Summary of the FTC’s 12/7 Workshop on Smart TV and Thoughts for the Future

by WilmerHale
Contact

[co-author: Sol Eppel]

What are the promises and potential privacy pitfalls when you take an old-fashioned television and connect it to the Internet? On December 7, 2016, the FTC hosted the final installment its Fall Technology Series in an effort to find out. The workshop explored Internet-connected TVs—smart TVs—and similar connected devices, such as Blu-Ray players, game consoles, streaming devices, and cable boxes, that deliver content to consumers on a large screen. Representatives from industry, the advertising community, privacy organizations, and the Commission weighed in on how stakeholders can take steps to protect consumers’ privacy without stifling innovation.

Change and Continuity

Jessica Rich, the Director of the Commission’s Bureau of Consumer Protection, kicked off the workshop by touching on changing trends in how we watch content and what this means for advertising and consumer privacy. She said that we have an ever increasing number of choices in what we watch, and that most of us are increasingly streaming content from the Internet to our devices instead of relying on traditional cable television. She said that more choice and connectivity allows advertisers to better understand consumer behavior, but it also means more privacy concerns because an individual’s viewing habits could be used to discern sensitive information about him or her.

In discussing how the FTC might respond to these concerns, Director Rich highlighted areas of continuity. Basic privacy principles apply in the smart TV space, she said, as they do in other spaces. The FTC may bring law enforcement actions in this space, too, as they do elsewhere. In fact, she explained, the FTC has long been involved in examining the practices of video content providers: in 2001, it warned that the collection of viewers’ personal information by set-top boxes raised privacy concerns, especially if the collection was misrepresented. Director Rich also noted that Congress is well aware of the sensitivity of consumers’ viewing habits, as evidenced by its enactment of the Cable Privacy Act (CPA) of 1984 and the Video Privacy Protection Act (VPPA) of 1988.

What are Smart TVs, and What Do They Tell Us?

Before diving into the workshop’s two panel discussions, Justin Brookman, Policy Director of the FTC’s Office of Technology, Research, and Investigation, gave an overview of the smart TV ecosystem, and Ian Klein, a graduate student who worked with the FTC over the summer, gave a presentation on what the FTC learned after examining three smart TVs in the FTC’s technology lab.

Mr. Brookman began with an overview of the benefits of smart TVs and related devices, touching on themes addressed by Director Rich and many of the day’s panelists. These devices benefit consumers by providing more, and more varied, content; by allowing consumers to interact with their devices as they watch content; by providing personalized recommendations; and by reducing commercials or prices.

Mr. Brookman said that these devices benefit companies, too, by allowing for more, and more accurate, data collection. With people relying on more devices—TVs, phones, tablets, and computers—to watch content, it is harder to measure who is watching what. But smart TVs can help track users’ viewing habits across all of their connected devices. Data from this tracking, combined with information about viewers, can be used to craft and deliver more effective and targeted advertisements.

Mr. Brookman then shifted to the privacy implications of these devices. Historically, TVs have not engaged in any tracking or data collection. This is no longer the case. Smart TVs harvest a variety of data. For example, they often have Automated Content Recognition (ACR) technology, which sends snapshots of what the viewer is watching to vendors for an analysis. Smart TVs also rely on users’ voice or video inputs, which raises the possibility that sensitive data could be collected—although Mr. Brookman questioned whether these data would always have significant commercial use. Because this expanded data collection can reveal much about the viewer, he raised issues on which the FTC often concentrates—those of notice and choice. Specifically, he said, smart TVs might raise challenges for delivering notice and choice to consumers given customers’ varied expectations and potentially inconsistent controls across apps and devices.

Mr. Brookman then highlighted an issue that has been in the news in recent weeks following a massive denial of service attack: that of device security. In particular, a buyer might keep a TV for many years. How often can they expect to receive updates? How long until their device becomes obsolete and unsupported? These questions are not only important for device security, but also for consumer protection. Mr. Brookman indicated that the FTC remains interested in looking into instances in which consumers are left stuck with devices that become obsolete too quickly and potentially subject to cyber attacks. 

Finally, Mr. Brookman highlighted some of the laws that might apply in this space. In addition to Section 5 of the FTC Act, he suggested that the Children’s Online Privacy Protection Act might apply to these devices. The same applies to the CPA and VPPA, although he noted that there has been contradictory case law about whether the VPPA applies to today’s streaming services and devices. The Electronic Communications Privacy Act and Wiretap Act might also apply, he said, given that these devices have the ability to capture communications between users and others.

