From a boutique practice in Arkansas, Carney Bates & Pulliam has become one of the most feared names in consumer data privacy class action litigation — pursuing companies across the country under theories that make early dismissal difficult and settlement the default calculus.
GET A FREE PRIVACY AUDIT TO DETERMINE IF YOUR SITE IS AT RISK OF A PRIVACY LAWSUIT
The Unlikely Origin of a National Privacy Powerhouse
Little Rock, Arkansas is not where most people would expect to find the epicenter of cutting-edge digital privacy litigation. Silicon Valley, Chicago, New York — these are the addresses that come to mind when thinking about plaintiff’s firms pursuing the tech industry over data practices. And yet Carney Bates & Pulliam, PLLC has built one of the most active national plaintiff practices in VPPA and digital wiretapping law from its offices in the Arkansas capital, filing cases against companies whose digital infrastructure reaches into every state in the country. Meanwhile Morgan & Morgan, Pacific Trial Attorneys, and Bursor & Fisher are just some of the additional landmines that businesses need to avoid in the surging privacy litigation world.
The firm’s geographic origin is, in a sense, part of the strategy. By operating outside the plaintiff-side privacy litigation hubs, Carney Bates & Pulliam has developed a practice that is disciplined, selective, and technically sophisticated — attributes that translate directly into litigation effectiveness. Their cases are hard to dismiss. Their theories are coherent. Their filings reflect genuine understanding of how digital advertising infrastructure works, not just legal templates dropped onto fact patterns.
For companies in retail, media, healthcare, streaming, and e-commerce, the firm represents a category of litigation risk that most compliance programs were not built to address — and one that shows no signs of slowing down.
The Legal Architecture: VPPA and Digital Wiretapping
The Video Privacy Protection Act: A 1988 Law for a 2024 Problem
The Video Privacy Protection Act was enacted in 1988 — the year after a Washington journalist obtained and published the video rental history of Supreme Court nominee Robert Bork. Congress passed the statute in weeks, outraged by the ease with which a vendor had disclosed what Bork had been watching. For two decades, the VPPA sat largely dormant, a statute with a clear purpose and very little litigation activity.
Then the internet happened. And then Facebook’s advertising pixel happened.
By the late 2010s, the VPPA had found new life as a tool for challenging the automated transmission of video viewing data from authenticated digital platforms to Meta, Google, and other advertising technology companies. The statute’s core prohibition — that a “video tape service provider” may not knowingly disclose a consumer’s video viewing records to a third party without their informed written consent — maps with surprising precision onto how the Meta Pixel operates when deployed on a website that streams video content to logged-in users.
Here is the mechanism at the center of most VPPA cases: a user creates an account on a media company’s website and watches a video. At the moment of playback, an advertising pixel on the page fires a data packet to Meta. That packet contains the user’s Facebook ID (drawn from a browser cookie) and the title or URL of the video they just watched. Meta’s servers receive the transmission and link it to the user’s Facebook profile. The user never consented to this. They likely never knew it happened. And under the VPPA, the company that deployed the pixel may have just committed a federal statutory violation — with statutory damages of $2,500 per violation.
Carney Bates & Pulliam identified this vulnerability early and built a practice around it.
What the VPPA Requires to State a Claim
The firm’s litigation success stems in part from disciplined case selection. VPPA claims require three elements, and Carney Bates & Pulliam targets defendants where all three are clearly and defensibly established before the complaint is filed:
1. The plaintiff must be a “subscriber.” The VPPA applies to consumers who have established an ongoing relationship with the video service provider — typically through account creation, newsletter signup, or paid subscription. Anonymous visitors browsing a public website do not qualify. But anyone who has signed up for an account, newsletter, or membership that ties their identity to their platform activity almost certainly does.
2. The defendant must be a “video tape service provider.” The statute defines this broadly: any company whose business involves delivery of “prerecorded video cassette tapes or similar audio visual materials.” Courts have interpreted this to include digital streaming services, news publishers with video libraries, e-commerce platforms with product video content, and essentially any business that regularly delivers video content to consumers. Carney Bates & Pulliam has pushed this definition aggressively and successfully.
3. The disclosure must link the consumer’s identity to their specific video choices. The pixel transmission must be shown to send both identifying information (the Facebook ID) and video-specific information (what the user watched) in the same payload. This is the technical element that requires the firm to understand how pixels actually operate — and it is the element that makes their complaints substantively credible rather than speculative.
