chevron-down Created with Sketch Beta.
December 01, 2020 Feature

Right to Not Be Forgotten (Sometimes): Celebrity Privacy Rights in a Data-Driven World

Franklin Graves and Germaine Gabriel

©2020. Published in Landslide, Vol. 13, No. 2, November/December 2020, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

Access to data plays a crucial role in how society consumes entertainment. At the tap of an app, we can find out the name of the familiar face playing a secondary role in a classic TV sitcom or learn the (estimated) net worth of an athlete featured in a commercial that just aired. Additionally, we can explore the back catalogs of our favorite artists on a streaming music platform or read about their careers without leaving the platform. We can also dig into the latest gossip or paparazzi video documenting a celebrity’s meltdown.

The realms of entertainment, media, and sports law traditionally rely on a bundle of privacy and publicity rights that, when taken together, form a protective legal shield for celebrities. These rights range from invasion of privacy to libel and slander to misappropriation of name, image, and likeness. Whether classified as celebrities, athletes, influencers, or something else entirely, famous individuals have always faced legal hurdles across jurisdictions when they seek to secure legal protections over their personal lives, businesses, brands, and numerous revenue streams. Public figures are now looking to the ongoing advent of groundbreaking privacy regulations around the world to add more tools to their legal arsenal. However, to what extent have they given up, or signed away, such rights?

Value and Ownership of Personal Data

Over the last few years, the general population has become familiar with privacy laws through their routine, everyday use of products and services. It is nearly impossible to avoid privacy issues, whether it is accepting an onslaught of updated social media platform privacy policies1 or reading about weak user passwords leading to bad actors gaining access to a camera in a child’s bedroom.2 Data is commonly analogized as the “new oil” and powers much of our economy and daily lives.3 According to cloud software firm DOMO, predictions indicate that “[b]y 2020, there will be 40x more bytes of data than there are stars in the observable universe.”4 What is the value of all this data? Estimates attempting to place a monetary value on personal data range from a couple hundred dollars per service used5 up to thousands of dollars per individual.6 It is clear that there is a value to businesses and individuals when it comes to personal data and the regulations that govern its use.

The most notable privacy legislation in recent years came from Europe in the form of the General Data Protection Regulation (GDPR).7 The state of California soon followed suit with the California Consumer Privacy Act of 2018 (CCPA).8 Both pieces of legislation laid the groundwork for handing over the controls of personal privacy and the use of personal data to the individual (referred to as “data subjects” under the GDPR and “consumers” under the CCPA), as opposed to sole control and use, termed “processing” under both regulations, by the businesses transacting with such data (referred to as “processors” and/or “controllers” and “sub-processors” under the GDPR and “businesses” and/or “service providers” under the CCPA).

The concept of data “ownership” within the context of personal data has largely been upended by privacy regulations and resulted in a change to transacting with personal data within the entertainment, media, and sports industries. Currently, privacy regulations do not differentiate between personal data subjects who are well-known and those who might only have a couple of hundred Instagram followers, so industries have been forced to adapt.

Key Rights and Obligations under the GDPR and CCPA

As a starting point, it is helpful to understand that, generally, the GDPR applies to: (1) the processing of personal data within the European Economic Area (EEA), regardless of whether it is the personal data of a citizen of an EEA member state or not; and (2) the processing of EEA data subjects’ personal data, regardless of whether the processing takes place within the EEA, or whether the controllers and/or processors are established outside of the EEA.9 The CCPA establishes a less broad approach for applicability by focusing on for-profit legal entities that do business in California and meet the following thresholds: (1) gross annual revenues over $25 million; (2) annually buy, receive, sell, or share commercially the personal information of over 50,000 consumers, households, or devices; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.10

Most companies within the entertainment, media, and sports industries would easily fall within the categories of businesses, or processors and/or controllers, subject to the CCPA, the GDPR, or both. However, not all public figures fall within the scope of existing privacy regulations. As regulators expand protections, such as federal privacy regulations in the U.S.,11 businesses will have to continue adapting processes and procedures for the handling of personal data. Absent an idyllic future in which a uniform approach to privacy laws exists, building a foundational understanding of the CCPA and GDPR is a perfect starting point for shaping a lawyer’s approach to personal data rights.