Mr. Klein then presented the FTC’s findings from its examination of three smart TVs in the FTC’s tech lab. In particular, the FTC examined the notice and choice offered to consumers about the devices’ privacy practices. The FTC found that the TVs’ default settings favored collection, although interfaces for notice and choice varied across the samples. However, the TVs didn’t always have a mechanism for controlling data sharing with third parties or for controlling app data collection and sharing.

The FTC also analyzed what data was transmitted from the smart TVs to third parties. The FTC found that two of the three smart TVs regularly communicated with their respective manufacturer’s servers, which Mr. Klein hypothesized might facilitate ACR or a cloud service. Another TV did not appear to communicate regularly with a server, although Mr. Klein noted that data could have been sent after a session was over or through an undetected proxy. He said that it appeared to the FTC that sharing collected data with third parties was not as widespread as on mobile devices or websites, but it is possible that manufacturers shared such information with third parties after the data has been sent to their servers.

Of course, such sharing is not static. The FTC found that when controls for data collection were used, two of the TVs sent no data to their manufacturers, while the third sent far less data. And manufacturers’ own collection practices seem to change over time: when the FTC re-ran its tests later on, it found that less information was transmitted. But Mr. Brookman noted that such data collection could increase in the future.

Panel 1: “New Frontiers in Media Measurement and Targeting”

The first panel, moderated by FTC attorney Kevin Moriarty, discussed the benefits that smart TVs can deliver to industry, advertisers, and consumers. The panel included Mark Risis, the former head of strategy and business development for a set-top box manufacturer; Ashwin Navin, the CEO of a company that develops software and apps for smart TVs; Josh Chasin, the Chief Research Officer of a marketing analytics company; Jane Clarke, CEO of a coalition seeking ways to provide more innovative methods for measuring audiences; and Shaq Katikala, Counsel and Assistant Director of Technology and Data Science at the Network Advertising Initiative (NAI).

In response to a question from Mr. Moriarty about what new approaches smart TVs and related devices facilitate, panelists generally agreed that, compared to traditional methods of delivering television content, such devices create the opportunity to better track viewership, deliver better content, and provide better targeted advertising. Some companies are combining consumers’ viewing habits with information from other sources, such as purchases and geolocation data. Thus, advertisers can move past the time in which ads were sold based on basic demographic information, such as age and sex, and target ads based on more advanced data, like transactional data.

Mr. Moriarty asked panelists to describe how consumers can benefit from developments in the smart TV space. Panelists pointed out that with better data on viewership, content providers can recommend and even create content that more viewers like. In addition, more effective advertisements mean that companies purchase fewer ads, which reduces the time that viewers have to sit through commercials. On the flip side, the proliferation of subscription models means that consumers can view content with no ads. Participants also pointed out that smart TVs facilitate a more interactive viewing experience, allowing viewers to follow social media while watching sports or to learn information about actors on a show.

Mr. Moriarty then directed panelists to discuss notice and choice. Mr. Katikala indicated that the NAI is in the process of crafting guidance for companies that operate in this space. He noted that smart TVs represent the convergence of three separate industries with their own history of privacy and regulation: the cable TV industry; app manufacturers; and TV manufacturers. He also noted that many consumers seem to be developing expectations on what types of data are collected based on the mobile market. Still, the NAI remains convinced that self-regulation is the optimal way to address privacy challenges posed by this technology. In response to a question from Mr. Moriarty—what’s the “dream”—Mr. Katikala explained that the dream is to put all participants in the smart TV space on the same footing when it comes to privacy. In response to another question from Mr. Moriarty—about whether a company should be required to provide notice and choice if it is not collecting personally identifiable information—Mr. Katikala stated that this should not be required to do so for fully de-identified data.

Mr. Moriarty then directed a discussion on interfaces used to deliver notice and choice, probing whether delivering notice and choice on a TV is arguably “jarring,” or whether an interface on an external device—or a “privacy” button on a remote control—is warranted. Mr. Navin suggested that consumers should be told what software and capabilities are included on smart TVs, although Mr. Katikala noted that more information without proper education is actually harmful to consumers. He suggested that companies in the smart TV space could adopt a standardized icon for ads so viewers can access more information about their privacy options. He emphasized that effective notice and choice is necessary.

In their concluding thoughts, participants generally acknowledged that the industry could do a better job in offering comprehensible disclosures and giving users meaningful choice and control, but that consumers should also be educated about how they benefit from this technology. One participant stated that it would be helpful to have FTC leadership in this space.

