When the Supreme Court agreed to hear Salazar v. Paramount Global in late January 2026, it did something rare in an era of policy indifference. The Court granted certiorari, meaning at least four Justices believed this case raised an important unresolved legal issue worth reviewing at the highest level.

At its heart, Salazar asks a deceptively simple question. Under the Video Privacy Protection Act (VPPA), a law passed in 1988 to stop video rental stores from sharing personally identifiable video rental records, who counts as a consumer protected by the statute? Is someone who watches online videos after signing up for a free newsletter part of that class? If not, does that mean companies can track and share watching habits freely with third parties like Facebook without consent?

This case seems narrow and technical, but it raises something far bigger: whether American consumers retain any meaningful privacy protections in the digital age.

Spoiler: They don’t.

Salazar and the VPPA: A Law Built for Blockbuster

The Video Privacy Protection Act (VPPA) was enacted in 1988 following the public release of the video rental history of Supreme Court nominee Robert Bork. Congress responded by making it illegal for “videotape service providers” to disclose video rental or sales information about their customers outside the ordinary course of business without consent.

The law’s core definitions reveal the technological assumptions of the late 1980s. A “video tape service provider” was literally someone engaged in renting, selling, or delivering prerecorded video cassette tapes or similar audiovisual materials. “Consumer” meant someone who rented, purchased, or subscribed to those goods or services.

For decades, that language was collateral to the world most Americans knew. VHS tapes were the dominant medium for home entertainment, a sprawling rental ecosystem had proliferated, and digital media was a distant promise. Congress could not have imagined Netflix, smartphones, streaming, or algorithmic personalization in 1988. DVDs were just emerging and would not eclipse VHS until the early 2000s.

Nearly four decades later, the courts noticed that the law’s language was frozen in time.

Leave a comment

Courts Tried to Fix It Because Congress Would Not

As digital technologies proliferated, courts were left to interpret the VPPA in new contexts. Federal judges, faced with lawsuits alleging that online platforms shared video viewing data without consent, repeatedly tried to stretch the statute beyond videotapes and Blockbuster stores. Some circuits held that online streaming services could qualify as “videotape service providers” and that tracking technologies that disclose video-viewing history could fall within the law. Others limited the statute to more literal readings. This led to conflicting decisions about who qualifies as a “consumer” and what data disclosures are covered.

The case now before the Supreme Court reflects this conflict. In Salazar v. Paramount Global, a federal appeals court held that a man who subscribed to a free newsletter from a sports website that also hosted videos was not a “consumer” under the VPPA because he did not specifically subscribe to audiovisual materials. Other circuits had adopted broader interpretations. This disagreement among courts is exactly why the Supreme Court agreed to resolve the matter.

It is noteworthy that courts have spent years trying to apply a law written for one era to another. This should not be necessary. Congress could have updated the VPPA decades ago to account for online video and digital ecosystems. They chose not to.

Share The Coffman Chronicle

From VHS to Streaming: The Tech Evolution Congress Ignored

The VPPA was passed in 1988 when Blockbuster was expanding and “Top Gun” topped box office charts. That same year, VHS tapes were ubiquitous, and streaming was science fiction. By the mid‑1990s, DVDs were available. Within a decade, DVD rentals had overtaken VHS sales, and by the early 2000s, VHS was effectively obsolete. Internet speeds improved, broadband proliferated, and video consumption moved online. Today, the global revenue from online video streaming is in the hundreds of billions of dollars. Yet the playing field for privacy rights remains anchored in law that still literally mentions “video cassette tapes.”

While technology advanced, Congress passed no general federal privacy statute to govern digital media providers, tracking technologies, or data sharing. Nor did they update the VPPA with modern language. In that absence, courts have improvised. The VPPA persisted because it provided a means for privacy claims, even if it was anachronistic. As a result, digital companies operate in a legal environment that has given them broad latitude to build business models around harvesting personal data, while consumers have had to sue — with mixed results— under outdated laws that Congress never updated.

Share

America vs. the World: Falling Behind on Privacy Protection

This is not the case elsewhere. In Europe, governments began updating privacy frameworks in the 1990s. The European Union’s Data Protection Directive in 1995 and, later, the General Data Protection Regulation (GDPR) in 2018, created comprehensive privacy protections, including requirements for consent, data minimization, and user access rights. Other countries, such as Canada and Australia, also updated their privacy laws more systematically. Even China enacted the Personal Information Protection Law in 2021. These nations recognize personal data privacy as a fundamental right worthy of proactive protection.

