Introduction
On February 6, 2017, the Federal Trade Commission (“FTC”) announced a settlement with VIZIO, Inc. (“Vizio”) relating to Vizio’s alleged collection of consumer viewing history data via its Smart TVs. Specifically, under the terms of the settlement, as set out in the Stipulated Order for Permanent Injunction and Monetary Judgment (the “Order”), Vizio has agreed to pay $2.2 million to settle charges that it installed software on its Smart TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent. In addition, Vizio must prominently disclose and obtain affirmative express consent for its data collection and sharing practices (i.e., users must opt in to the data collection), delete data collected before March 1, 2016, and implement a comprehensive data privacy program and biennial assessments of that program.
This action by the FTC (in conjunction with the Office of the New Jersey Attorney General) serves as another marker in the ongoing debate over the regulation of data collection by Smart TVs and other connected video devices. The data collection practices of Smart TV manufacturers have been on the FTC’s radar for some time and the FTC held a workshop on Smart TV privacy practices in December 2016. Moreover, these practices have been the subject of ongoing class actions brought under the Video Privacy Protection Act (“VPPA”).1 This is the first example of the FTC using its FTC Act Section 5 authority to police these practices, and may have implications for VPPA litigation and other litigation regarding the treatment of viewer history.
More immediately, however, the Concurring Statement of Acting Chairman Maureen K. Ohlhausen highlights two key issues that have framed the debate thus far and potentially provides more insight than the actual order regarding how the FTC will approach these questions over the coming years. On the question of consumer expectations regarding the collection of viewing data, Acting Chairman Ohlhausen concludes that “[e]vidence shows that consumers do not expect televisions to collect and share information about what they watch.” Vizio’s disclosures did not go far enough to help consumers understand that data about what they watch was, in fact, being collected and shared.
However, Acting Chairman Ohlhausen is more skeptical on the question of whether consumer viewing data should be considered “sensitive information.” The FTC has previously explained that companies should obtain opt-in consent from consumers – and not infer consent or use opt-out consent – before collecting and sharing such information. She argues that, before the FTC makes such a designation, it should have a better understanding of whether the practices at issue cause “substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” This suggests that the FTC in the future may apply a higher bar for activity that violates Section 5 – and triggers opt-in consent – than that applied in this case.
Background on Vizio’s Data Collection Practices
The Complaint focuses on two issues: how the data was collected and used by Vizio, and how Vizio notified and solicited consumer consent for the data collection.
First, the Complaint alleges that Vizio collected and shared consumers’ viewing history “through a medium that consumers would not expect to be used for tracking” without consumers’ consent. The Complaint explained that, beginning in February 2014, Vizio (1) manufactured TVs with its proprietary automated content recognition (“ACR”) software installed and turned on by default, and (2) remotely installed ACR software on previously-sold TVs. This software allegedly allows Vizio’s TVs to collect information about what a consumer is watching, regardless of source, on a second-by-second basis by matching a selection of pixels on the screen with a publicly available database of content. The Complaint refers to this viewing information as “sensitive data” without further explanation.
Additionally, the Complaint notes that ACR software periodically collects other information about the specific TV, including IP address, MAC address, WiFi signal strength and nearby access points, among other data. Importantly, the Complaint refers to this information as “information about the television.” As Vizio highlights in its public statement, the ACR software “never paired viewing data with personally identifiable information [(“PII”)] such as name or contact information.”
The Complaint does note that Vizio provided IP addresses to a data aggregator to identify particular consumers or households to facilitate the provision of demographic information, but not PII such as the household’s name, to third parties.
According to the Complaint, Vizio licenses the “highly-specific” data it collects to third parties for three main purposes: (1) audience measurement (how long was content viewed, when was it viewed, and on what channel was it viewed); (2) analysis of advertising effectiveness (using viewing data and corresponding IP addresses to analyze a household’s behavior across devices and aggregate the resulting data to evaluate advertising campaigns’ effectiveness); and (3) targeted advertising.
Second, the Complaint alleges that Vizio failed to adequately disclose that its “Smart Interactivity” feature collected and shared consumers’ viewing activity. The Complaint says that customers who purchased TVs with ACR preinstalled and enabled by default received no onscreen notice of the collection of viewing data, and customers whose TVs were updated to install ACR only received an initial pop-up notification (which timed out after one minute) that the privacy policy had changed and “Smart Interactivity” had been enabled. Information provided in the manual and the menu about the “Smart Interactivity” setting noted only that it enables program offers and suggestions – which the Complaint alleges Vizio no longer provided – and did not mention the collection and licensing of viewing data. The Complaint thus concluded that “[c]onsumers have no reason to expect that [Vizio] engaged in second-by-second tracking of consumer viewing data” and provided that data to third parties.
