[co-author: Sol Eppel]
What are the promises and potential privacy pitfalls when you take an old-fashioned television and connect it to the Internet? On December 7, 2016, the FTC hosted the final installment its Fall Technology Series in an effort to find out. The workshop explored Internet-connected TVs—smart TVs—and similar connected devices, such as Blu-Ray players, game consoles, streaming devices, and cable boxes, that deliver content to consumers on a large screen. Representatives from industry, the advertising community, privacy organizations, and the Commission weighed in on how stakeholders can take steps to protect consumers’ privacy without stifling innovation.
Change and Continuity
Jessica Rich, the Director of the Commission’s Bureau of Consumer Protection, kicked off the workshop by touching on changing trends in how we watch content and what this means for advertising and consumer privacy. She said that we have an ever increasing number of choices in what we watch, and that most of us are increasingly streaming content from the Internet to our devices instead of relying on traditional cable television. She said that more choice and connectivity allows advertisers to better understand consumer behavior, but it also means more privacy concerns because an individual’s viewing habits could be used to discern sensitive information about him or her.
In discussing how the FTC might respond to these concerns, Director Rich highlighted areas of continuity. Basic privacy principles apply in the smart TV space, she said, as they do in other spaces. The FTC may bring law enforcement actions in this space, too, as they do elsewhere. In fact, she explained, the FTC has long been involved in examining the practices of video content providers: in 2001, it warned that the collection of viewers’ personal information by set-top boxes raised privacy concerns, especially if the collection was misrepresented. Director Rich also noted that Congress is well aware of the sensitivity of consumers’ viewing habits, as evidenced by its enactment of the Cable Privacy Act (CPA) of 1984 and the Video Privacy Protection Act (VPPA) of 1988.
What are Smart TVs, and What Do They Tell Us?
Before diving into the workshop’s two panel discussions, Justin Brookman, Policy Director of the FTC’s Office of Technology, Research, and Investigation, gave an overview of the smart TV ecosystem, and Ian Klein, a graduate student who worked with the FTC over the summer, gave a presentation on what the FTC learned after examining three smart TVs in the FTC’s technology lab.
Mr. Brookman began with an overview of the benefits of smart TVs and related devices, touching on themes addressed by Director Rich and many of the day’s panelists. These devices benefit consumers by providing more, and more varied, content; by allowing consumers to interact with their devices as they watch content; by providing personalized recommendations; and by reducing commercials or prices.
Mr. Brookman said that these devices benefit companies, too, by allowing for more, and more accurate, data collection. With people relying on more devices—TVs, phones, tablets, and computers—to watch content, it is harder to measure who is watching what. But smart TVs can help track users’ viewing habits across all of their connected devices. Data from this tracking, combined with information about viewers, can be used to craft and deliver more effective and targeted advertisements.
Mr. Brookman then shifted to the privacy implications of these devices. Historically, TVs have not engaged in any tracking or data collection. This is no longer the case. Smart TVs harvest a variety of data. For example, they often have Automated Content Recognition (ACR) technology, which sends snapshots of what the viewer is watching to vendors for an analysis. Smart TVs also rely on users’ voice or video inputs, which raises the possibility that sensitive data could be collected—although Mr. Brookman questioned whether these data would always have significant commercial use. Because this expanded data collection can reveal much about the viewer, he raised issues on which the FTC often concentrates—those of notice and choice. Specifically, he said, smart TVs might raise challenges for delivering notice and choice to consumers given customers’ varied expectations and potentially inconsistent controls across apps and devices.
Mr. Brookman then highlighted an issue that has been in the news in recent weeks following a massive denial of service attack: that of device security. In particular, a buyer might keep a TV for many years. How often can they expect to receive updates? How long until their device becomes obsolete and unsupported? These questions are not only important for device security, but also for consumer protection. Mr. Brookman indicated that the FTC remains interested in looking into instances in which consumers are left stuck with devices that become obsolete too quickly and potentially subject to cyber attacks.
Finally, Mr. Brookman highlighted some of the laws that might apply in this space. In addition to Section 5 of the FTC Act, he suggested that the Children’s Online Privacy Protection Act might apply to these devices. The same applies to the CPA and VPPA, although he noted that there has been contradictory case law about whether the VPPA applies to today’s streaming services and devices. The Electronic Communications Privacy Act and Wiretap Act might also apply, he said, given that these devices have the ability to capture communications between users and others.
