VPPA in 2024: Key Lawsuits and Lessons
In the case of Salazar v. NBA, the court broadened the interpretation of what constitutes a “consumer” under the VPPA. Even a simple act like signing up for a newsletter was deemed sufficient to establish a consumer relationship, exposing organizations to lawsuits for common practices such as implementing tracking pixels.
Another lawsuit, Doe v. Meta, settled mostly in 2023 with some proceedings carrying on in early 2024, cost the company $7.5 million after claims arose that video watch history data was improperly shared with third-party advertisers. Meta's reliance on session replay and pixel tracking technologies without adequate user consent violated both VPPA standards and consumer expectations.
Another major case, Smith v. Hulu, settled for $4.2 million, highlighted the risk of collecting granular viewing data without explicit user consent. The court emphasized that merely having a privacy policy was insufficient if users were not fully aware of how their data was being shared or used.
These cases showcase a common thread: companies underestimate what is required to stay in regulation for privacy laws.
Why Were Companies Found Non-Compliant?
- Ambiguous Privacy Policies
Many businesses relied on outdated or overly broad privacy policies that failed to explicitly address video-related data sharing practices. - Lack of Explicit Consent
Tracking technologies, such as pixels and session replay tools, often collected and shared video watch history data without clear, affirmative user consent. - Over-Reliance on Third-Party Tools
Companies leaned on third-party vendors for tracking and analytics without ensuring those tools were compliant with VPPA standards.
The Costs of Non-Compliance
The financial penalties of VPPA violations are steep—reaching up to $2,500 per affected consumer. For companies with millions of users, the potential liability can escalate quickly. Beyond fines, the reputational damage and erosion of consumer trust can significantly impact long-term business growth.
1. Bleacher Report
Why the Company Was Out of Regulation
Bleacher Report used the Meta Pixel to share users’ video-watching data with Facebook without obtaining explicit consent. This violated the VPPA by disclosing personally identifiable information (PII) tied to video content.
The Cost to the Company
- Monetary: $4.8 million settlement.
- Reputational: Damage to trust among sports fans and subscribers, especially as privacy-conscious audiences grow.
- Operational: Likely required overhauling tracking and consent practices, incurring internal costs.
What It Means for Other Companies
Any website using the Meta Pixel for analytics or advertising could be exposed to similar risks. Companies must ensure explicit user consent before sharing video-related data.
2. Tubi
Why the Company Was Out of Regulation
Tubi was accused of sharing users’ personal information, including video-watching habits, with third parties without user consent, violating the VPPA.
The Cost to the Company
- Monetary: $19.99 million settlement.
- Reputational: A major blow to trust, especially for a platform positioning itself as a user-friendly free streaming service.
- Competitive Impact: Could deter future advertisers from partnering due to perceived privacy risks.
What It Means for Other Companies
Streaming platforms must assess how they share data with third parties, even for analytics. Transparent and consent-based data practices are critical.
3. BuzzFeed
Why the Company Was Out of Regulation
BuzzFeed shared PII from newsletter subscribers who accessed video content on their site with Facebook via the Meta Pixel, without clear user consent.
The Cost to the Company
- Monetary: $9 million settlement.
- Reputational: Eroded trust among users, particularly those interacting with video and newsletter content.
- Operational: Significant legal and compliance resources to address and rectify the breach.
What It Means for Other Companies
Businesses relying on newsletters or combining multiple data sources (e.g., email and video interaction) must be especially vigilant about how data flows between platforms.
4. Star Tribune
Why the Company Was Out of Regulation
The media company shared subscribers’ video-watching behaviors with Facebook, using tracking tools that collected and transmitted data without proper disclosures or consent.
The Cost to the Company
- Monetary: $2.9 million settlement.
- Reputational: Risk of losing subscriber confidence in a competitive digital media landscape.
- Operational: Potential need to retrain staff and replace existing tools to ensure compliance.
What It Means for Other Companies
Media and publishing companies need to carefully scrutinize how tracking tools are deployed and ensure they do not violate privacy laws.
5. Smith v. Hulu
Why the Company Was Out of Regulation
Hulu was accused of collecting detailed viewing data without obtaining explicit user consent and sharing this information with third parties.
The Cost to the Company
- Monetary: $4.2 million settlement.
- Reputational: As a streaming giant, Hulu's trust among subscribers likely took a hit, especially among privacy-conscious users.
- Operational: Likely required internal audits and updates to ensure future compliance.
What It Means for Other Companies
Streaming platforms must prioritize transparency and user education about data collection and sharing practices. Generic privacy policies are no longer sufficient.
6. Salazar v. NBA
Why the Company Was Out of Regulation
The NBA was accused of sharing data collected from users who signed up for newsletters and interacted with video content without proper consent. The court ruled that even signing up for a newsletter qualifies someone as a “consumer” under the VPPA, broadening the law’s applicability.
The Cost to the Company
- Monetary: Estimated $5 million settlement.
- Reputational: The decision set a precedent, making the NBA a cautionary tale for other organizations.
- Legal: Opened the floodgates for similar lawsuits targeting common business practices.
What It Means for Other Companies
The Salazar case has redefined what it means to be a “consumer,” potentially pulling more businesses into VPPA’s scope. Companies using tracking pixels on newsletter pages or video-heavy websites must reassess their practices immediately.
Implications for 2025: Preparing for a Privacy-First Landscape
As we move into 2025, businesses must prioritize VPPA compliance to safeguard against litigation. Here’s how:
- Evaluate Tracking Technologies
Assess tools like tracking pixels and session replay software for potential privacy risks, especially on pages with video content. - Obtain Explicit User Consent
Implement clear consent mechanisms, ensuring users understand what data is being collected and how it’s shared. - Update Privacy Policies
Ensure policies explicitly disclose video data usage and align with evolving legal standards. - Invest in Privacy-First Technologies
Tools like Qortex’s Intelligent Video Analytics (IVA) platform offer a compliance-friendly approach by aligning ads with content context rather than personal data.
Looking Ahead
The Salazar v. NBA decision and related cases have set a new precedent for interpreting VPPA compliance. With consumer expectations for privacy growing and legal interpretations tightening, advertisers, publishers, and any business using video content must rethink their data strategies. Non-compliance is no longer an option—it’s a costly mistake.
At Qortex, we believe that privacy and innovation can coexist. Our IAAS (Insights as a Service) platform is designed to respect user privacy while delivering impactful insights. Publishers can gain valuable insights into content performance, ad alignment, and audience engagement, without the need for pixels or session replays, which have been at the center of VPPA lawsuits.
Let’s prepare for a privacy-first future—together.
.png)
.png)
