Supreme Court Leaves VPPA Circuit Split Unresolved as California Age-Appropriate Design Code Faces Partial Injunction Lift

Want to receive these privacy recaps in your inbox each week? Subscribe here.

The U.S. Supreme Court has declined to review the 2nd Circuit’s dismissal of a lawsuit alleging the NFL violated the Video Privacy Protection Act, leaving a three-to-one circuit split over the definition of “personally identifiable information” unresolved. Meanwhile, the Ninth Circuit partially lifted a preliminary injunction on California’s Age Appropriate Design Code, creating continued uncertainty for businesses serving users under 18.

Keep reading to learn more and discover my takeaways.

United States

US Supreme Court Declines Review of “Ordinary Person” standard under the VPPA

The US Supreme Court has refused to review a 2nd Circult dismissal of Hughes v. National Football League, a case alleging the NFL’s violation of the Video Privacy Protection Act (VPPA). In this case, the plaintiff subscribed to the NFL’s newsletter and the NFL+ video streaming service, through which he viewed videos while logged into his Facebook account. The NFL then transmitted the plaintiff’s Facebook ID and video viewing information using a Facebook pixel installed on the NFL website. The plaintiff alleged that this transmission violated the VPPA because it allowed Facebook to know the names of the videos the plaintiff watched on NFL.com. 

Following precedent from its May 2025 decision in Solomon v. Flipps Media, Inc., the 2nd Circuit upheld the district court’s dismissal of the case. The 2nd Circuit found that, in determining whether transmitted information constitutes personally identifiable information under the VPPA, courts must ask only “whether an ordinary person would be able to understand the actual underlying code communication itself.” Here, it did not believe an “ordinary person” would understand the computer code, so the 2nd Circuit held the disclosures did not contain “personally identifiable information.”

TAKEAWAY

The Supreme Court’s refusal to review the 2nd Circuit decision in Hughes leaves unresolved a 3-1 circuit split over whether information counts as personally identifiable information under the VPPA if only a sophisticated technology company (like Facebook), and not an ordinary person, could understand it. The Third and Ninth Circuits have applied the “ordinary person” test consistent with the Second Circuit, however, the First Circuit applied a different test, asking whether disclosed information is reasonably and foreseeably likely to reveal to the actual recipient (e.g., Facebook) a person as having requested or obtained specific video materials. 

The Supreme Court has granted certiorari in Salazar v. Paramount Global to resolve a different VPPA circuit split over the definition of a “consumer” under the VPPA. Oral arguments for that case are expected in October 2026. 

California Age Appropriate Design Code Injunction Partially Lifted

The Ninth Circuit affirmed in part and vacated in part a preliminary injunction preventing enforcement of the California Age Appropriate Design Code Act (CAADCA). Specifically, the Ninth Circuit affirmed the preliminary injunction regarding the data use and dark patterns restrictions on vagueness grounds but vacated it concerning age estimation requirements. The court held that plaintiff NetChoice is not likely to succeed on the merits of its challenges to the CAADCA as a whole and to the age estimation requirements. 

The case has been remanded to the district court for further proceedings. Injunctions that were not challenged on appeal (i.e., those concerning mandatory DPIAs, high default privacy settings, age-appropriate language, and internal policy enforcement) will remain in effect.

TAKEAWAY

The CAADCA requires online services likely to be accessed by children under age 18 to implement certain privacy measures, however, enforcement has been either enjoined or stayed since the law took effect in July 2024, pending legal challenges. Following the most recent ruling, businesses can technically be required to implement a mechanism that reasonably estimates the age of child users, appropriate to the risks arising from their data management practices. However, because so much of the law remains enjoined, enforcing this requirement would be difficult. For example, the purpose of age estimation under the law is to determine which users to whom the business must apply the restrictions and protections of the law. However, all of those restrictions and protections are still enjoined, rendering age estimation pretty meaningless. 

The practical implication for businesses is that they remain in limbo. Businesses likely to be accessed by children under age 18 should watch the remand proceedings closely. However, there are currently no operative set of CAADCA child-protective obligations they can be penalized for violating, other than potentially the age estimation requirement itself, pending further district court proceedings.

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Luxembourg Court Overturns GDPR Fine Against Amazon
• South Korea Amends PIPA to Cap Penalties / Place Supervisory Liability on CEOs
• Consent managers: India’s legislative blueprint for digital privacy infrastructure
  
  
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.