Federal Court Dismisses VPPA Claims Against Website with Prejudice - "Not a Videotape Business"

October 24, 2025 in Personal Data, State Legislation

On Monday, October 20, the Eastern District of Missouri dismissed a proposed class action based on the federal Video Privacy Protection Act ("VPPA") against CoStar, the company behind apartments.com. It isn't clear at this point whether the plaintiff will appeal.

CoStar does not dispute that it uses several pixels on apartments.com, including the Meta Pixel. The plaintiff, Banks, alleged that "when he watched videos on apartments.com, CoStar disclosed his information, including which videos he watched on apartments.com, to third parties, though he specifically names only Facebook and TikTok.," thereby "disclosing [his] personal identifying information... to third parties" without his consent, in violation of the VPPA.

The court stated that a successful VPPA claim for failure to obtain consent requires (1) the defendant to be a "video tape service provider", (2) the plaintiff to be a "consumer", and (3) the defendant to have disclosed "personally identifiable information" to third parties. The court found that all three elements were not satisfied, and dismissed, with prejudice, for failure to state a claim under VPPA.

Below is a breakdown of the courts analysis for element (1), and a summary for the court's less-extensive take on elements (2) and (3).

CoStar is not a "video tape service provider" because its business does not involve "prerecorded video cassette tapes or similar audio-visual materials," or even if it did, it is not "in the business... of... deliver[ing]" them.
- Not similar: The court stated the only similarity between the video tours at issue in this case and prerecorded cassette tapes is that they are both "audio visual materials." Additionally, "[t]he [VPPA's] statutory context... includes the consistent mention of the noun phrase "video tape," demonstrating "that 'audio visual materials' must be stored in a physical format to be 'similar' to 'prerecorded video cassette tapes.'"
  - Banks did not argue that CoStar delivered prerecorded video cassette tapes, so the emphasis was on the "similarity" prong. The court looked at the "plain meaning [of words in the definition of video tape service provider] at the time of the VPPA’s enactment," noting the 1981 dictionary definition of "similar" was "having characteristics in common; very much alike; comparable."
  - Banks's argument relied heavily on recent case law (including Mata v Zillow Grp) from courts in other federal Circuits, which has taken a broad view of VPPA to include websites with "non-video aspects to their business model." The Eastern District of Missouri categorized Mata as "misinterpret[ing] the language of" VPPA, partially because it fully omitted the statutory language of "similar" from its analysis.
  - Note — The court looked at the "plain meaning [of words in the definition of video tape service provider] at the time of the VPPA’s enactment," noting the 1981 dictionary definition of "similar" was "having characteristics in common; very much alike; comparable," and the 1981 dictionary definition of "business" was "a usual commercial or mercantile activity customarily engaged in as a means of livelihood and typically involving some independence of judgment and power of decision."
Banks is not a "consumer" because, even though he is viewing video tours on a logged-in apartments.com account, he does not have "a subscription to [the defendant's] video services."
- The court emphasized the VPPA's protections against disclosure of "rental" and "sale" information to imply a more tangible commercial relationship than simple interaction.
CoStar did not disclose "personally identifiable information" to third parties because Banks failed to allege "anything about" how the Meta Pixel use could identify him, and in any case, PII is "definitionally constrained to 'specific video materials or services... from a video tape service provider,' which... CoStar is not" (see element (1) above).

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Cameron Cantrell is an Associate at Hintze Law PLLC, counseling companies on global data protection issues, including health (consumer, biotech, genetics), business (CCPA, GDPR), and areas of ongoing federal regulation (HIPAA, GLBA, the DOJ Cross-Border Data Transfers Rule, human subject research).

California Prohibits AI Misrepresentations about Health Care Licenses

October 23, 2025 in Artificial Intelligence, GenAI, Health + Biotech Privacy, State Legislation

By Cameron Cantrell

On October 11, 2025, California’s Governor Newsom signed AB 489, a law designed to address health advice from artificial intelligence (“AI”). It will take effect on January 1, 2026.

California Amends Artificial Intelligence Transparency Act and Passes AI Defenses Act

October 20, 2025 in Artificial Intelligence, Data Privacy, GenAI, Hintze Law Blog Series, State Legislation

By Leslie Veloz

On October 13th, 2025, Governor Gavin Newsom signed into law AB 853, which amends the California Artificial Intelligence Transparency Act (AI Transparency Act (SB 942)), a law placing obligations on makers of generative AI systems aimed at increasing transparency to allow individuals to more easily assess whether digital content is generated or modified using AI.

California Passes Law on AI Companion Chatbot Safety

October 17, 2025 in Artificial Intelligence, Data Privacy, GenAI, Kid's Online Privacy, State Legislation, Technology Law

By Clara De Abreu E Souza

On Oct. 13, 2025, California Governor Gavin Newsom signed into law Senate Bill 243 – Companion Chatbots. SB 243, authored by Senator Steve Padilla, requires operators of companion chatbot platforms to notify users that the chatbot is AI, provide specific disclosures to minors, and restrict harmful content. The law also includes a private right of action.

California Passes Digital Age-Assurance Act Into Law

October 16, 2025 in CCPA, COPPA, Data Privacy, Hintze Law Blog Series, Kid's Online Privacy, State Legislation, Online Advertising

By Hansenard Piou

On October 13th, 2025, Governor Newsom signed the Digital Age Assurance Act (AB 1043) into law. Introduced by co-authors Assembly Member Buffy Wicks and Senator Tom Umberg, the law establishes age-assurance requirements for computer and mobile operating system providers and app stores as well as app developers with an aim to protect children’s online safety. The Digital Age Assurance Act enters into effect on January 1, 2027.

