Right to Not Be Forgotten (Sometimes):

Celebrity Privacy Rights in a Data-Driven

World
By: Franklin Graves and Germaine Gabriel

Access to data plays a crucial role in how society consumes entertainment. At the tap of an app, we can
find out the name of the familiar face playing a secondary role in a classic TV sitcom or learn the
(estimated) net worth of an athlete featured in a commercial that just aired. Additionally, we can
explore the back catalogs of our favorite artists on a streaming music platform or read about their
careers without leaving the platform. We can also dig into the latest gossip or paparaz zi video
documenting a celebrity’s meltdown.

The realms of entertainment, media, and sports law traditionally rely on a bundle of privacy and
publicity rights that, when taken together, form a protective legal shield for celebrities. These rights
range from invasion of privacy to libel and slander to misappropriation of name, image, and likeness.
Whether classified as celebrities, athletes, influencers, or something else entirely, famous individuals
have always faced legal hurdles across jurisdictions when they seek to secure legal protections over their
personal lives, businesses, brands, and numerous revenue streams. Public figures are now looking to the
ongoing advent of groundbreaking privacy regulations around the world to add more tools to their legal
arsenal. However, to what extent have they given up, or signed away, such rights?

Value and Ownership of Personal Data

Over the last few years, the general population has become familiar with privacy laws through their
routine, everyday use of products and services. It is nearly impossible to avoid privacy issues, whether it
is accepting an onslaught of updated social media platform privacy policies 1 or reading about weak user
passwords leading to bad actors gaining access to a camera in a child’s bedroom. 2 Data is commonly
analogized as the “new oil” and powers much of our economy and daily lives. 3 According to cloud
software firm DOMO, predictions indicate that “[b]y 2020, there will be 40x more bytes of data than
there are stars in the observable universe.” 4 What is the value of all this data? Estimates attempting to
place a monetary value on personal data range from a couple hundred dollars per service used5 up to
thousands of dollars per individual. 6 It is clear that there is a value to businesses and individuals when it
comes to personal data and the regulations that govern its use.

The most notable privacy legislation in recent years came from Europe in the form of the General Data
Protection Regulation (GDPR). 7 The state of California soon followed suit with the California Consumer
Privacy Act of 2018 (CCPA). 8 Both pieces of legislation laid the groundwork for handing over the controls
of personal privacy and the use of personal data to the individual (referred to as “data subjects” under
the GDPR and “consumers” under the CCPA), as opposed to sole control and use, termed “processing”
under both regulations, by the businesses transacting with such data (referred to as “processors” and/or

Page 1 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

“controllers” and “sub-processors” under the GDPR and “businesses” and/or “service providers” under
the CCPA).

The concept of data “ownership” within the context of personal data has largely been upended by
privacy regulations and resulted in a change to transacting with personal data within the entertainment,
media, and sports industries. Currently, privacy regulations do not differentiate between personal data
subjects who are well-known and those who might only have a couple of hundred Instagram followers,
so industries have been forced to adapt.

Key Rights and Obligations under the GDPR

and CCPA
As a starting point, it is helpful to understand that, generally, the GDPR applies to: (1) the processing of
personal data within the European Economic Area (EEA), regardless of whether it is the personal data of
a citizen of an EEA member state or not; and (2) the processing of EEA data subjects’ personal data,
regardless of whether the processing takes place within the EEA, or whether the controllers and/or
processors are established outside of the EEA. 9 The CCPA establishes a less broad approach for
applicability by focusing on for-profit legal entities that do business in California and meet the following
thresholds: (1) gross annual revenues over $25 million; (2) annually buy, receive, sell, or share
commercially the personal information of over 50,000 consumers, households, or devices; or (3) derive
50 percent or more of their annual revenues from selling consumers’ personal information. 10

Most companies within the entertainment, media, and sports industries would easily fall within the
categories of businesses, or processors and/or controllers, subject to the CCPA, the GDPR, or both.
However, not all public figures fall within the scope of existing privacy regulations. As regulators expand
protections, such as federal privacy regulations in the U.S., 11 businesses will have to continue adapting
processes and procedures for the handling of personal data. Absent an idyllic future in which a uniform
approach to privacy laws exists, building a foundational understanding of the CCPA and GDPR is a
perfect starting point for shaping a lawyer’s approach to personal data rights.

