Scrolling through Instagram recently, sports fans may have come across a targeted ad from Morgan & Morgan—America’s largest injury law firm—with a blunt message: “The Athletic may have shared users’ personal information without consent. If you have an account, you may qualify.”
The ad, running from forthepeople.com, directs subscribers to a qualification intake form and promises that attorneys will “fight tirelessly to protect your rights.” The legal theory at the center of the claim isn’t a vague data breach allegation—it’s a specific federal statute with a $2,500-per-violation statutory damages provision and no requirement to prove actual harm.
As we have been warning privacy teams and business owners who are not familiar with compliance requirements. Now that plaintiff firms like Morgan & Morgan are getting into the data privacy lawsuit game it’s going to be pandemonium for business owners and it’s best to have the compliance shield guarantee from Captain Compliance to protect against very expensive litigation.
Morgan & Morgan Privacy Lawsuits
Morgan & Morgan is not a boutique plaintiff firm running targeted social media ads on a shoestring. It is, by most measures, the largest personal injury law firm in the United States—and it has rapidly become one of the most formidable forces in consumer privacy litigation.
Founded in Orlando in 1988 by John Morgan, the firm now operates across all 50 states, with over 1,000 lawyers and more than 6,000 total employees spread across 100-plus offices. The firm generated over $2 billion in revenue in 2023 and has surpassed $30 billion recovered for clients over its history. In 2025, the firm was ranked #34 on Law360’s list of the 400 largest U.S. law firms by attorney headcount—jumping 20 spots in a single year.
Morgan & Morgan is not a new entrant to privacy litigation. Its track record in this space includes:
- Equifax Data Breach – A $380.5 million settlement for victims of the 2017 breach affecting roughly half the U.S. population.
- Yahoo Data Breach – A $117.5 million settlement covering approximately 200 million people.
- Capital One Data Breach – A $190 million settlement for 98 million affected customers.
- MGM Resorts Data Breach – A $45 million preliminary settlement approved in January 2025.
- Google Location Tracking – A $425.7 million jury verdict in December 2025 for approximately 98 million users whose location data was collected in violation of California privacy laws, with Morgan & Morgan serving as co-lead counsel.
In February 2026, Law360 named Morgan & Morgan its 2025 Cybersecurity & Privacy Group of the Year—a designation the firm earned largely on the strength of that Google verdict. The firm’s cybersecurity practice, based in Tampa and led by John Yanchunis, consists of 13 attorneys—many of them former federal law clerks—who operate entirely on contingency.
The firm also runs one of the most sophisticated digital plaintiff recruitment operations in the country, investing heavily in social media advertising to identify and intake claimants at scale before cases are fully assembled. The Athletic campaign is a direct product of that infrastructure.
Who Is The Athletic?
The Athletic is a subscription-based sports journalism platform launched in 2016 and acquired by The New York Times Company in 2022 for approximately $550 million. It publishes long-form sports coverage, game analysis, and video content across professional and college sports, reaching a large subscriber base of sports fans who pay for premium access.
The Athletic operates as a distinct entity from The New York Times, with its own website (theathletic.com), app, and data infrastructure. Morgan & Morgan has explicitly noted that while The Athletic is owned by The New York Times Company, the claims in this matter focus on The Athletic’s website and its own tracking practices—not the parent company.
The Athletic is not the only sports or media platform to face this type of scrutiny. A wave of VPPA-based claims has targeted ESPN, Fandango, Patreon, and various streaming platforms in recent years. But The Athletic’s combination of a large, identifiable paid subscriber base and video content makes it a particularly clean target under the statute.
What Is the Alleged Violation?
The allegations against The Athletic center on a specific piece of tracking technology: the Meta (Facebook) Pixel.
The Facebook Pixel is a small code snippet that website operators embed to support advertising targeting, audience building, and conversion tracking. When integrated into pages that host video content, the pixel can capture which videos a user watches, how long they viewed them, and other behavioral data—then transmit that information to Meta’s servers. If the user is logged into Facebook at the time (or is otherwise identifiable via cookies or shared identifiers), Meta can link that viewing history directly to a specific person’s Facebook profile.
“The Athletic may have shared users’ personal information without consent. If you have an account, you may qualify.” — Morgan & Morgan advertisement, 2025–2026
The allegations state that The Athletic embedded the Facebook Pixel on its video content pages and, as a result, transmitted subscribers’ video-watching histories—including content watched and device identifiers—to Meta without obtaining the written consent required by federal law. Critically, claimants do not need to prove financial harm or produce records of what videos they watched. Eligibility is based on whether the sharing occurred, not whether the user can document it.
The statute at the center of these claims is the Video Privacy Protection Act.
Understanding the VPPA: The Law Behind This Claim
The Video Privacy Protection Act was enacted by Congress in 1988—ironically, the same year Morgan & Morgan was founded—after a Washington, D.C. newspaper published the video rental history of Supreme Court nominee Robert Bork. Congress responded by passing one of the strongest consumer privacy statutes ever enacted at the federal level.
The VPPA prohibits any “video tape service provider” from knowingly disclosing personally identifiable information about a consumer’s rental or viewing history to a third party without that person’s informed written consent. The statute’s protections have been interpreted broadly to cover all types of video content—not just physical rentals—including game highlights, press conference clips, short video segments, and any other audiovisual material streamed online.
