Keypoint: Plaintiffs’ attorneys continue to expand lawsuits relating to website tracking technologies.

Chick-fil-A once again found itself in the spotlight last week when it was named as a defendant in a lawsuit filed in the Northern District of California. The complaint alleges the plaintiff was harmed not by Chick-fil-A’s food products, but rather by Chick-fil-A’s operation of “Stories of Evergreen Hills,” which Chick-fil-A describes as a “series of animated short films, collectibles, and experiences created by Chick-fil-A®, Stories of Evergreen Hills™ follows a young girl named Sam as she discovers how little acts of kindness can bring people together.”

In the below post, we provide an overview of the case against Chick-fil-A and the Video Privacy Protection Act that forms the foundation of the plaintiff’s complaint.

The plaintiff—who describes themselves as a “consumer privacy advocate” who “advances important public interests at the risk of vile personal attacks” and, as such, alleges they should be “‘praised rather than vilified’”—alleges Chick-fil-A violated the Video Privacy Protection Act (“VPPA”) by sharing Personally Identifiable Information (“PII”) about the plaintiff’s video watching habits with Meta. As tech-publication Gizmodo describes it: “While Chick-fil-A was serving you sandwiches, it was also serving up data to Facebook’s parent company Meta.”

The plaintiff’s complaint rests upon the Facebook (now Meta) “Pixel,” which is software code through which website operators monitor how website visitors interact with the website. Meta describes “how the Facebook pixel works”:

Importantly for Chick-fil-A and others that may use the Pixel on websites that stream videos for consumers to view, the Pixel transmits information to Meta, including anything present in HTTP headers, pixel-specific data (including the pixel ID and cookie), button click data, and optional values the website owner can choose. The plaintiff alleged Chick-fil-A transmitted the URL, the video’s title, and other data that describes the video the plaintiff (and any other visitor to the Evergreen website) viewed, which in connection with transmitted cookies that allegedly contain the visitor’s Facebook ID, allows Facebook to determine what specific videos specific individuals, including but not limited to the plaintiff, viewed. The plaintiff alleges this violates the VPPA.

So what Is the VPPA?

The VPPA was originally enacted in 1988 to protect information about people’s video tape rentals written after the press leaked a list of a failed Supreme Court nominee’s movie rental history. Through its enactment, Congress sought “to prevent disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.” In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 284 (3d Cir. 2016). Under the VPPA, “video tape service providers”—or anyone who offers similar services—cannot disclose personally identifiable information about what videos an individual watches without the individual first providing informed, written consent. Importantly, the written consent must be “in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer[.]” 18 U.S.C. § 2710(b)(2)(B)(i). The Act provides statutory damages of $2,500 per breach in addition to other monetary relief, attorneys’ fees, and preliminary injunctive relief. Id. at § 2710(c)(2).

Because the VPPA is Federal legislation, litigations can expect to be in Federal court for any case involving the VPPA. The Northern District of California most often deals with the VPPA (23 reported decisions), followed by the Northern District of Illinois (15) and Southern District of New York (11). The Ninth Circuit has addressed the Act 12 times. Since the Act’s introduction in 1998, more than 170 reported decisions have cited the Act. There was a spike of decisions in 2012 through 2017 before slowing down in 2018 through 2021. In 2022, however, 16 decisions cited the VPPA, nearly matching the height of the 2012–2017 timeframe.

Source: Author-created chart using data from Westlaw.

Several of these decisions have considered the Facebook Pixel under the VPPA. Earlier cases dealt with instances where the Facebook Pixel was used to transmit information about a video purchase. See e.g., Bernardino v. Barnes & Noble Booksellers, Inc., 2017 WL 3727230 (S.D.N.Y. Aug. 11, 2017) (alleging use of Facebook Pixel by Barnes & Noble to transmit information to Facebook about the plaintiff’s DVD purchase violated the VPPA); Cappello v. Walmart Inc., 2019 WL 11687705 (N.D. Cal. April 5, 2019) (alleging Walmart’s disclosure of walmart.com customers’ identities and video media purchases to Facebook without the customers’ consent violated the VPPA). In 2022, however, courts began considering whether providers of online-only videos (aka “streaming”) violated the VPPA when transmitting information to Meta via the Pixel. These cases were targeted toward companies whose provision of video services made up a major component of the services the company offered, including newspaper providers, WebMD, and Patreon. These cases held the Facebook ID was PII and that although the offending companies were not primarily video providers, the plaintiffs could still successfully plead a VPPA claim against the defendants.

Last week’s case against Chick-fil-A attempts to assert the VPPA against a defendant who primarily offers a good or service that is unrelated to video services but nevertheless uses the Pixel to transmit information about visitor’s video watching habits to Facebook. It remains to be seen whether the plaintiff will be successful in its case against Chick-fil-A. Although the courts that have considered claims that use of the Pixel violates the VPPA have allowed these claims to pass the pleading stage, no court has yet resolved whether use of the Pixel with streaming content violates the VPPA as a substantive matter of law.