In resolving the dispute, the Order stipulates that Vizio will pay $2.2 million in relief, with $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs (of which $300,000 is suspended for five years). Additionally, the Order requires Vizio to prominently and accurately disclose the extent and purposes of – and obtain affirmative express consent for – its data collection and sharing practices, delete data collected before March 1, 2016, implement a comprehensive data privacy program, and undergo biennial independent assessments of that program for twenty years.
The Legal and Policy Landscape for Smart TVs
Smart TVs’ data collection practices have been the focus of both regulatory and judicial scrutiny for some time. In December 2016, the FTC held a workshop to explore both data collection technology and practices of Smart TV manufacturers, consumer expectations regarding the collection of that information, and the FTC’s role in regulating the industry. Along those same lines, a number of class actions are currently being litigated in which plaintiffs have alleged that Smart TV manufacturers like Vizio have violated the VPPA.
The two issues at the heart of Acting Chairman Ohlhausen’s Concurring Statement have been front and center of this debate: do consumers expect this kind of information to be collected, and is this data “sensitive information.” The issue of consumer expectations was a significant topic of discussion at the FTC’s December 2016 workshop. Jessica Rich, then-Director of the FTC’s Bureau of Consumer Protection, noted in her Opening Remarks that differing consumer expectations on data collection in the computer and television industries stem from their respective evolutions: unlike the simultaneous evolution of Internet use and online data collection, “the television industry did not evolve with data collection as a critical component”; thus, consumer expectations in the context of Smart TVs depend on “whether consumers think of their Smart TV as a computer or a television, and whether they recognize that today, it may be both.” Acting Chairman Ohlhausen noted in her statement that the evidence shows consumers do not expect this kind of tracking, suggesting that the FTC is unified in that view.
The question of whether television viewing activity constitutes “sensitive information,” however, remains undecided. In December, Rich argued that, as consumers have more choices in the manner and content they watch, the more sensitive information about those choices becomes, “as it could provide insight into consumers’ religious beliefs, political views, and other potentially sensitive topics.” Rich and others – including Acting Chairman Ohlhausen – have noted that Congress passed two laws, the VPPA and the Cable Privacy Act, that recognize and protect consumer viewing habits in certain contexts. However, Acting Chairman Ohlhausen pointed out in her Concurring Statement that the Vizio Complaint’s labeling of individualized television viewing activity as “sensitive” was perfunctory. Her critique did not conclude that such information is not sensitive, instead arguing that the FTC “must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers,” and that the facts presented by this case “demonstrate[] the need for the FTC to examine more rigorously what constitutes ‘substantial injury’” in this context. She pledged to launch an effort to do so in the coming weeks. We will monitor those efforts.
While the FTC relies solely on its Section 5 FTC Act authority, it seems likely that this decision will find its way into ongoing litigation over whether these devices and data collection practices violate the VPPA. Those cases have been dominated by questions regarding the applicability of the statute, the scope of its protections, and the requirements of the statute. We would expect that this decision will be used by plaintiffs in those cases to argue that the courts should construe the VPPA and other statutes in a way that comports with the FTC’s conclusions regarding consumer expectations and the sensitivity of the information at issue. We will continue to monitor that litigation.
For companies that collect viewing history data using ACR or other technologies, the Vizio case suggests that such companies should consider a variety of questions regarding their existing practices for customer disclosures and consent. For example, does your product present clear and accurate disclosures to customers regarding your collection practices? Is it sufficiently clear to users what is done with data collected? Are your customers readily able to determine whether and how to provide consent (if consent is necessary)? Even if Acting Chairman Ohlhausen’s statement suggests that the FTC may not be as active in this area as it has been, addressing these questions will continue to be important. Willkie’s Cybersecurity & Privacy and Communications & Media teams can help review your processes and disclosures to put you in the best position to defend against litigation and regulatory investigations.
Click here to download this article.
1 See, e.g., In re Vizio, Inc., Consumer Privacy Litigation, MDL-2693 (C.D. Cal.).