The Video Privacy Protection Act (VPPA) is a 1988 federal law that bars "video tape service providers" from disclosing a person's video-viewing history. That history must stay private unless a person gives clear consent. Today the law powers class-action lawsuits over website tracking pixels.
This guide covers what the law prohibits, the four elements of a claim, and statutory damages. It also covers how a 1988 video-rental statute now reaches Meta Pixel and Google Analytics on ordinary websites, and how to reduce your exposure.
What Is the Video Privacy Protection Act (VPPA)?
The Video Privacy Protection Act is codified at 18 U.S.C. Section 2710. It makes it unlawful for a "video tape service provider" to knowingly disclose personally identifiable information about a "consumer" without consent. The statute defines a video tape service provider broadly: any business, affecting interstate commerce, that rents, sells, or delivers video materials. Courts now read that definition to cover websites and apps that deliver video content, not just physical rental stores.
A "consumer" is a renter, purchaser, or subscriber of goods or services from that provider. "Personally identifiable information" is any information that identifies a person as having requested or obtained specific video materials. The VPPA is, in short, an old VHS-era statute now doing new digital-tracking work.
Why Was the VPPA Passed? The Robert Bork Origin Story
Congress passed the VPPA in 1988 after a newspaper published Supreme Court nominee Robert Bork's video rental history during his 1987 confirmation hearings. The list of 146 videotapes he had rented from a local Washington, D.C. video store, leaked to the Washington City Paper, revealed nothing scandalous. Congress passed the VPPA anyway, reasoning that if a Supreme Court nominee's rental history could leak, anyone's could.
That 1988 law now governs a technology its authors never imagined. Video streaming, embedded players, and tracking pixels did not exist yet. But the statute's language, "knowingly discloses personally identifiable information," reaches them without needing a rewrite. The same statute that protected VHS renters now protects visitors to any site with video content.
What Does the VPPA Actually Prohibit? The Four Elements of a Claim
A VPPA claim requires proving four elements together:
- A "video tape service provider" delivered the disclosure
- The provider "knowingly" disclosed the information
- The disclosed information was "personally identifiable"
- The affected person was a "consumer" of that provider
A claim fails if a plaintiff cannot establish any single element. Courts examine each one closely, and three of the four now drive most of the litigation.
"Video Tape Service Provider" (and Why It Now Means Websites)
The statute defines a video tape service provider broadly. It covers any business engaged in renting, selling, or delivering "prerecorded video cassette tapes or similar audio visual materials". Courts extend that phrase to streaming video and embedded video content on ordinary websites, not just physical tape rental. A news site, an e-commerce store, or a test-prep platform that hosts video content can qualify.
"Personally Identifiable Information" (Including Facebook IDs and Device Data)
The VPPA defines personally identifiable information as data identifying a person as having requested or obtained specific video content. Courts read this to include a Facebook ID (FID), advertising cookies, and device identifiers when paired with a specific video title. That reading is broader than the GDPR or CCPA sense of "personal data". VPPA PII must tie a specific person to a specific piece of video content they watched. The Supreme Court declined to review that broad reading in Solomon v. Flipps Media, so those lower-court pixel standards stand for now.
"Knowingly Disclosed" to a Third Party
The provider must knowingly disclose the PII to a third party, such as transmitting a video-view event to Meta or Google through a tracking pixel. The "knowingly" element is a live defense. Courts read "knowingly" to mean the act of disclosure, not awareness of the VPPA itself. A site that installed a pixel without realizing it transmitted video-viewing data can still face a claim.
"Consumer" or "Subscriber" (the Question Now at the Supreme Court)
A "consumer" is a renter, purchaser, or subscriber of the provider's goods or services. Courts split on whether a free newsletter subscriber counts. The Second Circuit read "consumer" broadly in Salazar v. NBA, reviving a free newsletter subscriber's claim. The Sixth Circuit read it narrowly in Salazar v. Paramount Global, holding that a non-video newsletter signup does not make someone a consumer.
