Avoid the Video Privacy Lawsuit Wave

The Video Privacy Protection Act (VPPA) is a U.S. law that protects the privacy of people’s video viewing history. Originally passed in 1988 to protect video rental records, it now applies to many online streaming services, media sites, and embedded video platforms. It prohibits companies from knowingly sharing with third parties information about which videos a person watches without that person’s informed, written consent.

Yes, courts have increasingly applied the VPPA to online streaming services and websites. Although the law was originally enacted in 1988 to protect video rental records, it has been interpreted to cover digital video providers, including streaming platforms and media sites that host or embed video content. If a website shares identifiable information about a user’s video-viewing activity with a third party via tracking pixels or analytics tools, it may trigger VPPA actions.

Under the VPPA, personally identifiable information (PII) generally means information that identifies a specific person as having requested or obtained particular video content. This can include a person’s name combined with video viewing history, but courts have also examined whether persistent identifiers, such as user IDs, email addresses, or device identifiers, may qualify if they can reasonably link an individual to specific videos watched.

Not automatically. Under the VPPA, the key issue is whether the disclosed data can reasonably identify a specific person as having watched particular video content. If an identifier, even if hashed or encrypted, can be linked back to an individual by the receiving party, courts may still treat it as personally identifiable information. True de-identification that cannot reasonably be reversed or associated with a person reduces risk, but pseudonymous or encrypted identifiers that remain linkable may still create VPPA exposure.

Generally not, if the user knowingly and voluntarily chose to share the video. The VPPA prohibits a company from disclosing a person’s video-viewing information without informed, written consent. When a user actively clicks a share button to post or send a video, that disclosure is typically considered user-directed, not an unauthorized company disclosure.

The Video Privacy Protection Act is primarily enforced through civil litigation. It includes a private right of action, meaning individuals can sue companies directly for alleged violations. Plaintiffs may seek statutory damages, including $2,500 per violation, as well as attorneys’ fees and other relief. While the statute was enacted by Congress, enforcement today most commonly occurs through class-action lawsuits rather than government criminal charges.

Yes. There are VPPA cases that progressed through the courts and produced significant rulings, even if most haven’t gone to a full jury trial. For example, in Salazar v. NBA, the Second Circuit held that the plaintiff qualified as a “consumer” under the VPPA when watching videos on a site after subscribing to a newsletter, expanding the law’s interpretation.  Other federal appellate decisions have ruled on whether certain data shared via tracking tools qualifies as “personally identifiable information,” dismissing some claims and clarifying legal standards without trial.

Many VPPA lawsuits have survived initial pleadings and produced binding legal interpretations on key terms such as “consumer” or “PII”, even if they settle before trial. The U.S. Supreme Court has agreed to hear a case on these issues, suggesting further definitive rulings are coming.

The Video Privacy Protection Act (VPPA) does not distinguish between prerecorded and live video content. Courts generally focus on whether a company is a “video tape service provider” and whether it discloses personally identifiable information linking a person to specific video content. That means live streaming can fall within the VPPA’s scope if a platform shares identifiable information about who watched a particular live event.