Panel 2: “Consumer Understanding and Regulatory Framework”

FTC attorney Megan Cox led a discussion about how companies in the smart TV space should approach consumer privacy. On the panel was Serge Egelman, a researcher focusing on how consumers understand privacy; Claire Gartland, Director of the Consumer Protection Project at the Electronic Privacy Information Center; Dallas Harris, a Policy Fellow at Public Knowledge; Maria Rerecich, the Director of Electronics Testing at Consumer Reports; and Emmett O’Keefe, Senior Vice President of Advocacy at the Data and Marketing Association (DMA).

The panel began with Mr. Egelman discussing his research about how users perceive the privacy implications of smart TVs. He noted that many people thought that data does not leave smart TVs and is not used for other purposes. Some thought that laws were in place to protect their data. Some thought that there were loopholes around any such laws, and many thought that there was nothing they could do to control the privacy of their information.

In the ensuing discussion, some panelists expressed concern at the current state of affairs. They suggested that data in the smart TV realm can reveal the most intimate details of consumers’ private lives, but that industry has failed at educating consumers about the risks and benefits of data sharing. And opaque, barely readable privacy policies don’t help, according to these panelists, as consumers don’t know how to control the privacy of their own information. Some expressed concern at the efficacy of self-regulation. Mr. Egelman, for example, went so far as to contend that self-regulation has failed to give consumers meaningful choice and control in the web space—and may well prove to be a failure in the smart TV space too.

Mr. O’Keefe, however, disagreed. He argued that smart TVs are simply new devices that present many of the same services and privacy concerns as mobile and other devices. Thus, self-regulation—which he emphasized has worked well in other spaces, such as online and in the mobile environment—can work well here too, and that new laws are not necessary.

Some panelists pointed at options for improving consumer privacy protections in the smart TV industry. Ms. Gartland suggested that the VPPA might apply to some video streaming services, although she noted that there is conflicting case law on this question. Ms. Harris noted that the Cable Privacy Act might apply in this space, and also said that Congress needs to clarify how existing privacy laws apply to new technologies. Ms. Rerecich explained that Consumer Reports is working on standards, which she hopes will be promulgated early in 2017, that would inform consumers about the extent to which devices are secure and protect user privacy. Consumer Reports hopes that this standard will move the marketplace, causing companies to adopt better privacy and security measures. Mr. O’Keefe also explained that the DMA is on the verge of releasing a whitepaper for the smart TV space.

Ms. Cox asked panelists to discuss best practices for giving consumers control and choice, and whether we are moving to one standard. Panelists generally agreed that notice and choice should be more transparent, and some suggested that privacy-related standards could and should be more uniform.

Looking (Watching?) Forward

The workshop leaves no doubt that smart TVs will remain an important element of the FTC’s privacy agenda. As noted by some panelists, the DMA is releasing a whitepaper about smart TVs, while the NAI is developing guidelines about what privacy steps members will be required to take in the smart TV space. These guidelines are likely to track the 2015 NAI Code and the NAI’s guidance on non-cookie technologies, at least in some respects. These documents require NAI members who are engaged in interest-based advertising or ad delivery and reporting to provide clear and understandable notice to users about what information they collect from users, how that information will be used, and other pertinent information about members’ advertising practices. Members must also give users the ability to opt out of most advertising practices, and members cannot conduct particularly sensitive advertising practices absent user opt-in. It is notable that the Digital Advertising Alliance did not send a representative to the smart TV workshop, but it too may be working on self-regulatory guidelines for smart TV.

The FTC often releases reports following events like these. Such a report would be particularly welcome here as the adoption of smart TVs continues to increase. It is likely that any such report would focus on themes from the FTC’s 2009 report on online behavioral advertising and its seminal 2012 Privacy Report. A post-workshop report will likely recommend that that companies in the smart TV space “bake” privacy into every stage of a product’s development. It may also stress data minimization, recommend special treatment of certain categories of sensitive information, such as financial data, health data, children’s data, and precise geolocation data; emphasize the importance of adopting robust security practices; and stress the importance of giving consumers transparency on the personal information that is collected, how it is used, and with whom it is transferred, together with a call for meaningful and clear choices for consumers.  

The Commission seems to be aware of the benefits that smart TV and related technologies can provide. But it is also acutely aware that the collection of new and more data by these devices raises privacy concerns. The Commission will likely continue to monitor technologies introduced in this space and how these technologies collect, use, and disclose data they collect. We are hopeful that the FTC will issue a Staff report based on this workshop with practical recommendations for industry, and perhaps even with comments on documents published by the NAI, the DMA, and others. And of course, as mentioned by Director Rich, the FTC may take enforcement action in this space should it deem such action necessary.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising

Written by:

WilmerHale
Contact
more
less

WilmerHale on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
Feedback? Tell us what you think of the new jdsupra.com!