California’s Social Media Account Cancellation Act Signed into Law

October 14, 2025 in CCPA, Data Privacy, State Legislation, Personal Data

By Clara De Abreu E Souza

On October 8, 2025, California Governor Gavin Newsom signed into law Assembly Bill 656 — Account Cancellation. AB 656, authored by Assembly member Pilar Schiavo, focuses on social media platforms and requires them to provide users with a clear and accessible way to delete their accounts. This action must also trigger the complete deletion of the user’s personal data.

California Opt Me Out Act Signed into Law

October 14, 2025 in Data Privacy, State Legislation, CCPA

By Cameron Cantrell

On October 8, 2025, California’s Governor Newsom signed AB 566—the California Opt Me Out Act—into law. The California Opt Me Out Act, using the same definitions as the CCPA, requires any business that develops or maintains an internet browser to build in an opt-out preference signal (“OOPS”) functionality. The law takes effect on January 1, 2027.

California Further Amends its Data Broker Registration Law

October 13, 2025 in Data Privacy, State Legislation

By Hansenard Piou

On October 8, 2025, Governor Gavin Newsom signed SB 361 into law. Introduced by Senator Josh Becker, the bill amends California’s Data Broker Registration Law (and amendments to the law under the Delete Act) with additional disclosure requirements for data brokers.

What is “Bulk U.S. Sensitive Personal Data”?

October 10, 2025 in Data Privacy, DOJ, Hintze Law Blog Series

By Emily Litka

This is the second in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). It provides an overview of one of the categories of data that is in scope under the DOJ Rule: bulk U.S. sensitive personal data.

Governor Newsom signs Transparency in Frontier Artificial Intelligence Act

October 03, 2025 in Artificial Intelligence, State Legislation, Technology Law

By Clara De Abreu E Souza

On September 29, 2025, California Governor Gavin Newsom signed the Transparency in Frontier Artificial Intelligence Act (TFAIA). Authored by Senator Scott Wiener, TFAIA follows the release of the Governor’s California Report on Frontier AI Policy, which was drafted by the Joint California Policy Working Group on AI Frontier Models.

IAPP Publishes EU Digital Laws Report 2025

October 01, 2025 in Data Privacy, Global Privacy & Security, Artificial Intelligence

By Hansenard Piou

On September 30th, the IAPP (formerly the International Association of Privacy Professionals) released its EU Digital Laws Report 2025, a comprehensive analysis explaining and synthesizing the requirements of core EU digital laws. The report aims to provide a resource to help the broadest possible class of organizations, platforms, and developers comply with the Data Governance Act, the Data Act, the Digital Markets Act, the Digital Services Act, the EU AI Act, and the NIS2 Directive.

Does the DOJ Rule Apply?

September 30, 2025 in Data Privacy, DOJ, Hintze Law Blog Series

By Hansenard Piou and Sam Castic

This is the first in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”). It provides a high-level overview of the kinds of cross-border data transfers that are regulated by the DOJ Rule. Future blog posts will more closely examine the DOJ Rule, its requirements, potential impacts, and strategies to address compliance.

Clara De Abreu E Souza Joins Hintze Law as an Associate

September 29, 2025

Hintze Law PLLC is excited to announce that Clara De Abreu E Souza has joined the firm as a first-year Associate in the Seattle office.

Hintze Lawyers Recognized in 2026’s Best Lawyers in America

August 21, 2025 in Hintze Law Recognitions

This year, eight of Hintze Law’s attorneys have been recognized by Best Lawyers® across a variety of categories, marking a significant milestone for the firm. Every one of our associates earned recognition, reflecting both the breadth of talent within our team and the dedication each attorney brings to their practice.

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

August 20, 2025 in CCPA, CPPA, Cybersecurity, Data Privacy, Artificial Intelligence, State Legislation

By Sam Castic

The California Privacy Protection Agency (CPPA) has adopted final regulations on privacy risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT), as well as amendments to existing CCPA regulations. Final publication of the regulations is pending review by the Office of Administrative Law, and depending on when that occurs, the regulations will likely take effect 10/1/2025 or 1/1/2026. Some key concepts from these regulations, and actions to consider, are below.

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

July 09, 2025 in CCPA, Data Privacy, Health + Biotech Privacy, State Legislation

By Mason Fitch and Kate Black

The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.

Congratulations to Mason Fitch on Promotion to Of Counsel

July 09, 2025 in Hintze Law Recognitions

Hintze Law PLLC is pleased to announce Mason Fitch’s promotion to Of Counsel at the firm.

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

June 24, 2025 in Data Privacy, Health + Biotech Privacy

by Cameron Cantrell and Felicity Slater

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

Hintze & Partners Recognized by Chambers in 2025 USA Rankings

June 05, 2025 in Hintze Law Recognitions

Hintze Law PLLC is delighted to announce the Chambers & Partners recognition of Susan Hintze, Mike Hintze, Sam Castic, and Mason Fitch in its USA Guide 2025. These recognitions include the firm’s sixth year being nationally ranked in Privacy and Data Security, and third year in Privacy & Data Security: Healthcare.

State Privacy Regulators Announce Formation of Collaboratory Consortium

April 17, 2025 in CPPA, Data Privacy, State Legislation

by Felicity Slater and Susan Hintze

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws.