Global Product Compliance: Hidden Legal Risks & How to Avoid Them

by Chief Editor

The Expanding Web of Digital Compliance: From VHS Tapes to Global Regulations

In 2024, a surprising trend emerged: over 250 class action lawsuits were filed under the Video Privacy Protection Act (VPPA), a US federal law originally enacted in 1988 to protect VHS rental records. This surge highlights a critical shift in the compliance landscape, where decades-old laws are being applied to modern digital tools with significant consequences.

The VPPA’s Unexpected Revival

The VPPA was designed to prevent the disclosure of a consumer’s video rental history. But plaintiffs’ firms discovered a novel application in 2022: embedding third-party video players on websites – without proper consent mechanisms – could expose companies to liability under the same statute. This interpretation rapidly gained traction, leading to a doubling of VPPA lawsuits in 2024 compared to the prior year, with settlements reaching into the millions.

The companies targeted weren’t necessarily negligent or operating in legal grey areas. Many were simply using standard video embedding practices, unaware of the potential legal ramifications. This illustrates a broader issue: the compliance landscape is sprawling, fast-moving, and often invisible to product teams.

Beyond Video: The Rise of “Wiretapping” Theories

The VPPA surge wasn’t an isolated incident. Simultaneously, California’s Invasion of Privacy Act became the basis for litigation targeting session replay tools, chat widgets, and analytics pixels. The core theory: capturing a user’s session in real-time without prior notice could be considered intercepting an electronic communication.

Although courts have offered inconsistent rulings on these claims, the sheer volume of cases prompted major law firms to issue guidance on defending against them. This “wiretapping” theory has since spread to other states, further expanding the potential legal exposure for businesses.

A Global Product, Global Obligations

A key takeaway is that compliance obligations aren’t tied to a company’s location. They depend on a complex mix of factors, including where the company is established, its sector, revenue, the type of data processed, and the location of its users.

A product built in one location that attracts users from multiple countries immediately falls under the purview of various international regulations. For example, a product reaching users in California, Germany, and Canada must comply with CPRA, GDPR, and Canada’s PIPEDA from the moment the first user signs up. Unlike a physical business expanding market by market, a digital product is inherently global from launch.

GDPR, with over €5.88 billion in cumulative fines since 2018, applies to any organization targeting EU users, regardless of its headquarters location. Nearly 20 US states now have comprehensive privacy laws, each with unique requirements. The European Accessibility Act, fully enforced since June 2025, extends accessibility standards to businesses serving EU consumers worldwide. The EU Whistleblower Directive also mandates secure internal reporting channels for companies with over 50 employees, regardless of location.

From Point Solutions to Integrated Platforms

Many companies initially address compliance issues reactively, implementing solutions as new regulations emerge. This often results in a fragmented stack of vendors, contracts, and renewal dates, lacking a cohesive view of overall compliance posture.

This approach fails to recognize the interconnected nature of data privacy, accessibility, and transparency requirements. Managing these obligations in isolation leads to inefficiencies and potential gaps in coverage. The market is shifting towards integrated platforms, mirroring the consolidation seen in CRM, marketing technology, and security tooling.

Compliance as a Product Property

The VPPA and session replay cases demonstrate a fundamental shift in perspective. Companies are often sued not for making deliberate compliance decisions, but for making product decisions – such as embedding a video player or deploying an analytics tool – without fully considering the associated legal risks.

Successful companies are treating compliance obligations as an inherent property of their product, rather than solely a legal team’s responsibility. This proactive approach is essential for navigating the increasingly complex and interconnected regulatory landscape. In 2025, the California attorney general secured its largest-ever CCPA settlement at $1.55 million, and Texas continues active enforcement of its own privacy law, underscoring the financial consequences of non-compliance.

Frequently Asked Questions

Q: What is the VPPA?
A: The Video Privacy Protection Act is a US federal law from 1988 that protects video rental records. It’s recently been applied to online video players and tracking technologies.

Q: Does GDPR apply to my company if we’re not based in Europe?
A: Yes, GDPR applies to any organization that targets users in the European Union, regardless of its location.

Q: What is the best way to manage compliance obligations?
A: Treat compliance as an integral part of your product development process, rather than an afterthought handled solely by the legal team.

Q: What are session replay tools?
A: Session replay tools record user interactions on a website, which can be used for analytics and debugging. They have become the subject of privacy litigation.

Q: What is the European Accessibility Act?
A: The EAA requires businesses serving EU consumers to meet harmonized accessibility standards.

Did you know? The number of VPPA lawsuits more than doubled between 2023 and 2024, demonstrating the growing legal risk associated with online video tracking.

Pro Tip: Regularly review your third-party vendor contracts to ensure they align with your compliance obligations.

Stay informed about evolving regulations and proactively integrate compliance considerations into your product development lifecycle. Explore resources from organizations like the IAB and legal firms specializing in privacy and cybersecurity law to stay ahead of the curve.
