Global Compliance: Why Your Digital Product is Liable From Day One

by priyanka.patel, tech editor

The digital world operates on a different scale than the physical one. A product launched in Austin, Texas, can instantly reach users in Germany, Canada, and beyond. But this global reach comes with a hidden complexity: a rapidly expanding web of legal obligations that many companies don’t even realize they’re facing. In 2024, over 250 class action lawsuits were filed in the US under the Video Privacy Protection Act (VPPA), a 1988 law originally designed to protect VHS rental records, demonstrating how quickly old laws can be repurposed for the digital age.

The surge in VPPA litigation began in 2022 when plaintiffs’ attorneys discovered a novel application of the law: embedding third-party video players on websites without proper consent mechanisms could create liability. This wasn’t about negligent companies deliberately skirting the rules, but rather ordinary businesses using common tools in a way that unexpectedly triggered legal risk. More than double the number of VPPA lawsuits were filed in 2024 compared to the prior year, with settlements reaching into the millions of dollars, according to reports.

This trend, coupled with similar cases arising under California’s Invasion of Privacy Act targeting session replay tools and analytics pixels, highlights a fundamental shift in the compliance landscape. Companies now face exposure from tools that product teams often treat as standard infrastructure. The core issue is that compliance is no longer a matter of simply adhering to the laws of the jurisdiction where a company is incorporated; it’s about understanding the complex interplay of regulations across the globe.

The Wiretapping Theory Nobody Saw Coming

The VPPA isn’t an isolated incident. Around the same time, California’s Invasion of Privacy Act became the basis for a wave of litigation targeting session replay tools, chat widgets, and analytics pixels. The legal theory behind these cases centers on the idea that capturing a user’s session in real-time without prior notice could be considered intercepting an electronic communication. While courts have been inconsistent in their rulings – some dismissing claims while others allow them to proceed – the sheer volume of cases has prompted major law firms to issue guidance on how to defend against them, and the theory is spreading to other states.

Neither of these legal challenges stemmed from new regulations. Instead, they represent the application of existing laws to tools that product teams routinely deploy. If an engineering team integrates a video embed or deploys a session recording tool without legal review, they are, in effect, making a compliance decision – albeit unknowingly.

You Don’t Get to Choose Your Compliance Perimeter

A crucial lesson many growing companies learn is that compliance obligations aren’t determined solely by their place of incorporation. Whether a regulation applies depends on a complex mix of factors, including where the company is established, its industry, revenue, the type of data it processes, and, crucially, the location of its users. A product developed in Austin, Texas, that attracts users in California, Germany, and Canada immediately falls under the purview of the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – from the moment the first user signs up.

Unlike a physical business that expands market by market, a digital product is inherently global from day one. Its compliance obligations follow suit. The GDPR, for example, applies not only to companies established within the European Union but to any organization that targets EU users, and since 2018, cumulative fines have reached €5.88 billion, demonstrating that simply being “not a European company” is not a valid defense.

The regulatory landscape is likewise rapidly evolving in the United States. Nearly 20 US states now have comprehensive privacy laws in force or set to take effect, each with its own unique thresholds, exemptions, and enforcement mechanisms. The European Accessibility Act (EAA) came into full enforcement in June 2025, mandating that businesses serving EU consumers meet harmonized accessibility standards, even those based in the US or UK. The EU Whistleblower Directive also requires companies with over 50 employees to establish secure internal reporting channels, regardless of their headquarters location.

The companies struggling with these challenges aren’t necessarily negligent; they’re grappling with obligations that have multiplied faster than any reasonable compliance strategy could anticipate – across jurisdictions they may have entered without fully realizing it.

The Problem with Sourcing One Obligation at a Time

Many companies adopt a reactive approach, addressing each compliance issue as it arises. When GDPR was introduced, they sought a cookie consent tool. When accessibility mandates emerged, they added an overlay. When the Whistleblower Directive took effect, they procured a reporting channel. This results in a fragmented stack of separate vendors, contracts, and renewal dates, lacking a cohesive understanding of their overall compliance posture.

This isn’t a technological failure, but a structural one. Compliance obligations related to data privacy, accessibility, and transparency don’t exist in isolation; they overlap, interact, and share underlying data. Managing them as separate problems leads to poorly managed intersections. The CRM, marketing technology, and security tooling markets followed a similar trajectory – initially fragmented, then consolidated around platforms once the point-solution approach became unsustainable. Compliance is now following the same path, driven by the sheer number and interconnectedness of obligations.

The Decision Hiding Inside a Product Decision

The VPPA and session replay cases illustrate a critical point: the companies that faced lawsuits weren’t making deliberate compliance decisions. They were making product decisions – embedding a video player, deploying an analytics tool – and the compliance risks came along for the ride. This is the default mindset for many product teams: compliance is viewed as the legal department’s responsibility, to be handled downstream.

This assumption has become increasingly costly. VPPA settlements, GDPR fines, and EAA enforcement actions are all evidence of this. In 2025, California’s Attorney General secured its largest-ever CCPA settlement at $1.55 million, and Texas continues to actively enforce its own comprehensive privacy law.

Companies that are successfully navigating this landscape treat compliance obligations not as a legal team’s inbox, but as an inherent property of their product’s functionality. This isn’t driven by regulatory pressure, but by the recognition that, at the scale and speed of today’s digital world, there’s no other way to stay ahead of the curve.

That shift is already underway. The key question for any company with a global user base is whether they’ve decided to embrace this proactive approach.

The regulatory environment will continue to evolve, with ongoing enforcement actions and the introduction of new laws. The next major checkpoint to watch is the US Supreme Court’s upcoming decision in Salazar v. Paramount Global, which will define who qualifies as a “consumer” under the VPPA, potentially clarifying the scope of the law’s reach.

What are your thoughts on the evolving compliance landscape? Share your experiences and insights in the comments below.
