Privacy & Cybersecurity Law Blog

On February 20, 2025, the U.S. District Court for the Northern District of Georgia (the “Court”) granted a motion for class certification in a class action alleging that WebMD violated the federal Video Privacy Protection Act (“VPPA”) by disclosing certain user data to Facebook without the users’ consent. Specifically, Plaintiff alleges that WebMD allowed Facebook Pixel to monitor what videos users are watching on WebMD’s website, information which Pixel then uses to create ads tailored to the user.

The Court found that Plaintiff satisfied each of the requisite elements under Rule 23 of the Federal Rules of Civil Procedure. The Court concluded the class was ascertainable because Pixel would match the data gathered from WebMD’s website to users’ Facebook accounts, so the class members were already identifiable through Pixel’s records. The Court also reasoned that Plaintiff’s claims were particularly conducive to class treatment because the same issues would predominate each class member’s claim—that is, did WebMD knowingly disclose the class member’s video-watching data to Facebook, a third party, without the class member’s consent?  Similar to the issue of ascertainability, the Court reasoned that Pixel’s records would be dispositive of that question.

Cases alleging privacy violations based on Pixel or a similar software surreptitiously collecting data from a website are not new. However, orders granting class certification in these types of privacy suits—or even in the much more common data breach case—are relatively rare. Future class plaintiffs therefore may seek to rely on the Court’s reasoning here in support of their request to certify classes for certain statutory privacy claims as well as data breach class actions.