Mr. Klein then presented the FTC’s findings from its examination of three smart TVs in the FTC’s tech lab. In particular, the FTC examined the notice and choice offered to consumers about the devices’ privacy practices. The FTC found that the TVs’ default settings favored collection, although interfaces for notice and choice varied across the samples. However, the TVs didn’t always have a mechanism for controlling data sharing with third parties or for controlling app data collection and sharing.
The FTC also analyzed what data was transmitted from the smart TVs to third parties. The FTC found that two of the three smart TVs regularly communicated with their respective manufacturer’s servers, which Mr. Klein hypothesized might facilitate ACR or a cloud service. Another TV did not appear to communicate regularly with a server, although Mr. Klein noted that data could have been sent after a session was over or through an undetected proxy. He said that it appeared to the FTC that sharing collected data with third parties was not as widespread as on mobile devices or websites, but it is possible that manufacturers shared such information with third parties after the data has been sent to their servers.
Of course, such sharing is not static. The FTC found that when controls for data collection were used, two of the TVs sent no data to their manufacturers, while the third sent far less data. And manufacturers’ own collection practices seem to change over time: when the FTC re-ran its tests later on, it found that less information was transmitted. But Mr. Brookman noted that such data collection could increase in the future.
Panel 1: “New Frontiers in Media Measurement and Targeting”
The first panel, moderated by FTC attorney Kevin Moriarty, discussed the benefits that smart TVs can deliver to industry, advertisers, and consumers. The panel included Mark Risis, the former head of strategy and business development for a set-top box manufacturer; Ashwin Navin, the CEO of a company that develops software and apps for smart TVs; Josh Chasin, the Chief Research Officer of a marketing analytics company; Jane Clarke, CEO of a coalition seeking ways to provide more innovative methods for measuring audiences; and Shaq Katikala, Counsel and Assistant Director of Technology and Data Science at the Network Advertising Initiative (NAI).
In response to a question from Mr. Moriarty about what new approaches smart TVs and related devices facilitate, panelists generally agreed that, compared to traditional methods of delivering television content, such devices create the opportunity to better track viewership, deliver better content, and provide better targeted advertising. Some companies are combining consumers’ viewing habits with information from other sources, such as purchases and geolocation data. Thus, advertisers can move past the time in which ads were sold based on basic demographic information, such as age and sex, and target ads based on more advanced data, like transactional data.
Mr. Moriarty asked panelists to describe how consumers can benefit from developments in the smart TV space. Panelists pointed out that with better data on viewership, content providers can recommend and even create content that more viewers like. In addition, more effective advertisements mean that companies purchase fewer ads, which reduces the time that viewers have to sit through commercials. On the flip side, the proliferation of subscription models means that consumers can view content with no ads. Participants also pointed out that smart TVs facilitate a more interactive viewing experience, allowing viewers to follow social media while watching sports or to learn information about actors on a show.
Mr. Moriarty then directed panelists to discuss notice and choice. Mr. Katikala indicated that the NAI is in the process of crafting guidance for companies that operate in this space. He noted that smart TVs represent the convergence of three separate industries with their own history of privacy and regulation: the cable TV industry; app manufacturers; and TV manufacturers. He also noted that many consumers seem to be developing expectations on what types of data are collected based on the mobile market. Still, the NAI remains convinced that self-regulation is the optimal way to address privacy challenges posed by this technology. In response to a question from Mr. Moriarty—what’s the “dream”—Mr. Katikala explained that the dream is to put all participants in the smart TV space on the same footing when it comes to privacy. In response to another question from Mr. Moriarty—about whether a company should be required to provide notice and choice if it is not collecting personally identifiable information—Mr. Katikala stated that this should not be required to do so for fully de-identified data.
Mr. Moriarty then directed a discussion on interfaces used to deliver notice and choice, probing whether delivering notice and choice on a TV is arguably “jarring,” or whether an interface on an external device—or a “privacy” button on a remote control—is warranted. Mr. Navin suggested that consumers should be told what software and capabilities are included on smart TVs, although Mr. Katikala noted that more information without proper education is actually harmful to consumers. He suggested that companies in the smart TV space could adopt a standardized icon for ads so viewers can access more information about their privacy options. He emphasized that effective notice and choice is necessary.
In their concluding thoughts, participants generally acknowledged that the industry could do a better job in offering comprehensible disclosures and giving users meaningful choice and control, but that consumers should also be educated about how they benefit from this technology. One participant stated that it would be helpful to have FTC leadership in this space.
