Yes, Crunchyroll faces two separate class action lawsuits filed within just 22 days of each other in March 2026, exposing a troubling pattern of data security failures at the streaming anime platform. On March 5, 2026, a California federal court lawsuit alleged that Crunchyroll embedded a third-party marketing tracker (Braze SDK) in its mobile app to transmit user email addresses and video watching habits without consent, violating the Video Privacy Protection Act. Then on March 27, 2026, a second lawsuit was filed claiming Crunchyroll’s negligence allowed cybercriminals to gain unauthorized access to the systems of Telus Digital, a third-party vendor that handles customer support, exposing the personal information of approximately 6.8 million users. This article breaks down the specifics of both lawsuits, explains what data was compromised, details the damages being sought, and shows why Crunchyroll’s privacy troubles are part of a repeating pattern—the company previously settled a similar VPPA case for $16 million in 2023.
Table of Contents
- What Are the Two Lawsuits Against Crunchyroll?
- The Data Breach—What Was Exposed and How Many Users Were Affected?
- The Video Privacy Protection Act Angle—Why This Matters for Streaming Companies
- What Damages Are Being Sought and How Class Actions Work for Data Breach Cases?
- Why This Pattern Matters—A History of Privacy Failures
- What Information Was in Those Customer Support Tickets?
- What Happens Next and What This Means for Streaming Platforms
- Conclusion
What Are the Two Lawsuits Against Crunchyroll?
The first lawsuit, filed March 5, 2026, centers on what’s known as the Video Privacy Protection Act (VPPA), a federal law that restricts how streaming services can share information about what users watch. Plaintiff Francisco Cabonios alleges that Crunchyroll secretly used the Braze SDK—a software development kit created by a marketing automation company—to intercept and transmit user data including email addresses, device identifiers, and detailed video viewing history to Braze without user consent. This SDK was embedded directly into Crunchyroll’s mobile app, meaning every time someone opened the app and watched content, that information flowed to a third party marketing platform. The VPPA was designed specifically to prevent this kind of covert data sharing, and it carries statutory damages of $100 to $750 per violation per user—which explains why VPPA cases are often pursued as class actions.
The second lawsuit, filed March 27, 2026, takes a different angle: negligence and inadequate cybersecurity. Plaintiff Emilia Enfield, a Washington resident, alleges that Crunchyroll failed to implement adequate security measures, which allowed cybercriminals to exploit a vulnerability and gain unauthorized access to systems at Telus Digital, a third-party vendor that handles customer service operations. According to publicly available information from cybersecurity researchers, the breach occurred when malware infected the computer of an employee at Telus Digital’s facility in India, giving hackers a foothold into systems containing Crunchyroll customer data. This second lawsuit seeks up to $25,000 per affected U.S. user in damages, a figure much higher than typical statutory damages and reflecting the severity of the alleged negligence in allowing customer data to be stored on insecure third-party systems.
The Data Breach—What Was Exposed and How Many Users Were Affected?
The Telus Digital breach compromised data for approximately 6.8 million crunchyroll users, according to cybersecurity reports and the hackers’ own claims of exfiltrating 100 GB of company data. The breach was discovered no later than March 12, 2026, but the initial unauthorized access likely occurred earlier, giving hackers a window of time to copy data before Crunchyroll detected the intrusion. The exposed information includes full names, usernames, email addresses, IP addresses, approximate location data derived from IP geolocation, and the complete text of customer support tickets—which often contain sensitive information like payment card details, account recovery information, or other personally identifying details shared by users when requesting help.
However, it’s important to note a crucial distinction here: while the first lawsuit (the VPPA case) involves intentional data sharing to a third-party marketing company with the knowledge and technical setup of Crunchyroll, the second lawsuit involves data stolen through a security failure. Both are serious, but they represent different legal and practical problems. In the VPPA case, Crunchyroll chose to embed Braze; in the cybersecurity case, Crunchyroll either failed to adequately secure data it shouldn’t have concentrated at a third party, or failed to properly manage access to a vendor system. The cybersecurity angle suggests that customer data should not have been stored in an insecure manner at a third-party vendor in the first place—a common problem in the industry where companies outsource customer service and then inadequately protect the data shared with those vendors.
The Video Privacy Protection Act Angle—Why This Matters for Streaming Companies
The VPPA lawsuit is significant because it targets a specific, intentional practice: embedding tracking code that shares video-watching data. Video streaming is uniquely sensitive under privacy law because the VPPA recognizes that what someone watches can reveal deeply personal information—political leanings, health conditions, relationship status, religious beliefs, and more. When Crunchyroll embedded the Braze SDK into its mobile app, it created a direct pipeline from user watches to a third-party marketing company, allowing Braze to build profiles on Crunchyroll users without their knowledge. This is exactly what the VPPA was designed to prevent.
Crunchyroll already learned this lesson—or should have. In 2022, the company faced a similar VPPA lawsuit alleging that it used the Facebook Pixel to transmit video viewing data to Facebook without consent. That case was settled in September 2023 for $16 million, plus cy pres awards (money donated to privacy organizations). The fact that Crunchyroll is now facing nearly identical allegations just three years later suggests the company either failed to implement proper privacy controls across all of its tracking, or became complacent after the 2023 settlement and resumed or continued practices that violated user privacy. For users, this means the company has a documented pattern of privacy violations, which often strengthens class action arguments and may influence damages calculations.
What Damages Are Being Sought and How Class Actions Work for Data Breach Cases?