The United States, by contrast, still debates the meaning of “consumer” in a law that predates the public internet. There is no federal baseline privacy law. Attempts at federal privacy legislation have repeatedly stalled or died in committee, even as tech platforms harvest, analyze, and monetize personal data at a massive scale.

Leave a comment

Congressional Theater and Regulatory Inaction

Over the past decades, Congress has held multiple hearings with executives from major technology companies. Lawmakers have feigned concern about algorithmic influences on children, targeted advertising, misinformation ecosystems, and data collection practices.

In October 2021, former Facebook employee Frances Haugen testified before Congress, releasing internal documents showing that the company knew Instagram was worsening body image issues in teen girls. She described in plain terms how engagement-optimized algorithms actively pushed harmful content onto vulnerable users, and how leadership chose profits over safety. Senators from both parties expressed outrage. There were headlines, primetime clips, and promises of reform. No legislation followed. The hearing joined a long line of moments when Congress performed concern but failed to act, even in the face of irrefutable internal evidence.

Various privacy bills have been introduced, but none have become law. Often, these proposals falter due to industry opposition backed by deep lobbying resources. Tech companies spend hundreds of millions of dollars each year to influence legislation and regulatory outcomes, which gives them enormous power to shape policy discussions in their favor. As a result, despite clear evidence of harm associated with digital privacy breaches, consumers remain largely unprotected at the federal level.

A Pattern of Erosion, Not Protection

The erosion of privacy in the United States has rarely been accidental. In the aftermath of September 11, 2001, Congress passed the PATRIOT Act, granting the federal government expansive surveillance authority, including secret access to records from libraries, bookstores, and other institutions. Under Section 215, agencies could demand personal data without a warrant and with a gag order attached. That wasn’t a failure to protect privacy. It was an intentional dismantling.

That moment was emblematic, not exceptional. Congress has routinely expanded surveillance powers when it serves the state, while declining to regulate corporate surveillance when it serves the market. What links both is the same result: ordinary people are stripped of their privacy, either in the name of national security or economic growth. In both cases, oversight is minimal, transparency is optional, and accountability is virtually nonexistent.

Share The Coffman Chronicle

COPPA and CIPA: Limited and Outdated Protections

One often‑cited federal law designed to protect minors online is the Children’s Online Privacy Protection Act (COPPA), passed in 1998 and implemented in 2000. COPPA imposes requirements on operators of websites and online services directed at children under 13, including parental consent for data collection. However, it protects only the under‑13 set and lacks comprehensive data protection provisions in a world of pervasive algorithmic tracking. Teens, the most active demographic online, are not covered at all.

Another statute, the Children’s Internet Protection Act (CIPA), passed in 2000, requires public schools and libraries that receive certain federal funds to install filters blocking obscene content. However, CIPA is about content restriction, not data privacy. It conditions funding on the use of filtering software. It does not protect minors' data from being collected, analyzed, or monetized by platforms outside educational settings. Together, COPPA and CIPA offer limited protection at best, and neither has been meaningfully updated to address the complex realities of modern digital environments, nor are either well-enforced.

Share

Privacy in Practice: What Happens When Rights Aren’t Protected

In the absence of a clear and enforceable federal privacy law, two of the largest technology companies in the world—Apple and Google—have quietly paid out a combined $163 million to settle claims that their voice assistants recorded users without their consent.

In September 2025, Apple agreed to a $95 million settlement to resolve a class-action lawsuit alleging that Siri was capturing private conversations even when not actively in use. The lawsuit claimed that unintentional activations led to the recording of sensitive discussions, which were, in some cases, reviewed by third-party contractors for quality control purposes. Apple denied any wrongdoing but agreed to delete affected recordings and reform its internal policies. Payouts to affected users began in January 2026.

That same month, in January 2026, Google agreed to pay $68 million to settle similar claims involving Google Assistant. Plaintiffs alleged that Google captured and stored private conversations even when the wake word (”Hey Google”) was not used. Like Apple, Google denied wrongdoing but agreed to settle and revise internal practices.

Neither of these cases resulted in meaningful precedent. Neither involved a government enforcement action. Notably, neither company admitted legal liability, yet agreed to delete the recordings and review internal protocols.