Panel 2: “Consumer Understanding and Regulatory Framework”
FTC attorney Megan Cox led a discussion about how companies in the smart TV space should approach consumer privacy. On the panel was Serge Egelman, a researcher focusing on how consumers understand privacy; Claire Gartland, Director of the Consumer Protection Project at the Electronic Privacy Information Center; Dallas Harris, a Policy Fellow at Public Knowledge; Maria Rerecich, the Director of Electronics Testing at Consumer Reports; and Emmett O’Keefe, Senior Vice President of Advocacy at the Data and Marketing Association (DMA).
The panel began with Mr. Egelman discussing his research about how users perceive the privacy implications of smart TVs. He noted that many people thought that data does not leave smart TVs and is not used for other purposes. Some thought that laws were in place to protect their data. Some thought that there were loopholes around any such laws, and many thought that there was nothing they could do to control the privacy of their information.
In the ensuing discussion, some panelists expressed concern at the current state of affairs. They suggested that data in the smart TV realm can reveal the most intimate details of consumers’ private lives, but that industry has failed at educating consumers about the risks and benefits of data sharing. And opaque, barely readable privacy policies don’t help, according to these panelists, as consumers don’t know how to control the privacy of their own information. Some expressed concern at the efficacy of self-regulation. Mr. Egelman, for example, went so far as to contend that self-regulation has failed to give consumers meaningful choice and control in the web space—and may well prove to be a failure in the smart TV space too.
Mr. O’Keefe, however, disagreed. He argued that smart TVs are simply new devices that present many of the same services and privacy concerns as mobile and other devices. Thus, self-regulation—which he emphasized has worked well in other spaces, such as online and in the mobile environment—can work well here too, and that new laws are not necessary.
Some panelists pointed at options for improving consumer privacy protections in the smart TV industry. Ms. Gartland suggested that the VPPA might apply to some video streaming services, although she noted that there is conflicting case law on this question. Ms. Harris noted that the Cable Privacy Act might apply in this space, and also said that Congress needs to clarify how existing privacy laws apply to new technologies. Ms. Rerecich explained that Consumer Reports is working on standards, which she hopes will be promulgated early in 2017, that would inform consumers about the extent to which devices are secure and protect user privacy. Consumer Reports hopes that this standard will move the marketplace, causing companies to adopt better privacy and security measures. Mr. O’Keefe also explained that the DMA is on the verge of releasing a whitepaper for the smart TV space.
Ms. Cox asked panelists to discuss best practices for giving consumers control and choice, and whether we are moving to one standard. Panelists generally agreed that notice and choice should be more transparent, and some suggested that privacy-related standards could and should be more uniform.
Looking (Watching?) Forward
The workshop leaves no doubt that smart TVs will remain an important element of the FTC’s privacy agenda. As noted by some panelists, the DMA is releasing a whitepaper about smart TVs, while the NAI is developing guidelines about what privacy steps members will be required to take in the smart TV space. These guidelines are likely to track the 2015 NAI Code and the NAI’s guidance on non-cookie technologies, at least in some respects. These documents require NAI members who are engaged in interest-based advertising or ad delivery and reporting to provide clear and understandable notice to users about what information they collect from users, how that information will be used, and other pertinent information about members’ advertising practices. Members must also give users the ability to opt out of most advertising practices, and members cannot conduct particularly sensitive advertising practices absent user opt-in. It is notable that the Digital Advertising Alliance did not send a representative to the smart TV workshop, but it too may be working on self-regulatory guidelines for smart TV.
The FTC often releases reports following events like these. Such a report would be particularly welcome here as the adoption of smart TVs continues to increase. It is likely that any such report would focus on themes from the FTC’s 2009 report on online behavioral advertising and its seminal 2012 Privacy Report. A post-workshop report will likely recommend that that companies in the smart TV space “bake” privacy into every stage of a product’s development. It may also stress data minimization, recommend special treatment of certain categories of sensitive information, such as financial data, health data, children’s data, and precise geolocation data; emphasize the importance of adopting robust security practices; and stress the importance of giving consumers transparency on the personal information that is collected, how it is used, and with whom it is transferred, together with a call for meaningful and clear choices for consumers.
The Commission seems to be aware of the benefits that smart TV and related technologies can provide. But it is also acutely aware that the collection of new and more data by these devices raises privacy concerns. The Commission will likely continue to monitor technologies introduced in this space and how these technologies collect, use, and disclose data they collect. We are hopeful that the FTC will issue a Staff report based on this workshop with practical recommendations for industry, and perhaps even with comments on documents published by the NAI, the DMA, and others. And of course, as mentioned by Director Rich, the FTC may take enforcement action in this space should it deem such action necessary.