What Privacy Teams Can Learn from CoStar’s VPPA Victory

Case Memo: Banks v. CoStar Realty Information Inc.

Facts

• Plaintiff alleged that when he watched video tours on the website of Apartments.com (operated by CoStar Realty Information, Inc.), the company used tracking pixels (including the Meta/Facebook pixel) to transmit data about which videos he viewed to third-parties such as Facebook and TikTok.
• The plaintiff contended that this disclosure constituted a violation of the VPPA’s prohibition on a “video tape service provider” knowingly disclosing the “personally identifiable information” of a “consumer” to any person.
• The matter was heard in the United States District Court for the Eastern District of Missouri.

Legal Issues & Holding

• Is CoStar a “video tape service provider” under the VPPA? The VPPA defines that term as “any person, engaged in the business … of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.” 18 U.S.C. § 2710(a)(4).The Court held that CoStar was *not* a video tape service provider because its business model (a property-listing site with embedded video tours) is not one of rental, sale or delivery of prerecorded video “cassettes or similar audiovisual materials” in the sense the statute uses. Thus the threshold requirement failed.
• Is the plaintiff a “consumer” under the VPPA? Section 2710(a)(1) defines “consumer” as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” The Court held that because CoStar is not a video tape service provider, the plaintiff cannot be a “consumer.” In addition, even if CoStar were one, the complaint did not allege the plaintiff subscribed specifically to CoStar’s video services.
• Was there a disclosure of “personally identifiable information” (PII)? The statute defines PII under Section 2710(a)(3) as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” The Court noted the plaintiff’s reliance on tracking-pixel data, but found that even assuming the other elements were present, the pleading did not sufficiently allege disclosure of PII in the statutory sense.

Disposition

The court granted the defendant’s motion to dismiss under Rule 12(b)(6). The complaint was dismissed with prejudice for failure to state a claim under the VPPA.

Key Take-Aways from CoStar/Apartments.com VPPA Lawsuit

• Businesses that embed video content or use tracking pixels associated with video viewing must still assess whether the VPPA could apply—but mere use of pixels does not automatically trigger liability under VPPA.Case shows defendants can succeed on threshold arguments (provider status, consumer status) and avoid deeper PII-analysis when appropriate.
• The decision highlights the importance of business model analysis: the court asked whether video delivery was the core business and whether there was a “rental/sale/delivery of prerecorded video cassette tapes or similar audiovisual materials” as Congress used that term. Because CoStar’s business was property listings and video tours, the court said no.
• Even where a website uses video, embedding video tours or marketing videos isn’t automatically the “delivery” of audiovisual material in the statutory sense. If video is incidental, the provider-threshold may fail.
  

  VPPA Landscape: What’s Going On Across the Circuits?

  The VPPA is increasingly used in digital-litigation, often targeting websites that transmit viewing-data via pixels or share user IDs and video URLs with ad/analytics vendors.

  Below is a summary of current circuit trends and splits:

  Circuit	Key Issue	Recent Holdings / Trend	Implication for Businesses
  Second Circuit	Disclosed data = “personally identifiable information”? (ordinary-person test) Definition of “consumer”	In Solomon v. Flipps Media, Inc. (No. 23-7597-CV, 2nd Cir. May 1, 2025) the court held that URL + Facebook ID via pixel did *not* alone satisfy PII because an “ordinary person” could not identify the viewer. In Salazar v. NBA (2nd Cir. Oct. 2024) the court adopted a broader consumer definition (subscription to newsletter = “consumer”) though other issues remain.	Potentially broad — companies must still assess pixel data transfers; PII component remains a critical blocker for plaintiffs.
  Sixth Circuit	Interpretation of “consumer” & “goods or services”	In Salazar v. Paramount Global (6th Cir. April 3, 2025) the court held the goods or services must be “audiovisual goods/services” from a video tape service provider. It thus narrowed scope of consumer definition.	Stricter threshold for plaintiffs; businesses may have stronger defence when video is incidental to their core services.
  Seventh Circuit	Interpretation of “consumer” (broad view)	In Gardner v. Me‑TV Nat’l Ltd. Partnership (7th Cir. March 28, 2025) the court sided with the Second Circuit’s expansive view: a “consumer” can be someone who subscribes to goods/services of a video-tape service provider (regardless of video being the good).	Creates more exposure in jurisdictions within the Seventh Circuit; companies operating there should pay particular attention.