The CCPA allows consumers the right to prohibit businesses from selling their personal information, the so-called “opt-out right,” with such options being clearly and conspicuously located on a business’s website. Additionally, the CCPA explicitly requires parent or guardian consent for consumers under the age of 13, or explicit consent for consumers between the ages of 13 and 16 (a so-called “right to opt-in”). This particular obligation might prove problematic for websites that rely on user-generated content, or crowdsourcing, such as IMDb or Wikipedia. By way of example, IMDb’s California Consumer Privacy Act Disclosures list “professional information, for example data you may provide about your acting experience” as a category of personal information that may be collected and disclosed for a business purpose.12 It, therefore, would be possible, at least operating within the view of the CCPA, for a public figure within California to submit an opt-out request, as well as requests for other information. However, would this lead to a breach of contract claim if the public figure, or their agent, is the party responsible for supplying the personal information under the terms of a subscription agreement with IMDb? An argument that personal information would be deemed public information after being published might not hold up under the CCPA given that its definition of “publicly available” is limited to personal information “lawfully made available from federal, state, or local government records.”13 The GDPR similarly includes language addressing a public authority’s release of personal information that might be contained within official documents.14 The GDPR also references personal data that originates “from publicly accessible sources,”15 within the context of still placing an obligation upon the controller to inform the data subject about the processing. While the GDPR does not include a right to prohibit the sale of personal information, it does include an opt-out right of data processing for marketing purposes16 and a right to withdraw consent at any time.17

Both the CCPA and the GDPR contain provisions regarding the right to have personal information deleted, but the GDPR contains six grounds under which the limited right applies. Those six grounds include: (1) the personal data is no longer necessary in relation to the purposes for which it was collected; (2) the data subject withdraws consent; (3) the data subject objects to the processing; (4) the personal data has been unlawfully processed; (5) the personal data has to be erased for legal compliance; and (6) the personal data was collected without parental or guardian consent.18 The GDPR also offers, among other things, a right to rectification of inaccurate or incomplete personal data19 and a right to restrict processing,20 which are absent from the CCPA. It is likely that future debates over what is deemed “inaccurate” or “incomplete” will arise, especially if the ability to rectify would provide some benefit to the public figure and their overall public perception.

In accordance with the GDPR, the Article 29 working party provided within their Guidelines on Transparency21 that transparency requires that any information and communication relating to the processing of personal data be easily accessible, be easy to understand, and use clear and plain language. The requirement to inform the data subjects about the processing of their personal data, which guarantees transparency of all processing, is all the more important since it affects the data subjects’ exercise of their right of access22 and right to object to the processing of that data.23 A best practice is to present data subjects with transparent notice of whether their personal data will be collected, and how it will be processed, at the point of collection. This can be in the form of a privacy notice if consumer data is collected in an online context.

Notice obligations exist under both the CCPA and the GDPR, which can directly impact the drafting of contracts for entertainment, media, and sports purposes. The GDPR and CCPA both create a broad range of operational and technical requirements that must be followed to ensure proper compliance at the time of collection, but both essentially boil down to clearly identifying the categories of personal information and the types of processing that will be done with the personal information.24 As a best practice, the level of detail around the processing of personal data that should be included in contracts that are entered into directly with public figures should be carefully considered and drafted in a manner that supports the present and future intents of the parties involved.

There are some exceptions that appear to provide some level of support for common business transactions within the entertainment, media, and sports industries. For example, the CCPA excludes situations under which “[a] consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party” from the scope of selling personal information as such activity is defined under the statute.25 However, such disclosures to or interactions with third parties by a business must prohibit the third party from selling the personal information beyond what might be within the scope of the business purpose. Therefore, it again becomes important that contractual terms, such as a detailed business purpose, between parties are carefully drafted to incorporate any nuances that might be required under applicable laws and regulations. Another consideration might be to include language that mirrors traditional intellectual property obligations and further assurances that the rights owner will support the licensee with any additional steps that might be necessary to secure the full scope of rights intended to be conveyed under the agreement. Whether this approach, or a limited power of attorney appointment, would be enforceable under privacy regulations remains to be seen.

Another example of an exception can be found under GDPR Article 85, titled “Processing and freedom of expression and information.” Article 85 provides a so-called “journalism exception” for the processing of personal data in furtherance of “the right to freedom of expression and information, including processing for journalistic purposes.” Building upon privacy regulations before it,26 GDPR Article 85 provides a broad exemption to support the needs of free speech within the context of data protection. Article 85 covers more than just traditional journalism and specifically includes processing exemptions for “the purposes of academic, artistic or literary expression.” Additionally, Article 85 allows individual EEA member states to determine whether free speech protections extend beyond just those listed in the GDPR, akin to the state-by-state approach to regulations in the U.S., so when dealing with data subjects across the EEA, it is important to take each jurisdiction’s potential approach into consideration.

