Global Product Compliance: Hidden Legal Risks & How to Avoid Them

More than 250 class action lawsuits were filed in US courts during 2024 alleging violations of the Video Privacy Protection Act (VPPA), a federal law enacted in 1988 to safeguard the privacy of video rental records. The surge in litigation, more than double the number filed the prior year, stems from a novel legal interpretation that applies the decades-old statute to modern online tracking practices.

The VPPA was a response to public concern over the disclosure of personal information after a newspaper published Supreme Court nominee Robert Bork’s video rental history during his 1987 confirmation battle. The law prohibits “video tape service providers” from knowingly disclosing a consumer’s personally identifiable information (PII). Beginning in 2022, however, plaintiffs’ attorneys argued that embedding a third-party video player on a website, even where no consent mechanism was ever offered, could be construed as a violation of the same statute, opening the door to class action liability.

The lawsuits target companies that use tracking pixels on pages where video is hosted. These pixels, small pieces of code loaded from a third party, collect data about user activity, including viewing habits, and transmit that information back to the third party. According to legal experts, the core argument is that this transmission constitutes an unauthorized disclosure of PII and therefore violates the VPPA. Multiple settlements have already been reached, with payouts reaching into the millions of dollars, even though many of the defendant companies had no intention of circumventing privacy regulations.
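To make the mechanism concrete, the following is an added example (not code from the article, from Polsinelli, or from any pixel vendor) that models what a tracking pixel fired from a video page actually sends, and a small audit routine of the kind a practitioner would run over captured outbound requests before answering "are we exposed?". The publisher host, vendor endpoint, parameter names, consent field and the captured requests are all constructed for this example; real pixels use different names but carry the same classes of data.

```javascript
// Added illustration of the data flow behind the VPPA pixel theory.
// Hosts, parameter names and the captured requests are constructed (hypothetical).
const FIRST_PARTY_HOST = "www.example-site.invalid";             // hypothetical publisher
const PIXEL_ENDPOINT = "https://pixel.example-vendor.invalid/tr"; // hypothetical vendor

// What a naively embedded pixel sends when the player reports a view: the page URL,
// the page title (which usually names the video), the video id and the vendor's
// identifying cookie all leave the site in a single GET to a third-party host.
function buildPixelRequest(ctx) {
  const params = new URLSearchParams({
    ev: "VideoView",
    url: ctx.pageUrl,
    title: ctx.pageTitle,
    vid: ctx.videoId,
    uid: ctx.vendorCookie, // third-party identifier tied to a specific person
  });
  return `${PIXEL_ENDPOINT}?${params.toString()}`;
}

// Consent-gated variant: nothing is sent until consent is recorded as granted.
function gatedPixelRequest(ctx, consent) {
  if (consent !== "granted") return null;
  return buildPixelRequest(ctx);
}

// Hypothetical parameter names: ones that identify a person vs. ones that
// describe what was watched. The combination of both is what the lawsuits attack.
const IDENTIFIER_PARAMS = ["uid", "user_id", "email", "cid"];
const CONTENT_PARAMS = ["vid", "title", "url"];

// Audit a list of captured outbound requests (for example exported from a HAR file).
// Each entry is { url, consent } where `consent` is the consent state recorded at
// capture time ("none" | "denied" | "granted"). A finding is a request to a
// third-party host that carries both an identifier and viewing details while
// consent was not granted.
function auditPixelRequests(requests, firstPartyHost) {
  const findings = [];
  for (const req of requests) {
    if (!req.url) continue; // gated pixels that never fired produce null URLs
    let u;
    try {
      u = new URL(req.url);
    } catch {
      continue; // skip malformed entries rather than crash the audit
    }
    if (u.hostname === firstPartyHost) continue; // first-party traffic is not a disclosure
    const keys = [...u.searchParams.keys()];
    const identifiers = keys.filter((k) => IDENTIFIER_PARAMS.includes(k));
    const content = keys.filter((k) => CONTENT_PARAMS.includes(k));
    if (identifiers.length > 0 && content.length > 0 && req.consent !== "granted") {
      findings.push({ host: u.hostname, identifiers, content, consent: req.consent });
    }
  }
  return findings;
}

// Constructed sample: a video page whose pixel fires before the consent banner is
// answered, plus the page's own request and a correctly gated pixel after consent.
const VIDEO_CTX = {
  pageUrl: "https://www.example-site.invalid/watch/123",
  pageTitle: "Recovering from burnout (full episode)",
  videoId: "123",
  vendorCookie: "abc123",
};
const SAMPLE_REQUESTS = [
  { url: "https://www.example-site.invalid/watch/123", consent: "none" },
  { url: buildPixelRequest(VIDEO_CTX), consent: "none" },              // fires before consent
  { url: gatedPixelRequest(VIDEO_CTX, "none"), consent: "none" },     // gated: never fires
  { url: gatedPixelRequest(VIDEO_CTX, "granted"), consent: "granted" }, // fires after consent
];

function runAudit() {
  return auditPixelRequests(SAMPLE_REQUESTS, FIRST_PARTY_HOST);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The audit deliberately keys on the pairing of an identifier with viewing details rather than on the vendor host alone: a pixel that only reports a page view with no identifier, or one that fires only after consent is granted, is not flagged. In practice the request list would come from a browser's network export or a proxy capture of the video pages, and the parameter lists would be extended with the real vendor's names.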

“The defendants weren’t careless companies operating in legal grey areas,” explained a recent analysis by Polsinelli PC. “They were ordinary businesses that had embedded a video player the way everyone embeds a video player.” This highlights a growing trend: established laws being repurposed to address new technologies and data collection practices.

The VPPA surge is not occurring in isolation. A parallel wave of litigation has emerged around California’s Invasion of Privacy Act (CIPA), targeting session replay tools, chat widgets, and analytics pixels. The legal theory underpinning these cases is that capturing a user’s session in real time without prior notice may constitute the interception of an electronic communication, potentially violating CIPA. While courts have issued inconsistent rulings, the sheer volume of cases has prompted major law firms to publish guidance on defense strategies.

This trend underscores a broader challenge for businesses: compliance obligations are expanding rapidly, often driven by the application of older laws to new technologies. Product teams increasingly face unforeseen legal exposure when deploying seemingly routine infrastructure. As the IAB notes, a pixel is simply a common piece of code embedded on a website to track user activity; that ubiquity is exactly why it is rarely treated as a legal decision.

The complexity is further compounded by the global nature of digital products. A company based in Austin, Texas, that attracts users from California, Germany, and Canada immediately falls under the purview of the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), respectively. Unlike traditional businesses that expand geographically in a controlled manner, digital products are inherently global from launch, and their compliance obligations follow suit. GDPR, for example, applies to any organization targeting EU users, regardless of its physical location, and has resulted in over €5.88 billion in cumulative fines since 2018.

Nearly 20 US states now have comprehensive privacy laws in force or scheduled to take effect, each with its own thresholds, exemptions, and enforcement mechanisms. The European Accessibility Act, in force since June 2025, mandates harmonized accessibility standards for businesses serving EU consumers, including those based outside Europe. The EU Whistleblower Directive likewise requires companies with 50 or more employees to establish secure internal reporting channels, irrespective of where they are headquartered.

Companies are increasingly realizing that a piecemeal approach to compliance – addressing each regulation as it arises – is unsustainable. This often results in a fragmented stack of vendors, contracts, and renewal dates, lacking a cohesive understanding of the overall compliance posture. The issue is structural, as compliance obligations across data privacy, accessibility, and transparency requirements frequently overlap and share underlying data.

The situation highlights a fundamental shift in responsibility. Companies that proactively address compliance treat it not as a legal team’s task, but as an inherent property of their product’s functionality. This approach is driven by the recognition that, at the scale and speed of modern digital product development, there is no other viable way to maintain compliance across jurisdictions. California’s attorney general secured its largest-ever CCPA settlement in 2025 at $1.55 million, and Texas continues pursuing active enforcement of its own comprehensive privacy law.

The core issue, as illustrated by the VPPA and session replay cases, is that product decisions often carry hidden compliance implications. Engineering teams routinely embed video players and deploy analytics tools on the assumption that such choices are legally neutral. That assumption is becoming increasingly costly, as settlements, fines, and enforcement actions demonstrate the financial consequences of neglecting compliance. The question for companies with a global user base is whether they will proactively adapt to this new reality.
