Skip to main content
Back to Guides
Compliance5 min read

Cookie Consent for Streaming and Video Sites: The VPPA Problem

A 1988 law written for video-rental stores now drives class actions against any website that puts a tracking pixel near a video player. Here's how streaming and video sites handle the Video Privacy Protection Act alongside GDPR and state consent rules.

The Video Privacy Protection Act was passed in 1988 after a newspaper published a Supreme Court nominee's video-rental records. It was aimed at Blockbuster-era rental stores. Almost four decades later it's the reason a website with a video player and a Meta Pixel can face a class action worth thousands of dollars per visitor.

The statute (18 U.S.C. 2710) sets liquidated damages of at least $2,500 for each violation, plus attorneys' fees. Multiply that across a class of viewers and the exposure gets large fast. If your site streams video, hosts on-demand content, or embeds video anywhere a tracking tag can see it, the VPPA is the privacy rule most likely to bite you, and it sits on top of the usual GDPR and state consent duties.

What the VPPA actually prohibits

The VPPA bars a "video tape service provider" from knowingly disclosing personally identifiable information about a consumer's video-viewing to a third party without consent. In modern terms, the third party is usually Meta or Google, and the disclosure happens automatically when a pixel or analytics tag on your video page reports what someone watched along with an identifier that can be tied back to them.

The consent exception is strict. The disclosure has to be authorized by "informed, written consent" that's collected separately from your general terms of service, presented at the time of or before disclosure, and renewed at least every two years. A line buried in your privacy policy doesn't clear that bar. A checkbox that lumps video consent together with everything else doesn't either.

Why the lawsuits exploded, and where they stand in 2026

Plaintiffs' firms found that a huge number of sites load the Meta Pixel on pages with video, and that the pixel reports the video's identifier plus the Facebook cookie. That pattern generated hundreds of filings from 2022 onward. The case law is now split.

  • Narrowing decisions. In 2025 the Second Circuit held in Solomon v. Flipps Media that the strings of code the Meta Pixel transmits aren't "personally identifiable information" to an ordinary person, cutting off a swath of pixel claims in that circuit. Other courts have read the statute narrowly too.
  • The open question. In January 2026 the Supreme Court agreed to hear Salazar v. Paramount Global to decide who counts as a "consumer" under the VPPA, specifically whether signing up for a free email newsletter from a company that also offers video makes you a protected consumer. Its ruling will either widen or shrink the pool of people who can sue.

The practical takeaway doesn't depend on which way the Court goes. A narrower VPPA still leaves you exposed in circuits that read it broadly, and it does nothing about your GDPR and state-law obligations. Consent is the defense that works under every version of the statute.

This isn't only Netflix-style services

The trap is thinking the VPPA only touches dedicated streaming platforms. It reaches any site that delivers video to identifiable users:

  • News and magazine publishers with article videos.
  • Retailers with product demo or how-to clips.
  • Course and training providers streaming lessons.
  • Sports, fitness, and entertainment brands with a video library.
  • Any marketing site with gated or on-demand webinars.

If a page plays video and also carries a third-party tag that can identify the viewer, you're in scope. Embedded players carry their own risk too. A YouTube or Vimeo embed sets third-party cookies and reports viewing back to the platform, which our embed consent guide covers in detail.

The GDPR and state-law layer

Outside the US, video-watching is straightforward behavioral data. Under GDPR and the ePrivacy rules, any non-essential cookie or pixel that records what a visitor watches needs prior opt-in consent. US state laws treat sharing viewing data with an ad platform as "sharing" or a "sale," which means you owe an opt-out and have to honor Global Privacy Control.

So the video page needs the same discipline as any high-risk page: essential playback and DRM cookies run, and analytics, advertising, and social pixels stay blocked until you have the right consent for the visitor's location. Signal loss from denied consent is real, and our signal-loss guide covers how to recover conversions server-side without putting the raw pixel back on the video page.

How CookieBeam handles video sites

CookieBeam manages the consent and script-control layer that keeps tracking off your video pages until you're allowed to run it.

  • Block the pixels that create VPPA exposure. Meta, Google, and social tags stay blocked on video pages until consent, so viewing data doesn't leave your site by default. See how script blocking works.
  • Separate, purpose-level consent. Advertising and analytics are logged as their own purposes, which supports the VPPA's "separate from terms of service" standard better than a single blanket accept.
  • Regional rules from one config. Geo-targeted regional consent runs EU opt-in and US opt-out together, with Global Privacy Control honored automatically.
  • Scanning and drift detection. The scanner crawls your video pages and flags new tags and outbound connections, so a newly added pixel doesn't quietly reopen your exposure.
  • Durable consent records. Timestamped logs of what each viewer agreed to, which is the evidence a VPPA defendant wishes it had kept.

Checklist for streaming and video sites

  1. Inventory every page that plays or embeds video, including webinars and product clips.
  2. Scan those pages for pixels and analytics tags that can identify a viewer.
  3. Block advertising and social tags on video pages until the visitor consents.
  4. Collect video consent separately from your general terms, and refresh it within two years.
  5. Run EU opt-in and US opt-out, and honor Global Privacy Control.
  6. Recover lost conversions server-side rather than re-adding the raw pixel.
  7. Log consent and re-scan, since one added tag can restore full VPPA exposure.
Streaming Video VPPA Cookie Consent 2026 | CookieBeam | CookieBeam