Privacy Rights of Celebrities in the EEA

Across the pond in the EEA, the European Convention on Human Rights (ECHR) has recognized privacy in public for celebrities and the right to privacy under the Data Protection Act of 1998.

In fairly recent EEA case law, specifically, Murray v. Express Newspapers plc27 and Weller v. Associated Newspapers Ltd.,28 photographs of celebrities’ children were taken and thereafter published without parental consent. In Murray, J.K. Rowling, a famous author, filed suit in U.K. court after a photograph of her toddler son was taken when she and her husband took the toddler for a walk. Among other contentions, J.K. Rowling claimed breach of confidence, privacy, and infringement of the Data Protection Act of 1998 over the unauthorized publication of her toddler son’s photograph. While the case was originally dismissed, upon appeal, the court found that “personal data which have been obtained, recorded, held and disclosed covertly and without giving the data subject any opportunity to object to any of those operations on the data, are not processed ‘fairly’ within the meaning of the first data protection principle.”29 The court further found that a photograph constitutes information as to the physical or mental health or condition of the data subject, which amounts to “sensitive personal data” within section 2(e) of the Data Protection Act of 1998.

In Weller, a similar case, Paul Weller filed suit in U.K. court when photographs of his three minor children were published without his consent. Weller is a well-known singer and contended that the publication of the images of his children amounted to misuse of private information and breach of the Data Protection Act of 1998. The court found that the defendant was liable for misuse of private information and breach of the Data Protection Act of 1998. There were contributing factors to support the court’s finding, including that the parents had not consented to the taking or publishing of the photographs, and the claimants were children and had been identified by name, thus exposing them to special vulnerability.

In Von Hannover v. Germany,30 Princess Caroline von Hannover of Monaco brought suit in German courts after several photographs of her and her family were published on several occasions without her or her family’s consent. Hannover contended that the photographs infringed on her and her family’s right to respect for their private life under ECHR Article 8. In 2004, the court held that there was a violation of Article 8. The court came to its rationale after balancing the protection of private life against freedom of expression and the possible contribution that the published photos and articles would make to a debate of general interest. Ultimately, the court deemed that the photographs made no such contribution, since the applicant exercises no official function and the photos and articles related exclusively to details of her private life. In short, Hannover had a “legitimate expectation” of protection of her private life.

With the passing of the GDPR, it is unclear whether celebrities will have additional vehicles for recourse if their likeness is photographed and published without their consent.

Impact on Data Licensing Agreements

A data processing addendum or agreement (DPA) contains contractual obligations between two parties relating to the processing of data. As with nearly all contracts, the approaches taken with entering into DPAs can range widely. DPAs can be structured and presented as stand-alone agreements, side letters, or amendments to existing agreements; incorporated as a set of clauses within an existing agreement template; attached as an exhibit or attachment to an agreement template; or presented as a set of unilaterally binding online terms. It is worth noting that the use of a “DPA” within this context should not be confused with a possible reference to “data protection authorities,” the independent public authorities that enforce data privacy regulations across Europe.

A DPA that is used for a relationship contemplating the sharing of personal data should typically cover most, if not all, of the following points: (1) the nature and purpose of the processing activities; (2) a description of the categories of data subjects and the categories of personal data; (3) the length of time for processing of the personal data, and what happens when the contractual relationship between the parties ends; (4) the technical and organizational measures to ensure processing of personal data in a manner compliant with relevant laws and regulations, or the policy requirements established by a particular business (including details such as de-identification, aggregation, and/or anonymization procedures and requirements); (5) rules for data transfers, addressing any potential cross-border transfers; and (6) the use of third-party contractors, referred to as “sub-processors” under the GDPR and “service providers” under the CCPA. Additional information that will inform the legal analysis used to draft the contract includes: (1) methods under which the data licensor has collected the personal data being supplied; and (2) whether the personal data has come directly from the data subject or consumer, publicly available resources (such as websites, social media platforms, or news outlets), or unaffiliated third parties.

