For Crunchyroll’s legal team, March 2026 was a bad month. The anime streaming service was cited in two distinct class action lawsuits that were filed in California within three weeks, each of which addressed a distinct category of data management failure. One claimed that without genuine consent, the company has been giving third-party marketing firms access to user viewing histories.
The other claimed that 6.8 million consumers’ personal data had been compromised due to a security flaw at an outsourced partner. When considered collectively, the cases depict a firm that has had difficulty safeguarding what its users believed to be private, and—possibly more damaging—one that has reportedly experienced similar problems in the past.
| Category | Details |
|---|---|
| Company | Crunchyroll (subsidiary of Sony Pictures Entertainment) |
| Lawsuit 1 Filed | March 5, 2026 — California federal court |
| Lawsuit 1 Type | Video Privacy Protection Act (VPPA) violation — data sharing without consent |
| Data Shared | User IDs, email addresses, specific anime viewing history |
| Shared With | Third-party marketing firms including Braze |
| Lawsuit 2 Filed | March 24, 2026 — California federal court |
| Lawsuit 2 Type | Data breach — security failure at outsourcing partner |
| Partner Implicated | Telus (customer support outsourcing partner) |
| Users Affected | Approximately 6.8 million |
| Data Exposed | Full names, usernames, email addresses, IP addresses, partial payment information |
| Data Source | Customer support tickets |
| Prior Related Case | Similar 2023 VPPA settlement (repeat violation allegation) |
| Jurisdiction | California |
The complaint under the Video Privacy Protection Act was filed on March 5 and is part of a legal tradition that streaming services have been uncomfortable navigating for a number of years. The unlawful disclosure of a Supreme Court nominee’s video rental records led to the original passage of the VPPA in 1988. Looking back, this event seems almost nostalgic given the speed and scale of data flows between platforms and advertising technology companies that the 1988 Congress could not have predicted.
According to the lawsuit, Crunchyroll was allegedly violating the Act by integrating with Braze and possibly other marketing platforms in order to knowingly disclose personally identifying information together with specific video material that a subscriber has viewed. Without the subscriber’s knowledge or approval, third-party companies receive user IDs, email addresses, and particular anime viewing histories for targeting reasons.
This lawsuit is especially noteworthy because of its connection to Crunchyroll’s recent past. By March 2026, the platform was facing legal repercussions for this type of action and was being sued for it once more after settling a similar VPPA lawsuit in 2023. The latest litigation implicitly raises the question of whether the previous settlement resulted in significant improvements to data procedures or primarily yielded a payout that closed a legal dispute without demanding operational reform.
Watching this unfold gives me the impression that the settlement-and-continue strategy used by certain internet corporations to handle privacy litigation eventually leads to just this result: a second lawsuit from a new plaintiff class that makes the same fundamental claims.
Three weeks later, on March 24, the data breach complaint was filed. It uses a different mechanism but has a similar degree of exposure. Unauthorized access to customer support ticket data was allegedly made possible via a security breach at Telus, a Canadian telecoms firm that Crunchyroll reportedly employed for customer service outsourcing.
Names, usernames, email addresses, IP addresses, and, in certain situations, partial payment details that appeared in support communication were all included in those tickets—exactly the kind of information individuals provide when they have an issue with their account. According to reports, 6.8 million users were impacted, making this one of the worst streaming platform breaches in recent memory.
Although it receives less attention than direct database breaches, customer support outsourcing vulnerabilities are uncomfortably common in breach revelations. In order to cut expenses, businesses outsource support services, sending private client communications via systems that might not adhere to the same security regulations as the main platform.
The business whose clients supplied the data in good faith bears responsibility if those third-party systems malfunction. The subscribers of Crunchyroll were unaware that Telus infrastructure was handling their support contacts. They anticipated Crunchyroll-level accountability for the handling of their data, and they were aware that they were contacting Crunchyroll.
Whether these two claims will be combined, resolved individually, or go to trial is still up in the air. The VPPA in particular has led to major litigation against streaming platforms over the past few years, with settlements ranging from small to substantial depending on class size and proved harm. California courts witness a high amount of privacy class actions.
The cases pose a simple question for Crunchyroll’s approximately 15 million subscribers that shouldn’t need to be resolved through litigation: Did the company’s privacy disclosures adequately explain what was being done with subscriber data?
