Adtech Litigation Risk: How the EDO vs. iSpot Verdict Changes Due Diligence for Media Buyers

Adtech litigation risk just went up — what media buyers must do now

Media buyers and agency procurement teams already juggle messy attribution, fragmented measurement and privacy rules. The EDO vs. iSpot verdict — a jury award of $18.3 million for contract breach — turns a back-office compliance problem into a material commercial risk. This ruling is a wake-up call: vendor conduct, data access and contractual precision now directly affect campaign P&Ls and balance-sheet exposure.

Key takeaway: EDO verdict redefines vendor-risk calculus for adtech

On January 2026, a federal jury in the Central District of California found measurement firm EDO liable for breaching its agreement with rival iSpot, awarding iSpot $18.3 million in damages. According to iSpot’s amended complaint, EDO had accessed iSpot’s TV ad-airings measurement platform under a limited license for box-office analytics but then scraped proprietary data and used it beyond the licensed scope.

“We are in the business of truth, transparency, and trust. Rather than innovate on their own, EDO violated all those principles, and gave us no choice but to hold them accountable.” — iSpot spokesperson

The verdict matters for media buyers because it shows that disputes over how vendors access, use and repurpose measurement data can lead to seven-figure awards — and a cascade of operational and reputational consequences for advertisers who rely on that adtech. In 2026, with intensified scrutiny on CTV measurement, cross-device identity and data scraping, buyer due diligence must incorporate legal and forensics-oriented checks previously relegated to legal teams.

Why this case matters to media buyers and agencies

At minimum, the EDO verdict makes three things clear:

• Data access equals legal exposure. Third-party access to measurement dashboards and APIs can create liabilities if a vendor exceeds licensed uses.
• Contract language will be tested in court. Ambiguous use-rights, inadequate audit clauses and loose indemnities can translate into real damages awards.
• Downstream reliance compounds risk. Buyers who base buys on compromised measurement may face disputes about campaign outcomes, indemnity triggers and insurance recoveries.

2025–2026 trends that increase litigation risk

Recent market developments make this verdict more than an isolated headline. Consider the context:

• CTV and connected measurement have become primary battlegrounds for ad attribution — measurement vendors hold high-value, proprietary airings and viewing data.
• Privacy regulation updates (state-level U.S. laws, CPRA evolution and stricter EU data rules) emphasize purpose limitation and data-use consent — violations create both regulatory and contractual exposure.
• Data-scraping litigation and enforcement rose in late 2024–2025, with courts and regulators increasingly finding that unauthorized scraping and reuse can violate terms of service and trade-secret protections.
• Adtech consolidation and speeded M&A (2024–2025) meant many integrations relied on legacy access tokens and cross-licensing agreements that are often loosely documented.

Updated red flags to add to vendor selection and RFPs

Integrate these red flags into your RFPs, vendor scorecards and procurement checklists. Each item maps to legal, operational or reputational risk triggered by the EDO decision.

Contractual and legal red flags

• Vague data use language — Any clause that grants broad “access” or “use” without clear, enumerated purposes is risky. Require specific permitted uses and explicit prohibitions.
• No clear IP ownership/derivatives clause — If your vendor can create derivative datasets or models from your data, demand clarity on who owns derivatives and commercialization rights.
• Weak audit and access log rights — Contracts should grant buyers/advertisers (or their auditors) practical rights to inspect access logs, API calls and job histories on a defined cadence.
• Limited or unilateral indemnities — Watch for indemnity caps, carve-outs for negligence and indemnities that exclude breaches of usage limits or scraping.
• Absence of breach-notification timing — Fast notification is essential for containment and regulatory reporting. Set specific timelines aligned to applicable privacy laws.
• No explicit prohibition on scraping or repurposing — Include explicit contractual prohibitions on scraping, copying, rehosting or repurposing data without consent.

Operational and technical red flags

• Opaque data provenance — Vendors must document source, refresh cadence and sampling methods for measurement signals.
• No access-segmentation or role-based controls — Fine-grained access control over dashboards and APIs reduces the chance of misuse by internal teams or contractors.
• Lack of tamper-evident logs — If logs can be altered without detection, you lose reliable forensics in a dispute.
• No independent attestation — SOC 2 Type II, ISO 27001, or PCAOB-style attestations for measurement integrity should be table stakes for high-sensitivity vendors.