The CCPA allows consumers the right to prohibit businesses from selling their personal information, the
so-called “opt-out right,” with such options being clearly and conspicuously located on a business’s
website. Additionally, the CCPA explicitly requires parent or guardian consent for consumers under the
age of 13, or explicit consent for consumers between the ages of 13 and 16 (a so-called “right to opt-
in”). This particular obligation might prove problematic for websites that rely on user-generated
content, or crowdsourcing, such as IMDb or Wikipedia. By way of example, IMDb’s California Consumer
Privacy Act Disclosures list “professional information, for example data you may provide about your
acting experience” as a category of personal information that may be collected and disclosed for a
business purpose. 12 It, therefore, would be possible, at least operating within the view of the CCPA, for a
public figure within California to submit an opt-out request, as well as requests for other information.
However, would this lead to a breach of contract claim if the public figure, or their agent, is the party
responsible for supplying the personal information under the terms of a subscription agreement with
IMDb? An argument that personal information would be deemed public information after being
published might not hold up under the CCPA given that its definition of “publicly available” is limited to

Page 2 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

personal information “lawfully made available from federal, state, or local government records.” 13 The
GDPR similarly includes language addressing a public authority’s release of personal information that
might be contained within official documents. 14 The GDPR also references personal data that originates
“from publicly accessible sources,” 15 within the context of still placing an obligation upon the controller
to inform the data subject about the processing. While the GDPR does not include a right to prohibit the
sale of personal information, it does include an opt-out right of data processing for marketing
purposes16 and a right to withdraw consent at any time. 17

Both the CCPA and the GDPR contain provisions regarding the right to have personal information
deleted, but the GDPR contains six grounds under which the limited right applies. Those six grounds
include: (1) the personal data is no longer necessary in relation to the purposes for which it was
collected; (2) the data subject withdraws consent; (3) the data subject objects to the processing; (4) the
personal data has been unlawfully processed; (5) the personal data has to be erased for legal
compliance; and (6) the personal data was collected without parental or guardian consent. 18 The GDPR
also offers, among other things, a right to rectification of inaccurate or incomplete personal data 19 and a
right to restrict processing, 20 which are absent from the CCPA. It is likely that future debates over what is
deemed “inaccurate” or “incomplete” will arise, especially if the ability to rectify would provide some
benefit to the public figure and their overall public perception.

In accordance with the GDPR, the Article 29 working party provided within their Guidelines on
Transparency21 that transparency requires that any information and communication relating to the
processing of personal data be easily accessible, be easy to understand, and use clear and plain
language. The requirement to inform the data subjects about the processing of their personal data,
which guarantees transparency of all processing, is all the more important since it affects the data
subjects’ exercise of their right of access22 and right to object to the processing of that data. 23 A best
practice is to present data subjects with transparent notice of whether their personal data will be
collected, and how it will be processed, at the point of collection. This can be in the form of a privacy
notice if consumer data is collected in an online context.
Notice obligations exist under both the CCPA and the GDPR, which can directly impact the drafting of
contracts for entertainment, media, and sports purposes. The GDPR and CCPA both create a broad
range of operational and technical requirements that must be followed to ensure proper compliance at
the time of collection, but both essentially boil down to clearly identifying the categories of personal
information and the types of processing that will be done with the personal information. 24 As a best
practice, the level of detail around the processing of personal data that should be included in contracts
that are entered into directly with public figures should be carefully considered and drafted in a manner
that supports the present and future intents of the parties involved.
There are some exceptions that appear to provide some level of support for common business
transactions within the entertainment, media, and sports industries. For example, the CCPA excludes
situations under which “[a] consumer uses or directs the business to intentionally disclose personal
information or uses the business to intentionally interact with a third party” from the scope of selling
personal information as such activity is defined under the statute. 25 However, such disclosures to or
interactions with third parties by a business must prohibit the third party from selling the personal
information beyond what might be within the scope of the business purpose. Therefore, it again
becomes important that contractual terms, such as a detailed business purpose, between parties are

Page 3 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

carefully drafted to incorporate any nuances that might be required under applicable laws and
regulations. Another consideration might be to include language that mirrors traditional intellectual
property obligations and further assurances that the rights owner will support the licensee with any
additional steps that might be necessary to secure the full scope of rights intended to be conveyed
under the agreement. Whether this approach, or a limited power of attorney appointment, would be
enforceable under privacy regulations remains to be seen.