  Practical Compliance Checklist (for teams using consent & tracking platforms such as Captain Compliance)

  • Inventory all video content (embedded, user-uploaded, marketing tours) and determine whether your organisazion is in the “business of rental, sale or delivery” of prerecorded video or similar audiovisual materials. If video is incidental, you may fall outside VPPA’s provider threshold—but document the analysis.
  • Map tracking flows associated with video view events: which pixels, tags, analytics or ad networks receive data when a user watches video? What data fields are transmitted (video ID, URL, device ID, third-party user ID, cookie ID)?
  • For each data flow, assess whether the transmitted information qualifies as “personally identifiable information” under the VPPA standard — ask: would an ordinary person receiving the disclosed data be able to identify the person as having requested or obtained specific video materials or services from a video tape service provider? If not, risk may be lower.Recent decisions like Flipps and Banks reinforce the “ordinary person” standard.
  • Evaluate your consent mechanisms: Are you obtaining explicit, informed consent for video-view tracking, especially if third parties receive data about the video viewed? Even if you determine VPPA doesn’t apply, good consent hygiene is still best practice.
  • Update your preference centre and consent management platform (e.g., Captain Compliance’s preference center module) to include a distinct category for “Video tracking & sharing” and show it in your user interface so that users can opt-in or opt-out transparently.
  • Document your decisions: Maintain an audit log of your business-model assessment, pixel/flow inventory, consent receipts, and risk-analysis. Should litigation arise, documentation of a good-faith compliance process is a key defence.
  • Monitor circuit developments: as shown above, different federal circuits take divergent positions on what constitutes a “consumer” or “PII” under the VPPA, and some decisions raise the possibility of a future Supreme Court review.

  Why This Matters for Privacy Practitioners

  The Banks v. CoStar case is a significant reminder that even legacy statutes rooted in pre-digital-era behavior (like the VPPA) still have real relevance in today’s tracking- and-analytics driven world. From an enforcement and litigation risk perspective:

  • VPPA claims carry statutory damages of up to $2,500 per violation for each person whose PII was disclosed without consent.
  • Even if video is ancillary to a business (e.g., marketing tours or embedded clips), companies cannot assume exemption — the provider threshold is fact-specific. Banks shows a business model defense can succeed, but only with the right facts and documentation.
  • Because the circuit law is inconsistent (as illustrated above) thousands of websites may be exposed depending on where they are sued. Global companies should assume the broadest possible exposure and plan accordingly.
  • Even where VPPA risk may be low, the scrutiny around video tracking and third-party sharing is growing — compliance with data-protection obligations (GDPR, CCPA/CPRA, other state laws) demands attention to what users see when they watch videos and what happens behind the scenes. Including video flows in your overall privacy architecture (consent management, audit logs, DPIAs) is therefore important.

  Looking Ahead For Future VPPA Cases

  This moment may mark a pivot in VPPA litigation and a potential relief for defendants but regardless you’ll want to make sure you cover your bases with Captain Compliance’s privacy software to protect against potential VPPA litigation. While the plaintiff bar has aggressively pursued pixel-based claims for video tracking, recent decisions show stronger defensibility when businesses conduct model-based analyses and carefully manage their video-tracking architecture. At the same time, the industry is watching closely for how the Supreme Court of the United States might weigh in on the circuit split about the definition of “consumer” (among other terms).

  For privacy teams, this is a wake-up call: embed video-tracking into your consent and governance architecture, review pixel deployment across video assets, document your business model, and ensure your preference-center and user consent flows (for example via Captain Compliance) are aligned with these evolving risks and know that if you have a video streaming you’ll need proper disclosures and then you’ll want to protect against CIPA & ECPA claims next.