On February 6, 2017, the Federal Trade Commission announced that it had settled charges against VIZIO, Inc., a consumer electronics manufacturer of Internet-connected televisions. The FTC alleged that VIZIO unfairly tracked sensitive TV viewing data of millions of American consumers, and deceptively failed to disclose how the collected data was being used. This action was announced just a month after the FTC filed a complaint against the maker of various IoT devices, such as networked routers and IP cameras, which the FTC alleges suffer from security vulnerabilities that threaten consumer privacy.
This marks the first time consumer television viewing data has been brought within the FTC's definition of "sensitive" information and emphasizes that companies should provide clear, comprehensive disclosures regarding data collection, use and sharing, especially when such practices may be unexpected.
Complaint
The complaint sets forth a number of allegations regarding VIZIO's data collection practices, including:
- In February 2014, VIZIO started selling smart TVs loaded with automated content recognition (ACR) software that continuously captured all pixel data from television screens and transmitted that data back to VIZIO for comparison and matching using databases of television shows, movies and commercials.
- At the same time, VIZIO also remotely installed ACR software on televisions that had originally been sold without it.
- In addition to pixel data about viewing activity, the ACR software collected other information, such as IP addresses, MAC addresses, and WiFi signal strength and local access points, from the connected TVs.
- VIZIO then sold the data it collected to third parties for purposes of measuring audience size, analyzing advertising effectiveness and targeting ads across consumers' devices based on their viewing habits.
The complaint indicates that VIZIO's contracts with the third parties to whom it was selling the data prohibited re-identification of individual consumers, but allowed relatively rich data (including sex, age, income, marital status, household size, education, home ownership and household value) to be appended for marketing purposes.
According to the FTC, the televisions that had ACR software pre-installed did not provide any on-screen notice regarding the data collection occurring behind the scenes. TVs that were remotely updated to add ACR software did provide some notice, showing users a pop-up message regarding changes to the VIZIO privacy policy (with a URL) and stating that "Smart Interactivity" had been enabled but could be disabled through the settings menu. The FTC claimed that this notice was insufficient, as it did not adequately inform consumers about the comprehensiveness of the data collection or how the data would be shared. Further, although the "Smart Interactivity" feature was described as providing viewers with program offers and suggestions, the complaint alleges that no such offers or suggestions were actually provided to consumers.
The Order
In the stipulated court order, VIZIO agreed to pay $2.2 million to end the joint enforcement action brought by the FTC and the New Jersey Attorney General's office: $1.5 million to the FTC and $1 million to New Jersey (with $300,000 suspended for five years, to be vacated provided VIZIO complies with the terms of the settlement).
In addition to the monetary payment, going forward VIZIO must "prominently disclose" its data collection and sharing practices to consumers, separate from its privacy policy and terms of use. The disclosure must list the types of viewing data VIZIO will collect and use; the types of viewing data that will be shared with third parties; the identity of those third parties or the categories of the third parties; and the purposes for the sharing. VIZIO must then obtain the consumer's affirmative, express consent to the collection and sharing activities and provide instructions on how to revoke such consent.
VIZIO also has agreed to destroy, within 120 days of the order, viewing data that it collected prior to March 1, 2016. Similar to previous FTC enforcement actions, VIZIO will be required to implement a comprehensive privacy program and obtain biennial assessments of its compliance for 20 years.
Takeaways
- As suggested by the FTC's Business Center Blog post on the case, companies that may engage in data collection of this nature should (1) provide clear, user-friendly explanations about their activities up front; (2) obtain consent if they want to collect "highly specific information about [consumers'] entertainment preferences" (preferably affirmative, opt-in consent); and (3) make it easy for people to exercise the choices available to them when it comes to the collection and use of their personal data.
- If opt-outs will be provided, make sure choices are easy for consumers to access and exercise. Descriptions should clearly explain the effects of the opt-out so the consumer knows what opting out will (and will not) accomplish in terms of restricting data collection, use or disclosure.
- This case may indicate an expansion of the FTC's definition of "sensitive" data that, when collected, used or shared in an unexpected way, may cause the kind of substantial harm that can result in a Section 5 unfairness claim. Such a shift would put television viewing data on par with financial records, health data, Social Security numbers, children's personal information and precise geolocation coordinates in terms of sensitivity. That said, the changing political balance of the Commission may reveal this case to be an outlier for the foreseeable future.
- The new majority within the Commission may tilt the scales away from interpreting privacy injuries as "substantial", thereby reducing the number of unfairness claims brought in connection with alleged privacy violations. Nevertheless, failing to provide clear and complete disclosures or omitting material information about data collection and use practices will continue to be viewed as "deceptive" and therefore subject to Section 5 enforcement.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