When all three elements are present, VPPA cases are difficult to dismiss on the pleadings. Carney Bates & Pulliam has developed what amounts to a pre-filing technical diligence process, identifying pixel behavior and data transmission patterns before the complaint is drafted.
Digital Wiretapping: CIPA and Beyond
While VPPA has been the firm’s highest-profile theory, Carney Bates & Pulliam has simultaneously built an aggressive practice in digital wiretapping claims under the California Invasion of Privacy Act and analogous statutes in other states.
CIPA’s Reach in the Digital Age
California’s wiretapping statute has become one of the most powerful tools in the consumer privacy plaintiff’s arsenal. Section 631 of CIPA prohibits the unauthorized interception of electronic communications — and courts have increasingly held that the statute applies to the deployment of session replay tools, chat monitoring software, tracking pixels, and behavioral analytics platforms when those tools capture user communications without all-party consent.
The theory sounds technical, but the underlying conduct is straightforward: a user visits a website. A third-party vendor’s code embedded on that site records the user’s keystrokes, mouse movements, form inputs, and browsing behavior in real time, transmitting that data to servers controlled by the vendor. The user has no idea. The vendor is not party to the user’s communication with the website. Under California’s all-party consent framework, this may constitute wiretapping.
Carney Bates & Pulliam has pursued this theory against companies across industries, including healthcare providers whose websites deploy session replay tools that capture sensitive patient inquiries, retail platforms whose chat software transmits customer conversations to third parties, and e-commerce sites whose behavioral analytics tools record shopping activity.
The Multi-State Wiretapping Strategy
One of the firm’s most distinctive tactical choices is its refusal to limit wiretapping cases to California defendants or California plaintiffs. Multiple states have enacted wiretapping statutes with all-party consent requirements that parallel CIPA’s framework — Florida, Maryland, Pennsylvania, and others. Carney Bates & Pulliam has demonstrated willingness to apply whichever state’s law provides the strongest protection for the plaintiff class, based on where the defendant operates, where the data interception occurred, or where the largest plaintiff population is located.
This multi-state approach fundamentally changes the risk calculus for businesses that may have assumed their non-California operations insulated them from CIPA-style exposure. It doesn’t.
The Industries in the Crosshairs
Digital Media and News Publishers
Subscription news publishers and digital media companies have been among the highest-profile defendants in VPPA cases filed by Carney Bates & Pulliam and similar firms. The business model of modern digital media — authenticated subscribers, advertising technology monetization, extensive video libraries — maps almost perfectly onto VPPA’s liability framework. A publisher that charges subscribers for access while simultaneously deploying Meta Pixel on its video player has essentially built a VPPA violation into its revenue stack.
Streaming and Entertainment
Streaming platforms that combine user accounts with advertising pixels or data-sharing arrangements with third-party platforms face acute VPPA exposure. The statute was written with exactly this type of business in mind: a company that knows who its customers are and what they are watching. When that company transmits both pieces of information to a third party without consent, the VPPA applies.
Healthcare and Wellness Platforms
Healthcare has emerged as one of the most sensitive VPPA and CIPA battlegrounds. Websites that offer video health education content — condition explainers, treatment tutorials, provider directories — to authenticated patients face VPPA exposure if advertising pixels fire during video consumption. The sensitivity of the underlying data (health conditions, treatment interests, provider searches) amplifies both the reputational and litigation risk. Carney Bates & Pulliam has recognized that healthcare’s combination of sensitive data, authenticated users, and widespread pixel deployment makes it a particularly viable target sector.
Retail and E-Commerce
E-commerce platforms with product demonstration video content, authenticated customer accounts, and advertising pixel infrastructure face VPPA exposure on the video side and CIPA exposure on the chat and session replay side. Retailers that have deployed third-party chat software, behavioral analytics tools, or session replay technology without state-compliant consent mechanisms are squarely in the firm’s target profile.
What Makes Carney Bates & Pulliam Different
Technical Sophistication in Case Development
Privacy class actions fail at the pleading stage when they are built on legal theory without factual specificity. Courts have dismissed numerous VPPA cases because the complaint did not adequately allege the specific data transmitted by the pixel, the mechanism by which the defendant’s identity was linked to viewing history, or the nature of the plaintiff’s subscriber relationship.
Carney Bates & Pulliam invests in pre-filing technical analysis to close these gaps. Their complaints typically reflect detailed knowledge of how the defendant’s pixel implementation works, what data fields are transmitted, and how that data can be linked to specific users. This technical groundwork is what makes their cases survive motions to dismiss — and what makes them expensive to defend even when the defendant has meritorious arguments.
