Part 1: Pre-Audit Preparation
Step 1.1: Identify Your Key Stakeholders
- Legal/Compliance Lead
- Engineering/Dev Lead
- Marketing Lead
- Privacy Officer (if you have one)
- IT/Security
Step 1.2: Create an Audit Timeline
- Week 1-2: Initial assessment
- Week 3: Gap analysis
- Week 4: Remediation plan
- Week 5-8: Implementation
- Week 9: Testing & deployment
Part 2: Video Inventory Audit
Step 2.1: List All Pages With Embedded Video
Document:
- Exact page URLs
- Video type (YouTube, Vimeo, custom, etc.)
- Number of videos per page
- Whether page is public or restricted access
- Approximate monthly visitors
- Percentage who play the video
Example:
| Field | Value |
|---|---|
| Page URL | /products/lipstick |
| Video Type | YouTube |
| Number of Videos | 1 |
| Public/Restricted | Public |
| Monthly Visitors | 100,000 |
| % Who Play Video | 50% (50,000 viewers) |
Part 3: Tracking Technology Inventory
Step 3.1: Identify All Tracking Pixels and Tags
Document for each tool:
- Tool name and pixel ID
- Which pages it's installed on
- What it does
- Risk level (HIGH, MEDIUM, LOW)
Tools to Check:
- Meta Pixel
- Google Analytics
- Google Ads Tag
- TikTok Pixel
- Pinterest Pixel
- LinkedIn Insight Tag
- Hotjar/Session Recording
- Email Service Providers
- Marketing Automation
Part 4: Consent Mechanism Audit
Step 4.1: Assess Current Consent Status
- Do you have a cookie/consent banner?
- What does the banner say?
- Does it mention video tracking specifically?
- Is it specific about which third parties receive data?
- Is consent opt-in (unchecked) or opt-out (pre-checked)?
- Can you retrieve consent records?
Step 4.2: Review Privacy Policy
- Does it mention video tracking?
- Does it identify third-party vendors?
- Does it explain what happens to video data?
- Is it clear about cross-device tracking?
Part 5: Technical Implementation Audit
Step 5.1: Check Pixel Blocking
- Are pixels blocked until consent is given?
- Or do they fire regardless of consent?
Test in browser:
- Open developer tools (F12)
- Go to Network tab
- Load page with video
- Filter for "fbq" (Meta Pixel)
- If fbq loads without consent, that's a problem
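The manual Network-tab check above can be repeated across many pages by saving the tab as a HAR file and scanning it; this is an added example, not PieEye's code, and it flags tracker requests that started before the recorded consent time. The Meta Pixel appears in network traffic as requests to connect.facebook.net (fbevents.js) and www.facebook.com/tr, so the rules match on those hosts. Assumptions: the function names, the rule list (an illustrative subset of the Part 3 tools), and the sample HAR with its shop.example host and placeholder pixel ID are all constructed for illustration.

```javascript
// Added example: flag tracker requests in a DevTools HAR export that started before consent.
// TRACKER_RULES is an illustrative subset; extend it from your Part 3 inventory.
const TRACKER_RULES = [
  { tool: "Meta Pixel", host: "connect.facebook.net" },            // fbevents.js loader
  { tool: "Meta Pixel", host: "www.facebook.com", path: "/tr" },   // event beacon
  { tool: "Google Analytics", host: "www.google-analytics.com" },
  { tool: "Google Tag Manager", host: "www.googletagmanager.com" },
  { tool: "TikTok Pixel", host: "analytics.tiktok.com" },
];

function matchTracker(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; } // ignore malformed URLs
  const rule = TRACKER_RULES.find((r) =>
    u.hostname === r.host &&
    (!r.path || u.pathname === r.path || u.pathname.startsWith(r.path + "/")));
  return rule ? rule.tool : null;
}

// consentAt: ISO 8601 time from the stored consent record, or null if no consent was given.
function findPreConsentHits(har, consentAt) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  if (Number.isNaN(cutoff)) throw new Error("consentAt is not a valid timestamp");
  const hits = [];
  for (const entry of har.log.entries) {
    const tool = matchTracker(entry.request.url);
    const started = Date.parse(entry.startedDateTime);
    // Negated >= so an entry with an unparseable time is flagged rather than silently passed.
    if (tool && !(started >= cutoff)) {
      hits.push({ tool, url: entry.request.url, startedDateTime: entry.startedDateTime });
    }
  }
  return hits;
}

// Constructed sample: consent is recorded 3 s after page load; the Meta Pixel fires first.
const SAMPLE_CONSENT_AT = "2024-01-01T10:00:03.000Z";
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.000Z", request: { url: "https://shop.example/products/lipstick" } },
  { startedDateTime: "2024-01-01T10:00:00.400Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
  { startedDateTime: "2024-01-01T10:00:00.900Z", request: { url: "https://www.facebook.com/tr/?id=0000000000&ev=PageView" } },
  { startedDateTime: "2024-01-01T10:00:05.000Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
] } };

console.log(findPreConsentHits(SAMPLE_HAR, SAMPLE_CONSENT_AT));
```

Passing `null` as the consent time models a visitor who never accepted the banner, in which case every matched request is reported.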
Step 5.2: Check Consent Documentation
- Are consent records stored?
- Can you retrieve: user ID, timestamp, what was consented to?
- Are records timestamped?
- Are records linked to user accounts?
Part 6: Vendor & Third-Party Audit
Step 6.1: Map All Vendors Receiving Data
Document:
- Vendor name
- Data received
- Does it include video data?
- Contract in place?
- Data Processing Agreement (DPA)?
Questions for Each Vendor:
- What do they do with video-watching data?
- Do they have privacy commitments?
- Do they sign Data Processing Agreements?
- Do they re-disclose data?
Part 7: Exposure Assessment
Step 7.1: Calculate Potential Liability
Estimated class size: [number of users who watched video without consent]
× Statutory damages per person: $100-$2,500
= Exposure: $X million - $Y million
Step 7.2: Assess Litigation Risk
High Risk If:
- Video is major part of business
- Large user base (100K+)
- No consent mechanism
- High-profile company
Low Risk If:
- Video is incidental
- Small user base (<10K)
- Robust consent in place
- Smaller company
Part 8: Remediation Roadmap
Priority 1: Immediate (Week 1-2)
- Implement consent banner with specific video tracking language
- Block pixels from firing until consent is given
- Document current consent process
Priority 2: Short-term (Week 3-4)
- Set up CMP (consent management platform)
- Retrieve historical consent records
- Review and update privacy policy
Priority 3: Medium-term (Week 5-8)
- Conduct full tech stack audit
- Remove unnecessary pixels
- Implement cross-device consent
- Audit vendor compliance
Priority 4: Ongoing
- Monitor VPPA litigation trends
- Monitor Supreme Court Salazar decision
- Quarterly compliance reviews
- Annual full audit
Full VPPA Compliance Checklist
Video Inventory
- Identified all pages with embedded video
- Documented video types and locations
- Estimated video viewing traffic
Tracking Inventory
- Listed all pixels and tracking tools
- Identified data collection for each
- Mapped data flows to third parties
- Assessed risk level for each tool
Consent
- Implemented consent banner
- Consent language is specific to video tracking
- Consent is opt-in (unchecked)
- Consent is documented and retrievable
- Pixels are blocked until consent is given
- Updated privacy policy
Documentation
- Consent records stored with timestamps
- Pixel firing logs maintained
- Privacy policy version history kept
- Legal review completed
Vendor Management
- Vendor list maintained
- Vendor contracts reviewed
- Data Processing Agreements in place
- Vendor compliance assessed
Testing
- Tested consent banner across devices/browsers
- Tested pixel blocking (pixels don't fire without consent)
- Verified consent records are created
- Verified pixels fire when consent given
Litigation Readiness
- Consent documentation complete
- Implementation timeline documented
- Good faith compliance efforts shown
- Legal counsel reviewed approach
The infrastructure answer
The free PieEye compliance scan identifies whether your website has the VPPA vulnerabilities that plaintiffs' attorneys look for — tracking pixels firing on video pages without consent, data flowing to third parties before users have agreed, and policy-to-practice mismatches.
For the complete VPPA compliance framework, see our VPPA compliance guide. For damages and litigation risk, see VPPA damages and litigation risk. For consent mechanisms, see VPPA consent mechanisms.
Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.