Author Archives: Joshua Greenberg

New Year, New Privacy Laws—Are You Compliant?

As we head into the new year, the CDAS Digital Media and Technology group would like to remind you about new developments in privacy law that might affect your business.

Greater Transparency and Access Under New California Consumer Privacy Act (CCPA)

Taking effect on January 1, 2020, the new California Consumer Privacy Protection Act requires businesses, both inside and outside California, to provide increased transparency and access regarding their collection and monetization of personal data from California residents. Companies that, on an annual basis, have gross revenues of at least $25 million, obtain personal information of at least 50,000 California residents, households, and/or devices, or generate at least half of its revenue from selling California residents’ personal information must disclose data collection practices to Californians upon both request and collection, delete personal information about a consumer upon request, provide consumers the opportunity to opt out of the sale of personal information, and comply with certain data security procedures or else face lawsuits from those consumers subject to a data breach. Non-compliant companies are subject to fines of $2,500 per violation and up to $7,500 for each “intentional violation,” as well as damages in a possible consumer data breach lawsuit. If you believe CCPA might apply to your business now or at any point in the future, contact our team for a briefing on compliance.

EU Court of Justice: Active Consent Required for Cookie Collection from EU Citizens

If your business is subject to the European Union’s General Data Protection Regulation (GDPR), a new ruling from the EU Court of Justice could affect how you disclose your use of cookies and similar technology to your customers or website visitors in the European Union Member States and European Economic Area. A website that tracks and stores its users’ website activities must obtain those users’ active consent, meaning a pre-checked box is insufficient for a user to intentionally opt-in to the website’s use and storage of cookies, regardless of whether the tracking data being collected is personally identifiable. The court also reiterated GDPR’s disclosure requirements around the use and storage of, and third-parties’ access to, cookie data. Specifically, a website should not have a popup banner stating cookies are already being stored when a user lands on the site; these types of banners are common on US websites and usually have a box to click “ok” or “dismiss,” but that is not considered active consent in the EU even if a user clicks the “ok” or “dismiss” box. Regardless of whether GDPR applies to your business, the changing landscape of privacy law suggests that inclusion of clear options for users to accept or reject the use of cookies is a best practice across the board.

New York is Next

This summer, New York passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which requires companies that buy or license New York residents’ private information to develop, implement, and maintain reasonable physical, technical, and administrative safeguards to better protect the security, confidentiality, and integrity of personal information. Based on the passage of the SHIELD Act, privacy lawyers and policy experts alike anticipate a robust data privacy law will be enacted in New York similar to CCPA. The New York State Senate is currently considering the New York Privacy Act (SB S5642), which would regulate the storage, use, disclosure, and sale of consumer personal data by businesses operating or marketing products and services in New York by requiring companies to “act in the best interests of the consumer without regard to the interest of the entity, controller or data broker” and provide their consumers with a “clear, meaningful privacy notice” and an opportunity to opt in or out opt of providing personal data. Companies that fail to comply would be subject to enforcement actions by the New York Attorney General under deceptive trade practices and unfair competition laws. Most recently, the bill was discussed in committee; stay tuned for further updates from CDAS as this legislation progresses.


CDAS counsels businesses on data privacy regulations and best practices and can provide guidance and strategy on how to comply with CCPA or GDPR. Contact our Digital Media and Technology group for a compliance evaluation and advice on best practices.

Managing Risk for Podcasts Through Media Liability Insurance

Producers, distributors, and marketers of creative content are vulnerable to legal risks, such as claims of copyright or trademark infringement, plagiarism, defamation (i.e., libel for written works, slander for audio or audiovisual works), misappropriation of a public figure or private person’s name, likeness, or other personal attributes, invasion of privacy, and other claims both legitimate or spurious – that can diminish the value of a creative work. This is especially true as a creative work achieves greater distribution or greater popularity or attention. Media liability insurance, a specialized type of errors and omissions insurance (commonly abbreviated as E&O), provides production companies, broadcasters, publishers, marketers, advertisers, and others in the digital media and entertainment industry with coverage against these types of claims. With more than half of Americans reporting having listened to a podcast and around 90 million people being monthly listeners, the excitement around podcasts has already given rise to a flourishing, diverse, and investment-rich industry that’s only expected to grow. As podcasts become more widely distributed, the risk of content related claims increases and producers, distributors, and marketers are increasingly looking to media liability insurance coverage to mitigate those risks.

Coverage Limits and Basis

The most typical E&O policy for podcasts and other media provides coverage on an occurrence basis with limits of $1,000,000 per occurrence, and $3,000,000 in the aggregate. In other words, the insurer will cover costs and damages up to $1,000,000 per claim made against the primary insured party (i.e., the production or distribution company or advertiser) or an additional insured party during the coverage period (also referred to as the policy term), and up to $3,000,000 in total for all claims made and paid out during the coverage period, with respect to content first disseminated or distributed during the coverage period. An “occurrence” policy covers claims for incidents or damages that occurred during the coverage period, regardless of when the claim was actually made, whereas a “claims made” policy only covers claims made during the coverage period for incidents or damages occurring during the coverage period.

Continue reading