In Salazar v. NBA, the U.S. Court of Appeals for the Second Circuit held that the NBA's disclosure of users' viewing data through Facebook’s tracking pixel might violate the Video Privacy Protection Act (“VPPA”). This decision underscored the implications of video tracking technologies on websites, which the NBA used to send personal viewing information to Facebook (Meta), allowing for targeted advertising.

Salazar, the plaintiff, argued that the NBA had failed to obtain consent before transmitting users' video-viewing information—like titles and URLs of viewed content tied to a user’s Facebook ID (FID)—to Facebook. The court determined that Salazar, as an online subscriber to NBA content and services, met the VPPA’s definition of a “consumer.” By watching videos while logged into Facebook, he alleged that the NBA transmitted his personal viewing information to Meta without notification or consent, constituting a VPPA breach under these circumstances.

This ruling carries significant implications for companies with consumer loyalty and email opt-in programs, especially if they use website tracking technologies like pixels or cookies. By collecting data from loyalty program members or email subscribers who watch videos, companies could potentially be held liable for VPPA violations if data is shared with third parties without consent. Under the VPPA, statutory damages could reach up to $2,500 per violation, which could add up rapidly if multiple instances of consumer data sharing occur without adherence to VPPA consent requirements.

The Salazar v. NBA decision emphasizes the need for robust privacy compliance programs in companies that engage consumers through opt-in programs, such as loyalty and promotional email programs, and that also use website video content and consumer tracking.
This case stresses the importance of re-evaluating privacy policies and tracking mechanisms, especially those involving third-party platforms like Meta, Google, or other advertising networks. Transparency with users regarding data usage and obtaining explicit consent before sharing personal data could be essential to mitigating the risk of VPPA claims. The Salazar decision reinforces the consumer's right to privacy in digital transactions, particularly within the context of video streaming and tracking, making it essential for "Advertisers" (companies that gather consumer information via loyalty or opt-in programs) to carefully consider both compliance and the potential for substantial fines per violation under the VPPA.

The following provides a breakdown for in-house counsel on ensuring compliance with the VPPA and broader privacy laws, especially regarding digital marketing practices that may expose the company to privacy claims.

1. Assess All Data Collection Technologies in Use

Pixels, cookies, and other tracking mechanisms on a company’s website can be beneficial for targeted advertising but pose legal risks under the VPPA if they share personally identifiable information (PII) about video content watched by consumers. The Salazar case underscored that consumer information linked to specific viewing activities—even indirectly through identifiers like a Facebook ID—may violate privacy laws if shared without explicit consent. Counsel should therefore identify all tracking technologies active on the site, and assess which are firing when consumers engage with video content.

2. Audit and Define "Personally Identifiable Information" (PII)

Courts have expanded the scope of PII beyond traditional identifiers, particularly in VPPA cases. In Salazar, identifiers such as Facebook IDs and video-viewing history were classified as PII, which enabled the NBA to tailor advertisements. Counsel should implement a PII definition that covers non-traditional identifiers (e.g., account IDs, IP addresses, device identifiers, location data) if they connect the user to specific viewing activity, and ensure these definitions are aligned with VPPA requirements.

3. Obtain Explicit User Consent for Data Sharing

Compliance under the VPPA requires “informed, written consent” from users before sharing PII, a step that can be easily overlooked in automated data flows on websites. In Salazar, the absence of consent led to claims against the NBA. In-house counsel should advise that privacy policies and cookie banners clearly outline all data-sharing practices, specifically noting if PII will be used by third-party platforms for targeted advertising. Proactive consent mechanisms, like “opt-in” notices before video streaming, help reduce the risk of implied consent issues.

4. Establish Rigorous Oversight of Third-Party Data Sharing

Counsel should be vigilant about the company’s agreements with third-party advertisers and analytics providers. Tools like Facebook Pixel collect and transmit user data externally, and in Salazar, this data was sent to Meta without direct user consent. Ensure contractual terms limit third-party use of shared data to the purposes approved by users, and confirm that external partners comply with VPPA obligations. Regular audits and clear guidelines for third-party partners can further protect the company from privacy liability.

5. Implement Privacy-First Policies in Loyalty and Email Programs

For loyalty and promotional email programs, collecting data from consumers can raise similar privacy issues if shared without consent. Counsel should review these programs, specifically any data sharing tied to consumer interactions with video content on the site. If the company shares or uses consumer viewing data for marketing purposes, a full privacy impact assessment (PIA) can help evaluate risks under the VPPA and other privacy regulations.

6. Prepare for Compliance Beyond VPPA: Broader Privacy Law Landscape

While Salazar focuses on the VPPA, similar standards exist under various U.S. state privacy laws, such as the California Consumer Privacy Act (“CCPA”), which also covers PII and consent. Building a VPPA-compliant framework now will help prepare for and maintain compliance with other expanding consumer privacy protections across jurisdictions.

A consistent VPPA compliance strategy based on user consent, proactive data mapping, third-party oversight, and clear privacy communications will support lawful marketing activities while reducing the risk of costly fines and class actions, which under the VPPA can reach up to $2,500 per violation.

At Dorf Nelson and Zauderer LLP, we offer targeted data privacy solutions for your organization. Our services include drafting privacy policies, conducting privacy audits, and performing risk assessments to ensure compliance with data privacy regulations. We can help create privacy impact statements and develop Standard Operating Procedures (SOPs) for sensitive data handling. We also provide engaging training sessions for employees to boost data privacy awareness. Contact the author at jnelsonflynn@dorflaw.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.