What these settlements reflect is not accountability, but corporate risk management. Rather than being subject to strong privacy regulations with clear penalties for unauthorized data collection, these tech giants simply treat lawsuits as a cost of doing business. They delete some data, pay out settlements, tweak policies behind closed doors, and continue operating with largely the same incentive structures that led to the violations in the first place.

In practice, the only people holding Big Tech accountable right now are private plaintiffs with enough resources and evidence to sue. Even then, the outcome is usually a quiet payout and a denial of wrongdoing. This is not what a functioning regulatory system looks like. It’s a vacuum of governance, where enforcement happens post-harm, in slow motion, and behind settlement walls that keep the public from seeing just how often these violations occur.

Leave a comment

We Expanded the Second Amendment for Assault Rifles but Left Privacy in the VHS Era

A telling contrast emerges when one considers how the United States interprets other laws. The Second Amendment, written at a time of muskets and militias, has been judicially interpreted to apply to modern assault weapons, bump stocks, and high‑capacity magazines far beyond what could have been imagined in the 18th century. Meanwhile, privacy protections written for videotapes remain tethered to language that treats digital video consumption as if Blockbuster were still the only way to watch a video.

This isn’t conservative originalism or textual fidelity. It is selective modernization. The Constitution and statutes expand to protect weapons beyond the Founders’ wildest imagining while shrinking and ignoring statute after statute meant to protect individuals from emerging harms.

Share The Coffman Chronicle

What Meaningful Privacy Law Should Look Like

A modern federal privacy law needs to recognize that privacy is a fundamental right in the digital age. It should broadly apply to personal data, including location, biometric identifiers, listening interfaces, algorithmic profiling, and behavioral tracking. Such a law must require clear consent, define personal data universally, include robust enforcement mechanisms, and provide a private right of action so individuals can seek redress when harmed. Teens and adults alike deserve protection, not just children under age 13.

The law should also mandate transparency about algorithmic processes and restrict the resale of data without informed opt‑in. It should not preempt stronger state privacy laws but set a baseline from which states can build.

Share

A Harsh Reality: Likely Too Late for This Congress

Even with a clear pathway for meaningful privacy protections, the political reality remains stark. In an era dominated by deregulatory ideologies and the outsized influence of corporate money, comprehensive federal privacy law seems unlikely. Just last year, this same Congress made attempts to prevent states from passing AI regulations. Technology companies have stymied reform through lobbying, campaign contributions, and framing any regulation as antithetical to innovation. Without broad public demand and political will, another generation will grow up digitally surveilled and legally unprotected.

Leave a comment

Salazar Is a Symptom, Not a Cure

Salazar v. Paramount Global may determine who qualifies as a “consumer” under an outdated federal statute, but it also symbolizes a more profound failure of governance. After nearly four decades of digital transformation, American law still relies on analog relics to protect digital lives. That failure is not a matter of bureaucratic delay. It is a calculated political choice that places corporate profit above consumer safety and dignity.

Privacy rights will not be spared by judicial interpretation alone. They require legislation that reflects the realities of the digital era, not the preferences of rent‑seeking dominions of wealth and influence.

Sources:

• US Supreme Court to Define Who Can Sue Under the Video Privacy Protection Act — WilmerHale, January 26, 2026

• Supreme Court agrees to hear case on digital privacy, reverses ruling ordering new murder trial — SCOTUSblog, January 26, 2026

• BREAKING: Video Privacy Set To Be Latest Battleground As Supreme Court Considers Definition of “Consumer” Under VPPA — JD Supra, early 2026

• Supreme Court To Define ‘Consumer’ Under the VPPA: What’s at Stake for Privacy Litigation — Lowenstein Sandler, January 26, 2026

• Video Privacy Protection Act (VPPA) — Wikipedia

• Supreme Court to Clarify Meaning of “Consumer” Under VPPA — DLA Piper, January 28, 2026

• US Supreme Court to Decide Who Qualifies as a “Consumer” Under Video Privacy Protection Act — Duane Morris, January 2026

• Payments begin in $95M Siri eavesdropping class‑action settlement — NBC Chicago, January 26, 2026

• Settlement Payments in $95 Million Apple Lawsuit Begin: What To Know — Newsweek, January 27, 2026

• Judge approves $95 million Apple settlement over Siri privacy case — Courthouse News Service, September 4, 2025

• Google to pay $68 million over allegations its voice assistant eavesdropped on users — CBS News, January 23, 2026

• Siri — Wikipedia