Key Cases
Second Circuit: Salazar v. NBA (118 F.4th 533, 2d Cir. 2024)
The court held: YES, the plaintiff is a VPPA "consumer."
But the court went further. It suggested that even someone who ONLY purchased merchandise from the NBA might be a "consumer" if the NBA is a "video tape service provider."
Key language: "The statute defines 'consumer' simply as 'any renter, purchaser, or subscriber of goods or services from a video tape service provider.' There is no requirement that the goods or services be related to audiovisual content."
Seventh Circuit: Gardner v. Me-TV (998 F.3d 1359, 7th Cir. 2021)
The court held: YES, even free users are VPPA "consumers."
The Seventh Circuit interpreted "subscriber" broadly to include anyone who uses a service, whether they pay for it or not.
Impact on Defendants
A company facing Second or Seventh Circuit VPPA litigation has:
- Massive class size (everyone who interacted with the company)
- High damages exposure ($100-$2,500 per person)
- Difficult settlement leverage
Example:
- 100,000 people = $10M-$250M exposure
- Settlement range: $20M-$100M+
The infrastructure answer
The free PieEye compliance scan identifies whether your website has the VPPA vulnerabilities that plaintiffs' attorneys look for — tracking pixels firing on video pages without consent, data flowing to third parties before users have agreed, and policy-to-practice mismatches.
For the complete VPPA compliance framework, see our VPPA compliance guide. For the circuit split and forum shopping implications, see VPPA circuit split and forum shopping. For the Supreme Court case that will resolve this split, see Salazar v. Paramount Global.
Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.
What "Consumer" Actually Means in Your Shopify Store
The Second and Seventh Circuit rulings have fundamentally changed what counts as customer data under the VPPA. You don't need to sell video services to be liable. If you're a DTC brand on Shopify and you embed a product video on your homepage, the courts say anyone who visits that page—and whose viewing activity gets tracked—could be a "consumer" under the VPPA.
This matters because many eCommerce sites use video as a standard feature. You might have:
- Product demo videos on category pages
- Customer testimonial videos in your trust section
- Tutorial videos in your help center
- Live shopping or TikTok embeds
The moment you add tracking pixels (Meta Pixel, Google Analytics, Klaviyo tracking) to those pages without explicit consent, you've potentially exposed yourself. The courts didn't require that visitors actually watch the video—just that the tracking infrastructure fires when they land on a page where video could be viewed. This is a critical distinction for your compliance strategy.
The Seventh Circuit's inclusion of free users is especially relevant for eCommerce. Many brands offer free shipping calculators, size guides, or loyalty program access without requiring purchase. Under Gardner, those free interactions count. Your exposure isn't limited to paying customers—it extends to anyone who engages with your digital property.
How Consent Forms the Real Liability Shield
Courts in both circuits emphasized that explicit, affirmative consent before tracking on video pages eliminates VPPA exposure. But consent means more than a generic privacy policy buried in your footer.
Your Shopify store needs consent specifically for video tracking. A blanket cookie banner that says "We use cookies" won't satisfy either circuit. You need:
- Clear disclosure that video pages use tracking
- Affirmative opt-in before pixels fire
- Proof that the user consented before data collection occurred
- Easy revocation (especially important for Seventh Circuit "subscribers")
This is where most DTC brands fail. They assume their standard cookie consent flow covers VPPA compliance. It doesn't. A user might accept "analytical" cookies without understanding that Meta Pixel on a video page is collecting viewing behavior linked to their identity. That's a gap a plaintiffs' attorney will exploit.
The Second Circuit's language about "any renter, purchaser, or subscriber" means your consent capture needs to happen at multiple touchpoints:
- Before video loads on product pages
- Before checkout video plays (yes, even there)
- Before you fire tracking pixels on pages with embedded video content
- Before you send video viewing data to third parties like your email platform
Your cookie banner tool (whether Termly, OneTrust, or similar) needs to be configured to block video tracking pixels until consent is received. If your tool allows consent to be given after the pixel has already fired, you're still liable.
The Data Sharing Problem Most Brands Miss
The VPPA doesn't just limit your tracking of video viewing—it restricts sharing that data with third parties without consent.
Here's where eCommerce brands commonly expose themselves: when you connect Shopify to Klaviyo, Google Analytics, or Meta Business Suite, viewer data flows downstream. If a customer watches a product video and then receives a retargeting ad within 24 hours, that chain of events created liability.
You need to audit your data flows:
- What platforms receive video page visits from your Shopify store?
- Does your Klaviyo integration capture "viewed product video" as a behavioral trigger?
- Are you syncing audiences to Meta Ads based on landing page activity (which might include video pages)?
- Does your Google Analytics 4 setup send cross-domain data to your advertising platform?
Each of these integrations could constitute "disclosure" of video viewing data to a third-party service provider under the VPPA's definition. The Second Circuit suggested liability extends not just to the original collector, but potentially to the platforms receiving the data.
Your compliance checklist needs to include:
- Documenting which third parties receive video page traffic data
- Confirming consent covers data sharing, not just collection
- Reviewing your platform-to-platform integrations for video-related data signals
- Disabling automatic audience syncing that includes video page visitors
Building Your Defense in Discovery
If you face VPPA litigation, both circuits will examine what your compliance infrastructure actually looked like—not what your privacy policy promises. Courts look for evidence of reasonable effort to protect consumer privacy around video content.
Your defense depends on demonstrating:
- You identified pages with video content
- You implemented consent before tracking fired
- You trained your team on the policy
- You monitored compliance over time
- You responded quickly when gaps were discovered
Most brands can't produce this evidence because they never documented it. Your Shopify admin logs, pixel implementation records, and cookie consent audit trails become exhibits in discovery.
Start building this record now. Screenshot your current setup. Document which pages have video. Log your consent configuration. Create an audit trail showing you knew about VPPA exposure and took steps to address it. This becomes your best defense if litigation arrives.
Managing consent across video content, third-party integrations, and multiple tracking tools is complex. The stakes—damages up to $2,500 per person, multiplied across your entire customer base—demand more than a standard privacy policy. Brands that implement purposeful, documented consent infrastructure before litigation strikes have dramatically better outcomes than those defending reactive compliance practices.