
Personally Identifiable Information (PII) Under VPPA

Eddy Udegbe
VPPA prohibits disclosing "personally identifiable information" about video watching. But what counts as PII? Here's what clearly counts, what's contested, and the safe principle.

What Clearly Counts as PII

Direct Personal Identifiers:

  • Email addresses linked to video watching
  • User IDs linked to video watching
  • Phone numbers linked to video watching
  • Physical addresses linked to video watching
  • Usernames linked to video watching

What's Contested

Device IDs (fbp, _ga, gaid, idfa):

  • Meta can link fbp to a real person
  • If you disclose fbp + page URL, Meta knows person + video
  • Safe assumption: YES, it's PII

Hashed Emails or IDs:

  • sha256('john@example.com') = hashed email
  • Can be linked back if ad network has lookup tables
  • Safe assumption: YES, it's still PII if reversible

IP Addresses:

  • Can identify a household
  • Courts generally don't treat an IP address alone as PII
  • But in combination with other data, might be VPPA-relevant

The Safe Principle

For VPPA purposes, assume that ANY information allowing a third party to link a person to their video watching is PII.

When in doubt, assume it's PII and get consent anyway.

The infrastructure answer

The free PieEye compliance scan identifies whether your website has the VPPA vulnerabilities that plaintiffs' attorneys look for — tracking pixels firing on video pages without consent, data flowing to third parties before users have agreed, and policy-to-practice mismatches.

For the complete VPPA compliance framework, see our VPPA compliance guide. For consent mechanisms that satisfy VPPA, see VPPA consent mechanisms. For Meta Pixel and PII, see Meta Pixel and VPPA.

Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.

How Video Content Triggers VPPA Risk on eCommerce Sites

Your Shopify store probably has more video than you realize. Product demo videos, customer testimonial clips, live shopping streams, and embedded YouTube content all count as "video material" under VPPA. The moment a tracking pixel (Meta Pixel, Google Analytics 4, TikTok Pixel) fires on a page containing video, you're collecting information about who watched it.

The risk escalates when third-party services enter the picture. If you use a video hosting platform like Vimeo or Wistia that embeds its own tracking, and you also have Meta Pixel firing on that same page, you've created a chain where multiple parties can potentially link a user to their video viewing behavior. Even if the video is just a 30-second product carousel or a testimonial in your hero section, VPPA applies.

BigCommerce stores with embedded Vidyard or Loom videos face the same issue. The platform's native analytics + your marketing pixels = multiple entities with data about the same viewer. Courts have interpreted VPPA broadly enough that even partial video content on a page (not the main purpose of the page, but present) can trigger liability if tracking occurs without explicit consent. Your support video FAQ page, your brand story video, your livestream shopping events—all of it matters.

The practical implication: you need to know which pages on your site contain video, where your tracking pixels fire, and whether you have consent before those pixels activate on video pages.
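
One way to start that inventory, as an added example (not PieEye's scanner and not code from the original article): a static check that flags pages where a video embed and an active tracker script appear together. The host substrings, the `type="text/plain"` gating convention and the sample HTML are assumptions of this example, and the lists are illustrative rather than exhaustive.

```javascript
// Added example. Host substrings are illustrative assumptions, not a complete list.
const VIDEO_HOSTS = ["youtube.com/embed", "player.vimeo.com", "fast.wistia.net/embed",
                     "play.vidyard.com", "loom.com/embed"];
const TRACKERS = {
  "connect.facebook.net": "Meta Pixel",
  "googletagmanager.com/gtag/js": "Google Analytics 4",
  "analytics.tiktok.com": "TikTok Pixel",
};

// Static audit of one page: is video present, and which trackers run unconditionally?
function auditPage(url, html) {
  const iframes = [...html.matchAll(/<iframe\b[^>]*\bsrc=["']([^"']+)["']/gi)];
  const video = /<video\b/i.test(html) ||
    iframes.some((m) => VIDEO_HOSTS.some((h) => m[1].includes(h)));
  const ungated = new Set();
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    // Assumed gating convention: a consent tool rewrites blocked scripts to
    // type="text/plain", which browsers do not execute.
    if (/\btype=["']text\/plain["']/i.test(m[1])) continue;
    for (const [host, name] of Object.entries(TRACKERS)) {
      if ((m[1] + m[2]).includes(host)) ungated.add(name);
    }
  }
  const ungatedTrackers = [...ungated].sort();
  return { url, video, ungatedTrackers, atRisk: video && ungatedTrackers.length > 0 };
}

// Constructed sample pages (not taken from any real store).
const SAMPLE_PAGES = {
  "/products/blender": `<iframe src="https://player.vimeo.com/video/000000"></iframe>
    <script>load("https://connect.facebook.net/en_US/fbevents.js")</script>
    <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>`,
  "/pages/our-story": `<video src="/media/story.mp4" controls></video>
    <script type="text/plain" src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>`,
  "/pages/shipping": `<p>No video here.</p>
    <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>`,
};

function auditSite(pages) {
  return Object.entries(pages).map(([url, html]) => auditPage(url, html));
}

for (const r of auditSite(SAMPLE_PAGES)) {
  console.log(r.url, r.atRisk ? "VIDEO + UNGATED: " + r.ungatedTrackers.join(", ") : "ok");
}
```

Static HTML does not show pixels that a tag manager or an installed app injects at runtime, so confirm the result against the browser's network panel on each flagged page.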

The Difference Between Device IDs and User IDs in VPPA Context

Not all identifiers are equal under VPPA. A device ID (like Apple's IDFA or Google's gaid) tells a third party "this is device X." A user ID (like a Klaviyo subscriber ID or a Shopify customer ID) tells them "this is person Y." The distinction matters because VPPA cares about linking a person to video watching, not just a device.

Here's where it gets complicated: Meta's fbp cookie and Google's _ga cookie are technically device-level identifiers, but they often serve as proxies for person-level identification. Meta can link fbp to a Facebook account if the user is logged in or has visited Facebook recently. When you send that fbp to Meta via the Conversions API along with metadata about what page was viewed, Meta can connect the dots between the cookie and a real person's video watching history.

The riskier scenario involves customer data platforms (CDPs) or email service providers like Klaviyo. If you're syncing a hashed customer email or a Shopify customer ID to an ad platform, and that same platform sees your visitor's fbp or _ga, they can match it back to your customer record. Now there's a clear person-to-video link.

For BigCommerce users integrating with third-party analytics or email tools, the question becomes: does your tech stack pass customer identifiers or device identifiers—or both—to platforms that also receive traffic data from your video pages? If the answer is yes, VPPA consent is mandatory before that sync happens.

Common VPPA Consent Mistakes eCommerce Brands Make

Many Shopify and BigCommerce stores attempt VPPA compliance but fail in execution. The most common mistake is assuming a generic cookie banner satisfies the requirement. VPPA demands explicit, informed consent tied specifically to video watching. A banner that says "We use cookies for analytics" doesn't cut it. Users need to know that video watching will be tracked and shared with third parties.

Another frequent error: getting consent after pixels have already fired. If a user lands on a video product page and Meta Pixel immediately loads and starts collecting data, you're already in violation. Consent must come before tracking begins. This means delaying pixel initialization until a user opts in—a technical change many brands postpone because it feels complicated.

Brands also struggle with the "third party" definition. You might think you're only sharing data with Meta or Google, but if those platforms then share that data, or data inferred from it, with other companies (ad networks, data brokers, attribution vendors), VPPA applies to the entire chain. Your consent language needs to reflect that scope.

Finally, many stores fail to document consent properly. VPPA litigation often hinges on whether you can prove consent existed at the time of tracking. If your banner doesn't generate timestamped, granular consent records, you have no defense. Separate consent for video tracking (not bundled with cookie consent) and audit trails are essential.
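
A sketch of the two fixes described above, holding pixels until opt-in and keeping timestamped, video-specific consent records, as an added example (not code from the original article or from any consent platform). `createConsentGate`, its field names and the sample values are hypothetical; `loadTracker` stands in for whatever injects the vendor's script on your site.

```javascript
// Added example; createConsentGate and its field names are hypothetical.
function createConsentGate({ loadTracker, now = () => new Date().toISOString() }) {
  const trail = [];        // append-only consent records (the audit trail)
  const pending = [];      // trackers registered but not yet allowed to load
  const loaded = new Set();
  let videoTracking = false;

  function flush() {
    if (!videoTracking) return;
    while (pending.length > 0) {
      const tracker = pending.shift();
      if (loaded.has(tracker.name)) continue;
      loaded.add(tracker.name);
      loadTracker(tracker);  // e.g. inject the vendor's script tag
    }
  }

  return {
    // Use instead of pasting a pixel snippet into the theme: nothing loads before opt-in.
    register(tracker) { pending.push(tracker); flush(); },
    // One record per decision, separate from general cookie consent.
    decide({ granted, noticeVersion, pageUrl, recipients }) {
      const record = Object.freeze({
        purpose: "video_tracking", granted: granted === true,
        noticeVersion, pageUrl, recipients: [...recipients], at: now(),
      });
      trail.push(record);
      videoTracking = record.granted;  // withdrawal stops any later loads
      flush();
      return record;
    },
    loadedTrackers: () => [...loaded],
    auditTrail: () => trail.slice(),
  };
}

// Constructed walk-through: page load, refusal, then opt-in.
function demo() {
  const fired = [];
  const gate = createConsentGate({ loadTracker: (t) => fired.push(t.name) });
  const choice = { noticeVersion: "video-v1", pageUrl: "/products/blender", recipients: ["Meta"] };
  gate.register({ name: "meta_pixel" });
  const beforeConsent = fired.length;
  gate.decide({ ...choice, granted: false });
  const afterRefusal = fired.length;
  gate.decide({ ...choice, granted: true });
  return { beforeConsent, afterRefusal, fired, trail: gate.auditTrail() };
}
console.log(demo());
```

Withdrawal here only prevents later loads, so a tracker already running keeps running until the next navigation. The in-memory trail would also need to be persisted server-side to serve as evidence.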

Why eCommerce Platforms Make VPPA Compliance Harder Than It Should Be

Shopify and BigCommerce make it easy to add pixels but difficult to control when they fire. Default installations of Meta Pixel, Google Analytics, and TikTok Pixel activate on page load across your entire site, including video pages. You can delay them with custom code, but most merchants lack the engineering resources to implement conditional firing.

Moreover, Shopify's ecosystem of apps compounds the problem. Installing a reviews app, a loyalty app, or an email plugin often adds its own tracking. You end up with ten different data collectors on your site, all firing simultaneously, and you don't fully know where the data flows. Auditing this requires technical diligence that many mid-market brands don't prioritize.

BigCommerce's native analytics and third-party integrations face the same issue. The platform encourages data collection, but compliance responsibility lands on you. Proper VPPA compliance requires mapping your entire data flow: which pixels fire where, which third parties receive data, and at what stage consent is obtained.

The solution requires visibility into your tech stack and the ability to enforce consent gates before data collection. This is why many brands turn to consent management platforms that can monitor pixels, enforce blocking, and generate proper consent documentation automatically.

For a walkthrough of how PieEye handles VPPA compliance, book a demo.
