While no clients of Captain Compliance have had to deal with a VPPA lawsuit once they started to use our software a federal judge’s recent decision to let a privacy lawsuit proceed against the University of Phoenix has reignited debate over one of America’s oldest video privacy laws. On January 14, 2026, U.S. District Judge Mary Rowland in the Northern District of Illinois ruled that the for-profit online education giant must face claims under the Video Privacy Protection Act (VPPA), a 1988 statute originally crafted to shield video rental records from prying eyes. The case centers on allegations that the university deployed Meta’s tracking pixel on its website, transmitting students’ video-viewing data—paired with their unique Facebook IDs—to the social media behemoth without explicit consent.
This ruling stands out not just for denying the university’s motion to dismiss but for directly challenging a growing judicial trend that has favored defendants in similar cases. At a time when appellate courts have begun narrowing the VPPA’s reach, Judge Rowland’s opinion injects fresh uncertainty into an already volatile area of privacy litigation. It also underscores a broader reality: nearly four decades after its passage, the VPPA remains a surprisingly potent weapon in plaintiffs’ arsenals, even as courts grapple with applying a VHS-era law to modern pixel-tracking technology.
The Case at Hand: Tracking Students’ Educational Videos
The plaintiff, Janielle Dawson, a former University of Phoenix student, alleges that the institution embedded third-party tracking tools—including Meta’s ubiquitous pixel—across its online platform. Whenever Dawson accessed prerecorded course videos, the pixel allegedly fired, sending Meta a bundle of data: the URL of the video watched (revealing its title and content) alongside her Facebook ID (a long numeric string known as a “cUser” or FID). For logged-in Facebook users, Meta can easily tie that ID to a real name, profile, and vast trove of personal information.
Dawson argues this constitutes an unlawful disclosure of her “personally identifiable information” (PII) linked to her video-viewing history, violating the VPPA’s core prohibition. Enacted in response to the 1987 Supreme Court nomination controversy surrounding Judge Robert Bork—whose video rental records were leaked to the press—the law bars “video tape service providers” from knowingly disclosing consumers’ viewing information without informed, written consent. Violators face statutory damages of $2,500 per violation, making class actions financially attractive.
The University of Phoenix moved to dismiss, leaning on a line of Second Circuit precedents holding that a Facebook ID alone does not qualify as PII because an “ordinary person” could not readily convert the numeric string into a name. But Judge Rowland rejected that narrow interpretation. “Concluding otherwise would defy common sense,” she wrote, to skirt liability by disclosing information other than names that readily can be used to identify a consumer.” In her view, PII encompasses any data that can identify someone, particularly when transmitted to a sophisticated recipient like Meta capable of deanonymizing it instantly.
Rowland also allowed related wiretap claims under federal and Illinois law to survive, rebuffing the university’s argument that it implicitly consented to the data transfers as a party to the communication. While she dismissed VPPA counts against other trackers (Google, LinkedIn, TikTok) for lack of specificity on identification, the core Meta-related claims march forward.
The Meta Pixel: Privacy Villain or Advertising Essential?
To understand the stakes, one must grasp how the Meta Pixel operates. This tiny snippet of JavaScript code, embedded on billions of websites worldwide, reports user actions back to Meta for analytics and targeted advertising. When a video plays on a site equipped with the pixel, it can log the event, the page URL, and—crucially—any persistent identifiers like a logged-in Facebook cookie.
Plaintiffs’ bar has seized on this mechanism, filing hundreds of VPPA suits since 2022 alleging that websites become “video tape service providers” whenever they host or stream audiovisual content. From news outlets and retailers to streaming platforms and educational sites, few digital properties offering video have escaped scrutiny. The theory: sharing viewing data with Meta turns the social giant into a modern-day video store clerk, privy to intimate consumer preferences without permission.
Defendants counter that the VPPA was never intended to cover incidental tracking on general-purpose websites. They point to the law’s legislative history—focused on Blockbuster-style rentals—and argue that modern analytics serve legitimate business purposes, like improving user experience and funding free content through advertising.
The Ebb and Flow of VPPA Litigation
The University of Phoenix ruling arrives amid a shifting tide in VPPA class actions. After exploding in 2022–2023, with plaintiffs targeting everyone from Major League Baseball to Martha Stewart’s media empire, the litigation wave crested in 2024–2025 as appellate courts began imposing limits.
The Second Circuit led the charge, repeatedly affirming dismissals in Meta Pixel cases. In a series of 2025 decisions, the court held that transmitting a Facebook ID does not disclose PII under the VPPA’s “ordinary person” standard—essentially requiring that the information itself reveal identity to a layperson, not just to the recipient armed with additional databases. Other districts, particularly in New York, followed suit, effectively closing the door on many pixel-based claims.
Meanwhile, circuits remain split. The Eleventh Circuit has taken a broader view of PII, and district courts elsewhere—including the Third and Ninth—have allowed cases to proceed on theories similar to Rowland’s. Year-in-review analyses from late 2025 noted a marked decline in new filings as defendants racked up victories and plaintiffs’ firms recalibrated strategies. Some observers predicted the VPPA frenzy might finally subside.
Yet Judge Rowland’s opinion throws sand in the gears. By explicitly disagreeing with the Second Circuit and embracing a functional definition of identification, she preserves a viable path for plaintiffs in the Seventh Circuit and potentially influences others. Combined with lingering wiretap claims (which often survive even when VPPA counts falter), the decision ensures that pixel-related privacy battles will persist into 2026 and beyond.
Broader Implications for Education and Digital Privacy
The case carries particular resonance for online education providers. As universities increasingly rely on digital platforms delivering prerecorded lectures and supplemental videos, they risk morphing into VPPA-regulated entities. The University of Phoenix, already no stranger to regulatory scrutiny (recall its $191 million FTC settlement in 2019 over deceptive advertising), now faces heightened exposure. If certified as a class action, damages could balloon rapidly given the volume of students accessing video content.
More fundamentally, the litigation exposes the tension between data-driven personalization and individual privacy. Educational institutions use analytics to track engagement, identify struggling students, and refine curricula—worthy goals enabled by tools like the Meta Pixel. But when those tools leak sensitive viewing patterns to third-party advertisers, they cross into territory the VPPA was designed to protect.
Critics of aggressive VPPA enforcement argue the law has become a blunt instrument, wielded by class counsel to extract settlements from risk-averse defendants rather than vindicate genuine privacy harms. Proponents counter that consumers deserve transparency over how their viewing habits—often revealing political leanings, health interests, or educational pursuits—are commodified.
Toward a Modern Privacy Framework?
Ultimately, the University of Phoenix case highlights the VPPA’s enduring relevance and its limitations. A law born from analog-era scandal has proven remarkably adaptable to digital tracking, but its patchy application across circuits cries out for clarification—perhaps from the Supreme Court, which has yet to weigh in definitively.
In the meantime, businesses face practical choices: disable pixels on video pages, implement robust consent banners, or audit tracking configurations. For consumers, the ruling serves as a reminder that privacy protections, however antiquated their origins, can still pack a punch.
As courts continue wrestling with these issues, one thing is clear: the fight over what constitutes “private” video viewing in the age of endless scrolling is far from over. The University of Phoenix decision may not rewrite the law, but it ensures the conversation—and the litigation—will keep playing.
