Hi TCPAWorld!
In Saul v. Valnet Inc., No. 1:25-cv-12236-JEK, 2026 WL 1878312 (D. Mass. June 30, 2026), the District of Massachusetts denied a gaming news website’s motion to dismiss a Video Privacy Protection Act (VPPA) class action, rejecting both its personal jurisdiction challenge and its consent defense. The court held that a Canadian company can be haled into a U.S. court under Rule 4(k)(2) based on nationwide contacts, and that a privacy policy not referenced in the complaint cannot be used to establish consent at the pleading stage.
Background
Defendant Valnet Inc. is a Canadian corporation, incorporated in Quebec and based in Montreal, that owns and operates gamerant.com, a gaming news website featuring videos on a wide range of video game topics. Plaintiff Jonathan Saul, a Massachusetts resident with a gamerant.com account since November 2024, alleged that Valnet installed Google Tag and Google Analytics on the site and, as a result, disclosed his personally identifiable information, including his Google Account ID and video viewing activity, to Google without his consent. According to the complaint, the URLs transmitted by Valnet allowed Google to determine both that a page hosted a video and the name of that video, effectively linking Saul’s identity to the specific videos he watched. Saul filed a putative class action on behalf of all U.S. gamerant.com accountholders, asserting a single VPPA claim.
Valnet moved to dismiss on two grounds: lack of personal jurisdiction under Rule 12(b)(2), and failure to state a claim under Rule 12(b)(6). Both failed.
No Escape on Personal Jurisdiction
Because Valnet is a foreign corporation not clearly subject to jurisdiction in any single state, Saul invoked Federal Rule of Civil Procedure 4(k)(2), which permits jurisdiction where the claim arises under federal law, the defendant is not subject to jurisdiction in any state’s courts of general jurisdiction, and the exercise of jurisdiction comports with the Constitution. Valnet conceded the first element and produced no evidence identifying a state where it could be sued, so the second element was satisfied by default.
On the constitutional question, the court applied the First Circuit’s familiar three-part due process test: (1) relatedness, (2) purposeful availment, and (3) reasonableness. The court noted that the Supreme Court’s decision in Fuld v. Palestine Liberation Organization, 606 U.S. 1 (2025), may have loosened the Fifth Amendment standard, but found it unnecessary to resolve that question because Saul’s showing satisfied even the more demanding traditional test.
On relatedness, the court found that Saul’s claim arose directly from Valnet’s own conduct, its alleged disclosure of his account and viewing data to Google, not merely from his unilateral decision to visit the site. On purposeful availment, Valnet’s own General Counsel attested that the website is generally available to and generates revenue from U.S. users, including a small but real slice from Massachusetts, and that roughly half of the site’s 448 million monthly sessions come from within the United States. That sustained, voluntary service of the U.S. market for at least two years was enough to show Valnet could have reasonably anticipated being sued here. Finally, on reasonableness, the court acknowledged that defending a suit in a foreign country is a real burden, but found it outweighed by the United States’ interest in enforcing a federal privacy statute and by the deference owed to a plaintiff’s chosen forum. The motion to dismiss for lack of personal jurisdiction was denied.
Privacy Policy Consent Defense Falls Flat
Valnet’s fallback argument was that Saul consented to the data disclosure by agreeing to its privacy policy when he created his account. The court rejected this for two independent reasons.
First, and most importantly, the privacy policy was not properly before the court at all. To dismiss a claim based on an affirmative defense like consent, the facts establishing that defense must be clear from the face of the complaint or documents fairly incorporated into it. Saul’s complaint alleged, repeatedly, that he never consented to the disclosure. The complaint’s only reference to a privacy policy was to a third party’s “OpenPass Privacy Policy,” not Valnet’s own policy. Merely alleging a lack of consent does not make Valnet’s policy part of the complaint, so the court declined to consider it.
Second, even assuming the policy could be considered, it would not have done Valnet any favors. The VPPA’s consent exception requires written consent that is distinct from other legal terms and either given at the time of disclosure or given in advance for no more than two years. Valnet’s policy said nothing about when Saul supposedly assented to it or whether that assent met these statutory requirements. Valnet’s argument that Saul “necessarily consented” by creating an account relied on facts and a supporting declaration outside the four corners of the complaint, which is prohibited on a motion to dismiss. Because the policy left plenty of doubt rather than “no doubt” that the VPPA’s consent exception applied, dismissal on that basis was unwarranted. The 12(b)(6) motion was denied as well.
Takeaways
This decision is a useful reminder on two fronts. First, foreign companies that build a real, revenue-generating U.S. audience, even a modest one relative to their global footprint, should not assume they can avoid U.S. courts entirely. Rule 4(k)(2) exists precisely to catch defendants who have enough nationwide contacts to be sued somewhere in the United States but no single state where they are clearly at home, and courts are willing to use it. Second, a consent defense built on a privacy policy is only as good as the complaint’s own allegations. If the complaint does not reference or rely on the policy, defendants cannot add it at the motion to dismiss stage.
We will keep you posted, TCPAWorld!