The Supreme Court granted certiorari on January 26, 2026, in Salazar v. Paramount Global to resolve that split. It will decide whether someone who only signs up for a free newsletter, without directly subscribing to video content, qualifies as a protected consumer.
How Do Tracking Pixels Trigger VPPA Lawsuits?
A site that embeds the Meta Pixel or Google Analytics on a video page can transmit a visitor's identity along with the video they watched. When the site never obtained consent for that disclosure, the transmission is the core VPPA theory driving today's lawsuit wave.
The trigger surfaces show up in several forms.
- The Meta Pixel or Facebook Pixel, which can record video-view events tied to a Facebook ID
- Google Analytics or other third-party analytics, which log page-level video engagement alongside visitor identifiers
- In-app SDKs, the newer fact pattern behind suits against streaming and media apps
- Embedded video players, such as a YouTube or Vimeo iframe that loads before a visitor consents
A wave of website tracking lawsuits has followed this pattern since 2022, and Meta Pixel lawsuits specifically account for most VPPA filings today. The Supreme Court's pending Salazar ruling will reshape how far this theory reaches.
How Much Does a VPPA Violation Cost? Statutory Damages and Settlements
The VPPA allows liquidated damages of at least $2,500 per violation, plus punitive damages and attorney fees. A plaintiff does not need to prove actual harm to recover that floor. That combination, a guaranteed damages floor with no harm requirement, makes VPPA claims attractive to class-action plaintiffs and expensive across a large user base.
Multiplied across thousands of visitors, exposure reaches into the millions quickly. Recent settlements show the range.
| Company | Settlement amount | What it covered |
|---|---|---|
| AMC Networks | $8.3 million | Registered users of AMC+, Shudder, Acorn TV, and related streaming services |
| FloSports | $2.625 million | Subscribers who accessed video content on FloSports websites |
| Boston Globe | $4 million | Digital subscribers who viewed videos, with individual payouts of roughly $20 to $40 |
Many tracking-related privacy statutes carry no private right of action, so plaintiffs cannot sue directly under them. The VPPA does, which is exactly why plaintiffs' firms reach for it over other tracking laws. One narrow limit works in a defendant's favor. A VPPA claim must be filed within two years of the disclosure or its discovery, under Section 2710(c).
What Counts as Valid Consent Under the VPPA? (The 2012 "Netflix Amendment")
The VPPA requires informed, written consent that is distinct from any other agreement a business asks a visitor to sign. The Video Privacy Protection Act Amendments Act of 2012, known as the "Netflix Amendment," changed that. It lets a provider collect consent electronically on an ongoing basis, valid for up to two years, instead of requiring a fresh signature each time.
Congress passed the amendment after Netflix pushed for it. Netflix wanted users to authorize the company to post their viewing activity to Facebook without re-consenting for every title. The amendment also requires a clear opportunity to withdraw consent at any point.
Compliant consent in practice means three things. The consent request is separate from a general terms-of-service agreement. It clearly states what will be disclosed and to whom. The visitor can see a straightforward way to opt out or withdraw later.
How Is the VPPA Different from CIPA and Wiretapping Laws?
The VPPA covers disclosure of video-viewing data specifically. CIPA and general wiretapping laws cover the interception of communications, such as keystrokes, chat messages, or session recordings, regardless of whether video is involved.
| VPPA | CIPA / wiretapping laws | |
|---|---|---|
| What it covers | Disclosure of personally identifiable video-viewing history | Interception of communications (chat, keystrokes, session replay) |
| Scope | Federal, video content specifically | State (CIPA) or federal, any electronic communication |
| Statutory damages | $2,500 liquidated damages per violation | Varies; CIPA allows up to $5,000 per violation |
A single tracking pixel can trigger both theories at once. The Meta Pixel on a page with an embedded video can create VPPA exposure for the video-viewing disclosure. If it also intercepts other visitor communications, it can separately draw a claim under California's CIPA wiretapping law. The two statutes are not competitors; they are two different doors into the same underlying tracking practice.
