Duane Morris Takeaways: On September 3, 2025, in Golden v. NBCUniversal Media, LLC, No. 22-CV-9858, 2025 WL 2530689 (S.D.N.Y. Sept. 3, 2025), Judge Paul A. Engelmayer of the U.S. District Court for the Southern District of New York granted a motion to dismiss with prejudice for a media company on a claim that the company's use of website advertising technology on its website violated the Video Privacy Protection Act ("VPPA"). The ruling is significant as it shows that in the explosion of adtech class actions across the nation seeking millions or billions of dollars in statutory damages under not only the VPPA but also myriad other statutes providing for statutory penalties on similar theories that the website owner disclosed website activities to Facebook, Google, and other advertising agencies, the statute and its harsh penalties should not be triggered because no ordinary person could access and decipher the information transmitted.
Background
This case is one of a multiplying legion of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants' websites secretly captured plaintiffs' web-browsing activity and sent it to Meta, Google, and other online advertising agencies.
This software, often called website advertising technology or "adtech," is a common feature on corporate, governmental, and other websites in operation today. In adtech class actions, the key issue is often a claim brought under the VPPA, a federal or state wiretap act, a consumer fraud act, and even the Illinois Genetic Information Privacy Act (GIPA), because plaintiffs often seek millions (and sometimes even billions) of dollars, even from midsize companies, on the theory that hundreds of thousands of website visitors, times $2,500 per claimant in statutory damages under the VPPA, for example, equals a huge amount of damages. Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they also have filed suits against companies that span nearly every industry including retailers, consumer products, and universities. Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, the vast majority remain undecided, and especially with some district courts being more permissive than others in allowing adtech class actions to proceed beyond the motion to dismiss stage (as we blogged about here), the plaintiffs' bar continues to file adtech class actions at an alarming rate.
InGolden, the plaintiff brought suit against a media company. According to the plaintiff, she signed up for an online newsletter offered by the media company and, thereafter, visited the media company's website, where she watched videos. Id. at *2-4. The plaintiff further alleged that, after she watched those videos, her video-watching history was sent to Meta without her permission via the media company's undisclosed use of the Meta Pixel on its website. Id. Like plaintiffs in most adtech class action complaints, this plaintiff: (1) alleged that before the company sent the web-browsing data to the online advertising agency (e.g., Meta), the company encrypted the data via the secure "https" protocol (id., ECF No. 56 ¶ 45); and (2) did not allege that any human had her encrypted web-browsing data or could retrieve it from the advertising agency's algorithms or that even the advertising agency, or any other entity or person, has her web-browsing data stored or could retrieve it from the advertising agency's algorithms in a decrypted (readable) format. Based on the plaintiffs' allegations, the plaintiff alleged a violation of the VPPA.
The media company moved to dismiss under Rule 12(b)(6), arguing that the media company did not adequately allege that the media company "disclosed" the plaintiff's "personally identifiable information" ("PII"), defined under the VPPA as "information which identifies a person as having requested or obtained specific video materials or services...." Id., 2025 WL 2530689, at *5-6.
TheCourt's Decision
The Court agreed with the media company and held that the plaintiff failed plausibly to plead any unauthorized "disclosure."
As the Court explained, "PII, under the VPPA, has three distinct elements: (1) the consumer's identity, (2) the video material's identity, and (3) the connection between them." Id. at *6. Moreover, PII "encompasses information that would allow an ordinary person to identify a consumer's video-watching habits, but not information that only a sophisticated technology company could use to do so." Id. (emphasis in original). Therefore, "to survive a motion to dismiss, a complaint must plausibly allege that the defendant's disclosure of information would, with little or no extra effort, permit an ordinary recipient to identify the plaintiff's video-watching habits." Id. For these reasons, explained the Court, the Second Circuit has "effectively shut the door for Pixel-based VPPA claims." Id. at *7 (citing Hughes v. National Football League, 2025 WL 1720295 (2d Cir. June 20, 2025)).
Applying these standards, the Court dismissed the plaintiff's VPPA claim with prejudice, holding that, "[i]n short, because the alleged disclosure could not be appreciated — decoded to reveal the actual identity of the user, and his or her video selections — by an ordinary person but only by a technology company such as Facebook, it did not amount to PII." Id. at *6-7. In so holding, the Court cited an "emergent line of authority" shutting the door on VPPA claims not only in the Second Circuit but also in other U.S. Courts of Appeal. See In Re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 283 (3d Cir. 2016) (affirming dismissal of VPPA case involving the use of Google Analytics, stating, "To an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person"); Eichenberger v. ESPN, Inc., 876 F.3d 979, 986 (9th Cir. 2017) (affirming dismissal of VPPA case because "an ordinary person could not use the information that Defendant allegedly disclosed [a device serial number] to identify an individual").
Implications For Companies
The Court's holding inGoldenis a win for adtech class action defendants and should be instructive for courts around the country addressing adtech class actions brought under not only the VPPA, but also other statutes prohibiting "disclosures," and the like. These statutes should be interpreted similarly to require proof that an ordinary person could access and decipher the web-browsing data, identify the person, and link the person to the data.
Consider a few examples. A GIPA claim requires proof of a disclosure or a breach of confidentiality and privilege. An eavesdropping claim under the California Information of Privacy Act (CIPA) § 632 requires proof of eavesdropping. A trap and trace claim under CIPA § 638.51 requires proof that the data captured is reasonably likely to identify the source of the data. A claim under the Electronic Communications Privacy Act (ECPA) requires proof of an interception.
When adtech sends encrypted, inaccessible, anonymized transmissions to the advertising agency's algorithms, has there been any disclosure or breach of confidentiality and privilege (GIPA), eavesdropping (CIPA § 632), data capture reasonably likely to identify the source (CIPA § 638.51), or interception (ECPA)? Just as adtech transmissions are insufficient to amount to a disclosure under the VPPA, Golden shows neither should adtech transmissions trigger these similarly worded statutes because no ordinary person could access and decipher the data transmitted.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