Within the context of the entertainment, media, and sports industries, data licensing agreements are commonly used to govern the contractual relationship between two parties sharing data. For example, a commercial music database may license artist biographical data to a music streaming platform so that end users can read about the artist, or a sports betting website may license data about a particular sports league to power its platform. Data licensing agreements can take the form of stand-alone agreements or follow a more technical, industry-specific structure, incorporating concepts such as an application programming interface (API) license and restrictive or permissive data usage terms.

Following the implementation of data protection laws and regulations, many entertainment, media, and sports data licensing agreements have been expanded to include DPAs in some fashion. Data licensing agreements are now including provisions that govern a data subject’s right to be forgotten and obligations to which the parties transacting with the data must comply. More specifically, it is not uncommon to have a contract that includes an obligation to communicate such deletion requests from a data subject to the other party to the contract. From a practical standpoint, this may require each party to ensure an appropriate process and procedure for tracking and communicating such requests is implemented and followed (or audited) on a regular basis. For businesses that operate as a service provider to consumers, such as SaaS services or social media platforms, and utilize a privacy policy designed to comply with the CCPA and GDPR, existing processes and procedures for data privacy compliance programs might be an option for management of personal data requests relating to data subjects governed by a data licensing agreement. This leads to the question of whether the data was lawfully collected from the start.

When negotiating a data licensing agreement that will involve personal data, it is important to establish and identify from the start the role of the parties. Under the GDPR, there are two potential classifications: (1) one party can be a controller and the other a processor;31 and (2) if two or more parties can determine the purpose for processing, then it might be a joint controller relationship.32 The GDPR does not explicitly recognize an independent controller relationship, where each party independently determines the purpose for processing, but there is a term previously identified under the U.K. Data Protection Act of 1998 as “controllers in common.”33 Drafting the data licensing agreement, and accompanying DPA, correctly is important to ensure each party understands their obligations under privacy regulations, and to each other. Inappropriate use of personal data can subject all parties to a risk of liability and fines, potentially even if the inappropriate use occurs downstream.

An important representation and warranty to include in data licensing contracts would be language that the party supplying the personal data has adequately, or in a legally compliant manner, obtained permissions not only to collect personal data but also to further distribute (either commercially or not) the personal data without the need for additional permissions gathering. Analysis should explore potential regulatory requirements for each lawful basis of, and consents necessary for, downstream processing of the personal data. For example, a video game licensee receiving personal data subject to privacy regulations does not want to be in a position where it is forced to individually contact and obtain the consent of the data subjects, or potentially be left without recourse if it receives requests from data subjects or inquiries from data authorities.

The mechanics involved with drafting and negotiating data licensing agreements that involve personal data require close attention to the scope of privacy rights applicable to the data subjects involved to ensure the contract adequately protects both parties and assigns obligations, liabilities, and risks as both parties intend.

Balancing First Amendment and Privacy Rights

In addition to legislative efforts to expand individual privacy rights, courts’ interpretations of privacy laws, and their intersection with other rights and interests, will likely continue to impact the entertainment, media, and sports industries. In the past, the U.S. Supreme Court has examined issues of competing concerns around an individual’s right to privacy and the First Amendment.34 Is there a legitimate public interest in knowing an actor’s age when they landed their first starring role or an athlete’s body measurements throughout their career? How about the First Amendment right to publish such information? In the future, answers to these questions may depend on targeted legislation addressing such issues.

In 2016, California’s Assembly Bill (AB) 1687 sought to establish a right to have a person’s age removed from public view on a commercial online entertainment employment service provider in an effort to curb age discrimination, largely singling out and targeting the internet movie database, which is owned by, Inc., and its premium subscription-based service for industry professionals, known as IMDbPro.35 When challenged by IMDb, the statute was found to be “clearly unconstitutional” in the opinion by U.S. District Court Judge Vince Chhabria,36 a decision upheld in June 2020 when the state of California and SAG-AFTRA lost on appeal to the Ninth Circuit Court of Appeals.37

The IMDb challenge of AB 1687 centered on two key elements: (1) the parties involved having entered into a contractual agreement governing the collection of personal data, by way of the IMDbPro subscription agreement; and (2) collection of personal data through public submissions outside of a premium membership subscription. Circuit Judge Bridget S. Bade referenced the U.S. Supreme Court’s decision in Cohen v. Cowles Media Co. when writing the opinion: “Private parties may freely bargain with each other to restrict their own speech, and those agreements may be enforced, without implicating the First Amendment.”38 Since IMDb’s website content is supported from both public crowdsourcing as well as the contributions of subscribers to its IMDbPro service, the appeals court found the statute reached beyond the scope of just a voluntary contractual agreement between IMDb and the subscribers to the IMDbPro offering and attempted to curb publication of information obtained from a source unconnected to such commercial contractual obligations, thereby implicating a speech restriction and reduction in First Amendment protection.39

First Amendment challenges to privacy regulations have started appearing across the country as individual states begin rolling out new privacy regulations for their jurisdictions.40 It remains to be seen how such regulations will hold up when facing First Amendment challenges.