Another example of an exception can be found under GDPR Article 85, titled “Processing and freedom of
expression and information.” Article 85 provides a so-called “journalism exception” for the processing of
personal data in furtherance of “the right to freedom of expression and information, including
processing for journalistic purposes.” Building upon privacy regulations before it, 26 GDPR Article 85
provides a broad exemption to support the needs of free speech within the context of data protection.
Article 85 covers more than just traditional journalism and specifically includes processing exemptions
for “the purposes of academic, artistic or literary expression.” Additionally, Article 85 allows individual
EEA member states to determine whether free speech protections extend beyond just those listed in the
GDPR, akin to the state-by-state approach to regulations in the U.S., so when dealing with data subjects
across the EEA, it is important to take each jurisdiction’s potential approach into consideration.

Privacy Rights of Celebrities in the EEA

Across the pond in the EEA, the European Convention on Human Rights (ECHR) has recognized privacy in
public for celebrities and the right to privacy under the Data Protection Act of 1998.

In fairly recent EEA case law, specifically, Murray v. Express Newspapers plc 27 and Weller v. Associated
Newspapers Ltd., 28 photographs of celebrities’ children were taken and thereafter published without
parental consent. In Murray, J.K. Rowling, a famous author, filed suit in U.K. court after a photograph of
her toddler son was taken when she and her husband took the toddler for a walk. Among other
contentions, J.K. Rowling claimed breach of confidence, privacy, and infringement of the Data Protection
Act of 1998 over the unauthorized publication of her toddler son’s photograph. While the case was
originally dismissed, upon appeal, the court found that “personal data which have been obtained,
recorded, held and disclosed covertly and without giving the data subject any opportunity to object to
any of those operations on the data, are not processed ‘fairly’ within the meaning of the first data
protection principle.” 29 The court further found that a photograph constitutes information as to the
physical or mental health or condition of the data subject, which amounts to “sensitive personal data”
within section 2(e) of the Data Protection Act of 1998.

In Weller, a similar case, Paul Weller filed suit in U.K. court when photographs of his three minor
children were published without his consent. Weller is a well-known singer and contended that the
publication of the images of his children amounted to misuse of private information and breach of the
Data Protection Act of 1998. The court found that the defendant was liable for misuse of private
information and breach of the Data Protection Act of 1998. There were contributing factors to support
the court’s finding, including that the parents had not consented to the taking or publishing of the
photographs, and the claimants were children and had been identified by name, thus exposing them to
special vulnerability.

Page 4 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

In Von Hannover v. Germany, 30 Princess Caroline von Hannover of Monaco brought suit in German
courts after several photographs of her and her family were published on several occasions without her
or her family’s consent. Hannover contended that the photographs infringed on her and her family’s
right to respect for their private life under ECHR Article 8. In 2004, the court held that there was a
violation of Article 8. The court came to its rationale after balancing the protection of private life against
freedom of expression and the possible contribution that the published photos and articles would make
to a debate of general interest. Ultimately, the court deemed that the photographs made no such
contribution, since the applicant exercises no official function and the photos and articles related
exclusively to details of her private life. In short, Hannover had a “legitimate expectation” of protection
of her private life.
With the passing of the GDPR, it is unclear whether celebrities will have additional vehicles for recourse
if their likeness is photographed and published without their consent.

Impact on Data Licensing Agreements

A data processing addendum or agreement (DPA) contains contractual obligations between two parties
relating to the processing of data. As with nearly all contracts, the approaches taken with entering into
DPAs can range widely. DPAs can be structured and presented as stand-alone agreements, side letters,
or amendments to existing agreements; incorporated as a set of clauses within an existing agreement
template; attached as an exhibit or attachment to an agreement template; or presented as a set of
unilaterally binding online terms. It is worth noting that the use of a “DPA” within this context should
not be confused with a possible reference to “data protection authorities,” the independent public
authorities that enforce data privacy regulations across Europe.