Practical, actionable due-diligence steps

Below are concrete steps media buyers and agencies should adopt immediately. Implementing these will reduce legal exposure and improve evidence collection if disputes arise.

Pre-engagement: RFP and contract stage

1. Insert narrow permitted-use clauses — Define exactly which product features and datasets the vendor can use and for what purposes (e.g., “box-office analytics for Film Titles X only”).
2. Require access logs and API telemetry — Contractually require exportable logs (JSON/CSV) covering access timestamps, user IDs, IPs, API endpoints and query payloads for at least 24 months.
3. Ask for independent attestations — Require recent SOC 2 Type II or ISO 27001 reports and a vendor attestation on data-use compliance signed by senior leadership.
4. Include strong audit rights — Specify who can audit (buyer, third-party forensic expert), frequency, scope and a defined courier for sensitive artifacts. Carve out a budget or escrow for third-party audits.
5. Negotiate indemnities tailored to misuse — Include indemnity triggers for unauthorized data use, scraping and IP infringement with a minimum uncapped layer for willful breach.
6. Mandate breach notification timelines — E.g., notify within 48–72 hours of discovery of unauthorized access or suspected scraping.
7. Require exit assistance and data escrow — On termination, vendor must preserve and transfer logs and provide cooperative forensic data for a defined period.

Post-engagement: operational audits and monitoring

1. Run initial forensic baseline — When onboarding, require a baseline export of historical access logs, dataset snapshots and configuration to detect later divergence.
2. Implement continuous telemetry scraping — Use a monitoring tool to ingest vendor API telemetry and compare usage patterns to the contract’s permitted-use profile.
3. Annual or trigger-based third-party audits — Commission independent forensic audits when you detect anomalous queries, sudden spike in exports or vendor M&A activity.
4. Document decisions tied to vendor outputs — Keep audit trails showing how vendor data influenced media buys, creative changes and billing. This helps in indemnity and recovery negotiations.
5. Align insurance and contract limits — Ensure your E&O and cyber policies cover vendor-driven measurement errors; if not, require vendor-side coverage and named-insured status where possible.

Sample redlines and clause language (practical templates)

Below are short, plain-English examples you can adapt. Have counsel localize them for your jurisdiction and regulatory needs.

Permitted use clause (short)

“Vendor shall use Client Data solely for the purposes described in Exhibit A (Permitted Uses). Any use, transfer, resale, model training, derivation, or repurposing of Client Data not expressly set forth in Exhibit A is prohibited and constitutes a material breach.”

Access logs and audit clause

“Vendor shall maintain tamper-evident logs of all access to Client Data and all API calls. Vendor shall provide exportable logs within 72 hours upon Client request and shall retain logs for at least 24 months. Client, or a third-party auditor designated by Client, shall have the right, once per calendar year or upon reasonable suspicion, to perform an on-site or remote audit of Vendor’s access controls and logs.”

Indemnity for misuse

“Vendor shall indemnify, defend and hold harmless Client from and against any losses arising from Vendor’s (i) unauthorized access to, use of, scraping of, or disclosure of Client Data; (ii) breach of the Permitted Uses; or (iii) willful misconduct. Vendor’s obligation to indemnify shall not be subject to any cap where the claim arises from willful or grossly negligent acts.”

How to operationalize red flags into procurement workflows

Procurement teams should integrate legal and forensic checks into standard vendor onboarding. Suggested workflow changes:

• Pre-RFP legal checklist: Legal and security sign-offs required for any vendor touching measurement or third-party airings data.
• Scoring model update: Add weighted criteria for “data-use governance,” “auditability” and “forensics readiness” in vendor evaluation matrices.
• Escalation triggers: Define thresholds (e.g., unexplained daily export > X GB, >Y API calls per hour) that automatically trigger a forensic review.
• Contract lifecycle: Require renewal-stage re-attestation of controls and a fresh SOC 2 report if more than 12 months have elapsed.

Insurance, indemnity and remedies — rethinking financial protections

The $18.3M award underscores that indemnity language and insurance coverage need alignment. Practical steps:

• Require vendor E&O and cyber insurance — Minimum limits should reflect the scale of ad budgets and potential reputational harm. Consider requiring named-insured status for large accounts.
• Keep uncapped carve-outs for willful misconduct — Where possible, push for no cap on damages if misuse is intentional.
• Specify equitable remedies — Include injunctive relief for unauthorized use and a contractual right to suspend vendor access without terminating the contract in ongoing investigations.

