A $5 million class action settlement involving Dapper Labs, Inc. — the blockchain technology company behind platforms including NBA Top Shot, NFL All Day, and Disney Pinnacle — has placed the Video Privacy Protection Act firmly back in the crosshairs of in-house legal and compliance teams across the United States.
The case, Ohebshalom v. Dapper Labs, Inc., Index No. 615987/2025, pending before the Supreme Court of the State of New York, County of Nassau, is scheduled for a Final Approval Hearing on 15 April 2026. While the settlement itself resolves claims against a single defendant, its implications reach far beyond Dapper Labs. For any organization that hosts video content and deploys third-party tracking pixels on those pages — which, in 2026, describes a substantial proportion of consumer-facing digital businesses — this case demands careful attention.
Background: What Is the Video Privacy Protection Act?
The Video Privacy Protection Act (VPPA) is a federal statute enacted in 1988, originally prompted by the disclosure of Supreme Court nominee Robert Bork’s video rental records to a newspaper. The law prohibits “video tape service providers” from knowingly disclosing “personally identifiable information” (PII) about consumers to third parties without informed written consent.
For decades, the VPPA was regarded as a relatively narrow statute with limited modern relevance. That perception changed substantially in the early 2020s as plaintiffs’ firms began applying the law’s broad language to the contemporary practice of embedding tracking pixels — including those from Meta, Google, Microsoft Bing, Snapchat, X (formerly Twitter), and TikTok — on web pages where users view video content.
The theory of liability is straightforward: when a user watches a video on a website that has a tracking pixel installed, that pixel may transmit the user’s identity (via cookies, login data, or device identifiers) alongside the title of the video they watched to the pixel’s operator. Under the VPPA’s plain language, that transmission constitutes a disclosure of PII — specifically, information that identifies a person as having requested or obtained specific video materials — to a third party, without the consent required by the statute.
Federal courts have, with increasing frequency, allowed VPPA claims premised on pixel tracking to survive motions to dismiss, and the wave of settlements that has followed reflects the genuine litigation exposure this theory creates.
The Dapper Labs VPPA Settlement: What Happened?
According to the settlement notice, the class action alleges that Dapper Labs disclosed its online video subscribers’ PII to various third parties without consent in violation of the VPPA. The covered conduct spans the period from 15 June 2020 through 30 January 2025, and the class encompasses individuals who held accounts with any of five Dapper Labs platforms:
- NBA Top Shot (nbatopshot.com)
- NFL All Day (nflallday.com)
- Disney Pinnacle (disneypinnacle.com)
- UFC Strike (ufcstrike.com)
- La Liga Golazos (laligagolazos.com)
Dapper Labs denies any violation of law but has agreed to a Gross Settlement Amount of $5,000,000 to resolve the claims. From that fund, after deducting notice and administration expenses, attorneys’ fees (capped at one-third of the gross amount, or approximately $1.67 million), and incentive awards of $5,000 each to the class representatives, valid claimants will receive cash payments of up to $5 per person via Zelle, Venmo, or PayPal.
The claims deadline and objection/exclusion deadline are both 15 April 2026, coinciding with the Final Approval Hearing in Mineola, New York. Class Counsel is Philip L. Fraietta and Stefan Bogdanovich of Bursor & Fisher, P.A., a plaintiffs’ firm that has been among the most prolific litigants in the VPPA pixel-tracking space.
The Injunctive Relief: The More Significant Term for Compliance Teams
While the per-class-member cash payment of up to $5 will attract most of the public attention, in-house counsel should focus equally — if not more — on the injunctive relief component of the Dapper Labs VPPA settlement.
As a condition of settlement, Dapper Labs has agreed to suspend operation of all six tracking pixels — Meta, Google, Microsoft Bing, Snapchat, X, and TikTok — on any pages of its websites where those pixels would capture the title of a video purchased or viewed by a user. This suspension is to remain in effect unless and until:
- The VPPA is amended, repealed, or otherwise invalidated by judicial decision as applied to pixel technology or video games generally; or
- Dapper Labs is otherwise in compliance with the VPPA.
This operational requirement is not a minor technical adjustment. For a business whose platforms are built around digital video collectibles and highlight clips, disabling six major advertising and analytics pixels across all video-adjacent pages represents a material constraint on digital marketing capabilities, retargeting capacity, and audience measurement infrastructure.
The injunctive term signals something important: plaintiffs’ counsel negotiated not merely for financial compensation, but for a structural change in how Dapper Labs deploys tracking technology. That negotiating posture is consistent with a broader trend in VPPA litigation in which settlements increasingly include technology remediation requirements alongside monetary relief.
