Interrupting Regularly Scheduled Programming: Privacy Regulations and the Emerging T/V Ecosystem

Something squeamish this way comes. It is the American consumer now awakening to the real impact and results of all those permissions granted in exchange for “free” or low-cost digital services from the likes of FAANG companies (Facebook, Amazon, Apple, Netflix and Google) as well as digital retailers, content publishers and others who monetize consumer data through marketing revenue. According to an IBM 2019 survey (reported by Fortune and Axios), 81% percent of consumers say they’ve become more concerned about how companies use their data, while 87% think companies should be more heavily regulated on personal data management.

Many global companies have already adapted to the European Union’s GDPR (General Data Protection Regulation(s)) and now must add functions to comply with California’s CCPA (California Consumer Privacy Act) laws that go into effect January 1, 2020, and are enforceable July 1, 2020. Companies operating primarily in the US must now put into place the operations and functions for CCPA and prepare for future state or federal regulations. CCPA focuses on companies doing business in California, which is the world’s fifth largest economy.

Fortune and source Pillsbury Law have outlined requirements for which large-sized companies will need to build response mechanisms in order to comply with California’s CCPA laws. Consumers must be provided:

  • The right to request disclosure of detailed data usage policies and partners
  • The right to request a copy of the previous 12 months information collected on a specific user
  • The right to have such information deleted (with some exceptions)
  • The right to request that their personal information not be sold to third parties
  • The right to not be discriminated against for exercising any of the new rights

How does CCPA Regulation Differ From GDPR?

According to Pillsbury Law, GDPR compliance is not CCPA compliance. CCPA goes beyond GDPR by adding consumer request responsibilities, a broader definition of data “sales” and more definitions of what the consumer must be able to opt out of.

What Makes T/V (Television/Video) Data Privacy Different From Other Digital Media?

T/V is in a period of rapid expansion for digitally delivered offerings from major new video streaming services. 28 such branded services will be out by this time next year.

If there are seven touchpoints where data is shared in the digital distribution chain:

  1. carriers/device manufacturers,
  2. digital content/service providers,
  3. intermediary selling platforms (SSPs),
  4. intermediary exchange platforms,
  5. intermediary buying platforms (DSPs),
  6. Data Management Platforms (DMPs)/Customer Data Platforms (CDPs) and
  7. advertisers/agencies—then each of these must be responsible for their own CCPA compliance and for the compliance of others in their chain.

Ad-supported T/V ‘s future relies on an emerging addressable advertising technology, ACR, that will dramatically change T/V advertising delivery, measurement and monetization.

Automated Content Recognition (ACR) allows both subscription providers (like Netflix, Disney+) and ad-supported T/V providers (like Hulu, YouTube) to capture viewing data on screen for smart TV owners, all of whom opt-in to have this and personal identification data shared when they set up their set’s internet access.

This opt-in often is accepted thinking it is permission for the TV manufacturer to use the data, but second-by-second ACR-captured viewing data matched to that device user will also be used by content providers who can sell the addressability to advertisers for a premium price. This demographic, behavioral and geographic “big data” is all gathered on Smart TVs, projected to exist in 75% of all TV homes by 2022 in addition to existing mobile and laptop/desktop usage already capturing that consumer’s behavioral and device-ID data.

How Will Operations Be Affected?

The new CCPA consumer privacy rights require investment—in human resources and technologies to set up and manage compliance functionalities, in new procedures and training and in doing a complete data management audit around what data exists, where data segments reside, which third-party companies touch consumer data, and how it can all be organized around a single consumer identity for opt-out.

EMarketer put out a checklist for companies to review in order to comply with CCPA, and operations will be especially involved especially in these questions:

  • Do you have the tools, people and processes in place to comply with both front-end (e.g., privacy policy, consent management) and back-end requirements (e.g., data hygiene, privacy by design, right to delete data or right to be forgotten)?
  • Have you conducted a data audit to determine where all personal information is stored and how it is moved between internal databases?
  • Have you vetted each partner to ensure they abide by required compliance and consent standards in each of the regions or countries in which you are operating?

One More Thing to Keep an Eye On

For US companies there is speculation that with CCPA going into effect in 2020, it may be better for a federal privacy law to be passed in order to avoid the prospect of having 50 slightly different State laws to adhere to. Microsoft has already announced it will embrace the CCPA guidelines for all US consumers. So, staying on top of any moves by the FTC toward that prospect will be very important going forward. A recent Ars Technica headline stated: “FTC head asks Congress for real privacy laws he can enforce.”