Preparing for the Future

The future impact of data privacy regulations on the entertainment, media, and sports industries remains to be seen as jurisdictions around the globe, including the U.S., continue to finalize and implement data privacy protections. Existing grounds for data privacy claims can provide little to no bar before the receiving party is legally required to take action, ultimately replacing traditional libel or other defamatory claims that often require a plaintiff to meet certain thresholds of proof before enforcement.41 Additionally, privacy rights might become a powerful tool to control third parties at the discretion of the rights holder, similar to a copyright takedown request under the Digital Millennium Copyright Act.

A public figure may need to be prepared for managing the public’s perception, and that of their peers and future employers in their industry, when attempting to utilize their privacy rights to skirt contract obligations or industry norms. Using legal rights in a way that could prevent access to entertainment, media, or sports content could negatively impact the public’s expectations for being able to consume such content. Rights and legal control issues exist across industries, such as music industry attempts to window content42 or sprawling cinematic comic book universes that utilize well-known characters subject to numerous intellectual property and contractual protections.43 With privacy rights, the backlash could be directed toward an individual, as opposed to a large corporation or industry practice. Romania, a member of the European Union, came under fire for the actions of its data protection authority in weaponizing the GDPR against journalists publishing information, which included personal information, implicating a Romanian politician in a fraud scheme.44 The case is still ongoing, despite drawing sharp criticism from European parliamentarians.

The mechanics of obtaining consents under the GDPR, the CCPA, and other applicable privacy laws should be closely examined by businesses seeking to collect or otherwise generate, capture, or use personal data of public figures. In commercial settings, it will be critical to ensure adequate measures are in place, such as by way of a written contract or similarly explicit and informed consent from the data subject discussed above. Establishment of such efforts will aid in the future planned processing of personal data collected so the data might be used, distributed, licensed, or otherwise exploited without having to gather additional consents, which would likely lead to additional negotiations between the parties. It will also be important to stay updated on developments in privacy legislation and laws around the world and, to the extent possible, work with industry trade groups to ensure adequate measures are included to address industry concerns on the impact of future legislation efforts.

Privacy legislation trends point toward explicitly establishing the right to privacy over personal data as a subset of fundamental privacy rights,45 meaning that it is difficult, arguably impossible, to obtain a bulletproof waiver of such rights or a broadly sweeping consent that adequately covers all uses of a public figure’s personal data. Attempts to obtain contractual waivers or limitations are considered void under the CCPA,46 while strict guidelines for gathering consent under the GDPR must be followed and narrowly tailored for the purpose of the anticipated processing.47 Ultimately, if data privacy regulations contain language restricting an individual’s ability to waive their rights, then it leaves very little room for contractual relationships seeking to operate outside the bounds of such regulation.

Future legislation should also avoid narrow attempts at creating legal protection targeting specific content publishers or restricting a specific type of speech, such as with AB 1687 and the outcome of creating a new category of speech that receives reduced protection under the First Amendment. Building upon such developments, it remains to be seen whether courts interpreting, or agencies enforcing, privacy regulations will take into account the nature of the disclosure (such as a public figure, or their authorized agent, releasing personal information for the advancement of their career interests). Public interest arguments can be made in defense of or against such disclosures being treated as irrevocable.

Privacy regulations also do not currently account for different rights based upon the conditions under which personal data collection has occurred. For example, the personal data collected by a website operator from its visitors is largely treated the same as personal data collected by a video game developer from a public figure paid for their involvement in the game development. Absent future legislation that includes, or retroactively creates, carve-outs for such industry-specific commercial agreements, it leaves ambiguity as to the enforceability, and true underlying value, of deals involving the personal data of public figures. We may just end up in a future where we are unable to know the true age of the person depicting a teenager on a network television show.


