 124. Finally, we concluded that Mandala was ʺone of the exceptional cases necessitating relief from judgment,ʺ 88 F.4th at 365, and the instant case does not present similar exceptional circumstances.

Accordingly, we hold that the district court did not abuse its discretion in denying Solomonʹs request for leave to amend the Complaint.

CONCLUSION For the reasons set forth above, the judgment of the district court is AFFIRMED.

Case-law data current through December 31, 2025. Source: CourtListener bulk data.