
The CDP that works for streaming entertainment: Why Composability is the best answer to VPPA laws

VPPA has made life difficult for streaming companies. The Composable CDP provides a new way to enable compliant personalization.

Andrew Jesien, Nate Wardwell

Aug 11, 2025


The Video Privacy Protection Act (VPPA) is a major headache for streaming entertainment companies. It penalizes them with $2,500 fines per user for sharing with third parties any customer data that combines PII and viewing history. For streaming services competing on personalization, this creates a dilemma: How do you offer personalized customer experiences when you can't share the required data with SaaS martech tools?

Traditional Customer Data Platforms promised to unify customer data for better personalization—but for streaming companies, they've become VPPA liability machines. When platforms like Segment, mParticle, or Adobe RT-CDP ingest and store viewing data alongside personal identifiers, they create exactly what VPPA prohibits: a third-party repository linking individuals to their streaming entertainment consumption.

Hightouch's Composable CDP solves the VPPA challenge through a fundamental architectural innovation: it doesn’t store customer data. Unlike traditional CDPs that create another copy of sensitive viewing information, Hightouch operates as a read-only activation layer directly on top of existing data warehouses like Snowflake, BigQuery, or Databricks. Because of this, some of the world’s biggest streaming companies have adopted Hightouch to give their marketers self-serve access to their data and create impactful personalization.

In the rest of this blog, we’ll explore how streaming companies have tried to personalize despite VPPA with traditional CDPs and in-house solutions and how the Composable CDP gives them a better path forward.

VPPA 101: The Blockbuster law terrorizing Netflix

When journalist Michael Dolan published Supreme Court nominee Robert Bork's video rental history in 1987—revealing his 146 Blockbuster rentals without permission—Congress reacted swiftly. The resulting Video Privacy Protection Act (VPPA) of 1988 made it illegal to share personally identifiable information linked to video viewing habits.

Courts have ruled that streaming services qualify as "video tape service providers" under the VPPA, despite Congress never having imagined Netflix when drafting the law, so the “Bork Bill” has become a litigation minefield for streaming companies. In 2024 alone, over 115 VPPA lawsuits targeted companies using Meta Pixel and similar tracking technologies on video platforms. VPPA claims have already cost companies like Netflix and BuzzFeed $9 million each in settlements.

Simple solutions aren’t easy to come by. For example, even anonymizing customer data is insufficient for VPPA compliance: courts have found that combinations of seemingly anonymous identifiers (device IDs, location data, browser fingerprints) can constitute personally identifiable information when they're "reasonably likely" to identify someone.

Why traditional CDPs became compliance time bombs

Traditional Customer Data Platforms collect, unify, and activate customer data. Unfortunately, when they ingest and store viewing data alongside personal identifiers, they create exactly what VPPA prohibits: a repository, held outside the streaming company, that links individuals to their video consumption.

The problem compounds when CDPs send this unified data to marketing tools. Salesforce Marketing Cloud, Braze, and similar platforms excel at personalization by leveraging rich behavioral profiles—but under VPPA, using "watched_show": "Stranger Things" in an email campaign could cost $2,500 per recipient.

This legal reality forces streaming companies into absurd workarounds. Instead of meaningful audience segments like "sci-fi drama fans," they're reduced to descriptors like "audience_329538." User attributes like "favorite_show = The Mandalorian" have to be translated to cryptic traits like "favorite_show = 432492342334." Marketing teams can't build campaigns around actual viewing behavior, crippling their ability to compete with platforms that don't face VPPA restrictions.

The hidden cost of building in-house

Faced with traditional martech creating compliance nightmares, many streaming giants have invested millions in building proprietary solutions so their marketing teams can view streaming and user data together. These companies have to develop custom systems that separate user identification from content metadata across their entire architecture. These in-house platforms implement complex data flows where viewing events are immediately hashed, stored separately from personal identifiers, and only combined through secure, auditable processes when the user has explicitly consented.

The financial burden is staggering: initial development costs range from $1-5 million for basic VPPA-compliant infrastructure, with annual maintenance consuming 20-30% of that investment. Streaming companies must hire specialized teams—often 5-15 additional engineers and compliance experts—to build and maintain these systems. Beyond development costs, they could spend millions annually on audits to ensure their custom solutions actually prevent VPPA violations.

The technical complexity matches the financial burden. Companies must architect complete separation between identity and content data, build custom APIs to connect disparate compliance-focused systems, implement real-time processing that maintains compliance in live environments, and create comprehensive audit trails for every data operation. They essentially rebuild the entire martech stack from scratch, sacrificing speed-to-market and innovation velocity to avoid legal exposure.

Hightouch flips the privacy equation

Hightouch avoids the VPPA nightmare that other CDPs face by operating directly within a company’s owned data warehouse. Because viewing data never leaves the streaming company's controlled environment, there's no risk of creating illegal data combinations in third-party systems. Marketing teams can build sophisticated audiences based on actual viewing behavior—"Users who watched 3+ episodes of sci-fi shows this month"—because the computation happens within their own compliant data infrastructure.

Hightouch operates from the data warehouse

Hightouch doesn’t store data, so marketers can use it to freely build audiences that include viewership information.

Everything Hightouch does for streaming companies occurs within their data warehouse, which is tightly governed and secure. For example, when Hightouch performs identity resolution, unifying customer profiles across devices, sessions, and platforms, all of that data stays in the data warehouse. Critically, the resolution logic is transparent rather than a black-box algorithm, so compliance teams can audit it.

When streaming companies want to use Hightouch to take action on their segments (for example, by sending them to third-party marketing platforms), Hightouch employs a clever de-identification strategy. Instead of sharing "john@email.com watched Stranger Things," it pushes anonymized segments with internal identifiers: "Users in segment_sci_fi_fans_2024." Downstream marketing tools receive only the anonymous identifiers they need for activation, while the mapping between these segments and actual viewing behavior remains secure in the streaming company's warehouse. Hightouch also includes granular consent management, ensuring data only flows to approved destinations based on user preferences stored directly in the warehouse.

Hightouch anonymizes viewership data when it syncs audiences to third-party marketing channels

When Hightouch syncs data to third-party marketing channels, it anonymizes segments to ensure VPPA compliance.
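The sync step described above, sketched as an added example (this is not Hightouch's code): a constructed SQLite database stands in for the warehouse, and the schema, the `email_tool` destination and the function names are assumptions. Membership is computed where the viewing data lives, gated on per-destination consent, and an egress check flags any outbound record that carries more than an internal identifier and a segment name.

```python
import sqlite3

ALLOWED_KEYS = {"internal_id", "segment"}  # the only fields permitted to leave

def build_warehouse():
    """Constructed sample data; schema and names are assumptions for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(internal_id TEXT PRIMARY KEY, email TEXT);
        CREATE TABLE views(internal_id TEXT, title TEXT, genre TEXT);
        CREATE TABLE consent(internal_id TEXT, destination TEXT, allowed INTEGER);
        INSERT INTO users VALUES ('u_001','john@email.com'),
          ('u_002','ana@example.test'),('u_003','lee@example.test');
        INSERT INTO views VALUES
          ('u_001','Stranger Things','sci-fi'),('u_001','Dark','sci-fi'),
          ('u_001','The Expanse','sci-fi'),('u_002','Dark','sci-fi'),
          ('u_002','Severance','sci-fi'),('u_002','Foundation','sci-fi'),
          ('u_003','The Crown','drama');
        INSERT INTO consent VALUES ('u_001','email_tool',1),
          ('u_002','email_tool',0),('u_003','email_tool',1);
    """)
    return db

def sync_payload(db, segment, genre, destination, min_views=3):
    """Compute membership inside the warehouse; emit only id + segment name."""
    rows = db.execute("""
        SELECT v.internal_id FROM views v
        JOIN consent c ON c.internal_id = v.internal_id
        WHERE v.genre = ? AND c.destination = ? AND c.allowed = 1
        GROUP BY v.internal_id HAVING COUNT(*) >= ?
        ORDER BY v.internal_id
    """, (genre, destination, min_views)).fetchall()
    return [{"internal_id": r[0], "segment": segment} for r in rows]

def egress_violations(db, payload):
    """Flag extra fields, or values equal to an email or title in the warehouse."""
    sensitive = {r[0].lower() for r in db.execute(
        "SELECT email FROM users UNION SELECT title FROM views")}
    problems = []
    for rec in payload:
        extra = sorted(set(rec) - ALLOWED_KEYS)
        if extra:
            problems.append(("extra_field", extra))
        problems += [("sensitive_value", v) for v in rec.values()
                     if str(v).lower() in sensitive]
    return problems
```

With the sample data, `u_002` meets the viewing threshold but is dropped for lack of consent, and `u_003` has consent but does not meet the segment definition.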

A streaming giant's 1,000-audience success story

One of the world's largest streaming services uses Hightouch’s Composable CDP at a daunting scale. They manage over 1,000 distinct audiences through Hightouch, all powered by viewing data in their data warehouse.

Their audience strategy leverages the full richness of viewing data without compliance risk. They build segments based on content engagement patterns (binge-watchers vs. casual viewers), genre preferences with temporal components (weekend sports viewers, weeknight drama fans), and lifecycle stages combined with content affinity (new subscribers interested in documentaries). They even create predictive segments using viewing patterns to identify churn risk or upsell opportunities.

Hightouch's audience builder

Hightouch users can make intuitive audience segments, using specific content categories and names, because of our VPPA-compliant architecture.

The technical implementation maintains complete VPPA compliance through Hightouch's architecture. All audience definitions live in their data warehouse, with Hightouch never storing the underlying data. Identity resolution happens within their warehouse using compliant matching rules. When syncing to marketing tools, only de-identified segment membership flows to external systems. The platform provides comprehensive audit trails showing exactly what data was shared, when, and under what consent—critical for demonstrating VPPA compliance.

This approach delivers measurable business impact while eliminating legal risk. The company reported improved targeting accuracy, which resulted in higher engagement rates, faster campaign deployment without compliance review bottlenecks, and the ability to test and iterate on audience strategies rapidly. Most importantly, they've achieved this sophisticated personalization with zero VPPA violations or legal challenges.

Conclusion

As the streaming wars intensify and personalization becomes table stakes, the companies that master privacy-compliant audience activation will be the ones that survive and thrive. The Composable CDP maintains data governance in the warehouse while enabling sophisticated activation. For streaming services operating on thin margins in a competitive landscape, the improvements to their marketing personalization and streamlined technical infrastructure can determine market success.

Legal teams love Hightouch for their reduced liability exposure. Marketing teams gain unprecedented flexibility without sacrificing compliance. They can build audiences using actual viewing behavior rather than obscured identifiers, test new segmentation strategies without engineering involvement, and activate the same audiences across dozens of channels consistently. And data teams benefit from a simplified architecture that eliminates redundant infrastructure by centralizing on the data warehouse. This unified approach reduces data discrepancies, simplifies debugging, and ensures marketing always operates on the same fresh data that powers analytics and reporting.

If you’re interested in learning more, we’d love to meet with you. Grab a time with our solutions team!

