A recent decision from the U.S. District Court for the Western District of Michigan, Goodman v. Hillsdale College (No. 1:25-cv-417, Oct. 17, 2025), denied Hillsdale College’s motion to dismiss a proposed class action brought under the federal Video Privacy Protection Act (VPPA). The ruling signals that federal VPPA claims—once concentrated in media and consumer-facing sectors—are now reaching higher-education institutions and testing how data-driven outreach and analytics intersect with legacy privacy laws drafted for a different era.
For colleges and universities, the opinion underscores a broader truth: even where intent is educational, tracking and data-sharing practices can be re-framed as “disclosures” under privacy statutes originally aimed at commercial video services. From a defense standpoint, it highlights the need for institutions to evaluate marketing infrastructure through a litigation-informed compliance lens—balancing mission-driven engagement with disciplined oversight, privilege-protected assessments, and defensible documentation.
Procedural Status
The plaintiffs—users of online.hillsdale.edu—allege that the College’s website used the Meta Pixel to transmit their viewing activity and corresponding Facebook IDs to Meta without consent, in violation of the VPPA (18 U.S.C. § 2710).
They contend that Hillsdale qualifies as a “video tape service provider,” that registrants who created free accounts are “consumers,” and that the combined data (course URLs + Facebook IDs) constitutes personally identifiable information.
Hillsdale moved to dismiss, arguing that the VPPA should not apply because:
- its online videos are free and thus not part of a commercial “business”;
- free registrants are not “subscribers” under the statute;
- Meta Pixel does not transmit PII within the meaning of the VPPA; and
- any data exchange occurred in the “ordinary course of business.”
Chief Judge Jarbou rejected these arguments at the pleading stage. The Court found the complaint plausibly alleged that:
- Hillsdale was “engaged in the business of delivering videos” because its online courses furthered fundraising and paid distance-learning efforts, and
- the alleged transmission of URLs and Facebook IDs could constitute disclosure of personally identifiable information.
The Court emphasized that nonprofit status or free access does not categorically exempt an entity from VPPA coverage and held that discovery should proceed on the factual questions surrounding business purpose, data transmission, and consent. No class has been certified and no merits findings have been made.
Why It Matters
This is among the first federal VPPA decisions to squarely apply the statute to an academic institution’s educational video platform.
Key takeaways include:
- Statutory expansion beyond media companies. Courts are increasingly willing to treat any entity delivering online video content—even for free—as a potential “video tape service provider.”
- Data-pairing risk. Combining user identifiers (like Facebook IDs, hashed emails, or device tokens) with viewed content titles can meet the VPPA’s definition of “personally identifiable information.”
- Nonprofit and educational missions offer no categorical defense. Indirect revenue generation (fundraising, course promotion, book sales) may establish a “business purpose.”
- Discovery will probe governance, not intent. Plaintiffs will seek vendor contracts, configuration logs, and internal privacy reviews to test diligence and disclosure oversight.
Strategic Considerations for Higher-Education Institutions
- Conduct privileged tracking-technology assessments. Engage outside counsel to oversee technical audits under attorney-client privilege. Work-product findings can guide remediation while preserving confidentiality and litigation defensibility.
- Re-evaluate disclosure and consent language. Ensure website privacy notices and cookie banners accurately describe data sharing with third parties. Even if tracking supports fundraising or analytics, users must have clear notice and choice consistent with FTC deception principles and CCPA/CPRA “do not share” standards.
- Classify data-sharing within existing information-security governance. Treat tracking technology as part of your cybersecurity architecture—not merely marketing infrastructure—integrating it into NIST or ISO risk-management frameworks and board-level reporting.
- Revisit vendor and platform agreements. Confirm service-provider status, data-use limitations, and indemnity terms in contracts with advertising and analytics vendors. Document due diligence and configuration decisions.
- Preserve documentation of compliance rationale. Maintain contemporaneous records of policy decisions, legal reviews, and technical settings. Such artifacts are often pivotal in motions practice and settlement positioning.
Closing Perspective
The Goodman decision doesn’t establish liability—it merely allows discovery—but it broadens the VPPA’s reach and foreshadows increased scrutiny of how institutions govern tracking technologies. For the higher-education sector, where public trust and donor confidence are paramount, this is a moment for proactive governance.
By treating data-flow design as a matter of compliance discipline rather than technical convenience, colleges can reduce litigation exposure while demonstrating accountability—a theme running through every major privacy and cybersecurity enforcement trend in 2025.
Thompson Coburn’s Cybersecurity, Privacy and Data Governance team helps colleges and universities navigate the intersection of privacy compliance, cybersecurity, and litigation risk. Our attorneys work closely with institutional clients to design governance frameworks that withstand scrutiny—from evaluating tracking-technology deployments to coordinating privilege-protected audits and refining disclosures that align with both educational missions and evolving regulatory expectations. We focus on building programs that are not only compliant, but defensible—helping higher-education leaders demonstrate accountability in a rapidly changing enforcement landscape.
