What "Informed Written Consent" Actually Means
Informed: User must understand
- That you're collecting video-watching data
- That you're sharing it with third parties
- Which third parties will receive it
- What they'll do with it
Written: Documented proof
- Digital consent (checkbox, toggle, button)
- Timestamped
- Linked to user account
- Retrievable record
Consent: Affirmative agreement
- Opt-in (not opt-out)
- Clear choice (not buried in privacy policy)
- User actively participates
What Does NOT Qualify
- Privacy policy disclosure alone
- Pre-checked consent boxes
- Implied consent ("If you stay, you consent")
- Terms of service boilerplate
- Vague cookie banner language
What DOES Qualify
- Specific consent language mentioning video tracking
- Clear disclosure of third parties (Meta, Google)
- Affirmative opt-in (unchecked box user must check)
- Prominent placement (cookie banner or modal)
- Retrievable proof of consent
Consent Templates
Template 1: Simple Video Tracking
"Our website includes videos and uses Meta Pixel to track which videos you watch. This data is shared with Meta/Facebook for advertising purposes. Do you consent?"
Template 2: Granular Consent
- Analytics (unchecked): Google Analytics tracks page views
- Video Tracking (unchecked): We track which videos you watch and share with Meta
Template 3: Account-Based Consent
In privacy settings, users can enable/disable "Video Engagement Tracking" with clear explanation of what's shared where.
Technical Implementation
- Display consent banner on first visit
- Capture consent choice (checkbox click)
- Store consent record with timestamp and user ID
- Block pixels from firing until consent is given
- Respect withdrawal of consent
The infrastructure answer
The free PieEye compliance scan identifies whether your website has the VPPA vulnerabilities that plaintiffs' attorneys look for — tracking pixels firing on video pages without consent, data flowing to third parties before users have agreed, and policy-to-practice mismatches.
For the complete VPPA compliance framework, see our VPPA compliance guide. For the full compliance checklist, see VPPA compliance checklist. For Meta Pixel implementation, see Meta Pixel and VPPA.
Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.
How Video Consent Differs from Standard Cookie Consent
Your cookie banner probably handles Google Analytics and marketing cookies just fine. Video tracking under VPPA is different—and your existing consent framework might not cover it.
Standard cookie consent banners ask permission for "analytics" and "marketing." Users understand that broadly. But VPPA requires specific disclosure about video tracking and which companies receive that data. A checkbox labeled "Marketing Cookies" doesn't satisfy VPPA because it doesn't tell users that you're tracking which videos they watch or that Meta will receive that information.
This distinction matters for your Shopify store. If you're running product demo videos, educational content, or even embedded YouTube content, VPPA may apply depending on how you're tracking viewer behavior. Meta Pixel fires on pages with videos—but does your consent banner explain that Meta gets video-engagement data? Does it list Meta by name?
Your existing consent tool (OneTrust, Termly, or your CMP) probably has VPPA-specific templates, but you need to audit whether they're active and whether they actually block pixels until consent is given. Many brands discover their cookie banner says "requires consent" but the underlying code never actually pauses Meta Pixel or Google Analytics on video pages.
Practically: review your cookie banner right now. If you have video content anywhere on your site (even a single hero video or testimonial), and your consent language doesn't specifically mention "video tracking" and "Meta" or "Google" by name, you have a gap. Update your banner to include a dedicated video-tracking consent option separate from generic marketing cookies. Make sure your CMP actually blocks those pixels until that specific consent is granted.
Consent Withdrawal: Your Legal Obligation to Make It Easy
Informed written consent requires that users can withdraw it as easily as they gave it. Many eCommerce brands miss this entirely.
If a customer checks "yes" to video tracking in your cookie banner, they can later change their mind. Your privacy settings—or account preferences, or a "manage cookies" link—must let them uncheck that box with one click. No email to support. No contacting customer service. One click, done.
For your brand, this means: wherever users gave consent (cookie banner, post-purchase email, account settings), you need an equally visible withdrawal option. If your Shopify store uses a cookie banner on landing pages, your account dashboard needs a "manage video tracking" toggle. If you ask for consent in an onboarding email, that email should include an unsubscribe-style link to withdraw video tracking consent.
When users withdraw consent, you must also stop collecting that data immediately. If someone unchecks "video tracking" on Tuesday, Meta Pixel should stop firing on Wednesday. Your CMP should communicate that withdrawal to your tag manager in real time.
Document these withdrawals the same way you document consent—with timestamp and user ID. If you ever get a VPPA lawsuit or data-subject access request (DSAR), you'll need to prove you stopped collecting video data the moment they asked.
VPPA Consent and GDPR: When You Need Both
If your DTC brand ships internationally or has EU customers, you're probably handling GDPR consent already. VPPA is a separate US requirement that can apply to the same user, on the same page, at the same time.
GDPR requires consent for certain data processing activities. VPPA requires consent specifically for video-viewing data shared with third parties. They're not the same.
Example: A UK customer visits your Shopify store. Your cookie banner asks for "marketing cookies" (GDPR). GDPR consent is satisfied. But if you're tracking which product videos she watches and sharing that with Meta Pixel, VPPA also applies to her because the data is shared with a third party. You need separate, VPPA-specific consent for that video tracking, in addition to GDPR consent.
Many brands assume GDPR consent covers everything. It doesn't. If you're tracking video engagement and sharing it with platforms like Meta or Google, you need explicit, documented permission under both frameworks.
Check your CMP: does it let you layer VPPA consent on top of GDPR consent for the same user? If not, your compliance is incomplete.