Why this matters
If you run a streaming product, viewing data feels like your most valuable asset — it powers recommendations, retention analytics, and ad revenue — but legally it is closer to a loaded weapon than a free resource. A founder who drops a standard marketing pixel onto a video page, the way every web team has done for a decade, can expose the company to per-viewer statutory damages that scale into the millions before any actual harm is shown. This article maps the three regimes that govern viewing data — the US VPPA, the EU's GDPR and ePrivacy rules, and California's CCPA/CPRA alongside the wider US state-law wave — and then shows the one architectural idea, the privacy boundary, that satisfies all of them at once. It is the privacy specialization of Block 8's legal shell, sitting beside accessibility law for streaming and built directly on top of the personalization data pipeline whose boundary it governs. This is engineering guidance, not legal advice; confirm your specific obligations with qualified privacy counsel for each market you serve.
The one idea: viewing data is special, and three regimes reach it at once
Most teams file privacy under one generic heading — "we have a cookie banner and a privacy policy, we're fine." Viewing data breaks that assumption, because the record of what a person chose to watch is treated as unusually sensitive by lawmakers on both sides of the Atlantic, and three separate legal regimes claim authority over it at the same time.
Start with what "viewing data" actually is. It is any data that ties a person — or a household, a device, or an account — to specific titles: the play events, the watch history, the "continue watching" row, the search queries, the watchlist, and the profile that links them. On its own this looks like ordinary product telemetry. The reason it is regulated more tightly than, say, which button you clicked is that what someone watches can reveal their health, their politics, their religion, and their sexuality — the most private facts about them — inferred from a list of titles.
A useful analogy is a library borrowing record. Few people would want a list of every book they have ever checked out handed to an advertiser, because the list is a portrait of the reader. Viewing history is the same portrait, and the law treats it that way. The difference from a library is that three different inspectors show up to check it: one American federal statute written for video stores, one European framework written for all personal data, and one Californian regime (now echoed across many US states) written for the data economy.
These three do not agree on the mechanism. The VPPA is opt-in by consent and enforced through private lawsuits with fixed per-person damages. The GDPR and ePrivacy rules are opt-in by consent enforced by regulators with turnover-based fines. The CCPA/CPRA is opt-out, enforced by a dedicated agency and honored through automatic browser signals. A platform that serves all three markets must satisfy the strictest behavior on each axis. The rest of this article takes them one at a time, then shows the single boundary that reconciles them.
Figure 1. One kind of data, three regimes. The record of what a viewer watched is reached simultaneously by the US VPPA, the EU's GDPR and ePrivacy Directive, and California's CCPA/CPRA — and a single privacy boundary on the pipeline is what answers all three.
Regime one: the VPPA, a 1988 statute with sharp teeth
Of the three, the one that surprises founders most is the oldest and most American. The Video Privacy Protection Act, codified at 18 U.S.C. § 2710, was passed in 1988 after a newspaper obtained and published the video-rental history of a US Supreme Court nominee, Judge Robert Bork, during his confirmation. Congress reacted by making it unlawful for a "video tape service provider" to knowingly disclose the video-viewing records of a "consumer" to a third party. The statute reads as if it is about rental stores, but its language was written broadly enough to reach the streaming era, and courts have applied it to online video.
Three definitions decide whether the VPPA touches you. A video tape service provider is anyone "engaged in the business" of delivering "prerecorded video cassette tapes or similar audio visual materials" — which courts have read to include websites and apps that deliver video. Personally identifiable information (PII) is defined in the statute as "information which identifies a person as having requested or obtained specific video materials or services." And a consumer is "any renter, purchaser, or subscriber of goods or services from a video tape service provider." If you deliver video and you disclose, to a third party, information that ties an identifiable person to specific titles, you are in VPPA territory.
What makes the VPPA dangerous is not the prohibition but the price. The statute sets liquidated damages of $2,500 per aggrieved person — a floor that applies whether or not anyone suffered measurable harm — plus the possibility of punitive damages and the plaintiff's attorneys' fees. Because viewing data is collected from everyone at once, a single misconfigured integration becomes a class action. Walk the arithmetic out loud:
VPPA exposure = affected viewers × statutory minimum per person
100,000 affected viewers × $2,500 = $250,000,000
1,000,000 affected viewers × $2,500 = $2,500,000,000
Those are not damages a startup negotiates down casually; they are the reason VPPA compliance is a board-level item for any platform with a US audience. The good news is that the same statute provides a clean exit: disclosure is lawful if the consumer gives informed, written consent. After the Video Privacy Protection Act Amendments Act of 2012 (Public Law 112-258), that consent may be obtained electronically over the internet, but only if it is in a form distinct and separate from any form setting out other legal or financial obligations, given either at the time the disclosure is sought or in advance for a set period of up to two years (or until withdrawn), and revocable, with the provider offering a clear and conspicuous way to withdraw it. A consent buried in a general terms-of-service click does not count.
Common mistake: dropping a third-party tracking pixel on the video page. The single most common VPPA exposure today is a marketing or analytics tag — the kind that has lived in web headers for years — placed on a page where people watch video. When that tag transmits the title (often in the page URL) together with an identifier the third party can tie to a person, it can be an unconsented disclosure of viewing data to that third party. Teams add the tag for retargeting or measurement without realizing the video context changes the legal stakes entirely. Treat any page that knows what a user is watching as a restricted zone for third-party tags.
Why the VPPA is back: the pixel wave and the 2026 Supreme Court case
This is the dated, fast-moving part of the topic, and it must be re-checked at publish. Beginning around 2022, plaintiffs' firms filed hundreds of VPPA class actions against streaming services, broadcasters, and any site with video, almost all built on the same theory: an embedded third-party pixel — frequently the Meta Pixel — sent the user's video URL together with a platform identifier such as a Facebook ID to the third party, without VPPA-grade consent.
The courts are now sorting out two questions, and they are splitting. The first is what counts as PII. Several appeals courts, following Eichenberger v. ESPN (9th Cir. 2017) and In re Nickelodeon (3d Cir. 2016), apply an "ordinary person" standard: PII is information that would let an ordinary person — not a sophisticated data company — identify someone's video-watching. On 1 May 2025, the Second Circuit adopted that standard in Solomon v. Flipps Media and held that the strings of code a pixel transmits are not PII, because only a technically sophisticated company could decode them into a person's identity; it denied rehearing in July 2025. That reading is good news for platforms, but it is not universal — other courts applying the same test have reached the opposite result on near-identical facts.
The second question is who is a "consumer." Here the split is sharp enough that the Supreme Court stepped in. The Second Circuit, in Salazar v. NBA (2024), read "consumer" broadly: subscribing to any good or service from a provider that also offers video — even a free email newsletter — can make you a "consumer" protected as to your later video-watching. The Sixth Circuit, in Salazar v. Paramount Global (2025), read it narrowly: only a subscription to audiovisual goods or services counts. On 26 January 2026, the US Supreme Court granted certiorari in the Paramount case to resolve who qualifies as a "consumer" under the VPPA. As of this writing the decision is pending; its outcome will materially change every platform's VPPA exposure, so treat this section as provisional and confirm the current state of the law before relying on it.
Figure 2. The VPPA, 1988 to now. A video-store statute became the sharpest privacy risk in streaming: written in 1988, opened to electronic consent in 2012, weaponized against tracking pixels from 2022, narrowed on the meaning of PII in 2025, and now before the Supreme Court on the meaning of "consumer."
Regime two: GDPR and ePrivacy — consent before the tracker fires
Cross the Atlantic and the framing changes from "don't disclose without consent" to "don't even observe without a legal basis." Under the EU's General Data Protection Regulation (Regulation (EU) 2016/679), applicable since 25 May 2018, viewing data tied to an identifiable person is personal data, and every use of it needs one of six lawful bases in Article 6 — most often the viewer's consent. Where the titles a person watches reveal health, sexual orientation, religious belief, or political opinion, that data can fall into the GDPR's special categories (Article 9), which demand an even higher bar. Consent under the GDPR is exacting: it must be freely given, specific, informed, unambiguous, as easy to withdraw as to give, and never bundled into a take-it-or-leave-it agreement.
Layered on top of the GDPR is the older but still-controlling ePrivacy Directive (2002/58/EC), whose Article 5(3) governs the act of storing or reading anything on a user's device. This is the rule behind cookie banners, and it is stricter than many teams expect: for any non-essential tracker, prior consent is required before the tracker may fire — and crucially, "legitimate interest" under the GDPR does not substitute for that ePrivacy consent. The European Data Protection Board's Guidelines 2/2023 (finalized October 2024) confirmed that Article 5(3) reaches well beyond cookies to tracking pixels, URL-based tracking, IP-only tracking, and device fingerprinting — exactly the techniques streaming analytics and ad stacks rely on. The order of operations is the opposite of the US default: in the EU the tag stays dark until the viewer opts in.
The teeth are turnover-based and large. GDPR fines reach up to €20 million or 4% of global annual turnover, whichever is higher, and regulators are actively enforcing the consent rules against trackers: in September 2025 France's data-protection authority, the CNIL, fined Google €325 million and the retailer Shein €150 million over cookie-consent failures. For a streaming platform this means the consent layer is not a banner bolted on at the end; it is a gate wired in front of every analytics, recommendation, and advertising tracker that touches an EU viewer.
One forward-looking note to watch: the EU is reshaping this area. The European Commission withdrew the long-pending ePrivacy Regulation in early 2025, and a November 2025 "Digital Omnibus" proposal would move cookie-consent rules out of the ePrivacy Directive and into the GDPR, with a broader list of consent-exempt activities. None of that is law yet, but it is the most likely near-term change to the rules in this section — re-verify before publishing.
Regime three: CCPA/CPRA and the US state wave — opt-out and "sharing"
California takes a third path. The California Consumer Privacy Act (CCPA), effective 2020 and substantially expanded by the California Privacy Rights Act (CPRA) from 1 January 2023, does not generally require opt-in consent the way the EU does. Instead it gives consumers the right to opt out of certain data flows, and it created a dedicated regulator, the California Privacy Protection Agency (CPPA), to enforce it.
The concept that matters most for streaming is "sharing." The CPRA defines sharing as transferring personal information to a third party for cross-context behavioral advertising — that is, targeting ads to a person based on data gathered as they move across different sites and services. Sending viewing data to an ad-tech partner to build an audience profile is the textbook example. Consumers have the right to opt out of both the sale and the sharing of their personal information, and a platform must surface a clear "Do Not Sell or Share My Personal Information" control to make that possible.
The operational catch is automation. Under the CPRA, a business must honor an opt-out preference signal sent by the browser — the Global Privacy Control (GPC) — as a valid opt-out, with no extra clicks required from the user. So the right is not just a link in your footer; it is a signal your servers and your ad integrations must detect and obey in real time. The CPRA also creates a category of sensitive personal information — precise geolocation, race, health, sexual orientation, and more — that consumers can direct a business to limit, which is relevant when viewing patterns are used to infer those traits.
California is no longer alone. A wave of comprehensive US state privacy laws — covering most of the country's population by 2026 — follows a similar opt-out-and-signal model, several of them treating data that reveals health or sexuality as sensitive. The practical engineering implication is to build to the strictest common denominator: honor opt-out signals automatically, expose granular controls, and treat viewing-derived inferences as sensitive by default, rather than maintaining a different data flow for every state.
The three regimes, side by side
The table below is the one a product and legal team should align on before a single tracker ships. The "Enforcement teeth" column is the one that should drive your risk budget.
| Regime | Consent model | What it reaches | Key mechanism you must build | Enforcement teeth |
|---|---|---|---|---|
| US — VPPA (18 U.S.C. § 2710) | Opt-in: informed, written, separate consent | Disclosure of identifiable video-watching to a third party | VPPA-grade consent gate; no unconsented video-page pixels | $2,500 per person + punitive + fees; class actions |
| EU — GDPR (Reg. 2016/679) | Opt-in: a lawful basis, usually consent | All viewing data as personal data; some as special category | Lawful basis, withdrawal, data-subject rights | Up to €20M or 4% of global turnover |
| EU — ePrivacy (2002/58/EC, Art. 5(3)) | Opt-in: prior consent before the tracker fires | Cookies, pixels, URL tracking, fingerprinting | Consent gate that blocks tags until opt-in | National fines (e.g., CNIL €325M, 2025) |
| California — CCPA/CPRA | Opt-out (+ automatic signal) | "Sale" and "sharing" for cross-context ad targeting | "Do Not Sell or Share" + honor Global Privacy Control | CPPA enforcement; per-violation penalties |
Figure 3. Four rule-sets, one platform. The VPPA and the EU rules are opt-in; California is opt-out with an automatic signal. What changes across them is the trigger and the size of the teeth — from $2,500 a head to 4% of global turnover.
The architecture: one privacy boundary on the pipeline
Here is the reassuring part. You do not satisfy three regimes by building three privacy systems. You satisfy them with one idea applied rigorously: a privacy boundary around the pipeline that carries viewing data, where a viewer's consent state is a signal that gates every use downstream of it.
Recall how viewing data moves. A play event leaves the player's instrumentation and fans out to several consumers: product analytics, the personalization and recommendation pipeline, the advertising stack that targets and measures ads, and — the dangerous one — any third-party tag. The privacy boundary is the rule that no viewing event crosses to a regulated use until the consent state for that viewer and that purpose has been checked. Consent becomes a first-class field that travels with the event, not a banner that lives only in the browser.
Four disciplines make the boundary real. First, capture consent per purpose and propagate it — analytics, personalization, and ad targeting are different purposes with different legal bases, so a single yes/no will not do; the consent state must be queryable everywhere the event flows. Second, gate third-party tags hard — no advertising or analytics pixel fires on a video page before consent in the EU, and no video-identifying disclosure goes to a third party without VPPA-grade consent in the US; preferring server-side ad insertion and measurement over client-side pixels shrinks the surface through which viewing data can reach a third party at all. Third, minimize and pseudonymize — collect only the viewing fields each purpose needs and separate identity from behavior where you can, which reduces both the GDPR footprint and the chance that any disclosure is "personally identifiable." Fourth, wire in the data-subject rights — access, deletion, and the automatic honoring of Global Privacy Control opt-out signals — as pipeline operations, not manual tickets.
Common mistake: treating consent as a front-end banner. A banner that records a click but never propagates that choice to the analytics warehouse, the recommendation trainer, and the ad server is theater. The viewer said "no targeting," yet the event still lands in a dataset that feeds an ad model. Make consent a signal that travels with every viewing event and is enforced at each consumer of the data — otherwise you are non-compliant the moment the data leaves the page, regardless of what the banner says.
Figure 4. Build it once. Viewing events leave the player and hit a consent gate before any regulated use; consent state travels with the event to analytics, personalization, and the ad stack, and third-party tags stay dark until the gate clears. One boundary answers the VPPA, GDPR, ePrivacy, and CCPA/CPRA together.
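The boundary described above, reduced to running code: an added example written for this article, not Fora Soft's or any platform's code. It ties together the three technical points the article makes: the pixel trap (a tag that sends the watch URL together with a viewer identifier), the Global Privacy Control signal that must be honored without extra clicks, and per-purpose consent that travels with every viewing event and is re-evaluated at each consumer. The names Purpose, ConsentState, ViewingEvent, consent_from_request, route_event, pixel_query and PSEUDONYM_KEY are hypothetical; the only real interface used is the Sec-GPC request header that the Global Privacy Control specification defines (a value of "1" means the signal is active). Region labels and sample inputs are constructed.

```python
"""Added example: one consent boundary on the viewing-data pipeline.

Illustrative code for this article, not any platform's production code.
Purpose, ConsentState, ViewingEvent, consent_from_request, route_event,
pixel_query and PSEUDONYM_KEY are hypothetical names; the Sec-GPC header
is the real browser signal defined by the Global Privacy Control spec.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional
from urllib.parse import urlencode


class Purpose(str, Enum):
    ANALYTICS = "analytics"                  # first-party product analytics
    PERSONALIZATION = "personalization"      # recommendation pipeline
    AD_TARGETING = "ad_targeting"            # CPRA "sharing" for cross-context ads
    THIRD_PARTY_PIXEL = "third_party_pixel"  # title plus identity to a third party (VPPA)


# Constructed per-deployment secret for keyed pseudonymization of viewer ids;
# in practice it lives in a KMS and is rotated, never in source.
PSEUDONYM_KEY = b"example-only-key"


@dataclass(frozen=True)
class ConsentState:
    """Per-purpose consent record that travels with every viewing event."""
    region: str                                              # "EU", "US-CA", "US" (constructed labels)
    opted_in: frozenset = field(default_factory=frozenset)   # EU opt-in model
    opted_out: frozenset = field(default_factory=frozenset)  # US opt-out model
    gpc: bool = False                                        # browser sent Sec-GPC: 1
    vppa_consent: bool = False                               # separate, standalone, revocable consent

    def allows(self, purpose: Purpose) -> bool:
        """True only when every regime that reaches this viewer is satisfied."""
        if purpose is Purpose.THIRD_PARTY_PIXEL and not self.vppa_consent:
            return False  # VPPA: no identifiable title disclosure without its own consent
        if purpose is Purpose.AD_TARGETING and self.gpc:
            return False  # CPRA: the GPC signal alone is a valid opt-out of sale/sharing
        if self.region == "EU":
            return purpose in self.opted_in  # GDPR/ePrivacy: dark until the viewer opts in
        return purpose not in self.opted_out  # US default: allowed unless opted out

    def revoke_vppa(self) -> "ConsentState":
        """VPPA consent must be withdrawable; return the state after withdrawal."""
        return ConsentState(self.region, self.opted_in, self.opted_out, self.gpc, False)


def consent_from_request(headers: Dict[str, str], stored: ConsentState) -> ConsentState:
    """Merge the stored consent record with the live browser signal on each request.
    Header names are matched case-insensitively; only the value "1" is an active GPC signal."""
    lowered = {k.lower(): v for k, v in headers.items()}
    gpc = lowered.get("sec-gpc", "").strip() == "1"
    return ConsentState(stored.region, stored.opted_in, stored.opted_out,
                        gpc=gpc or stored.gpc, vppa_consent=stored.vppa_consent)


@dataclass(frozen=True)
class ViewingEvent:
    viewer_id: str
    title_id: str
    title_slug: str         # appears in the watch-page URL, which is what a pixel transmits
    consent: ConsentState   # consent is a field of the event, not a state held only in the browser


def pseudonym(viewer_id: str) -> str:
    """Keyed, non-reversible viewer pseudonym for sinks that need behavior but not identity."""
    return hmac.new(PSEUDONYM_KEY, viewer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pixel_query(ev: ViewingEvent) -> str:
    """The disclosure an ungated marketing pixel makes: the watch URL (which names the
    title) together with an identifier the third party can tie to a person."""
    return urlencode({"dl": f"https://example.invalid/watch/{ev.title_slug}",
                      "uid": ev.viewer_id})


def route_event(ev: ViewingEvent) -> Dict[str, Optional[object]]:
    """Fan one play event out. Each sink gets only the fields its purpose needs, or None.
    The gate runs at every consumer, so a withdrawal is enforced on the very next event."""
    c = ev.consent
    return {
        "analytics": ({"viewer": pseudonym(ev.viewer_id), "title": ev.title_id}
                      if c.allows(Purpose.ANALYTICS) else None),
        "personalization": ({"viewer": ev.viewer_id, "title": ev.title_id}
                            if c.allows(Purpose.PERSONALIZATION) else None),
        "ad_targeting": ({"viewer": pseudonym(ev.viewer_id), "title": ev.title_id}
                         if c.allows(Purpose.AD_TARGETING) else None),
        "third_party_pixel": (pixel_query(ev)
                              if c.allows(Purpose.THIRD_PARTY_PIXEL) else None),
    }
```

Read the `allows` method top to bottom as the "strictest behavior on each axis" rule from the article: the VPPA check comes first because it applies to any US viewer regardless of banner state, the GPC check is honored for every region rather than only California (the strictest common denominator the state-law section recommends), and only then does the regime-specific default (EU opt-in, US opt-out) decide. A viewer in California whose browser sends `Sec-GPC: 1` and who gave separate VPPA consent will therefore still feed analytics, personalization and a consented pixel, but the ad-targeting sink receives nothing; an EU viewer with no opt-ins produces an event that reaches no regulated sink at all.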
Where Fora Soft fits in
Privacy on a streaming platform is a data-flow problem before it is a legal one: millions of viewing events a day, fanning out to analytics, recommendations, and advertising, each of which is a regulated use in at least one of your markets — and a single unconsented third-party tag on a video page can turn into per-viewer statutory damages. Fora Soft has built video streaming and OTT/Internet TV platforms since 2005 — 625+ projects for 400+ clients over 20+ years — and the same consent-and-data-boundary discipline runs through our telemedicine and e-learning work, where viewing and usage data is sensitive by default. We design the privacy boundary into the pipeline: consent captured per purpose and propagated to every consumer of viewing data, third-party tags gated, server-side ad paths preferred over leaky client pixels, and data-subject rights wired in as operations. We are vendor-neutral about consent-management and analytics platforms; we integrate the ones a given market and budget call for. This is engineering guidance, not legal advice — confirm your VPPA, GDPR, and CCPA/CPRA obligations with qualified counsel.
What to read next
- The personalization data pipeline — the pipeline whose privacy boundary this article governs.
- Server-side ad insertion (SSAI) vs client-side (CSAI) — why server-side paths leak less viewing data to third parties.
- Accessibility law for streaming: captions, audio description, WCAG — the sibling legal obligation in Block 8.
Call to action
- Talk to a streaming engineer — book a 30-minute scoping call to talk through your VPPA and viewing-data privacy plan for your streaming platform.
- See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
- Download the Viewing-Data Privacy Readiness Checklist — One-page checklist for streaming viewing-data privacy: the US VPPA pixel trap and its $2,500-per-person liquidated damages, the EU's GDPR and ePrivacy consent-before-the-tracker rule, California's CCPA/CPRA opt-out and Global Privacy….
References
- Video Privacy Protection Act, 18 U.S.C. § 2710 — the controlling US statute. Defines "video tape service provider," "consumer," and "personally identifiable information" ("information which identifies a person as having requested or obtained specific video materials or services"); prohibits knowing disclosure of a consumer's video records to third parties; sets liquidated damages of $2,500 per aggrieved person, plus punitive damages and attorneys' fees; permits disclosure with informed, written consent. Read directly. Tier 1 (US statute). https://www.law.cornell.edu/uscode/text/18/2710
- Video Privacy Protection Act Amendments Act of 2012 (Public Law 112-258) — amended § 2710 to allow consent to be given electronically over the internet, provided it is in a form distinct and separate from any form setting out other legal or financial obligations, given either at the time the disclosure is sought or in advance for a set period of up to two years (or until withdrawn), and revocable through a clear and conspicuous withdrawal mechanism. Tier 1 (US statute). https://www.congress.gov/bill/112th-congress/house-bill/6671
- General Data Protection Regulation — Regulation (EU) 2016/679 — applicable since 25 May 2018; viewing data tied to an identifiable person is personal data requiring an Article 6 lawful basis (often consent); Article 9 governs special-category data (health, sexual orientation, religion, political opinion) that viewing can reveal; consent must be freely given, specific, informed, unambiguous, and withdrawable; fines up to €20M or 4% of global annual turnover. Tier 1 (EU law). https://eur-lex.europa.eu/eli/reg/2016/679/oj
- ePrivacy Directive — Directive 2002/58/EC, Article 5(3) — requires prior consent before storing or accessing information on a user's terminal equipment (cookies and equivalent trackers); legitimate interest does not substitute for this consent for non-essential trackers. Tier 1 (EU law). https://eur-lex.europa.eu/eli/dir/2002/58/oj
- EDPB Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive (final, October 2024) — clarifies that Article 5(3) reaches beyond cookies to tracking pixels, URL-based tracking, IP-only tracking, and device fingerprinting. Tier 2 (issuing-body guidance). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22023-technical-scope-art-53-eprivacy-directive_en
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.100 et seq. — CPRA effective 1 January 2023, enforced by the California Privacy Protection Agency; defines "sharing" as transferring personal information for cross-context behavioral advertising; grants the right to opt out of sale and sharing; requires a "Do Not Sell or Share My Personal Information" control and honoring of opt-out preference signals (Global Privacy Control); creates a "sensitive personal information" category with a right to limit. Tier 1 (US state law). https://cppa.ca.gov/regulations/
- Solomon v. Flipps Media, Inc. (2d Cir., 1 May 2025) — the Second Circuit adopted the "ordinary person" standard for VPPA PII and held that code strings transmitted by a tracking pixel are not PII because only a sophisticated company, not an ordinary person, could decode them into a person's video-watching; rehearing denied July 2025. Tier 5 (litigation). https://caselaw.findlaw.com/court/us-2nd-circuit/117231436.html
- Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016) — the appellate decisions that established the "ordinary person" standard for VPPA personally identifiable information later followed by the Second Circuit. Tier 5 (litigation). https://www.law.cornell.edu/
- Salazar v. Paramount Global (6th Cir. 2025) — certiorari granted by the US Supreme Court, 26 January 2026 — the Supreme Court agreed to resolve a circuit split over who qualifies as a "consumer" under the VPPA (the Second Circuit, in Salazar v. NBA (2024), reads it broadly to include subscribers of any good or service; the Sixth Circuit limits it to audiovisual subscriptions). Decision pending; outcome will reshape VPPA exposure. Tier 5 (litigation). https://www.supremecourt.gov/
- CNIL enforcement decisions, September 2025 (Google €325M; Shein €150M) — France's data-protection regulator fined Google and Shein for setting/using trackers without valid ePrivacy consent, illustrating active enforcement of the consent-before-tracker rule. Tier 5 (regulator action / trade reporting). https://www.cnil.fr/en
Per the section's source hierarchy, where popular "streaming privacy" explainers blur the three regimes into one duty, this article follows the controlling statutes and standards directly — the VPPA from the US Code, the GDPR and ePrivacy Directive from EUR-Lex, and the CCPA/CPRA from the CPPA — and treats the fast-moving VPPA case law (the 2025 PII rulings and the pending 2026 Supreme Court "consumer" case) as provisional, flagged for re-verification rather than presented as settled.