The Expanding Reach of the Video Privacy Protection Act

In 2024, over 250 class action lawsuits were filed under a US federal law passed in 1988 to protect VHS rental records. The Video Privacy Protection Act (VPPA) was originally aimed at brick-and-mortar video stores, but plaintiffs’ firms discovered a 2022 application: embedding third-party video players on a website – without proper consent mechanisms – could expose companies to class action liability under the same statute. This trend has continued, with the Supreme Court set to hear its first case under the VPPA in 2026.

From VHS Tapes to Online Tracking

The Video Privacy Protection Act (VPPA), enacted in 1988 as Public Law 100-618, was initially a response to concerns about the privacy of video rental records. It was even dubbed the “Bork bill” after the video rental history of Supreme Court nominee Robert Bork was published without his consent [1]. The law prohibits “video tape service providers” from disclosing a consumer’s personally identifiable information without consent, a court order, or other specific exceptions [1].

However, the VPPA has experienced a resurgence in relevance due to its application to online video platforms and tracking technologies. Plaintiffs argue that embedding videos from platforms like YouTube or Vimeo, and utilizing pixels or other web trackers within those videos, constitutes a violation of the VPPA because it allows for the collection of viewing data without adequate user consent [2].

The Surge in Litigation

Over 250 VPPA lawsuits were filed in 2024 alone, more than double the number from the previous year, with settlements reaching into the millions of dollars [2]. The defendants aren’t necessarily companies intentionally flouting privacy regulations. many are businesses that routinely embed video players on their websites.

This increase in litigation parallels a similar trend involving California’s Invasion of Privacy Act, which is being used to target session replay tools, chat widgets, and analytics pixels. The core argument is that capturing user sessions in real-time without prior notice may constitute the interception of electronic communications [2].

The Supreme Court Weighs In

The U.S. Supreme Court has agreed to review Salazar v. Paramount Global, its first major case under the VPPA [3]. The central question before the Court is who qualifies as a “consumer” under the VPPA [3]. The Court’s decision, expected in the coming months, could significantly impact the scope of VPPA liability.

The case stems from a Sixth Circuit decision dismissing a VPPA class action, finding that the plaintiff was not a “consumer” as defined by the statute [3]. The VPPA protects “renters, purchasers, or subscribers” of goods or services [3].

Broader Compliance Implications

The VPPA and related cases highlight a broader trend: companies are facing increasing scrutiny for data collection practices, even when using tools considered standard infrastructure. Compliance obligations are expanding beyond traditional data privacy laws like GDPR and CCPA to encompass older statutes applied to fresh technologies.

Companies must recognize that compliance is not simply a legal issue but an integral part of product development. Treating compliance obligations as a property of the product itself, rather than an afterthought handled by the legal team, is becoming essential for navigating the complex and evolving regulatory landscape.