1. Jefferson Graham, Why You’re Receiving All Those Privacy Update Emails, USA Today (Dec. 28, 2019),

2. Neil Vigdor, Somebody’s Watching: Hackers Breach Ring Home Security Cameras, N.Y. Times (Dec. 15, 2019),

3. Antonio García Martínez, No, Data Is Not the New Oil, Wired (Feb. 26, 2019),

4. Data Never Sleeps 7.0, DOMO (2019),

5. Martínez, supra note 3.

6. Marie Baca, What You Do on the Internet Is Worth a Lot. Exactly How Much, Nobody Knows, Wash. Post (Oct. 14, 2019),

7. Commission Regulation 2016/679, 2016 O.J. (L 119) 1 [hereinafter GDPR].

8. Cal. Civ. Code §§ 1798.100–.199. It should be noted that, as of this article’s publication, the California Privacy Rights and Enforcement Act (CPRA) is scheduled to appear on the November 2020 ballot, with an anticipated effective date of January 1, 2023.

9. GDPR, supra note 7, art. 3.

10. Cal. Civ. Code § 1798.140(c).

11. See Eric Newcomer, California Will Be Key Battleground in Tech Privacy Fight in 2020, Bloomberg (Jan. 2, 2020),

12. IMDb California Consumer Privacy Act Disclosures, IMDb, (last visited Oct. 28, 2020).

13. Cal. Civ. Code § 1798.140(o)(2).

14. GDPR, supra note 7, art. 86.

15. Id. art. 14(2)(f).

16. Id. art. 21(2).

17. Id. art. 7(3).

18. Id. art. 17(1).

19. Id. art. 16.

20. Id. art. 18.

21. Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) (2018).

22. GDPR, supra note 7, art. 12.

23. Id. art. 14.

24. Id. arts. 13–15; Cal. Civ. Code § 1798.130(a)(5).

25. Cal. Civ. Code § 1798.140(t)(2)(A).

26. See, e.g., Council Directive 95/46/EC, art. 9, 1995 O.J. (L 281) 31 (“Processing of personal data and freedom of expression”).

27. [2008] EWCA (Civ) 446, [2009] Ch 481 (Eng.).

28. [2014] EWHC 1163 (QB) (Eng.).

29. Murray, [2009] Ch at 488.

30. [2004] ECHR 294.

31. GDPR, supra note 7, ch. IV.

32. Id. art. 26.

33. See also Serkan Kurt, Guide for Multi-Controller Situations under the GDPR, IAPP (Nov. 6, 2017),

34. See, e.g., Fla. Star v. B.J.F., 491 U.S. 524 (1989).

35. Inc. v. Becerra, 962 F.3d 1111 (9th Cir. 2020); see also Eriq Gardner, IMDb Wins Lawsuit over Actress Age Revelation, Hollywood Rep. (Apr. 11, 2013), (reporting on 2013 jury verdict in favor of IMDb following actress Huong Hoang’s lawsuit bringing claims for, among other things, privacy violation for IMDb’s inclusion of Hoang’s age on her public profile).

36., Inc. v. Becerra, No. 16-cv-06535-VC (N.D. Cal. Feb. 20, 2018).

37., 962 F.3d 1111.

38. Id. at 1120 (citing Cohen v. Cowles Media Co., 501 U.S. 663, 671 (1991)). Judge Bade acknowledges there are times such a principle is limited.

39. Id.

40. See Edward D. Murphy, Federal Judge Rejects Much of Legal Challenge to Maine Internet Privacy Law, Portland Press Herald (July 7, 2020),

41. Nani Jansen Reventlow, Can the GDPR and Freedom of Expression Coexist?, 114 AJIL Unbound 31 (2020),

42. Mark Mulligan, The Problem with Streaming Exclusives, Music Industry Blog (Apr. 30, 2015),

43. Alex Abad-Santos, Marvel and Sony Have Cut a Deal to Keep Spider-Man in the MCU, Vox (Sept. 27, 2019),

44. Bernhard Warner, Online-Privacy Laws Come with a Downside, Atlantic (June 3, 2019),

45. See GDPR, supra note 7, art. 1(2); Cal. Civ. Code § 1798.1.

46. Cal. Civ. Code § 1798.192.

47. GDPR, supra note 7, art. 7.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

Franklin Graves is technology counsel at HCA Healthcare, Inc., in Nashville, Tennessee. He has extensive experience in technology, media, and privacy laws.

Germaine Gabriel is corporate counsel - privacy at ServiceNow in Santa Clara, California. She has experience in technology, intellectual property, product, and privacy law. Prior to entering Silicon Valley, Germaine was a presidential appointee under President Barack Obama.