In a notable development for corporate defendants grappling with consumer privacy litigation, the Southern District of New York has recently issued a decision in Lee v. Springer Nature America, Inc., embracing a broadened view of potential liability for defendants under the Video Privacy Protection Act (VPPA). This ruling should serve as a cautionary tale for companies leveraging digital marketing tools, especially social media pixels.
Mark Lee filed a putative class action against Springer Nature America, alleging violations of the VPPA for disclosing subscribers' video viewing data to Meta Platforms, Inc., via the Meta Pixel, without obtaining prior informed written consent. Springer, a scientific publisher that operates the website ScientificAmerican.com, allegedly integrated the Pixel into its website to transmit users’ video-viewing activities, including Facebook IDs (FID) and URLs of accessed videos, directly to Meta.
Springer moved to dismiss the suit, primarily arguing that it was not a “video tape service provider” under the VPPA, that Lee was not a “consumer” as defined by the statute, that the disclosed information was not “personally identifiable information” (PII), and that the disclosure was not “knowing” as required by the statute. The court rejected each of these arguments.
Following the Second Circuit’s recent formulation in Salazar v. NBA, the court broadly interpreted the definition of a "video tape service provider." Rejecting Springer’s argument—at least the motion to dismiss stage—that video delivery was merely incidental to its core business, the court held that because Springer required users to register and subscribe to access videos beyond a minimal threshold, it was "engaged in the business" of delivering audiovisual materials under the VPPA. This interpretation underscores that the VPPA is not restricted only to companies whose primary business is video rental or delivery. Rather, even businesses primarily engaged in publishing or content delivery may find themselves subject to the VPPA if they include any substantial offering of audiovisual content to subscribers.
Second, the court reaffirmed the expansive interpretation of who qualifies as a “consumer” under Salazar. It held that providing personal data as consideration—here, name and email address—in exchange for access to video content sufficiently establishes a subscriber relationship protected by the VPPA. This underscores for businesses that virtually any user interaction involving an exchange of personal information could establish a consumer-provider relationship, even if the consumer does not pay money in order to access the materials.
Third, the court concluded that Facebook IDs, when coupled with video content URLs, constitute PII under the VPPA, embracing the notion that unique digital identifiers are, indeed, personally identifiable information—particularly in instances where platforms like Facebook can directly link these identifiers to specific profiles, thus easily facilitating identification. The court stopped short of holding that IP addresses necessarily constituted PII, though that is likely little consolidation to Springer given the court’s broader holding.
Finally, the court found Springer’s disclosure via the Meta Pixel was potentially “knowing.” The court reasoned that by deliberately implementing and configuring the Pixel, Springer effectively “"opened a digital door” for Meta to identify subscriber information. Springer could not disclaim responsibility simply because the Pixel, an external tool, executed the technical disclosure.
This decision underscores a critical takeaway for corporate defendants: integrating third-party marketing tools that transmit user data demands careful compliance strategies. Companies must recognize that VPPA claims can arise even when video content is not central to their business model. With courts willing to recognize broad categories of data as PII, it is paramount that companies reevaluate their web and marketing practices to ensure explicit, informed consent processes are in place.
Now is the time for in-house counsel and legal management teams to audit their websites and applications for privacy compliance—particularly regarding third-party pixels and similar tracking technologies, that may inadvertently collect and share video viewing information with third parties. Making necessary changes to websites sooner rather than later is key. Statutory damages are significant under the VPPA at $2,500 per violation, and companies face significant class action exposure from potential missteps. Making changes now can mitigate the risk of substantial liability down the line. As the legal landscape continues to evolve, staying informed and proactive is the best defense.