Key features of the VPPA that make it particularly powerful in litigation:
- Statutory damages of up to $2,500 per violation – No proof of actual harm required. Each unauthorized disclosure can be treated as a separate violation.
- Written consent requirement – Standard website behavior such as “by continuing to browse, you accept our terms” does not meet the threshold. The law requires clear, affirmative, opt-in consent specifically for video data sharing.
- Broad scope – Any platform that distributes video content to consumers can qualify as a “video tape service provider” under the statute, including sports journalism sites, news platforms, and subscription streaming services.
- Private right of action – Unlike many privacy statutes that rely solely on government enforcement, the VPPA allows individual consumers to sue directly in federal court.
Because The Athletic’s terms of service include an arbitration clause, these claims are proceeding through mass arbitration rather than class action litigation—a model in which hundreds or thousands of individuals file individual arbitration claims simultaneously against the same company over the same issue. Mass arbitration has become a significant pressure point for technology and media companies because the per-claimant economics can quickly overwhelm defendants even if individual claim values are modest.
Why This Case Has Broader Implications
The Athletic case is not an isolated event. It is part of a broader litigation wave that is sweeping across the digital media, sports streaming, and subscription content industries.
VPPA filings in federal court more than doubled between 2023 and 2024, jumping from roughly 137 cases to over 250. The statute—originally designed for video rental stores—has found new life as plaintiff firms apply it to the ubiquitous use of third-party tracking pixels on websites that host any form of video content. Courts have so far been receptive, allowing many VPPA claims to proceed past motions to dismiss.
The reason the Facebook Pixel is such an effective hook for these claims is structural: the pixel was designed to link behavioral data back to identifiable Facebook profiles. When a website operator embeds it on a video page, they are—knowingly or not—creating the exact disclosure chain the VPPA was designed to prohibit. And because the pixel is used by millions of websites, the litigation risk is industry-wide, not company-specific.
For digital media and subscription content platforms in particular, the calculus is stark: if you host video content, use the Facebook Pixel (or similar tools), and have not obtained VPPA-compliant written consent from your users, you may already have exposure.
6 Ways to Avoid a Privacy Lawsuit Over VPPA Violations
Whether or not the Athletic arbitrations result in significant payouts, the campaign is a clear signal for any business that hosts video content online. Here is what compliance teams should be prioritizing:
1. Audit whether the Facebook Pixel (or equivalent) is running on your video pages.
Many companies deploy tracking pixels through tag managers or marketing automation platforms without legal or compliance teams being fully aware of what those tools are capturing. A technical audit of your tag architecture—specifically on pages that serve video content—is the essential first step.
2. Understand whether the VPPA applies to your platform.
If your website or app delivers any form of video content to subscribers or registered users, you are likely subject to the VPPA. This includes sports highlights, product demo videos, educational content, webinars, and news clips—not just long-form streaming. The statute’s “video tape service provider” definition has been interpreted expansively.
3. Evaluate your consent mechanisms against VPPA’s written consent standard.
VPPA consent must be specific, written, informed, and opt-in. A buried cookie consent banner, a terms-of-service checkbox, or a “by using this site you agree to our privacy policy” notice almost certainly does not meet the standard. If you are sharing video viewing data with third parties, you need a consent mechanism that explicitly describes that sharing and obtains affirmative user agreement.
4. Review your data sharing agreements with Meta and other ad platforms.
The issue in cases like The Athletic is not just that the pixel was present—it is that viewing data was transmitted in a way that could identify individual users. Review your pixel configurations to understand what data is being passed, whether it includes user identifiers, and whether your privacy notice accurately describes that transmission.
5. Monitor whether your arbitration clause creates mass arbitration exposure.
Many platforms assume that arbitration clauses protect them from class action risk. In the VPPA context, arbitration clauses can actually accelerate exposure by enabling mass arbitration at scale. If your terms contain an arbitration clause and you have VPPA exposure, that combination warrants specific attention from litigation counsel.
6. Treat a Morgan & Morgan intake campaign as equivalent to a pre-suit demand.
When a firm of this size and infrastructure launches a paid social media campaign targeting your brand, a formal filing or arbitration demand is not far behind. Do not wait for a demand letter. If you spot a campaign recruiting claimants against your platform, engage litigation counsel immediately and initiate a parallel compliance remediation effort.
Privacy Compliance Help – Get Captain Compliance’s Software Stood Up ASAP
The Morgan & Morgan campaign against The Athletic is a landmark moment for VPPA enforcement—not because the statute is new, but because a firm with a $350 million annual marketing budget, a Law360-recognized privacy practice, and a track record of nine-figure verdicts is now deploying its full industrial capacity against it.
The Athletic’s experience illustrates a compliance failure that is common across the digital media landscape: a legal team that didn’t fully account for how a marketing technology decision—embedding the Facebook Pixel on video pages—could create federal statutory liability at scale.
Every subscription platform, sports media property, news site, and streaming service that serves video content to identified users should treat this case as a direct warning. The VPPA is one of the sharpest tools in the plaintiff bar’s toolkit, and Morgan & Morgan has just demonstrated exactly how it intends to use it.
Privacy compliance is no longer a legal back-office function. It is a front-line business risk—and the cost of getting it wrong just went up by $2,500 per user.