The second lawsuit seeks up to $25,000 per affected U.S. user, which if successful, could represent billions of dollars in total claims given the 6.8 million users affected. This figure is much higher than the statutory damages available under the VPPA (which typically range from $100 to $750 per violation), and it reflects state tort law concepts like negligence, breach of implied contract, and unjust enrichment. To understand the difference: VPPA damages are built into the statute and apply per violation of the law; negligence damages are based on the harm caused and can be much larger, but also harder to prove and more subject to negotiation.
However, in practice, large data breach class actions rarely result in full per-user damages being paid to claimants. When a major company faces a data breach lawsuit, it typically settles for a fraction of the theoretical maximum damage amount. For example, some major data breach settlements have resulted in payments to affected users ranging from a few dollars to a few hundred dollars per person, depending on the class action administrator’s estimate of actual harm and the company’s ability to pay. In the Crunchyroll case, the actual settlement amount—if the lawsuit is settled rather than decided at trial—will depend on factors like the likelihood of victory at trial, the company’s financial situation, and the negotiating strength of the plaintiff’s attorneys. Users who join the class action will receive more information about settlement details once a settlement is reached or the case reaches a significant milestone.
Why This Pattern Matters—A History of Privacy Failures
Crunchyroll’s two lawsuits in March 2026 are not isolated incidents; they reflect a broader pattern at the company. The 2022 VPPA case that settled for $16 million in 2023 involved nearly identical allegations: that Crunchyroll embedded third-party tracking pixels (in that case, Facebook Pixel) into its web properties and mobile apps without properly obtaining user consent, allowing Facebook to build profiles of Crunchyroll users’ viewing habits. The settlement required Crunchyroll to change its practices, implement better tracking consent mechanisms, and pay substantial damages. Yet within a few years, the company is facing nearly identical VPPA allegations involving a different third-party tracker (Braze).
This pattern suggests several possibilities: either Crunchyroll’s compliance infrastructure is inadequate and doesn’t consistently prevent privacy-violating practices across all teams, or the company has made a business calculation that paying periodic settlements is cheaper than fully redesigning its tracking ecosystem. For users, the lesson is clear: streaming companies that have previously violated your privacy have a documented track record and are statistically more likely to do so again. If you’re a Crunchyroll user who has been affected by either the Braze VPPA violation or the Telus Digital breach, you likely have grounds to join a class action and file a claim. The previous $16 million settlement demonstrates that Crunchyroll can be held accountable, but only through litigation and class action pressure.
What Information Was in Those Customer Support Tickets?
One particularly sensitive piece of data exposed in the Telus Digital breach is the “full text of customer support tickets.” This matters because customer support conversations often contain far more personal information than users realize. When someone contacts Crunchyroll customer service because they can’t access their account, they might provide security questions, answers, recovery email addresses, or even payment card information while troubleshooting.
Hackers who gain access to these tickets have a goldmine of information they can use for identity theft, account takeovers, or social engineering attacks on other platforms. For example, if a customer contacted Crunchyroll support saying “I can’t log in; my backup email is jane.smith@gmail.com and my phone number is 555-1234,” and those tickets were exposed, a hacker now has personally identifying information that could be used to reset passwords on other accounts, contact phone carriers to hijack cell phone accounts, or perform other fraud. The exposure of support tickets is why some data breach cases have resulted in particularly high damages—they contain a concentrated store of personal information.
What Happens Next and What This Means for Streaming Platforms
Both lawsuits will now proceed through the federal court system, likely in the U.S. District Court for the Northern District of California where the second lawsuit was filed. Early-stage litigation typically involves discovery (where attorneys exchange evidence), expert reports, and settlement discussions. Many class actions settle before trial, but the timeline can be months or even years.
In the meantime, Crunchyroll’s reputation for privacy has been significantly damaged by the dual announcements, and the company faces pressure not only from litigation but also from potential regulatory action (the Federal Trade Commission has taken interest in data security failures at streaming companies) and user backlash. For other streaming platforms and tech companies more broadly, these lawsuits send a signal that privacy-violating tracking practices and inadequate vendor security management carry real financial consequences. However, the pattern of Crunchyroll facing similar VPPA allegations three years after settling the Facebook Pixel case also suggests that legal settlements alone may not be sufficient to change behavior—companies need internal governance, compliance teams with real authority, and regular privacy audits to ensure that privacy violations aren’t simply being replaced with new ones. For affected users, the immediate question is whether to join the class action and file a claim if eligible.
Conclusion
Crunchyroll’s two lawsuits in March 2026 represent a significant moment in platform accountability: the company faces both intentional privacy violations (embedding the Braze tracker without consent) and negligence allegations (allowing customer data to be compromised at a third-party vendor). The 6.8 million affected users have potential claims for statutory VPPA damages and negligence damages, with the latter potentially reaching $25,000 per user if plaintiffs prevail. The cases are particularly damaging to Crunchyroll’s reputation because they follow nearly identical VPPA allegations just three years prior, suggesting the company either failed to implement adequate privacy controls or resumed violating practices after the 2023 settlement.
If you are a Crunchyroll user whose data was exposed in the Telus Digital breach (by March 12, 2026 or earlier) or who used the Crunchyroll mobile app while the Braze tracker was active, you may be eligible to join one or both class actions and file a claim for compensation. As these cases proceed, more information about settlement options and claim procedures will become available through official court filings and class action websites. In the meantime, consider reviewing your Crunchyroll account security settings, monitoring your credit report, and updating passwords on other platforms if you reused credentials—standard precautions whenever personal data is exposed.