A DPA that is used for a relationship contemplating the sharing of personal data should typically cover
most, if not all, of the following points: (1) the nature and purpose of the processing activities; (2) a
description of the categories of data subjects and the categories of personal data; (3) the length of time
for processing of the personal data, and what happens when the contractual relationship between the
parties ends; (4) the technical and organizational measures to ensure processing of personal data in a
manner compliant with relevant laws and regulations, or the policy requirements established by a
particular business (including details such as de-identification, aggregation, and/or anonymization
procedures and requirements); (5) rules for data transfers, addressing any potential cross-border
transfers; and (6) the use of third-party contractors, referred to as “sub-processors” under the GDPR and
“service providers” under the CCPA. Additional information that will inform the legal analysis used to
draft the contract includes: (1) methods under which the data licensor has collected the personal data
being supplied; and (2) whether the personal data has come directly from the data subject or consumer,
publicly available resources (such as websites, social media platforms, or news outlets), or unaffiliated
third parties.

Within the context of the entertainment, media, and sports industries, data licensing agreements are
commonly used to govern the contractual relationship between two parties sharing data. For example, a
commercial music database may license artist biographical data to a music streaming platform so that
end users can read about the artist, or a sports betting website may license data about a particular
sports league to power its platform. Data licensing agreements can take the form of stand-alone

Page 5 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

agreements or follow a more technical, industry-specific structure, incorporating concepts such as an
application programming interface (API) license and restrictive or permissive data usage terms.

Following the implementation of data protection laws and regulations, many entertainment, media, and
sports data licensing agreements have been expanded to include DPAs in some fashion. Data licensing
agreements are now including provisions that govern a data subject’s right to be forgotten and
obligations to which the parties transacting with the data must comply. More specifically, it is not
uncommon to have a contract that includes an obligation to communicate such deletion requests from a
data subject to the other party to the contract. From a practical standpoint, this may require each party
to ensure an appropriate process and procedure for tracking and communicating such requests is
implemented and followed (or audited) on a regular basis. For businesses that operate as a service
provider to consumers, such as SaaS services or social media platforms, and utilize a privacy policy
designed to comply with the CCPA and GDPR, existing processes and procedures for data privacy
compliance programs might be an option for management of personal data requests relating to data
subjects governed by a data licensing agreement. This leads to the question of whether the data was
lawfully collected from the start.

When negotiating a data licensing agreement that will involve personal data, it is important to establish
and identify from the start the role of the parties. Under the GDPR, there are two potential
classifications: (1) one party can be a controller and the other a processor; 31 and (2) if two or more
parties can determine the purpose for processing, then it might be a joint controller relationship. 32 The
GDPR does not explicitly recognize an independent controller relationship, where each party
independently determines the purpose for processing, but there is a term previously identified under
the U.K. Data Protection Act of 1998 as “controllers in common.”33 Drafting the data licensing
agreement, and accompanying DPA, correctly is important to ensure each party understands their
obligations under privacy regulations, and to each other. Inappropriate use of personal data can subject
all parties to a risk of liability and fines, potentially even if the inappropriate use occurs downstream.

An important representation and warranty to include in data licensing contracts would be language that
the party supplying the personal data has adequately, or in a legally compliant manner, obtained
permissions not only to collect personal data but also to further distribute (either commercially or not)
the personal data without the need for additional permissions gathering. Analysis should explore
potential regulatory requirements for each lawful basis of, and consents necessary for, downstream
processing of the personal data. For example, a video game licensee receiving personal data subject to
privacy regulations does not want to be in a position where it is forced to individually contact and obtain
the consent of the data subjects, or potentially be left without recourse if it receives requests from data
subjects or inquiries from data authorities.
The mechanics involved with drafting and negotiating data licensing agreements that involve personal
data require close attention to the scope of privacy rights applicable to the data subjects involved to
ensure the contract adequately protects both parties and assigns obligations, liabilities, and risks as both
parties intend.

