On February 6, 2017, the Federal Trade Commission announced that it had settled charges against VIZIO, Inc., a consumer electronics manufacturer of Internet-connected televisions. The FTC alleged that VIZIO unfairly tracked sensitive TV viewing data of millions of American consumers, and deceptively failed to disclose how the collected data was being used. This action was announced just a month after the FTC filed a complaint against the maker of various IoT devices, such as networked routers and IP cameras, which the FTC alleges suffer from security vulnerabilities that threaten consumer privacy.
This marks the first time consumer television viewing data has been brought within the FTC’s definition of “sensitive” information and emphasizes that companies should provide clear, comprehensive disclosures regarding data collection, use and sharing, especially when such practices may be unexpected.
The complaint sets forth a number of allegations regarding VIZIO’s data collection practices, including:
- In February 2014, VIZIO started selling smart TVs loaded with automated content recognition (ACR) software that continuously captured all pixel data from television screens and transmitted that data back to VIZIO for comparison and matching using databases of television shows, movies and commercials.
- At the same time, VIZIO also remotely installed ACR software on televisions that had originally been sold without it.
- In addition to pixel data about viewing activity, the ACR software collected other information, such as IP addresses, MAC addresses, and WiFi signal strength and local access points, from the connected TVs.
- VIZIO then sold the data it collected to third parties for purposes of measuring audience size, analyzing advertising effectiveness and targeting ads across consumers’ devices based on their viewing habits.
The complaint indicates that VIZIO’s contracts with the third parties to whom it was selling the data prohibited re-identification of individual consumers, but allowed relatively rich data (including sex, age, income, marital status, household size, education, home ownership and household value) to be appended for marketing purposes.
In the stipulated court order, VIZIO agreed to pay $2.2 million to end the joint enforcement action brought by the FTC and the New Jersey Attorney General’s office: $1.5 million to the FTC and $1 million to New Jersey (with $300,000 suspended for five years, to be vacated provided VIZIO complies with the terms of the settlement).
VIZIO also has agreed to destroy, within 120 days of the order, viewing data that it collected prior to March 1, 2016. Similar to previous FTC enforcement actions, VIZIO will be required to implement a comprehensive privacy program and obtain biennial assessments of its compliance for 20 years.
- As suggested by the FTC’s Business Center Blog post on the case, companies that may engage in data collection of this nature should (1) provide clear, user-friendly explanations about their activities up front; (2) obtain consent if they want to collect “highly specific information about [consumers’] entertainment preferences” (preferably affirmative, opt-in consent); and (3) make it easy for people to exercise the choices available to them when it comes to the collection and use of their personal data.
- If opt-outs will be provided, make sure choices are easy for consumers to access and exercise. Descriptions should clearly explain the effects of the opt-out so the consumer knows what opting out will (and will not) accomplish in terms of restricting data collection, use or disclosure.
- This case may indicate an expansion of the FTC’s definition of “sensitive” data that, when collected, used or shared in an unexpected way, may cause the kind of substantial harm that can result in a Section 5 unfairness claim. Such a shift would put television viewing data on par with financial records, health data, Social Security numbers, children’s personal information and precise geolocation coordinates in terms of sensitivity. That said, the changing political balance of the Commission may reveal this case to be an outlier for the foreseeable future.
- The new majority within the Commission may tilt the scales away from interpreting privacy injuries as “substantial”, thereby reducing the number of unfairness claims brought in connection with alleged privacy violations. Nevertheless, failing to provide clear and complete disclosures or omitting material information about data collection and use practices will continue to be viewed as “deceptive” and therefore subject to Section 5 enforcement.