Why This Settlement Matters Beyond Dapper Labs
The Dapper Labs VPPA settlement is significant not because of the identity of the defendant, but because of what it illustrates about the current state of VPPA exposure for any organisation that combines three common features:
1. User accounts tied to video content. The VPPA’s PII definition is most clearly triggered when a platform can connect a specific individual — via an account identifier, login cookie, or persistent device ID — to their video-viewing behavior. Organizations that require account creation to access video content are at heightened risk because the connection between identity and video consumption is explicit rather than probabilistic.
2. Third-party tracking pixels on video pages. The mechanism of liability in VPPA pixel cases is the pixel’s transmission of viewing data to a third-party platform. Any pixel that fires on a page where video content is displayed, and that transmits information capable of identifying the viewer, creates potential exposure. This includes not only dedicated video pages but also landing pages, product pages, and blog posts that embed video players.
3. Absence of VPPA-specific consent. The VPPA requires informed, written consent — distinct from a general privacy policy acknowledgment — for the disclosure of video viewing information to third parties. Most organizations’ existing cookie consent frameworks and privacy notices do not meet this standard. The gap between what current consent mechanisms capture and what VPPA requires is precisely where litigation risk resides.
Dapper Labs is not an outlier. Since 2022, VPPA pixel-tracking cases have been filed against media companies, sports streaming platforms, retailers with embedded video content, healthcare organizations with patient-facing video portals, and financial services firms with educational video libraries. Bursor & Fisher alone has been involved in dozens of such matters. The Dapper Labs VPPA settlement is one data point in a much larger pattern.
Dapper Labs VPPA Implications for In-House Legal and Compliance Teams
The Dapper Labs VPPA settlement should prompt in-house counsel to initiate or accelerate the following review processes:
Conduct a Pixel and Video Content Audit
Map every third-party pixel currently deployed across your organization’s digital properties against every page on which video content appears or is embedded. This includes social media pixels, advertising pixels, and analytics tags. The audit should document which pixels fire, what data they transmit, and whether any of that data could constitute PII under the VPPA’s definition when combined with video title information.
Assess Your Consent Architecture Against VPPA Standards
Evaluate whether your current consent framework — cookie banners, privacy notices, terms of service — satisfies the VPPA’s specific consent requirements. Under 18 U.S.C. § 2710(b)(2)(B), consent must be informed, written (which courts have interpreted to include electronic consent), given at or before the time of disclosure, and presented in a form distinct from other legal or financial obligations. Generic cookie consent is unlikely to satisfy this standard without specific VPPA-oriented disclosure language.
Review Whether the VPPA Applies to Your Organisation
The VPPA applies to “video tape service providers,” a term defined broadly as any person engaged in the business of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials. Courts have interpreted “similar audio visual materials” to encompass streaming video delivered over the internet. If your organisation delivers video content to consumers — even as a secondary or ancillary offering — the statute may apply.
Consider Pixel Configuration Changes as a Near-Term Risk Mitigation
Where a full consent architecture overhaul is not immediately feasible, technical measures — including configuring pixels to fire only on non-video pages, implementing server-side tagging to limit data transmitted by pixels, or deploying consent mode configurations that suppress pixel activity absent explicit VPPA consent — can reduce exposure while longer-term compliance measures are developed.
Monitor Legislative and Judicial Developments
The injunctive relief in the Dapper Labs VPPA settlement includes a carve-out for legislative amendment or judicial invalidation of the VPPA as applied to pixel technology. There is active discussion in Congress and among legal commentators about whether the VPPA’s 1988 language maps appropriately onto modern digital advertising infrastructure. In-house counsel should monitor both federal legislative proposals and appellate decisions that could shift the legal landscape, particularly in circuits where your organization’s principal digital operations are concentrated.
Conclusion
The Dapper Labs VPPA settlement is a concrete and well-documented illustration of the litigation exposure that attaches to routine digital marketing practices when they intersect with the VPPA’s requirements. The $5 million settlement fund, the mandatory pixel suspension, and the involvement of one of the most active VPPA plaintiffs’ firms in the country all reinforce a single point: this is not a niche or theoretical risk.
For in-house legal and compliance teams, the appropriate response is not to wait for final settlement approval or further judicial guidance before acting. The combination of pixel tracking, user-account-linked video content, and inadequate VPPA-specific consent mechanisms is, based on current case law, a litigation-ready set of facts. Organizations that address these issues proactively — through audits, consent framework updates, and technical controls — are substantially better positioned than those that treat VPPA compliance as a future priority.
The deadline for class members to submit claims, object, or exclude themselves from the Dapper Labs VPPA settlement is 15 April 2026. The Final Approval Hearing is scheduled for the same date before the Supreme Court of the State of New York, County of Nassau.
