In 2024, over 250 class action lawsuits were filed under a US federal law passed in 1988 to protect VHS rental records.
The Video Privacy Protection Act was originally aimed at VHS rental stores, but in 2022 plaintiffs’ firms discovered a new application: embedding third-party video players on a website – without proper consent mechanisms – could expose companies to class action liability under the same statute. The wave accelerated rapidly.
Over 250 VPPA lawsuits were filed in 2024 alone, more than double the prior year, with multiple settlements running into the millions. The defendants weren’t careless companies operating in legal grey areas. They were ordinary businesses that had embedded a video player the way everyone embeds a video player.
This is what the compliance landscape looks like now: sprawling, fast-moving, and full of exposure that product teams have no idea exists.
The wiretapping theory nobody saw coming
The VPPA surge wasn’t an isolated event. Around the same time, California’s Invasion of Privacy Act became the basis for a different wave of litigation – this one targeting session replay tools, chat widgets, and analytics pixels.
The theory: if a third-party tool captures a user’s session in real time without prior notice, you may be intercepting an electronic communication. Courts have been inconsistent – some dismiss, some allow claims to proceed – but the volume of cases has been significant enough that major law firms issued standing guidance on how to defend against them. The theory has since spread to other states.
Neither of these developments came from new regulation. They came from old laws applied to tools that product teams treat as routine infrastructure. If your engineering team ships a video embed or deploys a session recording tool without legal review, you are making a compliance decision – you’re just making it without realising it.
You don’t get to choose your compliance perimeter
Here’s the insight that most growing companies discover too late: compliance obligations don’t follow a simple rule based on where you’re incorporated.
Whether a regulation applies depends on a mix of factors – where you’re established, your sector, your revenue, the type of data you process, and who your users are.
A product built in Austin that picks up users in California, Germany, and Canada is immediately in scope for CPRA, GDPR, and Canada’s PIPEDA – from the moment the first user signs up.
Unlike a physical business that expands market by market, a digital product is global from the day it launches. Its compliance obligations follow.
GDPR applies not only to companies established in the EU but to any organisation anywhere that targets EU users – and €5.88 billion in cumulative fines since 2018 makes clear that “we’re not a European company” is not a defence.
Nearly 20 US states now have comprehensive privacy laws in force or taking effect, each with different thresholds, exemptions, and enforcement mechanisms. The European Accessibility Act came into full enforcement in June 2025, requiring businesses serving EU consumers to meet harmonised accessibility standards – including those based in the US or UK.
The EU Whistleblower Directive requires companies above 50 employees to operate secure internal reporting channels, regardless of where headquarters sits.
The businesses struggling with all of this aren’t negligent. They’re facing obligations that multiplied faster than any reasonable compliance posture was built to handle – across jurisdictions they may have entered without fully realising it.
The problem with sourcing one obligation at a time
Most companies approach this by solving each problem as it arrives.
GDPR passes: find a cookie consent tool. Accessibility mandate appears: bolt on an overlay. Whistleblower Directive takes effect: procure a reporting channel. The result is a stack of separate vendors, separate contracts, and separate renewal dates – with no coherent view of where the business actually stands across all of them.
This isn’t a technology failure. It’s a structural one. Compliance obligations across data privacy, accessibility, and transparency requirements don’t arrive neatly spaced – they overlap, interact, and share underlying data. Managing them as isolated problems means managing their intersections badly.
The CRM market used to look like this. So did marketing technology, and security tooling. Each consolidated around platforms once the point-solution approach became unmanageable. Compliance is following the same trajectory – driven by the same force: obligations that have become too numerous and too interconnected to manage one vendor at a time.
The decision hiding inside a product decision
The VPPA and session replay cases both illustrate something worth sitting with.
The companies that got sued weren’t making compliance decisions. They were making product decisions – embedding a video player, deploying an analytics tool – and the compliance exposure came along for the ride. That’s the default mode for most product teams: compliance is someone else’s problem, handled somewhere downstream.
That assumption has become genuinely expensive. VPPA settlements. GDPR fines. EAA enforcement. California’s attorney general secured its largest-ever CCPA settlement in 2025 at $1.55 million. Texas continues pursuing active enforcement of its own comprehensive privacy law.
The companies that handle this well have made a specific structural choice: they treat compliance obligations not as a legal team’s inbox, but as a property of how their product works.
Not because regulators demanded it – but because at the scale and speed that digital products now operate across jurisdictions, there is no other way to stay on top of it.
That shift is already underway. The question for any company with a global user base is simply whether they’ve decided to be part of it.