Navigating the biggest privacy risks facing media companies today

By Gregory Szewczyk

New privacy and data security laws – and new litigation risks involving privacy and data – can impact media companies more than most companies because of media’s expansive digital presence and its reliance on digital advertising. While the risks of new laws and litigation trends are serious, there are several relatively straightforward steps that media companies can take to mitigate these risks and better leverage their data. To do so, companies need to understand those risks.

The first comprehensive state privacy law went into effect in California on Jan. 1, 2020. For the next three years, that state stood alone as the only one with such a law. As of Nov. 1, 2023, three more states have laws in effect, 13 states have enacted laws that will go into effect soon, and several others have laws relating to nuanced privacy issues such as broadly defined health data and biometric identifiers. While Pennsylvania has not yet enacted a broad data privacy law, media companies here should be aware of the laws in other jurisdictions because those laws apply across state borders.

While state privacy laws are complex and differ in meaningful ways, they all focus on the use of common analytical tools such as cookies or pixels. Indeed, on top of the laws themselves, regulators are monitoring compliance: the sole public enforcement action and many of the anonymous government sweeps have all focused on the sufficiency of disclosures and opt-out mechanisms for these tools. Because media companies tend to rely heavily on these analytical tools ‒ especially if their business model does not depend on paid subscriptions ‒ they are at a particular risk of enforcement scrutiny.

These types of marketing and analytical cookies also pose a risk of class action litigation. Over the past few years, plaintiffs’ attorneys have filed claims under older statutes ‒ especially the Video Privacy Protection Act (VPPA) and certain state wiretap laws ‒ based on the use of cookies and pixels. With respect to the VPPA, plaintiffs argue that by using cookies or pixels on a website displaying video, the website is disclosing an individual’s viewing habits to a third party without consent. With respect to the wiretap laws, plaintiffs argue that allowing cookies or pixels to be placed on a website allows a third party to intercept the plaintiff’s communications without consent. Pennsylvania’s wiretap law has been one of the most frequent bases for such suits. The per-violation statutory damages for these claims are generally in the $2,500 to $5,000 range, which can quickly amount to many millions, or even billions, of dollars in claimed damages depending on a site’s traffic. These cases have just begun to move through the judicial system, so it is unclear whether courts will accept these novel theories applying old laws to new technologies.

While these risks are significant, they do not mean that media companies should stop using analytical tools that provide value. They mean that companies should follow basic compliance steps to mitigate their risks. First, companies need to know what analytics they are actually using. Second, companies need to know if these tools trigger new privacy obligations. Because these tools are relatively inexpensive off the shelf, they are often implemented without considering the legal issues they raise. Third, companies need to ensure that there are proper opt-out mechanisms available. Regulators have made clear that popular tools from trade groups or alliances and cookie banners do not suffice. Finally, companies need to be aware that relatively modest changes to privacy policies, interfaces, and disclosures can be used to preempt lawsuits and build in defenses.

These mitigating steps are not burdensome, do not interrupt the user experience, and do not significantly impact operations. However, by taking them, media companies can continue to leverage their data with significantly less risk.

Ballard Spahr’s Privacy and Data Security Group works with a wide range of companies around the country, including leading media companies. The group regularly partners with the firm’s media and entertainment law attorneys, who advise and represent media clients across platforms on the full range of issues that arise in newsgathering and publication ‒ in the newsroom and in court. The firm’s media lawyers have played a central role in many of the most significant First Amendment cases in recent years, in Pennsylvania and nationally. Their work is supported by lawyers from other firm practices, including intellectual property and business transactions, to address business and operations matters for journalists and media companies.

As practice co-leader of Ballard Spahr’s Privacy and Data Security Group, Gregory Szewczyk helps companies of all sizes build and maintain privacy and data security programs.