How to Reduce Your VPPA Risk: Get Consent Before Video Trackers Fire
The core fix is straightforward. Stop third-party video and analytics trackers from firing until a visitor gives clear, prior consent, and keep a record of that consent.
To reduce VPPA exposure on a site with video content:
- Audit every page with embedded or hosted video for pixels, analytics tags, and third-party embeds
- Block those trackers by default until a visitor consents
- Collect VPPA-grade consent that is distinct from your general terms of service
- Log every consent decision as your audit-trail evidence
- Destroy video-viewing PII within one year of when it is no longer needed, as Section 2710(e) requires
- Confirm whether you need a cookie policy for every region your visitors come from
Each step closes a specific gap plaintiffs' attorneys look for. That includes an unaudited pixel, a tracker that fired before consent, an ambiguous consent record, or no compliance documentation at all.
How Consently Helps You Capture Consent Before Trackers Load
Consently is a consent management platform. It blocks third-party scripts, pixels, and iframes, including embedded YouTube and Vimeo players and the Meta Pixel, until a visitor consents. It then logs that consent as an audit trail.
Consently's scanner detects cookies, trackers, scripts, and iframes across a site and blocks them by default until a visitor opts in. That default-blocking behavior covers the exact gap most VPPA suits exploit: a pixel or embedded video player that fires before consent. Iframe blocking applies to YouTube, Vimeo, and Facebook embeds by default. A video page does not silently start disclosing viewing data the moment it loads.
Consent logs with export give a timestamped record of each visitor's choice, the audit trail a business needs if a claim ever surfaces. Google Consent Mode v2 is enabled by default, so analytics and ad tags respect the same consent state without extra setup work.
Consently helps support this part of your compliance posture; it does not offer a legal guarantee against a VPPA claim. Start free and block video trackers before they fire.
FAQs
What is the VPPA in simple terms?
The VPPA is a 1988 federal law that stops video providers, and now many websites, from sharing what videos someone watched without consent. It carries a $2,500-per-violation damages floor and no requirement to prove actual harm.
What are the statutory damages for a VPPA violation?
The VPPA sets liquidated damages of not less than $2,500 per violation under 18 U.S.C. Section 2710(c), plus possible punitive damages and attorney fees. Plaintiffs do not need to prove actual harm to recover this amount.
Does the VPPA only apply to streaming and video companies?
No. Any site or app that delivers video content and shares viewing data through pixels, analytics, or an SDK can face a claim. Recent suits have named news outlets, retailers, test-prep platforms, and sports sites, not just streaming services.
Is a VPPA settlement email legit or a scam?
Many VPPA settlement notices are legitimate class-action notices, including recent settlements from AMC Networks, FloSports, and the Boston Globe. Verify the notice against the settlement administrator's official site before assuming it is a scam or a personal lawsuit.
What is the VPPA "consumer" Supreme Court case (Salazar v. Paramount)?
The Supreme Court granted certiorari on January 26, 2026, to decide whether a free newsletter subscriber counts as a protected "consumer" under the VPPA. The Second and Seventh Circuits read "consumer" broadly, while the Sixth and D.C. Circuits read it narrowly. The ruling will resolve that split and reshape pixel-tracking litigation.
Does the VPPA apply outside the United States?
The VPPA is a US federal law, so it turns on US visitors, not on where a company is based. A site run from outside the US that serves US visitors video content, and shares their viewing data, can still face a VPPA claim. Location alone does not put a foreign-based operator outside the statute's reach.
Is the Video Privacy Protection Act the same as a Virtual Power Purchase Agreement?
No. They share the same acronym but are unrelated. This article covers the 1988 federal video-privacy law; a Virtual Power Purchase Agreement is a renewable-energy financial contract between a business and an energy project.