Page 6 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

Balancing First Amendment and Privacy
Rights
In addition to legislative efforts to expand individual privacy rights, courts’ interpretations of privacy
laws, and their intersection with other rights and interests, will likely continue to impact the
entertainment, media, and sports industries. In the past, the U.S. Supreme Court has examined issues of
competing concerns around an individual’s right to privacy and the First Amendment. 34 Is there a
legitimate public interest in knowing an actor’s age when they landed their first starring role or an
athlete’s body measurements throughout their career? How about the First Amendment right to publish
such information? In the future, answers to these questions may depend on targeted legislation
addressing such issues.

In 2016, California’s Assembly Bill (AB) 1687 sought to establish a right to have a person’s age removed
from public view on a commercial online entertainment employment service provider in an effort to
curb age discrimination, largely singling out and targeting the internet movie database IMDb.com, which
is owned by Amazon.com, Inc., and its premium subscription-based service for industry professionals,
known as IMDbPro. 35 When challenged by IMDb, the statute was found to be “clearly unconstitutional”
in the opinion by U.S. District Court Judge Vince Chhabria, 36 a decision upheld in June 2020 when the
state of California and SAG-AFTRA lost on appeal to the Ninth Circuit Court of Appeals. 37
The IMDb challenge of AB 1687 centered on two key elements: (1) the parties involved having entered
into a contractual agreement governing the collection of personal data, by way of the IMDbPro
subscription agreement; and (2) collection of personal data through public submissions outside of a
premium membership subscription. Circuit Judge Bridget S. Bade referenced the U.S. Supreme Court’s
decision in Cohen v. Cowles Media Co. when writing the opinion: “Private parties may freely bargain with
each other to restrict their own speech, and those agreements may be enforced, without implicating the
First Amendment.”38 Since IMDb’s website content is supported from both public crowdsourcing as well
as the contributions of subscribers to its IMDbPro service, the appeals court found the statute reached
beyond the scope of just a voluntary contractual agreement between IMDb and the subscribers to the
IMDbPro offering and attempted to curb publication of information obtained from a source
unconnected to such commercial contractual obligations, thereby implicating a speech restriction and
reduction in First Amendment protection. 39

First Amendment challenges to privacy regulations have started appearing across the country as
individual states begin rolling out new privacy regulations for their jurisdictions. 40 It remains to be seen
how such regulations will hold up when facing First Amendment challenges.

Preparing for the Future

The future impact of data privacy regulations on the entertainment, media, and sports industries
remains to be seen as jurisdictions around the globe, including the U.S., continue to finalize and
implement data privacy protections. Existing grounds for data privacy claims can provide little to no bar
before the receiving party is legally required to take action, ultimately replacing traditional libel or other

Page 7 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

defamatory claims that often require a plaintiff to meet certain thresholds of proof before
enforcement. 41 Additionally, privacy rights might become a powerful tool to control third parties at the
discretion of the rights holder, similar to a copyright takedown request under the Digital Millennium
Copyright Act.

A public figure may need to be prepared for managing the public’s perception, and that of their peers
and future employers in their industry, when attempting to utilize their privacy rights to skirt contract
obligations or industry norms. Using legal rights in a way that could prevent access to entertainment,
media, or sports content could negatively impact the public’s expectations for being able to consume
such content. Rights and legal control issues exist across industries, such as music industry attempts to
window content 42 or sprawling cinematic comic book universes that utilize well-known characters
subject to numerous intellectual property and contractual protections. 43 With privacy rights, the
backlash could be directed toward an individual, as opposed to a large corporation or industry practice.
Romania, a member of the European Union, came under fire for the actions of its data protection
authority in weaponizing the GDPR against journalists publishing information, which included personal
information, implicating a Romanian politician in a fraud scheme. 44 The case is still ongoing, despite
drawing sharp criticism from European parliamentarians.

