The Video Privacy Protection Act was signed into law in 1988, prompted by a Washington City Paper reporter obtaining Robert Bork's video rental history during his Supreme Court confirmation hearings. For most of the next three decades, the statute sat largely dormant — a curiosity in federal privacy law. Then the plaintiffs' bar discovered that modern web analytics had recreated, at internet scale, precisely the behavior the law was designed to prevent.
Since 2022, VPPA litigation has become one of the fastest-growing vectors in consumer privacy class actions. The companies being sued are not video rental stores. They are hospitals, news publishers, streaming platforms, e-commerce sites, universities — essentially any organization that hosts video content and uses Meta Pixel or Google Analytics without having solved a consent problem most of them don't know they have.
The Video Privacy Protection Act (18 U.S.C. § 2710) prohibits a "video tape service provider" from knowingly disclosing personally identifiable information about a consumer's video viewing choices to any third party without written consent. The statute was designed to protect the privacy of video rental records. Today's plaintiffs' bar argues that any company delivering video content over the internet qualifies as a video tape service provider under the statute's plain terms.
The connection to modern web analytics is precise: when a website embeds Meta Pixel, the pixel typically transmits to Meta's servers a combination of the user's Facebook ID and the URL of the page they visited. If that URL contains or implies video content the user watched, the argument is that the company has made a knowing disclosure of the user's video viewing history to a third party — precisely what VPPA prohibits.
Courts have been receptive. In 2022 and 2023, multiple federal district courts allowed VPPA claims to proceed past motions to dismiss. Class certification followed in several cases. The plaintiffs' bar noticed the pattern, and filings accelerated sharply. By 2025, VPPA had overtaken BIPA as the most frequently filed privacy class action theory in federal court.
"The statute provides $2,500 per violation — not per lawsuit, per violation. In a class with one million members, the exposure math is straightforward and terrifying." — Privacy litigation defense counsel
Understanding why VPPA has become so potent for plaintiffs requires understanding its three structural advantages: statutory damages that eliminate the need to prove actual harm, a relatively low bar for class certification, and observable triggering behavior that can be identified without any cooperation from the defendant.
VPPA provides liquidated damages of $2,500 per violation plus punitive damages, attorneys' fees, and injunctive relief. Critically, plaintiffs do not need to demonstrate they suffered any actual injury. The statutory violation itself — the unauthorized disclosure — is sufficient.
VPPA claims are well-suited for class certification because the core question — did this website deploy a pixel that transmitted video viewing data to a third party? — is common to all class members and can be answered yes or no for the entire class. Courts have found that these characteristics satisfy Rule 23's commonality and predominance requirements more readily than many other privacy theories.
Perhaps the most significant feature of VPPA exposure from a risk management perspective is that it is entirely observable from outside the company. Any competent privacy researcher can visit a website, observe what JavaScript is loaded on pages that host video content, identify the presence of Meta Pixel or similar trackers, and confirm that the technical conditions for a VPPA claim exist. Companies cannot hide this exposure through good security practices, because it has nothing to do with security.
VPPA exposure is not limited to media companies or streaming platforms. The common denominator is not industry — it is a combination of three factors: the presence of video content, the deployment of third-party tracking pixels, and the absence of VPPA-compliant consent mechanisms.
Healthcare organizations have been disproportionately targeted. Hospitals and health systems routinely host patient education videos about conditions, procedures, and care instructions. Many of these organizations also run Meta Pixel for marketing purposes. The intersection creates exposure that is difficult to defend: a patient watching a video about a specific cancer treatment, with Meta Pixel present, creates a plausible argument that the organization disclosed sensitive health-adjacent viewing data to a third party without consent.
News publishers have been hit hard as well. Many run video alongside articles and have relied on Meta Pixel for advertising audience development. The Wall Street Journal, the Boston Globe, ESPN, and dozens of regional news organizations have faced VPPA suits. Universities, financial services firms with investor education video libraries, and e-commerce companies with product video content have all appeared in VPPA filings.
The first step is a complete inventory of where video content appears across all digital properties and which third-party scripts are loaded on those pages. Large organizations have dozens or hundreds of web properties, many managed by different teams or agencies. Pixels get added through tag management systems, sometimes by vendors, without centralized visibility. The only reliable approach is an automated, outside-in scan that doesn't depend on self-reporting by the teams that deployed the trackers.
Even where Meta Pixel and video content coexist, a VPPA-compliant consent mechanism can significantly reduce exposure. VPPA requires written consent — which courts have interpreted to include electronic consent — that is specific to the disclosure of video viewing records to identified third parties. Generic privacy policies and cookie banners that refer to "analytics partners" in aggregate terms have generally not satisfied this requirement.
Privacy programs that address VPPA exposure as a one-time remediation project will miss the ongoing nature of the risk. Pixels get re-added. Tag management systems get updated. New video content gets published to pages that weren't previously scanned. Maintaining a current, accurate picture of where VPPA exposure exists requires continuous monitoring — not periodic audits.
The companies that have navigated VPPA risk most effectively share a common approach: they treat their observable digital behavior as a continuous signal to be monitored, not a fixed state to be assessed. That shift in posture — from periodic audit to continuous observation — is what the current enforcement environment demands.
