Why Michigan AG sued Roku for violating VPPA, COPPA, & consumer protection laws


On April 29th, 2025, the Michigan Attorney General filed a groundbreaking lawsuit against Roku for sharing sensitive personal data without proper consent, in violation of the Video Privacy Protection Act (VPPA), the Children's Online Privacy Protection Act (COPPA), the Michigan Consumer Protection Act, and Michigan’s Preservation of Personal Privacy Act.
The lawsuit is based on three primary claims: (1) Roku shares children’s personal data with advertising third parties without parental consent; (2) Roku shares personally identifiable information (PII) tied to users’ video viewing history with third parties without explicit consent; and (3) Roku does not honor users’ requests to not share or sell personal information or to limit ad tracking.
Roku rents and sells videos primarily through its connected TV devices and software, and the Michigan Attorney General is calling into question how Roku shares data on its millions of video customers.
The lawsuit against Roku continues the trend of increased enforcement on personal data sharing without proper consent in the US. In particular, this lawsuit shows that companies are at an increased risk of legal action if they:
- Rent or sell video content via any technology: connected TV, web, mobile app, etc.
- Market to children
- Disclose privacy policies inconsistent with data processing practices
To protect against these privacy risks, companies should continuously monitor how all personal data flows in and out of digital products and proactively remediate instances where data processing does not adhere to privacy policies and applicable regulations. We call this practice product privacy management. Privado.ai offers the complete product privacy management solution for data visibility and privacy governance across web, app, and backend software products.
Allegation Summary
VPPA and Michigan’s Preservation of Personal Privacy Act Alleged Violations
Legal requirements
- VPPA: The US federal Video Privacy Protection Act prohibits the disclosure of consumers’ video rental history containing personally identifiable information (PII) without explicit consumer consent
- Michigan Preservation of Personal Privacy Act: Michigan state law that prohibits businesses that sell, rent, or lend video recordings from knowingly disclosing information that personally identifies the customer as having purchased, leased, rented, or borrowed the video recordings
Alleged violation
Roku shared customers’ PII, along with their video viewing data, with third parties such as Google, New Relic, Meta, LinkedIn, Nextdoor, and Innovid without obtaining explicit consent from customers.
COPPA Alleged Violations
Legal requirements
Websites and online services must obtain verifiable consent from parents before collecting personal data from children, and provide parents with access to their child's information and the ability to prevent its future use.
Alleged violations
- Collects and allows third parties to collect the personal data of children without the required notice or without obtaining parental consent
- Systematically collects, processes, and discloses the personal data of children, including their locations, voice recordings, IP addresses, and persistent identifiers that track children’s browsing histories on Roku and across the internet
- Enables third-party channels to collect children’s personal data to attract content providers to its platform and increase advertising revenue
- Enhances its collection and monetization of children’s personal data through partnerships with third-party web trackers and data brokers, some of which have been sued by the Federal Trade Commission for tracking individuals’ locations
- Actively misleads parents about its collection of their children’s personal data and their rights to protect that data
Michigan Consumer Protection Act Alleged Violations
Legal requirements
Prohibits deceptive methods, acts, or practices in the conduct of trade or commerce, including representing that goods or services have characteristics that they do not have.
Alleged violations
- Roku’s “Do not share or sell my personal information” setting does not limit data sharing according to Roku’s policies. The setting description claims to give customers the option to opt out of sharing data to enable “more relevant ads”, but the lawsuit claims Roku shares personal data with advertising partners for all customers whether the setting is toggled on or off. The claim specifies that Roku’s sharing of personal data for ad attribution, and its giving advertising third parties access to data they could use for targeted advertising, conflict with Roku’s disclosed policy. Additionally, the lawsuit states that the setting name “Do not share or sell my personal information” is misleading because it implies that the setting covers all personal data, when what it actually does is limit the personal data that Roku uses for targeted advertising.
- Roku’s “Limit Ad Tracking” setting did not limit ad tracking. In 2019, technology researchers from Princeton University and The University of Chicago studied the effect of selecting “Limit Ad Tracking” on Roku. According to these researchers, activating this setting “did not affect the number of trackers contacted” by the channels they studied; did not affect the number of Roku device serial numbers leaked to third parties; and actually increased the number of outside domains contacted by these channels.
Key Takeaways for Privacy Leaders
- Any company whose data processing activities do not match its disclosed privacy policies is at risk of a lawsuit in the US, even in states, like Michigan, without a comprehensive privacy law.
- Customers’ video rental or purchase data tied to PII represents a high privacy risk across the US. VPPA is a federal law with a private right of action, meaning any individual can bring a lawsuit.
- Children’s personal data represents a high privacy risk in the US. COPPA is a federal law, and there have been many recent lawsuits brought by the Federal Trade Commission (FTC) and state attorneys general.
- Privacy risk must be monitored across all digital products, including connected TV apps, mobile apps, and websites.
How Privado.ai mitigates privacy risk across digital products
- App Auditor: Scan app files to ensure consent banners, SDKs, and data flows are compliant with each regulation in each location. No technical implementation required.
- Privacy Code Scanning: Obtain real-time visibility and governance for how personal data is collected, used, shared, and stored by continuously scanning the code that runs your web, app, and backend software products.
- Web Auditor: Scan your websites to ensure consent banners, pixels, and data flows are compliant with each regulation in each location. No technical implementation required.

Ben leads product marketing at Privado.ai