The mechanics of obtaining consents under the GDPR, the CCPA, and other applicable privacy laws
should be closely examined by businesses seeking to collect or otherwise generate, capture, or use
personal data of public figures. In commercial settings, it will be critical to ensure adequate measures
are in place, such as by way of a written contract or similarly explicit and informed consent from the
data subject discussed above. Establishment of such efforts will aid in the future planned processing of
personal data collected so the data might be used, distributed, licensed, or otherwise exploited without
having to gather additional consents, which would likely lead to additional negotiations between the
parties. It will also be important to stay updated on developments in privacy legislation and laws around
the world and, to the extent possible, work with industry trade groups to ensure adequate measures are
included to address industry concerns on the impact of future legislation efforts.
Privacy legislation trends point toward explicitly establishing the right to privacy over personal data as a
subset of fundamental privacy rights, 45 meaning that it is difficult, arguably impossible, to obtain a
bulletproof waiver of such rights or a broadly sweeping consent that adequately covers all uses of a
public figure’s personal data. Attempts to obtain contractual waivers or limitations are considered void
under the CCPA, 46 while strict guidelines for gathering consent under the GDPR must be followed and
narrowly tailored for the purpose of the anticipated processing. 47 Ultimately, if data privacy regulations
contain language restricting an individual’s ability to waive their rights, then it leaves very little room for
contractual relationships seeking to operate outside the bounds of such regulation.
Future legislation should also avoid narrow attempts at creating legal protection targeting specific
content publishers or restricting a specific type of speech, such as with AB 1687 and the outcome of
creating a new category of speech that receives reduced protection under the First Amendment.
Building upon such developments, it remains to be seen whether courts interpreting, or agencies
enforcing, privacy regulations will take into account the nature of the disclosure (such as a public figure,
or their authorized agent, releasing personal information for the advancement of their career interests).
Public interest arguments can be made in defense of or against such disclosures being treated as
irrevocable.

Page 8 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

Privacy regulations also do not currently account for different rights based upon the conditions under
which personal data collection has occurred. For example, the personal data collected by a website
operator from its visitors is largely treated the same as personal data collected by a video game
developer from a public figure paid for their involvement in the game development. Absent future
legislation that includes, or retroactively creates, carve-outs for such industry-specific commercial
agreements, it leaves ambiguity as to the enforceability, and true underlying value, of deals involving the
personal data of public figures. We may just end up in a future where we are unable to know the true
age of the person depicting a teenager on a network television show.

About the Authors

Franklin Graves is technology counsel at HCA Healthcare, Inc., in Nashville, Tennessee. He has extensive
experience in technology, media, and privacy laws.

Germaine Gabriel is corporate counsel - privacy at ServiceNow in Santa Clara, California. She has
experience in technology, intellectual property, product, and privacy law. Prior to entering Silicon Valley,
Germaine was a presidential appointee under President Barack Obama.

©2020. First published in Landslide, Vol. 13, No. 2, November/December 2020, by the American Bar
Association. Reproduced for SSRN distribution with permission. All rights reserved.

1
Jefferson Graham, Why You’re Receiving All Those Privacy Update Emails, USA Today (Dec. 28,
2019), https://www.usatoday.com/story/tech/2019/12/28/have-you-taken-look-what-conde-nast-yelp-hulu-and-
others-grab/2750460001.
2 Neil Vigdor, Somebody’s Watching: Hackers Breach Ring Home Security Cameras, N.Y. Times (Dec. 15,

2019), https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html.
3 Antonio García Martínez, No, Data Is Not the New Oil, Wired (Feb. 26, 2019), https://www.wired.com/story/no-

data-is-not-the-new-oil.
4 Data Never Sleeps 7.0, DOMO (2019), https://www.domo.com/learn/data-never-sleeps-7.
5
Martínez, supra note 3.
6 Marie Baca, What You Do on the Internet Is Worth a Lot. Exactly How Much, Nobody Knows, Wash. Post (Oct. 14,

2019), https://www.washingtonpost.com/technology/2019/10/14/what-you-do-internet-is-worth-lot-exactly-
how-much-nobody-knows.
7
Commission Regulation 2016/679, 2016 O.J. (L 119) 1 [hereinafter GDPR].
8 Cal. Civ. Code §§ 1798.100–.199. It should be noted that, as of this article’s publication, the California Privacy

Rights and Enforcement Act (CPRA) is scheduled to appear on the November 2020 ballot, with an anticipated
effective date of January 1, 2023.
9 GDPR, supra note 7, art. 3.
10 Cal. Civ. Code § 1798.140(c).
11
See Eric Newcomer, California Will Be Key Battleground in Tech Privacy Fight in 2020, Bloomberg (Jan. 2,
2020), https://www.bloomberg.com/news/articles/2020-01-02/privacy-fight-continues-in-california-dc-and-
beyond.
12 IMDb California Consumer Privacy Act

Disclosures, IMDb, https://help.imdb.com/article/issues/G73WRBWXE25UUTHP (last visited Oct. 28, 2020).

