Blog

Mitigating risk under the Video Privacy Protection Act (VPPA)

Sourcepoint
September 3, 2023

Concerned about whether you could be at risk of a Video Privacy Protection Act (VPPA) class action? You wouldn’t be alone. Since 2022, over 100 lawsuits have been filed alleging violations of the VPPA, pointing to the sharing of identifiable video viewing information via the Meta tracking pixel without user consent. 

If you have video content on your website and use web tracking technology, it’s important to understand your risk under VPPA, and what strategies and tools are available to help you mitigate that risk. 

What is the VPPA? 

The VPPA is a federal law, enacted in 1988, which prohibits any video service provider” from knowingly disclosing personally identifiable information concerning “any renter, purchaser, or subscriber of goods or services” from the video tape service provider without their consent. 

Under the VPPA, personally identifiable information is defined as any information that identifies a consumer as having requested or obtained “specific video materials or services” from a Video Tape Service Provider. 

What’s behind the surge in VPPA class actions? 

There’s actually been an uptick in enforcement against web tracking in general. The FTC has engaged in a wave of enforcement within the last year against healthcare apps and web services that allegedly shared sensitive health information without user consent through the use of third-party tracking technologies like the Meta pixel. Class actions based on state and federal wiretapping laws, common law claims, and even claims under state constitutional rights have all been used to attack web tracking from different angles. 

The VPPA, specifically, was created during a time when physical video rentals were the norm, but the proliferation of online video content has made room for a broader understanding of who counts as a Video Tape Service Provider. Among the companies facing lawsuits are online news outlets like the Boston Globe (which has settled for $4MM), retail brands like Home Depot, and even fast food chains like Chick-fil-A. It’s common for websites to employ third-party technologies to track user behavior, and it’s also common for websites to feature video content. That combination makes for a wide net of potential targets for VPPA class actions. 

How are VPPA cases being ruled?

The complaints that are part of the recent surge typically follow similar patterns, arguing that: 

  1. The defendant is engaged in the business of delivering pre-recorded video content, making them Video Tape Service Providers 
  2. The plaintiff class members were subscribers to the defendant’s service of providing video content and thus “consumers” under the law. 
  3. The defendant knowingly disclosed to Meta visitors’ Facebook IDs and title and URL of the videos they requested or obtained via a Meta tracking pixel. 
  4. The information disclosed to Meta, including Facebook IDs and video titles, could be used to find public Facebook pages and identify site visitors—making that information personal identifiable information (PII) 
  5. The website did not obtain written consent from users before disclosing PII to Meta, putting the defendants in violation of VPPA. 

The number of cases overcoming motions to dismiss is growing, and more companies are settling as a result

There have been successful motions to dismiss as well. Some cases have been dismissed in California where it was held that only pre-recorded content is covered under VPPA, but not live streamed content or when it was held that only users who have viewed or obtained video content as part of some sort of purchase (e.g., a subscription) can be considered consumers under VPPA. 

These dismissals provide signals to companies for which types of activity might pose the greatest risks, while at the same time clarify for plaintiffs which cases are more likely to overcome motions to dismiss in court. 

How can brands protect themselves from VPPA suits? 

If your brand has video content on your website, you’ll want to check if the pages that have video are associated with URLs or any other mechanisms that could identify what video content was viewed. If so, you’ll also want to understand what tracking technologies are being used on your site, whether any exist on those pages with video content, and whether the trackers will collect information that could be used to identify individual users in connection with the titles of videos they are viewing. If all conditions are met, you’re dealing with some risk under VPPA. 

Brands have some options for how to proceed, whether that’s removing the tracking technologies completely, or reconfiguring your video content set up and/or trackers to prevent or obfuscate the collection of video title information or user identifiers. You may also consider obtaining consent for the use of tracking technologies to comply with VPPA. 

Adopting a comprehensive approach to privacy

Because VPPA is just one of many tools being used in the crackdown against web tracking, adopting a long-term, strategic approach to privacy is the best way to future-proof your organization against microtrends in litigation, enforcement, or new privacy laws.

Brands that operate digital properties need to have an always-up-to-date understanding of how they handle personal information, including:

  • What personal data is collected;
  • Why it’s collected;
  • Where it’s collected 
  • Who is collecting it;
  • Who it’s being shared with, and who they’re sharing it with.

Only when you gain a comprehensive view of how personal data flows through your tech ecosystem can you start applying privacy principles like transparency, downstream due diligence, and privacy-by-design. 


Scanning tools like Sourcepoint’s Diagnose help you take the first step in monitoring tracking technologies on your digital properties and managing your privacy workflows. Get in touch with our team to learn more about how we can help you mitigate risk under VPPA and other enforcement trends. 

Latest Blog Posts

FTC warns tax prep companies against using trackers without consent

September 25, 2023

The Federal Trade Commission sent warning letters to five...

Delaware governor signs comprehensive privacy law

September 18, 2023

Delaware HB 154, implementing the Delaware Personal Data Privacy Act,...

Comparing U.S. state privacy laws: Sensitive Data

September 18, 2023

How do different U.S. state laws define and protect...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

© Sourcepoint 2023. All Rights Reserved

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]