Paramount Hit With VPPA Class Action

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Paramount Hit With VPPA Class Action

A class action complaint (Case 1:24-cv-08312) was filed in the Southern District of New York (SDNY) November 1, 2024 alleging that Paramount Global violated the Video Privacy Protection Act (VPPA) by knowingly disclosing subscriber viewing information to Facebook, TikTok and other third parties through tracking tools on the company’s website and apps without subscriber consent.

TAKEAWAY

This complaint comes less than three weeks after the Second Circuit Court of Appeals reversed a SDNY dismissal of a VPPA class action against the NBA, finding that the SDNY court erred in holding that individuals who signed up for an online newsletter are not “subscribers” under the law. In this case against Paramount, the “subscribers” at issue, according to the complaint, must have registered with Paramount to be granted access to on-demand prerecorded video content, the delivery of which is Paramount’s primary business. The complaint alleges that subscribers’ granular website and app activity, including the names of specific videos that subscribers requested and/or viewed, were sent to Facebook and other third parties through tracking tools and pixels.   

To mitigate risk of class action litigation under VPPA and other laws, compliance monitoring is a must. To learn more, view our on-demand webinar with BakerHostetler.

CPPA Announces Enforcement Sweep of Unregistered Data Brokers

The California Privacy Protection Act’s Enforcement Division announced that it will be conducting an investigative sweep to take action against data brokers that have failed to register with the CPPA under the Delete Act. Companies that fall into the definition of a “data broker” (specifically, “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”) were required to register with the CPPA by January 31, 2024 or be subject to a penalty of $200 per day of failing to register.

TAKEAWAY

A company’s designation as a “data broker” under the Delete Act currently only comes with certain registration and disclosure requirements, but starting in 2026, data brokers will be required to listen for and respect deletion requests submitted by consumers to a central deletion mechanism maintained by the CPPA, which, depending on the implementation and popularity of the mechanism, may have operational and revenue impacts far greater than the threat of regulatory penalties. Companies that are unsure whether they fall under the “data broker” definition may therefore be hesitant to error on the side of registration. 

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.