13 Cal. Civ. Code § 1798.140(o)(2).
14 GDPR, supra note 7, art. 86.

Page 9 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484

15 Id. art. 14(2)(f).
16 Id. art. 21(2).
17
Id. art. 7(3).
18
Id. art. 17(1).
19
Id. art. 16.
20
Id. art. 18.
21
Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) (2018).
22 GDPR, supra note 7, art. 12.
23
Id. art. 14.
24
Id. arts. 13–15; Cal. Civ. Code § 1798.130(a)(5).
25
Cal. Civ. Code § 1798.140(t)(2)(A).
26
See, e.g., Council Directive 95/46/EC, art. 9, 1995 O.J. (L 281) 31 (“Processing of personal data and freedom of
expression”).
27 [2008] EWCA (Civ) 446, [2009] Ch 481 (Eng.).
28 [2014] EWHC 1163 (QB) (Eng.).
29
Murray, [2009] Ch at 488.
30 [2004] ECHR 294.
31 GDPR, supra note 7, ch. IV.
32
Id. art. 26.
33
See also Serkan Kurt, Guide for Multi-Controller Situations under the GDPR, IAPP (Nov. 6,
2017), https://iapp.org/media/pdf/resource_center/guide-multi-controller.pdf.
34
See, e.g., Fla. Star v. B.J.F., 491 U.S. 524 (1989).
35
IMDb.com Inc. v. Becerra, 962 F.3d 1111 (9th Cir. 2020); see also Eriq Gardner, IMDb Wins Lawsuit over Actress
Age Revelation, Hollywood Rep. (Apr. 11, 2013), https://www.hollywoodreporter.com/thr-esq/imdb-wins-lawsuit-
actress-age-437828 (reporting on 2013 jury verdict in favor of IMDb following actress Huong Hoang’s lawsuit
bringing claims for, among other things, privacy violation for IMDb’s inclusion of Hoang’s age on her public profile).
36
IMDb.com, Inc. v. Becerra, No. 16-cv-06535-VC (N.D. Cal. Feb. 20, 2018).
37
IMDb.com, 962 F.3d 1111.
38
Id. at 1120 (citing Cohen v. Cowles Media Co., 501 U.S. 663, 671 (1991)). Judge Bade acknowledges there are
times such a principle is limited.
39
Id.
40
See Edward D. Murphy, Federal Judge Rejects Much of Legal Challenge to Maine Internet Privacy Law, Portland
Press Herald (July 7, 2020), https://www.pressherald.com/2020/07/07/federal-judge-rejects-much-of-legal-
challenge-to-maine-internet-privacy-law.
41
Nani Jansen Reventlow, Can the GDPR and Freedom of Expression Coexist?, 114 AJIL Unbound 31
(2020), https://www.cambridge.org/core/services/aop-cambridge-
core/content/view/C8C5B4F0BFF87B9CAD78ED4BDDF27BBC/S2398772319000771a.pdf/can_the_gdpr_and_freed
om_of_expression_coexist.pdf.
42 Mark Mulligan, The Problem with Streaming Exclusives, Music Industry Blog (Apr. 30,

2015), https://musicindustryblog.wordpress.com/2015/04/30/the-problem-with-streaming-exclusives.
43
Alex Abad-Santos, Marvel and Sony Have Cut a Deal to Keep Spider-Man in the MCU, Vox (Sept. 27,
2019), https://www.vox.com/2019/9/27/20835417/spider-man-marvel-sony-deal-mcu.
44 Bernhard Warner, Online-Privacy Laws Come with a Downside, Atlantic (June 3,

2019), https://www.theatlantic.com/ideas/archive/2019/06/europes-gdpr-elevated-privacy-over-press-
freedom/590845.
45 See GDPR, supra note 7, art. 1(2); Cal. Civ. Code § 1798.1.
46 Cal. Civ. Code § 1798.192.
47 GDPR, supra note 7, art. 7.

Page 10 of 10

Electronic copy available at: https://ssrn.com/abstract=3744484