Barely 10 years ago, on May 9, 2012, a class action was quietly settled between one individual and a huge video rental conglomerate – Blockbuster.

The company collected users’ video rental history as well as credit card information. At the time, this violated the Video Privacy Protection Action (VPPA), which prohibits movie rental services from disclosing information about the movies people watch without their consent.

Six years later (October 2018), streaming TV equipment manufacturers faced a similar claim. But in this case, the Streamers (Samsung, SONY and LG) reigned supreme and avoided a similar fate. The court ruled in favor of Samsung, LG and Sony, finding that the companies had no “disclose information that, with little or no additional effort, would allow an ordinary recipient to identify the video viewing habits of a particular person.” And the VPPA definition and use of IP addresses was not sufficient to personally identify an individual. Since, California Consumer Privacy Act (CCPA) and soon to be deployed California Privacy Rights Act (CPRA), further clarify the definition of PII to include IP addresses and their use to “reasonably” identify an individual or household. According to the laws, companies have an obligation to develop programs to manage and comply with these new laws, the new update to the CCPA regulations now includes a “limitation of purpose clause”, which means that ‘exclusive consent for use beyond the stated purpose is required.

How are PII exploited today?

To better digest this, we’ll use the Connected TV (CTV) industry, which is entering a golden era of addressable monetization, as an example. With the meteoric growth rate of subscription video-on-demand (SVOD), advertising video-on-demand (AVOD) and FAST networks, the CTV advertising market has become the hottest screen on which deliver performance-based marketing and targeted campaigns. (literally, up to individuals in a household). Most of these rely on the ability to “match” household, device, and individual PII levels, such as IP address (the identifier of choice for a CTV), advertiser IDs (IDFA), mobile advertising identifiers (MAIDS) and email addresses.

Data and “matching” cleanroom providers then take this PII information and run probabilistic and deterministic models to determine whether an individual resides within the household represented by the corresponding IP address. If everything matches, the individual receives targeted advertising on their CTV from a brand. Another example can occur when the individual purchases from a Big Box retailer and joins their loyalty program, which then combines the customer’s email address with purchase/transaction history. This information is then delivered through a “clean room” matching process while running an advertising campaign to target the specific customer’s “hashed” emails to IP with personalized and relevant advertisements on a FAST network.

What could change under the new ADPPA bill?

On June 3, 2022, the federal government released a draft US Data Protection and Privacy Act (ADPPA) which is sent to the House of Representatives. It reveals some telltale signs of where the government and the FTC are headed. When it comes to the TV/video viewing and streaming market, this could be a monumental shift in how every video platform and video/CTV AdTech company thinks about “consent” and “sensitive data.” “.

There are a few key sections that clear up the confusion around IP address usage and what constitutes “sensitive data”.

Sensitive Data: Information that reveals an individual’s access to or viewing of television, cable, or streaming services.

Any other Covered Data collected, processed or transferred for the purpose of identifying Sensitive Covered Data is also considered Sensitive.

This results in the combination of a consumer’s CTV viewing history (IP address with session level viewing information) with ANY other “covered data” such as device ID, e- mail and home address, then these data points become “sensitive data”. And if any of this data can reasonably be used to re-identify the consumer or their household, it is also NOT considered anonymized data (sorry, hashed emails and synthetic IDs)

Also, according to the ADPPA project:

Right of consent and opposition, is defined as: The sensitive data covered cannot be collected, processed or transferred to a third party without the authorization express affirmative consent of the individual to whom it relates. Individuals Must Have Means to Give and Withdraw Consent… Covered Entities Engaging in Targeted Advertising must provide clear and visible ways for individuals to opt out prior to any targeted advertising and at any time thereafter.

To translate this further, it essentially eliminates any misconceptions regarding the validity of the IP address (or any other identifier that could “reasonably” re-identify a household or individual) exploited by platforms and video providers and referred to as PII. And now, if the ADPPA project were to be law today, it would be classified as “sensitive data” which requires “express affirmative consent” for its operation.

According to the FTC, “affirmative express consent” means that:

  • . Prior to initial use of any Covered Software, it must be clearly and conspicuously disclosed, separate and apart from any “End User License Agreement”, “Privacy Policy”, “Terms of Use” page or similar document, the following elements

While we now see registration prompts when we first set up our Samsung, VIZIO, Sony, or LG connected TVs, do these notice and disclosure prompts really qualify as “Express Affirmative Consent?” Keep in mind that I may have provided a consent choice when I originally installed my TVs 2 or 3 years ago. I have not received any further notice, disclosure or consent prompts since. My choice on a connected TV in the household is not reflected or interoperable with any other brand of connected TV or IOT device in my household. So disabling data sharing on my VIZIO did not affect my Samsung TV.

As Wayne Matus, co-founder of SafeGuard Privacy States,

What is conveyed here is that consent is temporal. This is for the currently leaked purpose – not an authorization for the life of a TV. Maybe it should be every time the TV is turned on – which might solve the problem of consent coming from the person giving the consent. And the new federal bill also embodies this concept. This all stems from the GDPR concept that consent must be meaningful. Does consent really have any meaning if given once for the lifetime of an aTV by one person for anyone else using it?

Beyond that, the average consumer doesn’t understand that individual streaming apps may have a different privacy policy and consent practice than the actual connected TV. This specific streaming app may not even ask for consent and therefore targets the consumer in their household even if they thought they had opted out when they set up their privacy choices when setting up their smart TV. This is a poor customer experience and consent issue.

Your head is still spinning?

With all the state laws coming and every industry calling for sweeping federal law, as a consumer there is reason to be positive. The stakes couldn’t be higher for all businesses faced with changing consumer demands and data privacy laws, no industry is immune to these rules. Recently, the FTC made it even more real by fining Twitter $150 million for violating data privacy laws. The company collected consumer data for security and compliance purposes, totally legal and acceptable with consumer consent, however, it then dumped all of this data into its advertising mechanism without “first person” consent. to do so – neither legal nor acceptable. It’s one of the first shots fired and the reason every marketer, advertiser, brand manager, security/compliance manager and senior executive is working full throttle to tackle current practices and change The approach.

And, if there’s one thing that’s become abundantly clear, it’s that the notion of “consent” and “express affirmative consent” should be a priority for every publisher, brand, video streamer and advertiser when considering how they properly collect qualified and valid consent from their consumers.