Media companies and online businesses must comply with abundant and diverging privacy and data protection requirements across jurisdictions. With respect to targeted advertising, companies face particularly complex rules on opt-in consent and opt-out rights. Smaller and newer businesses often find this exceedingly challenging, as they rely on advertising technology services and data brokerages to compete with more established companies, which have more, and more direct, consumer relationships and data. Accordingly, the established companies depend less on the third-party data sharing and unsolicited marketing communications that trigger regulatory requirements and scrutiny.

Under the EU General Data Protection Regulation, for example, a news site operator wanting to serve interest-based advertisements must obtain express, affirmative, specific, informed and voluntary opt-in consent before placing cookies and using that personal data for marketing. If it wants to bolster its own data with mailing lists and information from third parties, the operator may need to notify data subjects and confirm that the third party obtained consent.

In practice, companies prompt users for consent regarding cookies with banners, offering "accept all" and "reject all but necessary" choices and unchecked boxes regarding marketing emails or newsletter subscriptions, with an additional "double opt-in consent" confirmation in Germany.

If a business presents such consent prompts to consumers in California, however, it may violate the requirement to wait at least 12 months following an opt out before asking for authorization to sell or share personal information for cross-context behavioral advertising. Instead, the business must recognize universal opt-out signals and offer opt outs for certain disclosures of personal information and for email marketing, which an EU-style "cookie banner" cannot achieve, as the California Privacy Protection Agency expressly notes in §7026(a)(4) of its regulations.

Smaller companies often lack the resources to fully localize their disclosures and opt-in/opt-out mechanisms for each jurisdiction and every adtech service. Even with a "highest common denominator approach" — complying with the strictest data privacy requirements — they may fail on different particulars in some jurisdictions given increasingly prescriptive and intricate requirements. 

Practically, businesses may forgo using new adtech features and return to contextual advertising or paid services or operate only on larger platforms that cover most compliance requirements. But many smaller and newer companies believe this may stymie their competitiveness.

Alternatively, businesses can develop risk-based approaches to address requirements under the laws most likely to be enforced against them. Considering the fast-moving regulatory landscape, a risk-based approach may improve a business's ability to handle vast amounts of personal information in a more informed, structured and accountable way. It requires an understanding of applicable requirements and careful monitoring of the enforcement landscape through five key analyses.

Which particular activities trigger opt-in and opt-out requirements?

Under GDPR Article 6(1), companies must justify every processing of personal data with a legal basis, for example when acquiring a mailing list, collecting an email address during account registration, collecting browsing information via cookies for marketing purposes, or enabling third-party disclosures via cookies or pixels. Additionally, under national laws implementing the ePrivacy Directive, businesses must obtain consent before sending marketing emails or placing cookies on user devices, unless the cookie is strictly necessary to provide a service specifically requested by the user.

Across the pond, companies must fairly inform American consumers of data processing practices and offer opt-out rights. Consent is required in limited circumstances, for example, regarding SMS marketing, children's data, sensitive consumer data or biometric information. If consumers opt out of selling or sharing personal information for cross-context behavioral advertising purposes, businesses must wait 12 months before resoliciting an opt in. This may present practical challenges, for example where consumers can opt out through opt-out preference signals without providing their name, or via offline requests not easily connected to online accounts or unregistered website visitors.

Which activities does an advertising initiative or technology involve?

A business collecting personal data with first-party cookies or sending marketing emails may not trigger compliance requirements under U.S. privacy laws beyond having to offer an unsubscribe option in messages. The same business may have to obtain separate and specific prior consent for cookie placement, data use for marketing and sending emails under laws in the EU and other countries. SMS marketing triggers consent requirements and heightened litigation risks in the U.S. but is treated similarly to email marketing in the EU.

Companies must carefully analyze which activities a particular advertising campaign involves and determine what opt-in and opt-out requirements are triggered. Former Westin Fellow Anokhy Desai's web tracking technology index provides helpful context.

Which player(s) in the adtech ecosystem must, can or should ensure compliance with opt-in and opt-out requirements?

Numerous entities contribute to serving ads and handling personal data: advertisers (organizations that want their products or services in front of a target audience), publishers (organizations producing content that attracts an audience), and all the adtech providers, data brokers, networks, exchanges and platforms in between.

Publishers are often best positioned to inform consumers about privacy choices, but do not always understand all technical details or compliance requirements. Service providers may not be able to obtain consent or offer opt-out choices themselves but can support compliance by designing technologies and nudging their customers — publishers and advertisers — with default settings, standard contracts, whitepapers and FAQs. Advertisers tend to incur risk because ads prominently feature their brands and can drive compliance via contracts and financial incentives. 

Each entity must carefully analyze its role in delivering ads and processing personal data to determine which obligations it must tackle and which it must ensure other adtech players handle.

Which risk factors should companies consider as a priority?

Businesses selling only to other businesses often face less privacy law exposure, although some jurisdictions require prior opt-in consent for B2B marketing emails, and California includes employees and business representatives in its definition of "consumers" under the California Consumer Privacy Act. Note that B2B-focused companies selling data processing services or compliance solutions may incur greater risk, because customers of those services have incentives to apply greater due diligence. These businesses can reduce exposure to misrepresentation claims by refraining from exaggerating their privacy commitments in privacy policies, codes of conduct or advertisements.

Businesses marketing or selling goods or services to individuals for personal, family or household purposes face comparably more risk, as they collect personal information on individuals' interests and preferences beyond their commercial role. Compliance and litigation risks increase sharply if they use sensitive personal information for advertising purposes, including data on biometrics, health, children, race or sexual orientation.

Under the CCPA, companies must enable consumers to "Limit the Use of My Sensitive Personal Information," unless a statutory exemption applies. Likewise, in Colorado, companies must obtain consent for sensitive data, and under Washington state's My Health My Data Act, companies need to obtain signed authorization to sell consumer health data. Consequently, many companies now consider sensitive data "off limits" for advertising purposes.

Companies can also mitigate risk by geographically limiting advertising, for example, in Brazil, California, the EU and Quebec. Some adtech service providers proactively offer geo-blocking or restricted data processing for cookie placement, social media campaigns and bulk email initiatives.

When considering the impact of particular laws, companies should assess how readily a law is enforced by plaintiffs' attorneys or regulators. Many businesses have stopped sending SMS messages in the U.S. or using biometric information in Illinois to avoid Telephone Consumer Protection Act or Biometric Information Privacy Act class action lawsuits, respectively. Most companies also prioritize GDPR compliance, in response to fines administered by EU data protection authorities, and CCPA compliance, given that two state agencies focus on enforcement and actively issue information requests, warnings and regulations.

Additionally, companies should carefully monitor engagement, opt-out rates and complaints. Many consumers find retargeting, cold calls, unsolicited SMS messages and excessive marketing emails irritating. Even if potential conversion rates look promising, companies should heed consumer sentiment conveyed through opt-out requests or disengagement. The CCPA ballot initiatives demonstrated a mass, state-wide opt-out movement against increasingly intrusive data processing and advertising practices, and workarounds or lobbying may provoke further negative consumer sentiment and diminish trust.

How are enforcement and litigation trending?

After answering the four preceding conceptual questions, companies should continuously follow current enforcement and litigation trends. In the EU, DPAs publish enforcement reports and detail priorities. Stateside, the Federal Trade Commission and other regulators offer guidance and generate case law. U.S. class action firms also persistently try new theories or build on successful precedents.

The CCPA, as amended by the CPRA

California prescribes strict rules around personal information. Entities within or reliant upon adtech should pay particular attention to the California Privacy Rights Act's broad "sale or sharing" provision.

Whereas a "sale" includes third-party disclosure of personal information for "monetary or other valuable consideration," "sharing" more narrowly involves disclosures "for cross-context behavioral advertising, whether or not for monetary or other valuable consideration." This encompasses disclosures made in exchange for using targeted advertising services. Businesses utilizing these services must then provide notice and grant opt-out rights.

The CPRA vests enforcement powers in the California attorney general's office and CPPA. It does not provide for a private right of action, except in the context of data security breaches. Despite this, plaintiffs have continued to allege CCPA violations, which have largely been dismissed but nonetheless impose legal cost.

State wiretapping laws

The California Invasion of Privacy Act — the state's wiretapping prohibition — requires consent for third-party interception of live communications. The CIPA protects against "intentional wiretapping, willfully attempting to learn the contents or meaning of a communication in transit over a wire, and attempting to use or communicate information obtained as a result of engaging in either of the two previous activities," as stated in Tavernetti v. Super. Ct.

Plaintiffs have asserted wiretapping claims over various technologies and features, including chat, call, or keystroke recording, website analytics, pixels and session replay technology. Courts have since grappled with categorizing third-party technology embedded on websites, resulting in unsettled statutory application.

Class action filings have hit record numbers in response to two federal appellate decisions in particular:

  • The U.S. Court of Appeals for the 9th Circuit held in Javier v. Assurance IQ that consent to tracking via session replay technology cannot apply retroactively. 
  • In Popa v. Harriet Carter Gifts, the 3rd Circuit, reviewing an alleged violation of Pennsylvania's wiretapping law, held that a party to a conversation can be liable for its own "interception" of that conversation.

Accordingly, judges have upheld claims that companies using session replay technology collected user information without consent while users sought life insurance quotes, as in Hazel v. Prudential Financial, and that retail companies using session replay technology aided and abetted wiretapping, as in Saleh v. Nike and Yoon v. Lululemon.

ECPA

The Electronic Communications Privacy Act extended restrictions on telephone wiretaps to include transmissions of electronic data by computer. It consists of three acts: the Wiretap Act, regulating the interception of communications; the Stored Communications Act, regulating communications in storage and ISP subscriber records; and the Pen Register Act, regulating the use of pen register and trap-and-trace devices. Claims have primarily relied on the Wiretap Act and the Stored Communications Act, but recently have also asserted Pen Register Act claims and state law equivalents.

Challenges over cookie usage under these acts date back decades, with little success. The court in In re DoubleClick held that unauthorized collection of personal information alone does not amount to "economic loss" and could not support standing. Following Spokeo v. Robins, where the Supreme Court held that harm must be concrete, particularized, and actual or imminent, standing often presents an insurmountable obstacle to plaintiffs' claims.

So long as judges continue to assign negligible value to certain privacy harms, businesses will have little concern over ECPA claims and tracking technologies. Should plaintiffs prove more concrete harms, for example involving sensitive personal information, businesses must ensure they place cookies with valid consent, showing that access was explicitly authorized.

CFAA

The Computer Fraud and Abuse Act prohibits unauthorized access to computers, including accessing "a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain and alter."

Plaintiffs have long alleged cookie placement on their device to be unauthorized and a CFAA violation. However, in Bose v. Interclick, a district court judge dismissed a plaintiff's claim for failure to plead sufficient injury required for statutory damages. Like under the ECPA, standing issues often stymie CFAA cases over adtech products.

TCPA

The Telephone Consumer Protection Act aims to "protect residential telephone subscribers' privacy rights and to avoid receiving telephone solicitations to which they object." Under it, the FTC established the National Do Not Call Registry, permitting residential telephone subscribers to object by proxy to telephone solicitations by registering one's number.

Practically speaking, and of import to businesses concerned with marketing and lead generation, the TCPA, alongside other marketing-focused legislation such as the U.S. Controlling the Assault of Non-Solicited Pornography And Marketing Act and Canada's Anti-Spam Law, requires consent for direct marketing messages. TCPA litigation has continued to grow in number and has shifted toward class action lawsuits. 

VPPA

The Video Privacy Protection Act prohibits companies from disclosing video rental history information without written consent. Courts have applied the definition of "video tape service provider" to include online video providers that collect personally identifiable information. 

Plaintiffs have engaged in VPPA litigation over decades, culminating in seminal decisions in In re Nickelodeon Consumer Privacy Litigation and In re Vizio Consumer Privacy Litigation that outlined the contours of personal information under the statute. 

Early web beacons attracted the first VPPA class action lawsuits. Since then, VPPA pixel litigation has proliferated. Through October 2023, almost 200 proposed privacy class action lawsuits had been filed citing the VPPA.

Two defenses to VPPA claims have prevailed most often:

  • Courts dismissed plaintiffs' claims on the ground that plaintiffs could not be considered "subscribers" under the statute, when they did not receive anything in return for their general subscriptions to a website or when the video content was available to anyone, as in Gardener v. MeTV, Jefferson v. Healthline Media, and Carter v. Scripps Networks. Note that this argument has not always prevailed, for example in Harris v. Pub. Broad. Serv. and Goldstein v. Fandango Media.
  • Defendants also argued that the information disclosed could not sufficiently identify the plaintiff, as in Ghanaat v. Numerade Labs, where plaintiffs inadequately alleged that the sharing of their Facebook IDs, coupled with the URLs of videos watched, disclosed personally identifiable information.

HIPAA

The U.S. Department of Health and Human Services, Office for Civil Rights guidance on the use of online tracking technologies (including cookies, web beacons or pixels, session replay scripts and fingerprinting scripts) by covered entities and business associates under the Health Insurance Portability and Accountability Act states that all "individually identifiable health information" collected on a covered entity's or business associate's website or app is protected health information. It remains unclear, however, whether any mere web query by an unregistered user on a publicly available website will be presumed to contain or constitute health information, given that family members, researchers, business partners and many others may access health care focused websites for reasons other than personal health conditions.

Pixel providers have faced claims of wrongful collection of PHI from hospitals and health care providers that installed the technology on their websites, causing many organizations in the industry to question to what extent they can use beacons, pixels, cookies or other adtech products and remain in compliance.

HIPAA-regulated entities may also incur liability for impermissibly disclosing PHI to tracking technology vendors under the HIPAA Privacy Rule, which minimally requires business associate agreements with tracking technology vendors. 

Additionally, the FTC has enforced its prohibition on unfair or deceptive practices against health care platforms using common adtech services, including pixels, imposing penalties and requiring companies to send breach notifications to consumers whose web browsing history was tracked and transferred.

Driver's Privacy Protection Act

The Driver's Privacy Protection Act restricts disclosure of personal information by requiring departments of motor vehicles to obtain drivers' affirmative consent. Through October 2023, pixels embedded in department of motor vehicle websites had resulted in almost 70 proposed privacy class action lawsuits. Plaintiffs in Gershzon v. Meta Platforms, for example, survived dismissal after claiming their personal information had been sent using pixels embedded on DMV websites.

Lessons from these cases go beyond pixel usage or DMVs: web tracking technology providers must understand the websites and applications that implement their products or services so as to avoid similar highly industry-specific claims.

Other U.S. privacy laws

Plaintiffs have applied numerous other federal and state privacy laws to suits involving use of adtech services while legislatures and regulators keep adding requirements at a rapid pace. Companies must methodically review applicable laws in California and at the federal level, as well as newly added state laws.

Practical recommendations

All this said, professionals looking to optimize compliance in light of a quickly evolving privacy landscape shaped by regulation, legislation, enforcement, and best practices can start by focusing on a few key points.

Understand, assess, and document tools and data processing activities. Businesses and counsel must communicate with software developers about code included on a website or app.

Conduct a cost-benefit analysis. Consider industry exposure, litigation developments and robustness of the business's documentation and compliance program. Monitor opt-out rates and listen to customer complaints.

Avoid or minimize use of sensitive personal information. Heightened risks apply for data relating to biometrics, health, children, race and sexual orientation.

Optimize service provider agreements. Ensure vendors or service providers are limited, by agreement or otherwise, to using website activity only for defined activities, such as analyzing the website's functionality for a business's benefit, rather than for the provider's own independent purposes. 

Localize cookie banners and opt-out mechanisms to applicable requirements. Opt-in banners optimized for compliance with the GDPR are not ideal for California and likely even violate CCPA.
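As an added example (not code from the original article, and not any vendor's implementation), the following Node.js module models how a publisher's tag loader could localize consent handling to the two regimes contrasted above and in the earlier discussion of universal opt-out signals: an opt-in regime in which no non-essential cookie or third-party pixel fires until an affirmative choice is recorded, and an opt-out regime in which first-party tags run by default but sale/sharing pixels stop on an opt-out or a Global Privacy Control signal, with no re-solicitation for 12 months after an opt out. The region-to-regime table, the stored-record shape, the helper names and the 365-day constant are assumptions for the demo; the `Sec-GPC: 1` header format follows the GPC specification.

```javascript
// Added example, not code from the original article. Models the two consent
// regimes the article contrasts, for a publisher deciding which tags a page may
// load. Region table, record shape, helper names and the 365-day window are
// assumptions made for this demo.

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

// Assumed mapping from a geolocated region code to a regime. Unknown regions fall
// back to the stricter opt-in regime (the article's "highest common denominator").
const REGIME_BY_REGION = { 'US-CA': 'opt_out', DE: 'opt_in', FR: 'opt_in' };

function regimeFor(region) {
  return REGIME_BY_REGION[region] ?? 'opt_in';
}

// Global Privacy Control arrives as the request header "Sec-GPC: 1". The spec
// defines "1" as the only value that carries the signal; header names are matched
// case-insensitively because proxies and frameworks differ in casing.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Consumer record as this demo stores it: { optIn: boolean, optOutAt: ms | null }.
// A GPC signal is recorded as an opt-out the first time it is seen, so the 12-month
// re-solicitation window can be measured even for a visitor who never identified
// themselves (a practical challenge the article points out). Returns a new object.
function applySignals(record, { gpc, now }) {
  if (gpc && record.optOutAt == null) return { ...record, optOutAt: now };
  return record;
}

// Which tag categories may load for this request, and whether a consent prompt
// may be shown at all.
function decide({ region, headers, record, now = Date.now() }) {
  const regime = regimeFor(region);
  const gpc = gpcFromHeaders(headers);
  const rec = applySignals(record, { gpc, now });

  if (regime === 'opt_in') {
    const consented = rec.optIn === true;
    return {
      regime,
      record: rec,
      load: { essential: true, firstPartyMarketing: consented, saleOrShare: consented },
      mayPrompt: !consented, // keep showing the banner until an affirmative choice
    };
  }

  // opt_out regime
  const optedOut = gpc || rec.optOutAt != null;
  const inCooldown = rec.optOutAt != null && now - rec.optOutAt < TWELVE_MONTHS_MS;
  return {
    regime,
    record: rec,
    // First-party tags run by default; cross-context sharing stops on an opt-out.
    load: { essential: true, firstPartyMarketing: true, saleOrShare: !optedOut },
    // Do not re-solicit an opt-in while the signal is present or within 12 months.
    mayPrompt: !gpc && !inCooldown,
  };
}

// Demo with constructed inputs.
const NOW = Date.UTC(2024, 0, 15);
const fresh = { optIn: false, optOutAt: null };
const euVisitor = decide({ region: 'DE', headers: {}, record: fresh, now: NOW });
const caVisitorGpc = decide({ region: 'US-CA', headers: { 'Sec-GPC': '1' }, record: fresh, now: NOW });
const caVisitorNoSignal = decide({ region: 'US-CA', headers: {}, record: fresh, now: NOW });
const caOptedOutLastYear = decide({
  region: 'US-CA', headers: {},
  record: { optIn: false, optOutAt: NOW - 400 * 24 * 60 * 60 * 1000 }, now: NOW,
});

console.log(JSON.stringify({
  euVisitor: { load: euVisitor.load, mayPrompt: euVisitor.mayPrompt },
  caVisitorGpc: { load: caVisitorGpc.load, mayPrompt: caVisitorGpc.mayPrompt },
  caVisitorNoSignal: { load: caVisitorNoSignal.load, mayPrompt: caVisitorNoSignal.mayPrompt },
  caOptedOutLastYear: { load: caOptedOutLastYear.load, mayPrompt: caOptedOutLastYear.mayPrompt },
}, null, 2));
```

Run with `node consent.js`. The design point is that the regime, not the banner, is the localized unit: the same stored record feeds both branches, the GPC header is treated as an opt-out rather than as a prompt trigger, and the opt-out itself never expires while only the right to ask again is time-limited.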