What to do if you find misuse or suspect scraping

1. Preserve evidence immediately — Export logs, snapshots and metadata; document who accessed what and when.
2. Engage a forensic specialist — Use an independent provider experienced in adtech telemetry and API forensics.
3. Follow contractual notice clauses — Provide required notices and invoke audit and mitigation rights as specified in the contract.
4. Alert insurance carriers early — Early notice preserves coverage; document communications with the vendor for claims support.

Longer-term strategic shifts: product and procurement choices

Beyond contractual hygiene, buyers should consider strategic shifts that reduce vendor-driven legal exposure:

• Prefer privacy-preserving measurement — Clean rooms, aggregated on-device measurement and federated learning reduce raw-data transfers and the attack surface for scraping.
• Insist on measurement provenance — Vendors should document lineage and show tests that validate that datasets weren’t derived from unauthorized sources.
• Favor vendors with transparent APIs — Well-documented API rate limits, scopes and access controls reduce ambiguity about permitted behavior.
• Build multi-vendor redundancy — Reduces dependency on a single supplier and provides cross-checking to detect anomalous outputs or manipulation.

Case-study style example: a hypothetical media buyer scenario

Imagine a mid-sized advertiser using Vendor A for CTV measurement. Vendor A ingests airings data from multiple sources and promises “industry-leading granularity.” During onboarding, the buyer neglected to require exportable access logs. Six months later, an anomalous uplift in attributed conversions appears. Investigation shows Vendor A queried a competitor’s dashboard via shared credentials and combined that data into a proprietary dataset sold to the buyer.

Without logs or explicit contractual limits, the buyer faces limited remedies, contested invoices and potential regulatory notice obligations. Contrast that with a buyer who required logs, periodic audits and a narrow permitted-use clause: they would have immediate evidence to invoke indemnity, suspend the vendor and preserve insurance claims.

Final thoughts: vigilance, not panic

The EDO vs. iSpot verdict does not mean every vendor relationship will become litigious. But it does shift the equilibrium — ambiguous contracts and opaque access controls are now tangible risks that can translate into millions of dollars in damages and severe operational disruption.

Media buyers should treat vendor selection as jointly legal, technical and procurement discipline. Start by updating RFP templates, inserting the red flags and clauses above, and operationalizing new audit and monitoring workflows. These are not one-off changes; they should be part of ongoing vendor governance that evolves with adtech developments in 2026 and beyond.

Actionable checklist: immediate next steps for media buyers

• Audit active measurement vendors for explicit permitted-use language and access-log availability.
• Insert or amend audit and export-log clauses in all renewal contracts this quarter.
• Require independent attestations (SOC 2 Type II or equivalent) if not already on file.
• Set up automated telemetry monitoring for vendor API usage anomalies.
• Update procurement scorecards to weigh legal/forensic controls heavily.
• Confirm vendor insurance coverage and negotiate named-insured status for material providers.

Need help implementing these changes?

If you manage media procurement or run campaigns that rely on third-party measurement, now is the time to act. Our team at investments.news can help you translate these red flags into RFP language, vendor scorecards and technical audit scopes tailored to ad budgets and risk tolerance.

Contact us to get a vendor-risk checklist and a contract redline starter pack tailored for 2026 adtech litigation risks.

Call to action

Stay ahead of adtech litigation risk: subscribe to our market-legal brief for monthly updates on regulatory changes, court decisions and procurement best practices affecting media buyers and agencies. Sign up today to receive the vendor-risk checklist and contract templates referenced in this article.

Related Reading

• Which Label Printers Scale as You Replace Headcount with AI Nearshore Teams?
• Live Like a Local in Whitefish: Where to Eat, Stay and Hang After the Slopes
• How VectorCAST + RocqStat Changes Automotive Dev Workflows: A Case Study
• Plan a 2026 Dubai Trip: Combine Points, Phone Plans and Hotel Deals for Maximum Savings
• How to Graft Citrus: A Beginner’s Guide to Creating Climate-Resilient Groves