The VPPA's Second Act: Why a 1988 Video Law Now Turns on a String of Pixel Code
A statute written for VHS rental records has become one of the most active theories in website-tracking litigation — and the courts can't agree on who it protects or what counts as identifying.
The Video Privacy Protection Act was passed in 1988 after a newspaper obtained Robert Bork's video rental history during his Supreme Court confirmation. It sat largely dormant for three decades. Today it is one of the most-pled theories in website-tracking litigation, and in early 2026 the Supreme Court agreed to hear a piece of it — a sign of how unsettled the law has become.
The reason is structural. The VPPA gives plaintiffs a private right of action with liquidated damages of $2,500 per violation, no proof of actual harm required. Apply that to a class of everyone who watched a video on a media site running the Meta Pixel, and the exposure becomes serious quickly. That arithmetic, more than any single ruling, is what keeps the filings coming.
The mechanism is ordinary
The fact pattern is almost mundane. A publisher embeds a video on a page and also runs the Meta Pixel for advertising. When the page loads, the pixel sends a request to Meta that can include the page URL — which frequently contains the video's title or slug — alongside the visitor's Facebook identifiers, typically the c_user cookie or an fbp value, if the visitor is logged into Facebook in the same browser. The theory is that this combination discloses, to a third party, what a specific identifiable person watched. No bespoke tooling is required; it is the same pixel millions of sites already run.
Where the courts have split
Two questions are doing all the work, and courts have answered both in opposite directions.
The first is what counts as "personally identifiable information." On May 1, 2025, the Second Circuit became the first appeals court to apply an "ordinary person" standard to a Meta Pixel claim, in Solomon v. Flipps Media. It held that the strings of code the pixel transmits are not PII, because they are not information that would readily allow an ordinary person — as opposed to a sophisticated entity like Meta — to identify what an individual watched. Practitioners described it as the Second Circuit "shutting the door" on a large category of pixel claims in that circuit.
The second question is who even qualifies as a "consumer" the statute protects. Here the same circuit cut the other way. In Salazar v. NBA, the Second Circuit read "consumer" broadly, holding that someone who subscribes to a provider's services — an email newsletter, in that case — can be a "subscriber" under the Act even if the thing they subscribed to was not itself audio-visual. The Sixth Circuit, in the April 2025 Salazar v. Paramount Global decision, took the narrower view, requiring a closer nexus to audio-visual goods or services.
That divide is what the Supreme Court stepped into. On January 26, 2026 it granted certiorari in Salazar v. Paramount Global to resolve who counts as a "consumer." Until it rules, the same website behavior can sustain a claim in one circuit and fail in another, and the value of a case depends heavily on where it is filed.
Reading the landscape honestly
It would be easy to read Flipps Media as the end of pixel-based VPPA exposure. That would be premature. The PII ruling is one circuit's, framed around the specific identifiers in that record; other courts have not uniformly adopted the ordinary-person framing, and plaintiffs continue to plead configurations where the disclosure is more directly identifying. The "consumer" question is now squarely before the Supreme Court, and a broad answer would re-energize filings nationwide. This is an area in genuine motion, and confident predictions in either direction have not aged well.
What is stable is the underlying behavior. Whatever the courts ultimately decide about PII and "consumer" status, the disclosure that anchors every one of these cases is a pixel on a video page transmitting a title-bearing URL together with a platform identifier.
What this looks like from the outside
The configuration that creates VPPA exposure is observable without any inside knowledge of the site:
- A video embedded on a page that also loads the Meta Pixel or a comparable advertising tag.
- Outbound tracker requests carrying the page URL when that URL encodes the video's title or slug.
- Facebook identifiers —
c_user,fbp, or anfbclid— present in those requests. - Tags that fire on video pages before any consent interaction, which removes the "they agreed" defense.
None of that proves a violation; the law is too unsettled for that, and much turns on facts a scan cannot see. But it tells you whether your pages exhibit the exact pattern these suits are built on — which is worth knowing before someone else maps it for you.
Sources
- ABA Business Law Today — Pixel Tools and a New Wave of VPPA Litigation (Apr 2025)
- Morgan Lewis — Second Circuit 'Shuts the Door' on Meta Pixel VPPA Claims (Jul 2025)
- Troutman Pepper — Second Circuit Forecloses VPPA Claims via Meta Pixel
- Foley Hoag — The Supreme Court Enters the Pixel Discussion (Feb 2026)
See what your own pages do
The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.
Run a free scan