National Reach Without Geographic Limits
The firm’s willingness to file in federal courts from coast to coast is not merely tactical opportunism. It reflects a deliberate practice philosophy: privacy violations occur wherever consumers are affected, and the applicable law follows the conduct, not the address of the plaintiff’s attorney. VPPA is a federal statute that applies in every circuit. State wiretapping statutes apply wherever the relevant conduct occurs. Carney Bates & Pulliam has the litigation infrastructure to pursue cases in multiple jurisdictions simultaneously and the appellate experience to take favorable circuit positions to the courts of appeals when necessary.
The Economics of Their Case Selection
The VPPA’s $2,500 per-violation statutory damages provision is what transforms individual privacy harms into class action economics. A media company with 100,000 authenticated subscribers whose video viewing data has been transmitted to Meta without consent faces aggregate exposure of $250 million in statutory damages alone — before attorneys’ fees. Even at a fraction of that number, the settlement value is substantial. Carney Bates & Pulliam selects defendants where the subscriber count is large enough to generate meaningful class-wide damages and where the pixel evidence is clear enough to establish liability at scale.
The Defense Side: What These Cases Look Like in Practice
For companies served with a Carney Bates & Pulliam VPPA complaint, the litigation experience is characterized by a few consistent features.
Detailed pixel evidence in the complaint. Their filings typically include screenshots of browser developer tools showing pixel data transmission, specification of the data fields transmitted, and analysis of how the Facebook ID in the pixel payload can be linked to the authenticated user. This evidence-in-the-complaint approach is designed to survive 12(b)(6) motions.
Large proposed classes. The complaints define plaintiff classes broadly — all subscribers who were authenticated and watched video during the period when the pixel was deployed — generating the kind of aggregate damages exposure that drives settlement discussions early.
Pressure on the defendant’s advertising infrastructure. Because the VPPA violation is embedded in the defendant’s revenue-generating pixel configuration, addressing the litigation often requires the defendant to modify the infrastructure it uses to monetize its audience. This is not just a legal problem — it’s a business problem, and it creates urgency that purely legal disputes do not.
Settlement as the likely outcome. VPPA class actions rarely go to trial. The combination of statutory damages, large class sizes, and clear pixel evidence creates settlement pressure that most defendants ultimately cannot resist. The question is usually not whether to settle, but at what value and with what injunctive relief.
The Broader Landscape: Why This Matters Now
Carney Bates & Pulliam is one firm in a growing ecosystem of plaintiff’s practitioners who have identified digital advertising infrastructure as a systematic source of statutory privacy violations. The VPPA, CIPA, and their state equivalents were written before the internet existed in its current form — and yet they apply to conduct that is widespread, automated, and often unknown to the companies committing it.
The compliance fixes are known and implementable: block advertising pixels from firing during authenticated video sessions, implement VPPA-compliant consent disclosures, audit state wiretapping exposure beyond California, enforce pixel suppression for logged-in users who have not consented to advertising tracking. The gap between the state of most companies’ pixel implementations and the state of full compliance is not enormous. But in the meantime, that gap is generating litigation.
For businesses that have not addressed this exposure, Carney Bates & Pulliam represents the kind of sophisticated, technically-grounded plaintiff practice that makes remediation feel more urgent than it might have even two years ago.
Boutique Consumer Privacy Class Action Firm
Carney Bates & Pulliam has done something genuinely difficult: it has built a boutique consumer privacy class action practice with national reach and a litigation reputation that makes defendants treat their cases seriously from the first filing. Their focus on VPPA and digital wiretapping reflects a coherent theory of where consumer data practices have diverged most sharply from statutory requirements — and their technical sophistication in building cases ensures those theories survive the early stages of litigation where less disciplined plaintiffs’ firms have stumbled.
For any company that combines authenticated users, video content, and advertising pixels — or that deploys third-party chat, session replay, or behavioral analytics tools without state-compliant consent mechanisms — understanding Carney Bates & Pulliam’s litigation model is not optional. It is exactly the kind of plaintiff’s practice that shows up in your inbox before your compliance team knows there is a problem.
For a deeper dive into VPPA compliance, CIPA exposure assessments, and pixel audit services to avoid expensie Carney Bates & Pulliam style privacy lawsuits book a demo with one of our experts below.
